MIMWAL: Update set membership based on group membership
March 25, 2016 8 Comments
This is another post based on my current experiences with the Microsoft Workflow Activity Library aka MIM WAL.
Of course you can do this with your own custom activity or a PowerShell activity, but both require a lot of code to maintain. I have seen the question of how to update set members based on group members many times in the TechNet forum, and as you know, due to limitations of FIM / MIM you cannot do that with out-of-the-box (OoB) functions.
But with the MIMWAL there is now a fast and reliable solution for that, so you can, for example, grant permissions in the Portal (indirectly) based on AD groups.
The scenario for this example is as follows:
- I assume we have a set and a group with the same DisplayName (_ModifySetByGroup in this example)
- We want the group and set membership to be completely in sync
- I want to use only one workflow for multiple groups
So first we need to create a couple of things:
- Create a Set and a Group called _ModifySetByGroup, both with manually-managed membership only
- Create a Set (e.g. "Groups that can update sets") which contains all the groups (like the one above) that you want to keep in sync with sets
Now you need to create the action workflow with the MIMWAL Update Resource Activity:
The Queries section is used to look up the sets we want to modify; the XPath filter here searches for sets whose DisplayName matches that of the group (the Target Resource). The Key value is a handle for referencing the queried set later. The Updates section then writes the current group's membership, [//Target/ExplicitMember], to the ExplicitMember attribute of the set queried above, [//Queries/Set/ExplicitMember]. Don't forget to set the Allow Null flag, so that an emptied group also removes all members from the set.
The last thing is to create a Management Policy Rule (MPR) as follows:
- PolicyType: Request based
- Requestor Set: All People
- Operation: Add and Remove multivalue attribute
- Target Resource Set (Before and After): The set you created above (ex. Groups that can update sets)
- Select specific attribute: Manually-managed Membership (ExplicitMember)
- Policy Workflow: The action workflow with the MIMWAL activity created above
As you can see, the membership of the set is completely overwritten every time the group changes its members, but if you take a look at the request history you only see the delta changes, i.e. the differences between the group and the set membership, thanks to the efficient implementation of MIMWAL.
Now all you need to do to add additional sets that should be updated by groups is to create new, properly named sets and groups, and add the group to the set called "Groups that can update sets" created under point 2 above.
Modifications of that solution:
If you want sets whose members are updated by a group but also want to be able to add/remove additional members manually, you can modify the Updates section like this:
- Remove the current value expression and target
- Add Expression: RemoveValues([//Delta/ExplicitMember/Removed]) and Target: [//Queries/Set/ExplicitMember] Allow Null: unchecked
- Add Expression: InsertValues([//Delta/ExplicitMember/Added]) and Target: [//Queries/Set/ExplicitMember] Allow Null: unchecked
This will only add or remove the delta changes you make on the group memberships instead of setting the complete membership every time.
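To make the difference between the two Updates configurations (the full overwrite from the first workflow and the delta-only RemoveValues/InsertValues variant above) easy to check, here is an added example that models both outcomes, including the Allow Null behaviour and what the request history would show. It is a plain Python model written for this post, not MIM WAL code; the member names and functions are constructed for illustration.

```python
# Added example (not MIM WAL code): a small model of the two Update Resource
# configurations from this post, so their outcomes can be compared offline.
# Member names and function names are constructed for illustration only.


def full_overwrite(set_members, group_members, allow_null):
    """Mode 1: value [//Target/ExplicitMember] -> target [//Queries/Set/ExplicitMember].

    With Allow Null unchecked, a value that resolves to null is not written,
    so an emptied group leaves the set untouched (modelled as a no-op here).
    With Allow Null checked, the set is emptied along with the group.
    """
    if not group_members and not allow_null:
        return set(set_members)  # update skipped, set keeps its members
    return set(group_members)    # set membership replaced wholesale


def delta_update(set_members, added, removed):
    """Mode 2: RemoveValues([//Delta/ExplicitMember/Removed]) followed by
    InsertValues([//Delta/ExplicitMember/Added]) on the set.

    Only the group's delta is applied, so members added to the set by hand
    survive unless the same account was removed from the group in this request.
    """
    return (set(set_members) - set(removed)) | set(added)


def request_delta(before, after):
    """What the request history shows for a set update: only the differences."""
    before, after = set(before), set(after)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


if __name__ == "__main__":
    # Constructed scenario: the set carries one manually added member ("manual").
    current_set = {"alice", "bob", "manual"}
    group_now = {"alice", "carol"}  # bob left the group, carol joined

    synced = full_overwrite(current_set, group_now, allow_null=True)
    print("full overwrite:", sorted(synced))                 # manual member is lost
    print("request shows:", request_delta(current_set, synced))

    kept = delta_update(current_set, added={"carol"}, removed={"bob"})
    print("delta update:", sorted(kept))                     # manual member survives
```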