How to Use PowerShell to Create Criteria-Based Security Groups from a CSV File
FIM ScriptBox Item
Summary
Creates criteria-based Security Groups in the FIM Portal from a CSV file.
The CSV must include a header row with the columns DisplayName, AccountName, Description and Filter, where Filter is the XPath membership expression for each group, as in the following example:
DisplayName,AccountName,Description,Filter
SG-Geneva,sgGeneva,Staff based in Geneva,/Person[(EmployeeType = 'Employee') and (OfficeLocation = 'Geneva')]
SG-Engineers,sgEngineers,All Engineers,/Person[(EmployeeType = 'Employee') and ((starts-with(JobTitle, 'Consultant')) or (starts-with(JobTitle, 'Technical')))]
Script Code
PARAM($CSVFile, $Domain, $Scope = "Global", $Type = "Security", $Owner = "Administrator")
#----------------------------------------------------------------------------------------------------------
# FIM Service endpoint and the XML wrapper placed around each XPath filter
set-variable -name URI -value "http://fim:5725/resourcemanagementservice"
set-variable -name PREFILTER -value "<Filter xmlns:xsi=`"http://www.w3.org/2001/XMLSchema-instance`" xmlns:xsd=`"http://www.w3.org/2001/XMLSchema`" Dialect=`"http://schemas.microsoft.com/2006/11/XPathFilterDialect`" xmlns=`"http://schemas.xmlsoap.org/ws/2004/09/enumeration`">"
set-variable -name POSTFILTER -value "</Filter>"
#----------------------------------------------------------------------------------------------------------
# Adds one attribute change (Operation 1 = Add) to an ImportObject
function SetAttribute
{
    PARAM($object, $attributeName, $attributeValue)
    END
    {
        write-host $attributeName $attributeValue
        $importChange = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
        $importChange.Operation = 1
        $importChange.AttributeName = $attributeName
        $importChange.AttributeValue = $attributeValue
        $importChange.FullyResolved = 1
        $importChange.Locale = "Invariant"
        if ($object.Changes -eq $null) {$object.Changes = (,$importChange)}
        else {$object.Changes += $importChange}
    }
}
#----------------------------------------------------------------------------------------------------------
# Creates a new ImportObject of the given type with a fresh source identifier
function CreateObject
{
    PARAM($objectType)
    END
    {
        $newObject = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
        $newObject.ObjectType = $objectType
        $newObject.SourceObjectIdentifier = [System.Guid]::NewGuid().ToString()
        $newObject
    }
}
#----------------------------------------------------------------------------------------------------------
if(@(get-pssnapin | where-object {$_.Name -eq "FIMAutomation"} ).count -eq 0) {add-pssnapin FIMAutomation}

# Get Owner
$ownerObject = export-fimconfig -uri $URI `
                                -OnlyBaseResources `
                                -customconfig "/Person[AccountName='$Owner']"
if($ownerObject -eq $null) {throw "Owner not found!"}
$ownerID = $ownerObject.ResourceManagementObject.ObjectIdentifier -replace "urn:uuid:",""

# Import CSV and process each line
import-csv($CSVFile) | foreach {
    # Check if a group with the same name already exists
    $objectName = $_.DisplayName
    $exportObject = export-fimconfig -uri $URI `
                                     -OnlyBaseResources `
                                     -customconfig "/Group[DisplayName='$objectName']"
    if($exportObject) {write-host "`nGroup $objectName already exists"}
    else
    {
        # Wrap the XPath expression from the CSV in the Filter element
        $filter = $PREFILTER + $_.Filter + $POSTFILTER

        # Create group and add attributes
        $newGroup = CreateObject -objectType "Group"
        SetAttribute -object $newGroup -attributeName "DisplayName" -attributeValue $objectName
        SetAttribute -object $newGroup -attributeName "AccountName" -attributeValue $_.AccountName
        SetAttribute -object $newGroup -attributeName "Domain" -attributeValue $Domain
        SetAttribute -object $newGroup -attributeName "Scope" -attributeValue $Scope
        SetAttribute -object $newGroup -attributeName "Type" -attributeValue $Type
        SetAttribute -object $newGroup -attributeName "Filter" -attributeValue $filter
        SetAttribute -object $newGroup -attributeName "Description" -attributeValue $_.Description
        SetAttribute -object $newGroup -attributeName "Owner" -attributeValue $ownerID
        SetAttribute -object $newGroup -attributeName "DisplayedOwner" -attributeValue $ownerID
        SetAttribute -object $newGroup -attributeName "MembershipLocked" -attributeValue $true
        SetAttribute -object $newGroup -attributeName "MembershipAddWorkflow" -attributeValue "None"

        # Import group into the FIM Portal
        $newGroup | Import-FIMConfig -uri $URI
        write-host "`nGroup creation request complete`n"
    }
}
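The import script concatenates each Filter column straight into the <Filter> element and only checks for an existing group by DisplayName, so a malformed CSV is discovered one group at a time during import. The following pre-flight check is an added example, not part of the ScriptBox script: it reuses the article's column names and Filter wrapper, and the checks themselves (required columns, unique names, /Person XPath form, well-formed XML after wrapping) are assumptions about what a careful administrator would want to verify first.

```powershell
# Added example: validate a group CSV before handing it to the import script.
PARAM([string]$CSVFile = ".\groups.csv")

# Same wrapper the import script uses (assumed identical to the article's)
$PREFILTER  = "<Filter xmlns:xsi=`"http://www.w3.org/2001/XMLSchema-instance`" xmlns:xsd=`"http://www.w3.org/2001/XMLSchema`" Dialect=`"http://schemas.microsoft.com/2006/11/XPathFilterDialect`" xmlns=`"http://schemas.xmlsoap.org/ws/2004/09/enumeration`">"
$POSTFILTER = "</Filter>"

function Test-GroupCsv
{
    PARAM([string]$Path)
    $problems = @()
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { return ,@("CSV '$Path' has no data rows") }

    # 1. Every column the import script reads must be present in the header row
    $headers = $rows[0].PSObject.Properties | ForEach-Object { $_.Name }
    foreach ($col in "DisplayName", "AccountName", "Description", "Filter") {
        if ($headers -notcontains $col) { $problems += "Missing column '$col'" }
    }

    # 2. DisplayName and AccountName must be unique: the import script only
    #    looks for an existing group by DisplayName, so a repeated AccountName
    #    would otherwise be submitted to the portal
    foreach ($col in "DisplayName", "AccountName") {
        $rows | Group-Object -Property $col | Where-Object { $_.Count -gt 1 } |
            ForEach-Object { $problems += "Duplicate $col '$($_.Name)'" }
    }

    # 3. Each filter must be an XPath on /Person, and the <Filter> element the
    #    import script builds around it by plain concatenation must still parse
    #    as XML; a stray '<' or '&' inside the expression would break it
    foreach ($row in $rows) {
        $name = $row.DisplayName
        $f = [string]$row.Filter
        if ($f -notmatch '^/Person\[.*\]$') {
            $problems += "Row '$name': filter must have the form /Person[...]"
        }
        try { [xml]($PREFILTER + $f + $POSTFILTER) | Out-Null }
        catch { $problems += "Row '$name': wrapped filter is not well-formed XML ($($_.Exception.Message))" }
    }
    return ,$problems
}

$result = Test-GroupCsv -Path $CSVFile
if ($result.Count -gt 0) { $result | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "CSV '$CSVFile' passed pre-flight checks"
```

Run it against the same CSV you intend to pass to the import script; a non-zero exit code means at least one row would be rejected or would create an unintended group.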
Note
To provide feedback about this script, create a post on the FIM TechNet Forum.
For more FIM related Windows PowerShell scripts, see the FIM ScriptBox.