Partager via

Group Synchronization and Group Management

  • Article

There are a lot of guides out there that walk you through the steps of setting up Inbound Group Synchronization from Active Directory, on the surface these guides are correct except for 1 major flaw, most of the guides if not all of them show constant values for membershipLocked and the membershipAddWorkflow  attributes. This would be incorrect. The guides that I have seen show the following Inbound Attribute Flows for Group Managing

  1. Constant Values
  • "false"   -> membershipLocked
  • "Owner Approval" -> membershipAddWorkflow

The problem with using constant values for these attributes is every group that is being managed by the FIM Portal will be converted to a Manually Managed Group with Owner approval. This has its own set of problems

To better understand this, we have to understand the types of Groups that can be Managed with FIM.

Of course there is Security Groups and Distribution Groups but these groups can be separated into 4 sub categories.

There are 4 Sub Categories of FIM Managed Groups

  1. Criteria Based Groups:
  2. Manager Based Groups
  3. Open Groups
  4. Owner Approval Groups

Criteria Based Groups: Are groups that are defined based on a specified Criteria for example User Department being set with a value of HR. This criteria would automatically put all users that have a value of HR for the Department as a member of this group. Criteria Based Groups can be defined using multiple attributes in an And, Or , And / Or scenario.

Manager Based Groups: Much like Crieteria Groups except these are pre defined Criteria Groups with the Criteria being set using the Manager attribute of users. All users with the Manager Attribute set with the User that is defined as the manager in the Manager Based Group ill automatically be a member of the group.

Open Group: Are open for anyone to join the group, no approvals or permissions are required to become a member.

Owner Approval: Are groups that are initially Open for anyone to initiate or ask to Join the group which is then either approved or denied by one of the defined Owners of the Group. Currently Group ownership must be defined by individual users in the FIM Portal and can not by Default use another group set as the Group Owner of the group. You could manually using the Advanced feature set the Group Owner with another group but the approval process will fail because the Approval Workflow Process does not recursively resolve members of a group when.

 

How the FIM Portal identifies these Groups, The FIM Portal uses 2 Attributes to define these sub categories for groups

  1. membershipLocked
  2. membershipAddWorkflow

The combination of these 2 attributes and the values being set will define which category the Group falls into.

 

Group type membershipLocked membershipAddWorkflow
Criteria Group  True  None
Manager Based Groups  True  None
Open Groups  False  None
Owner Approval Groups  False  Owner Approval

 

By default you are unable to set a Group that has the Membership Add Workflow Attribute set with the value of Owner Approval with a value of True for the Membership Locked Attribute.

 

Now when using a Static value as the value being populated for the Membership Add Workflow Attribute or Membership Locked Attribute you would loose the ability to have any type of group in the FIM Portal other than Owner Approval. This would be because on every sync these attributes would be changed which would change the type of Group.

How i resolve this issue:

If your working with Groups its a good chance that Exchange is installed on the network. So I normally try and utilize2 of the extensionAttribute1 and 2 if available or any 2 of the extensionAttributes, There are other attributes that you could use but i would recomend at least 2 unused attributes. In an envioronment where Exchange is not installed you will probably not have extensionAttributes 1 through 15 but there should be an attribute called groupAttrbutes which is no longer used.

How I configure the Outbound Group Synchronization Rule

Source Destination
CustomExpression IIF(membershipLocked,"true","false")  extensionAttribute2
CustomExpression membershipAddWorkflow  extensionAttribute1

 

How I configure the Inbound Group Synchronization Rule.

Source Destination
CustomExpression IIF(IsPresent(extensionAttribute2),extensionAttribute2,"false")  membershipLocked
CustomExpression IIF(IsPresent(extensionAttribute1),extensionAttribute1,"None")  membershipAddWorkflow

 

 

Additionally there are a few additional things to keep in mind when working with Groups within the FIM Portal.

By Default when Creating a Security Group in AD it does not contain a Display Name, so when you import these groups into the FIM Portal you don't know which group is which unless you click on it, or when you well that kind of defeats the purpose of Group Management.

I like to add the Following Attribute Flows on the Inbound and Outbound Sync Rules to fix this issue.

 

How I configure the Inbound Group Synchronization Rule to add Display Name for Groups into the FIM Portal. In my example I use the attribute cn but you could also use the name attribute as by default these 2 attributes are populated for all groups in AD.

Source Destination
 CustomExpression  IIF(IsPresent(displayName),displayName,cn)  displayName
 

On the Outbound Group Sync Rule I simply flow displayName to displayName which will update the Display Name on all FIM Managed Security Groups

 

 

 

## https://blogs.msdn.com/connector_space ##

Comments

  • Anonymous
    February 01, 2015
    Good stuff Anthony. I didn't fully understand the explanation on the membershiplocked and membershipaddworkflow but I'll try to read up more on it. Also, check spelling.

  • Anonymous
    February 01, 2015
    Good stuff Anthony. I didn't fully understand the explanation on the membershiplocked and membershipaddworkflow but I'll try to read up more on it. Also, check spelling.

  • Anonymous
    February 01, 2015
    Syncing a value to represent "membershipLocked" and "membershipAddWorkflow" allows Group Management to completely sync without negatively impacting the Group within the Portal for example by following the "How Do I Synchronize Groups from AD DS to FIM" located technet.microsoft.com/.../ff686936%28v=WS.10%29.aspx it suggest. This referenced guide suggest a constant flow for "membershipLocked" = "false" and "membershipAddWorkflow" = "OwnerApproval". If in the portal you convert a group or create a new group to utilize one of the Criteria Group Features and you sync this group to Active Directory on the next Inbound Sync this would break the criteria group, converting to a improperly configured owner approved group. Of course you could set precedence but this could potentially limit how you manage groups in your environment especially if your deploying Group Management in multiple phases across your organization.  

  • Anonymous
    June 30, 2016
    Hello!How we can add extensionAttribute1 and extensionAttribute2 to our sync rules?This parameters are not available for choice.Thanks!

    • Anonymous
      July 26, 2016
      @AL the "extensionAttribute1" and "extensionAttribute2" attributes or any attributes that you wish to be able to work with need to be (Depending on the Source or destination) , in the above example i created these custom attributes in the Synchronization Server which is then shows up for an Inbound Sync Rule as the "Source" of the attribute.Does that help.