Hi Alistair!
Saw some messages you've been sending re: MIM. I know Danny's replied to a few... if you need some more in-depth advice, or someone to review your setup before you push it into production, give us a shout and we can see how we can help 😊.
Hope you're keeping well - if there's anything else you guys need to get remote learning in place, then just shout!
Thanks
A
Amy Stokes-Waters
Identity & Security Specialist
M: 07712 741 463
Identity Experts Limited is a company registered in England and Wales, Company No 9002786, VAT No 189 0038 93
Registered Office: The Media Centre | Northumberland Street | Huddersfield | West Yorkshire | United Kingdom | HD1 1RL
-----Original Message-----
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> On Behalf Of Alistair Young
Sent: 30 March 2020 15:05
To: [log in to unmask]
Subject: Re: Dealing with thousands of groups
I found this article which seems to talk about multi-value sql stuff so I'll have a read. Thanks for pointing me in that direction. Another technet post confirmed it's not possible to do group management in code in a MA rules extension. One needs this multi-value stuff or dump a post-provisioning text file somewhere to be picked up by something else that does something. Maybe I'll just knock up an ActiveMQ MA that sends post-provisioning messages to a broker and let a separate group management system pick them up and do the group stuff. hmmm, mim could say "I've just done this, who else needs to do something?".
https://www.wapshere.com/missmiis/who-needs-group-populator-when-you-have-multivalue-tables
cheers,
Alistair
________________________________________
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> on behalf of Alistair Young <[log in to unmask]>
Sent: 30 March 2020 14:50
To: [log in to unmask]
Subject: Re: Dealing with thousands of groups
Warning. This email did not originate from the University.
You should only open any links or attachments if you are certain this email is genuine and the content is safe.
Warning. This email contains web links and originates from outside of the University.
You should only click on these links if you are certain that the email is genuine and the content is safe.
I think I'm ok on the main flow SQL MA -> AD. How do you actually create the groups? I couldn't see a way to do it in either the SQL rules DLL or Metaverse provisioning DLL. All the required info is coming in on the SQL MA but I need to create the group based on multi-valued enrollments. e.g. if enrollment field = MOD101, the group needs to be Course-MOD101-Students. The portal can't do that. Is it possible to write code to do it in a rules extension? I tried that but it all went to pot as the DLL can't put users in groups, or create groups. In fact, pot is putting it lightly! I'm missing my 1s and 0s.
cheers,
Alistair
________________________________________
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> on behalf of Danny Grogan <[log in to unmask]>
Sent: 30 March 2020 14:44
To: [log in to unmask]
Subject: Re: Dealing with thousands of groups
Yes, it's the SQL Server MA. It's all about creating the correct data views from SQL and having a multi-valued data input. I can run you through it on a call if that's easier.
When you say "The course/module groups don't have the same name as the courses/modules", is there anything we can link them with (a code or anything)? If there's nothing to link them with, you may be better starting from scratch. If there is anything that can link them, join rules will link and manage them.
Cheers
Danny Grogan
External Confidential
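Added illustration, not part of any message in this thread: the "data views from SQL with a multi-valued input" approach Danny describes, sketched with SQLite standing in for the SQL Server source. The `enrolment` table, the two view names and their columns are assumptions made for this sketch; only the `Course-MOD101-Students` naming pattern comes from the thread. Because both views are derived from the enrolment rows, a group appears when its first member does and disappears with its last, and membership is exactly what the student records say.

```python
import sqlite3

# Hypothetical schema; SQLite stands in for the SQL Server database behind the SQL MA.
SCHEMA = """
CREATE TABLE enrolment (student_id TEXT NOT NULL, module_code TEXT NOT NULL);

-- Base view: one row per group object. A group exists only while
-- at least one enrolment row references its module.
CREATE VIEW group_base AS
SELECT DISTINCT 'Course-' || module_code || '-Students' AS group_name,
       'group' AS object_type
FROM enrolment;

-- Multivalue view: one row per (group, attribute, value).
CREATE VIEW group_multivalue AS
SELECT DISTINCT 'Course-' || module_code || '-Students' AS group_name,
       'member' AS attribute_name,
       student_id AS string_value
FROM enrolment;
"""

# Constructed sample data, not taken from any real student record system.
SAMPLE = [("s001", "MOD101"), ("s002", "MOD101"), ("s001", "MOD205")]


def open_srs(rows):
    """Build an in-memory source database holding the given enrolment rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO enrolment VALUES (?, ?)", rows)
    return conn


def read_groups(conn):
    """Return {group_name: sorted members}, as a full import of both views would see it."""
    groups = {name: [] for (name,) in conn.execute("SELECT group_name FROM group_base")}
    query = ("SELECT group_name, string_value FROM group_multivalue "
             "WHERE attribute_name = 'member' ORDER BY group_name, string_value")
    for name, member in conn.execute(query):
        groups[name].append(member)
    return groups


def demo():
    """Show group state before and after the enrolment data changes."""
    conn = open_srs(SAMPLE)
    before = read_groups(conn)
    # s001 drops MOD205 (its only member) and s003 enrols on a new module.
    conn.execute("DELETE FROM enrolment WHERE student_id = 's001' AND module_code = 'MOD205'")
    conn.execute("INSERT INTO enrolment VALUES ('s003', 'MOD310')")
    return before, read_groups(conn)


if __name__ == "__main__":
    for state in demo():
        print(state)
```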
-----Original Message-----
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> On Behalf Of Alistair Young
Sent: 30 March 2020 14:37
To: [log in to unmask]
Subject: Re: Dealing with thousands of groups
thanks again, not sure I'm really getting any of this though (I'm not an AD admin so please excuse me not understanding the answers!).
If mim sync is the 'SQL MA' I can't see how to create/populate groups as users can't be added to non existent groups at that stage by a rules extension and the extension can't create groups either.
The course/module groups don't have the same name as the courses/modules and the solution at the moment is to create/manage them directly in AD via a daemon service linked to the SRS. I can't see any way to replicate this in mim. e.g. SQL MA -> sync -> group management in metaverse -> export to AD.
cheers,
Alistair
________________________________________
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> on behalf of Danny Grogan <[log in to unmask]>
Sent: 30 March 2020 14:14
To: [log in to unmask]
Subject: Re: Dealing with thousands of groups
Hi Alistair
We typically do this through MIM Sync, using HR/Student Records SQL data. Every course/module/department etc. gets a group created (Distribution or Security as required) and adds everyone required to the groups (this includes 1 to many, where one student may be on many courses/modules etc). This can then sync to any app that handles groups (LDAP/AD/ADLDS/Portal etc.). You can also create all groups and generate a filter on each (all people on course XXY).
This needs to be logic absolute, i.e. you are in the course, therefore in the group or not on the course and not a member. I've previously POC'd a bolt on that creates an inclusion and exclusion group for each course/module/dept in the portal to override the SQL data. Users can then request to join the inclusion group and admins can add users to the exclusions group.....it worked in Dev 😊
The overrides are complex, the SQL data group creation is fairly straightforward.
Cheers
Danny Grogan
External Confidential
-----Original Message-----
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> On Behalf Of Andy Swiffin (Staff)
Sent: 30 March 2020 13:52
To: [log in to unmask]
Subject: Re: Dealing with thousands of groups
I'm not sure I understand the question.
Users are sync'd on to the group engine by MIM. The software running on the group engine manages the membership and the groups get syncd back through mim to AD.
Andy
-----Original Message-----
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> On Behalf Of Alistair Young
Sent: 30 March 2020 13:43
To: [log in to unmask]
Subject: Re: Dealing with thousands of groups
thanks for that. Do you manage memberships of those groups with the 'group engine' too? e.g. does mim create the users and the 'group engine' adds/removes them from groups? If so, how do you sync the two? i.e. the 'group engine' running but the users not yet created by mim?
thanks,
Alistair
________________________________________
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> on behalf of Andy Swiffin (Staff) <[log in to unmask]>
Sent: 30 March 2020 13:30
To: [log in to unmask]
Subject: Re: Dealing with thousands of groups
We manage our autogroups in a separate adlds "group engine". We've extended group schema to include an ldap filter.
Module lists automatically create as soon as a student is seen with that module and automatically delete when there are no more members.
Cheers
Andy
-----Original Message-----
From: Discussion for MS IDM tools liks ILM and FIM <[log in to unmask]> On Behalf Of Alistair Young
Sent: 30 March 2020 12:27
To: [log in to unmask]
Subject: Dealing with thousands of groups
I was wondering if there were tips for dealing with thousands of groups. At the moment, it's a few lines of code to create/populate AD groups based on course and module membership in the SRS. The portal seems to be a manual setup with criteria for membership. This isn't an option if there are thousands of groups. Is it possible to do this programmatically in a DLL? "memberOf" is a read-only attribute in the metaverse so I can't influence membership that way. Finding the group in the metaverse doesn't seem to work either, to influence "member". Plus, if the group doesn't exist (a course newly created) there doesn't seem to be a way to create it on the fly as it doesn't relate to identity information. Or perhaps, during provisioning, add it to the metaverse during initial flow if it's required, based on a user's course/module enrolments, as seen by the DLL from their metaverse information.
thanks,
Alistair
########################################################################
To unsubscribe from the MICROSOFT-IDENTITY list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=MICROSOFT-IDENTITY&A=1
The University of Dundee is a registered Scottish Charity, No: SC015096
Given that changes in your requirements may occur, and that final performance will depend on a variety of factors, not all of which are known in detail at this stage, none of the statements in this email constitutes a representation for which Identity Experts (IE) can accept any liability. Any guidance or advice provided should only be binding on IE once further diligence and design are undertaken and a final contract setting out expressly agreed terms and conditions is signed between authorised representatives of our companies
Identity Experts Limited | Registered Office: The Media Centre, 7 Northumberland Street, Huddersfield, HD1 1RL, England | Registered Number: 9002786 | VAT number: GB189003893
This e-mail may contain confidential and/or legally privileged material for the sole use of the intended recipient. If you are not the intended recipient (or authorized to receive for the recipient) please contact the sender by reply e-mail and delete all copies of this message. If you are receiving this message internally within the group of Identity Expert companies, you should consider the contents "CONFIDENTIAL"