> On 28 Jul 2020, at 11:49, Alistair Young wrote:
>
> thanks Matthew, I think that's something for the DBA to chew over.
>
> "provisioning code to create these groups in your chosen directory (Active Directory?) and flow “member” into those group objects"
> that's the bit I couldn't get my head round at the start of working with MIM. A MA can't do that (or so I thought), hence the multi-value tables. Something to do with everything having to be present in the CS at the same time, otherwise I could just have done everything in the MA Extension based on attributes imported on the user into the CS.
>
> Have I missed something in joining up user, group and member in a MA Extension?
>
> if csEntry["modules"] contains "MOD101" -> create group MOD101 if not exist -> add user dn as member

From what I remember, the VIEWs the post describes output a dataset with two object types:
1. Person objects (just because they need referencing)
2. Group objects with "member" attributes which are DNs to the Person objects
The Person objects are JOINed to the MV but no attributes are flowed anywhere. The Group objects are Projected into the MV with their member attributes (which magic their DNs into MV DNs). So you end up with a Group object in the MV with members which are MV Person objects.
Once you have that, your MV Provisioning Code can provision the Group object into your AD Connector Space and flow member over.
Note: this is from memory from a few years ago now and I don't have the code to consult any more!
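
The provisioning step described above could look like the following. This is an added example, not part of the original message and not the poster's code. The MA name "AD MA", the container OU, and the use of the metaverse attribute accountName to carry the module code are assumptions.

```csharp
// Added example: hypothetical MIM metaverse rules extension for group provisioning.
using System;
using Microsoft.MetadirectoryServices;

namespace Mms_Metaverse
{
    public class MVExtensionObject : IMVSynchronization
    {
        private const string AdMaName = "AD MA";                                    // assumed MA name
        private const string GroupContainer = "OU=Modules,DC=example,DC=ac,DC=uk"; // assumed OU

        public void Initialize() { }
        public void Terminate() { }

        public void Provision(MVEntry mventry)
        {
            // Only group objects projected from the SQL views are handled here.
            if (!mventry.ObjectType.Equals("group", StringComparison.OrdinalIgnoreCase))
                return;

            // Assumption: the view supplies the module code (e.g. MOD101) as accountName.
            if (!mventry["accountName"].IsPresent)
                return;

            ConnectedMA adMa = mventry.ConnectedMAs[AdMaName];
            if (adMa.Connectors.Count > 0)
                return; // AD connector already exists; export attribute flow keeps it current

            string name = mventry["accountName"].Value;
            ReferenceValue dn = adMa.EscapeDNComponent("CN=" + name).Concat(GroupContainer);

            CSEntry csentry = adMa.Connectors.StartNewConnector("group");
            csentry.DN = dn;
            csentry["sAMAccountName"].Value = name;
            csentry.CommitNewConnector();
            // "member" is not set in code. A direct export attribute flow on the AD MA
            // (MV group.member -> AD group.member) carries the references, and only
            // members that themselves have a connector in the AD MA are exported.
        }

        public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
        {
            throw new EntryPointNotImplementedException();
        }
    }
}
```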