Hi there,
We’re going live with our FIM solution in a few weeks – we are only controlling staff at the moment, but this is what we have built – it’s entirely in the sync service, we are not using the group functionality in the portal.
We have a relatively small number of groups (at the moment) and these have already been created in AD. When a person is imported into the metaverse from HR, we use logic in advanced attribute flows to work out which groups they are allowed access to, based on their role, department and location. We then populate a multi-valued attribute on the person with the sAMAccountNames of the groups they should be a member of. After this, we run a ‘reflector MA’ to populate the group membership. The MA queries the metaverse and returns a list of employeeIDs for each group based on the multi-valued attribute we set earlier. We then pass the employeeIDs into the ‘members’ attribute of the group as reference objects. However I expect we could also get the reflector to create new groups in the metaverse by setting up inbound attribute flows for all the required properties, and then export the new groups out to AD.
The logic we use to work out which groups a person is allowed access to is held in a number of cross reference tables – for example we have one table which has a column for the job role and another column for the group name: a role can have many entries depending on how many groups are associated with it. We’re planning to build a web application to allow easy maintenance of these tables but haven’t had time as yet.
Hope this is of interest!
Kind regards,
Lee
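To make the two stages Lee describes concrete (attribute flows that derive a multi-valued group attribute from cross reference tables, then a reflector that inverts person-to-groups into group-to-employeeIDs), here is an added example in Python. It is not Lee's sync service code or any FIM API; the table contents, attribute names (`role`, `department`, `location`, `employeeID`) and group sAMAccountNames are constructed sample data. It also goes one step beyond the message by diffing the computed membership against what AD currently holds, which is what a sync engine does before exporting.

```python
"""Added example (not from the original post): derive group entitlements from
role/department/location cross reference tables, then 'reflect' them into
group -> employeeID lists. All table values below are constructed samples."""
from collections import defaultdict

# Constructed cross reference tables: attribute value -> entitled group sAMAccountNames.
# A role can have many rows, matching the one-role-many-groups table Lee describes.
ROLE_GROUPS = {
    "Lecturer": ["GRP-Teaching", "GRP-Staff"],
    "Administrator": ["GRP-Staff", "GRP-Admin"],
    "Researcher": ["GRP-Research", "GRP-Staff"],
}
DEPT_GROUPS = {
    "Physics": ["GRP-Dept-Physics"],
    "History": ["GRP-Dept-History"],
}
LOCATION_GROUPS = {
    "MainCampus": ["GRP-Site-Main"],
    "Remote": ["GRP-Site-Remote", "GRP-VPN-Users"],
}


def entitled_groups(person):
    """Stand-in for the advanced attribute flow: compute the multi-valued
    group attribute on a person. Unknown or missing attribute values simply
    contribute nothing (a leaver with no current role ends up in no groups),
    and duplicates are collapsed so the attribute never holds a group twice."""
    groups = set()
    groups.update(ROLE_GROUPS.get(person.get("role"), []))
    groups.update(DEPT_GROUPS.get(person.get("department"), []))
    groups.update(LOCATION_GROUPS.get(person.get("location"), []))
    return sorted(groups)


def reflect_memberships(people):
    """Stand-in for the reflector MA: invert person -> groups into
    group -> sorted employeeIDs, i.e. the values for the group's 'members'."""
    members = defaultdict(set)
    for person in people:
        for group in entitled_groups(person):
            members[group].add(person["employeeID"])
    return {group: sorted(ids) for group, ids in members.items()}


def membership_changes(current, desired):
    """Diff AD's current membership against the reflected result so only
    additions and removals are exported. Returns group -> (to_add, to_remove)."""
    changes = {}
    for group in set(current) | set(desired):
        have = set(current.get(group, []))
        want = set(desired.get(group, []))
        if have != want:
            changes[group] = (sorted(want - have), sorted(have - want))
    return changes


# Constructed HR feed: four people, the last one a leaver with no role.
PEOPLE = [
    {"employeeID": "E1001", "role": "Lecturer", "department": "Physics", "location": "MainCampus"},
    {"employeeID": "E1002", "role": "Administrator", "department": "History", "location": "Remote"},
    {"employeeID": "E1003", "role": "Researcher", "department": "Physics", "location": "Remote"},
    {"employeeID": "E1004", "role": "Leaver"},
]

# Constructed snapshot of what AD holds today (E1004 still lingers in GRP-Staff).
CURRENT_AD = {
    "GRP-Staff": ["E1001", "E1004"],
    "GRP-Dept-Physics": ["E1001", "E1003"],
}

if __name__ == "__main__":
    desired = reflect_memberships(PEOPLE)
    for group, (add, remove) in sorted(membership_changes(CURRENT_AD, desired).items()):
        print(f"{group}: add {add}, remove {remove}")
```

The diff step is the part worth keeping in mind when a leaver disappears from the HR feed: because the person contributes no groups, the reflector's result no longer lists them and the export removes them, which is the behaviour you want for a role-based model.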
From: Discussion for MS IDM tools liks ILM and FIM [mailto:[log in to unmask]]
On Behalf Of Andy Swiffin (Staff)
Sent: 13 November 2015 10:32
To: [log in to unmask]
Subject: Re: Group management with FIM/MIM or other tools
Further to what Ian said:
Our current mechanism is still using a portal that works against our legacy eDirectory cluster, traditionally groups get sync’d over to AD through Novell IDM. The base set of groups Ian mentioned are the first to get flowed through using FIM, although they are still populated in eDirectory.
There is a perl script there which iterates over all groups and lists reading an ldap filter on the group (schema extended) and (de)populating the group as required. Like you, we’ve been battling with how to move that forward. The best solution we can currently think of is to create a FIM maintained ADLDS instance and run the perl engine (or rewrite in something else) there to still use LDAP and the filter on the groups.
But how to maintain that filter without the existing tools?
I reckon this is one of the biggest issues facing large sites migrating to FIM!
(I did remember Grouper the other day, we’d previously ignored it as we have a perfectly fine solution, thanks, but perhaps we should have another look, I can’t even remember whether it does autogroups and on what criteria).
Cheers
Andy
(also Dundee)
From: Discussion for MS IDM tools liks ILM and FIM [mailto:[log in to unmask]]
On Behalf Of Akers, Steve
Sent: 13 November 2015 10:02
To: [log in to unmask]
Subject: Re: Group management with FIM/MIM or other tools
Thanks Ian, nice to know we’re not alone!!
Kind Regards
Steve
From: Discussion for MS IDM tools liks ILM and FIM [mailto:[log in to unmask]]
On Behalf Of Ian Swift (Staff)
Sent: 13 November 2015 09:52
To: [log in to unmask]
Subject: Re: Group management with FIM/MIM or other tools
Hi Steve,
This is something we’re battling with at the moment too. We’ve just gone through a university wide restructure so have created a base set of groups/lists to reflect this along similar lines to you and are now wondering what to do about more bespoke requests (one option is just telling them no I guess :) ).
We’d initially wanted to devolve creation of groups/lists to our users but they use such a wide variety of operating systems and browsers that the IE dependent FIM portal is totally unusable for many of them.
We had a look at Condrey Groupsymmetry but it can only operate directly against Active Directory. We don’t want to put all the attributes we’d need to build these groups into AD so would rather have something that could operate against a ‘private’ ADLDS instance with all the necessary attributes. We’d then sync the resultant groups back to AD with FIM.
We’re very interested to hear what others are doing too.
Ian Swift
University of Dundee
From: Discussion for MS IDM tools liks ILM and FIM [mailto:[log in to unmask]]
On Behalf Of Akers, Steve
Sent: 13 November 2015 09:11
To: [log in to unmask]
Subject: Group management with FIM/MIM or other tools
Hi all,
I’m interested in how other people do group management, whether they use FIM/MIM or other utilities (such as Grouper). We’ve been using FIM and standard AD tools in combination, we use FIM mainly for automated / criteria based groups.
We have a base set of standard groups for things like “everyone in department X” or “all staff” which we can use for security or emailing but they’re very generic. Recently we’ve had a request for much more granular groups for security and distribution groups.
For example “all students on course X, studying module Y who started in academic year 2015”. With the number of courses and modules we have I can see this requiring 1000’s of groups. Though FIM is capable of doing these I’m wondering if it is the right tool for the job as getting the groups set up (especially doing this in an automated way) doesn’t feel like an “out of the box” feature of FIM (what I mean by that is for example every time a new module appears in our student record system we automate the creation of a new group in FIM that is set up as criteria based). I know it is certainly possible by setting the XPath filter attribute etc but it does require a fair bit of work. I’m also a little concerned about performance in the portal with 1000’s of criteria based groups, we’ve had performance issues in the past.
I’m wondering whether FIM is the right way to go or whether we might be best off looking at a different tool / solution. I’m just interested in what other people are doing in this area.
Any feedback welcome.
KR
Steve
======================
Steve Akers
Senior Solutions Developer
Development and Integration Services
IT Services
University of Leicester
T: 0116 223 1703
E: [log in to unmask]ac.uk
The University of Dundee is a registered Scottish Charity, No: SC015096