Hi there,


We’re going live with our FIM solution in a few weeks – we are only controlling staff at the moment, but this is what we have built – it’s entirely in the sync service, we are not using the group functionality in the portal.


We have a relatively small number of groups (at the moment) and these have already been created in AD. When a person is imported into the metaverse from HR, we use logic in advanced attribute flows to work out which groups they are allowed access to, based on their role, department and location. We then populate a multi-valued attribute on the person with the sAMAccountNames of the groups they should be a member of. After this, we run a ‘reflector MA’ to populate the group membership. The MA queries the metaverse and returns a list of employeeIDs for each group based on the multi-valued attribute we set earlier. We then pass the employeeIDs into the ‘members’ attribute of the group as reference objects. However, I expect we could also get the reflector to create new groups in the metaverse by setting up inbound attribute flows for all the required properties, and then export the new groups out to AD.


The logic we use to decide which groups a person is allowed access to is held in a number of cross-reference tables – for example we have one table which has a column for the job role and another column for the group name: a role can have many entries depending on how many groups are associated with it. We’re planning to build a web application to allow easy maintenance of these tables but haven’t had time as yet.


Hope this is of interest!


Kind regards,


Lee


From: Discussion for MS IDM tools liks ILM and FIM [mailto:[log in to unmask]] On Behalf Of Andy Swiffin (Staff)
Sent: 13 November 2015 10:32
To: [log in to unmask]
Subject: Re: Group management with FIM/MIM or other tools


Further to what Ian said:


Our current mechanism is still using a portal that works against our legacy eDirectory cluster; traditionally groups get sync’d over to AD through Novell IDM. The base set of groups Ian mentioned are the first to get flowed through using FIM, although they are still populated in eDirectory.


There is a perl script there which iterates over all groups and lists, reading an ldap filter on the group (schema extended) and (de)populating the group as required. Like you, we’ve been battling with how to move that forward. The best solution we can currently think of is to create a FIM-maintained ADLDS instance and run the perl engine (or rewrite in something else) there to still use LDAP and the filter on the groups.


But how to maintain that filter without the existing tools?   


I reckon this is one of the biggest issues facing large sites migrating to FIM!


(I did remember Grouper the other day, we’d previously ignored it as we have a perfectly fine solution, thanks, but perhaps we should have another look, I can’t even remember whether it does autogroups and on what criteria).


Cheers

Andy

(also Dundee)
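Two designs in this thread share one core: Lee's cross-reference tables that stamp a multi-valued group attribute on each person and a reflector MA that inverts it into per-group member lists, and Andy's engine that reads a rule held on each group and (de)populates the group to match. The Python below models that shared logic end to end as an added example; it is not FIM code and not from any poster. The cross-reference tables, the HR records, the group names and the current membership are all constructed, and the MANAGED_GROUPS set standing in for the groups already created in AD is an assumption. The two points it makes that the prose only implies: a rule naming a group that does not exist is refused rather than silently dropped, and a member that no rule justifies is removed, so a group with no remaining rule is emptied instead of drifting.

```python
"""Rule-driven group membership, modelled end to end: cross-reference tables
decide which groups a person should hold, that per-person result is inverted
into per-group member lists, and every managed group is then reconciled
(populated / depopulated) against its current membership.
All tables, people, group names and the current state are constructed."""
from collections import defaultdict

# Constructed cross-reference tables, one (key, group) row per rule; a key may
# appear on several rows when it grants several groups.
ROLE_GROUPS = [
    ("Lecturer", "g-academic-staff"),
    ("Lecturer", "g-vle-editors"),
    ("Admin", "g-admin-staff"),
]
DEPT_GROUPS = [("Physics", "g-dept-physics"), ("History", "g-dept-history")]
LOCATION_GROUPS = [("Main Campus", "g-site-main"), ("Annex", "g-site-annex")]
TABLES = {"role": ROLE_GROUPS, "department": DEPT_GROUPS, "location": LOCATION_GROUPS}

# Assumed: the groups that already exist in the directory and whose membership
# is under automated control (stands in for the pre-created AD groups).
MANAGED_GROUPS = {
    "g-academic-staff", "g-vle-editors", "g-admin-staff", "g-dept-physics",
    "g-dept-history", "g-site-main", "g-site-annex", "g-obsolete-project",
}


def index_tables(tables):
    """Turn each (key, group) row list into key -> set of groups."""
    indexed = {}
    for attr, rows in tables.items():
        idx = defaultdict(set)
        for key, group in rows:
            idx[key].add(group)
        indexed[attr] = idx
    return indexed


def desired_groups(person, indexed):
    """Union of the groups granted by each of the person's attributes: the
    value that would be stamped on the person as a multi-valued attribute."""
    granted = set()
    for attr, idx in indexed.items():
        granted |= idx.get(person.get(attr), set())
    return granted


def reflect(people, tables, managed=MANAGED_GROUPS):
    """Invert person -> groups into group -> employeeIDs (the 'reflector' view).
    Every managed group gets an entry, so a group that no rule grants comes back
    empty and is depopulated rather than left with stale members.  A rule naming
    a group that does not exist is an error to fix in the table, not to drop."""
    indexed = index_tables(tables)
    members = {g: set() for g in managed}
    for p in people:
        for g in desired_groups(p, indexed):
            if g not in managed:
                raise ValueError(f"rule grants unknown group {g!r}")
            members[g].add(p["employeeID"])
    return members


def reconcile(current, desired):
    """Per-group (add, remove) sets that make current membership match desired.
    Removals are computed as deliberately as additions: a member that no rule
    justifies is taken out, which is what keeps the groups least-privilege."""
    changes = {}
    for g, want in desired.items():
        have = current.get(g, set())
        add, remove = want - have, have - want
        if add or remove:
            changes[g] = (add, remove)
    return changes


# Constructed HR feed (the person objects as imported into the metaverse).
PEOPLE = [
    {"employeeID": "E100", "role": "Lecturer", "department": "Physics", "location": "Main Campus"},
    {"employeeID": "E200", "role": "Admin", "department": "History", "location": "Annex"},
    {"employeeID": "E300", "role": "Lecturer", "department": "History", "location": "Annex"},
]

# Constructed current directory state: E300 has moved from Physics to History,
# and g-obsolete-project still carries a member although no rule grants it.
CURRENT_MEMBERS = {
    "g-academic-staff": {"E100"},
    "g-dept-physics": {"E100", "E300"},
    "g-obsolete-project": {"E200"},
}


def run_example():
    """Full pass: desired membership from the tables, then the change set."""
    return reconcile(CURRENT_MEMBERS, reflect(PEOPLE, TABLES))


if __name__ == "__main__":
    for group, (add, remove) in sorted(run_example().items()):
        print(f"{group}: add={sorted(add)} remove={sorted(remove)}")
```

The change set is what a sync engine would export: E300 is added to the history groups and removed from g-dept-physics, and g-obsolete-project is emptied because nothing grants it any more. Swapping the table lookup in desired_groups for an evaluator of a filter stored on each group gives Andy's model with the same reflect/reconcile stages unchanged.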


From: Discussion for MS IDM tools liks ILM and FIM [mailto:[log in to unmask]] On Behalf Of Akers, Steve
Sent: 13 November 2015 10:02
To: [log in to unmask]
Subject: Re: Group management with FIM/MIM or other tools


Thanks Ian, nice to know we’re not alone!!


Kind Regards


Steve


From: Discussion for MS IDM tools liks ILM and FIM [mailto:[log in to unmask]] On Behalf Of Ian Swift (Staff)
Sent: 13 November 2015 09:52
To: [log in to unmask]
Subject: Re: Group management with FIM/MIM or other tools


Hi Steve,


This is something we’re battling with at the moment too. We’ve just gone through a university-wide restructure so have created a base set of groups/lists to reflect this, along similar lines to you, and are now wondering what to do about more bespoke requests (one option is just telling them no I guess :-) ).

We’d initially wanted to devolve creation of groups/lists to our users but they use such a wide variety of operating systems and browsers that the IE-dependent FIM portal is totally unusable for many of them. We had a look at Condrey Groupsymmetry but it can only operate directly against Active Directory. We don’t want to put all the attributes we’d need to build these groups into AD so would rather have something that could operate against a ‘private’ ADLDS instance with all the necessary attributes. We’d then sync the resultant groups back to AD with FIM.


We’re very interested to hear what others are doing too.


Ian Swift

University of Dundee


From: Discussion for MS IDM tools liks ILM and FIM [mailto:[log in to unmask]] On Behalf Of Akers, Steve
Sent: 13 November 2015 09:11
To: [log in to unmask]
Subject: Group management with FIM/MIM or other tools


Hi all,


I’m interested in how other people do group management, whether they use FIM/MIM or other utilities (such as Grouper). We’ve been using FIM and standard AD tools in combination; we use FIM mainly for automated / criteria-based groups. We have a base set of standard groups for things like “everyone in department X” or “all staff” which we can use for security or emailing, but they’re very generic. Recently we’ve had a request for much more granular security and distribution groups, for example “all students on course X, studying module Y, who started in academic year 2015”. With the number of courses and modules we have I can see this requiring 1000s of groups. Though FIM is capable of doing these, I’m wondering if it is the right tool for the job, as getting the groups set up (especially doing this in an automated way) doesn’t feel like an “out of the box” feature of FIM (what I mean by that is, for example, every time a new module appears in our student record system we automate the creation of a new group in FIM that is set up as criteria-based). I know it is certainly possible by setting the XPath filter attribute etc. but it does require a fair bit of work. I’m also a little concerned about performance in the portal with 1000s of criteria-based groups; we’ve had performance issues in the past.


I’m wondering whether FIM is the right way to go or whether we might be best off looking at a different tool / solution.  I’m just interested in what other people are doing in this area.


Any feedback welcome.


KR


Steve


======================


Steve Akers

Senior Solutions Developer

Development and Integration Services

IT Services

University of Leicester

T: 0116 223 1703

E: [log in to unmask]ac.uk



The University of Dundee is a registered Scottish Charity, No: SC015096



University of Cumbria E-mail Disclaimer
University of Cumbria is a Company Limited by Guarantee, Registered in England & Wales No. 06033238. Registered Office: University of Cumbria, Fusehill Street, Carlisle, CA1 2HH. Telephone 01228 616234.

Confidentiality: This email and its attachments are intended for the above named only and may be confidential. If they have come to you in error you must take no action based on them, nor must you copy or show them to anyone; please reply to this email and highlight the error.

Security Warning: Please note that this email has been created in the knowledge that Internet email is not a 100% secure communications medium. We advise that you understand and observe this lack of security when emailing us.

Viruses: Although we have taken steps to ensure that this email and attachments are free from any virus, we advise that in keeping with good computing practice the recipient should ensure they are actually virus free.