First published on MSDN on Jan 26, 2015
Please be sure to read the first part of the series, Understanding Group Management - Intro to Group Synchronization and Attribute Management, prior to configuring your Inbound Group Synchronization Sync Rule. I would also recommend reading Introducing Synchronization Rules - Part 1 and Part 2, as well as Understanding the FIM Service Management Agent (FIM MA) and Configuring the FIM MA, to help understand how data is synchronized between the Metaverse and the connected data sources.
In this post we will discuss the attribute flows needed to synchronize groups into the Metaverse from Active Directory.
Understanding Group Management - Inbound Group Synchronization
Configuring an Inbound Group Synchronization Rule
Thus far, we have created a means for getting users out of Active Directory and into the portal, as well as provisioned from the Portal to Active Directory. Now we will address groups. Though the process is similar (SR, MPR, WF), there is some added complexity with regard to the custom expressions that are required for groups to flow correctly.
To begin, navigate to the Portal home screen:
In the right-hand menu, select “Synchronization Rules”
This will open the Synchronization Rules menu.
In the top menu, click “New”
On the “General” tab, enter the following information.
Under the “Scope” tab, for “Metaverse Resource Type” select “group”. For “External System”, select the Active Directory management agent you wish to use. For “External System Resource Type”, select “group”. Click “Next” to continue.
For the “Relationship” tab, use the drop-down menu below “MetaverseObject:group(Attribute)” to select “accountName”. For “ConnectedSystemObject:group(Attribute)”, select “sAMAccountName”.
If you would like to create the object in the FIM Portal if it does not exist, be sure to place a check in the box next to “Create resource in FIM”, then click “Next” to continue.
Now we must configure the “Inbound Attribute Flows”. Most of these are straightforward, with a few exceptions.
Suggested attribute flows (environment dependent): Direct attribute flows
Note: Any attribute that will be managed by the FIM Portal, such as MembershipLocked and MembershipAddWorkflow, which are used to determine the group type, must have a supporting attribute flow configured on the FIM MA. Please see the referenced links at the beginning of this post.
Source | Destination
--------------- | ---------------
description | description
objectSid | objectSid
samAccountName | accountName
managedBy | displayOwner
managedBy | owner
member | member

Source (customExpression) | Destination
--------------- | ---------------
IIF(Eq(BitAnd(2,groupType),2),"Global",IIF(Eq(BitAnd(4,groupType),4),"DomainLocal","Universal")) | scope
IIF(Eq(BitOr(14,groupType),14),"Distribution","Security") | type
IIF(IsPresent(displayName),displayName,cn) | displayName
IIF(IsPresent(extensionAttribute1),extensionAttribute1,"None") | membershipAddWorkflow
IIF(IsPresent(extensionAttribute2),extensionAttribute2,"false") | membershipLocked
Additionally, the Domain attribute is also required; you can set it with a constant string value or use a custom expression like the one posted in a previous blog.
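To sanity-check the bit arithmetic in the scope and type custom expressions above before the rule goes live, here is an added Python re-implementation of the same logic (example code, not from the original post or from FIM itself). The flag constants are the standard AD groupType bits and the sample groupType values are constructed to match what AD returns for each group kind.

```python
# Added example (not from the original post): re-implements the FIM custom
# expressions for the "scope" and "type" inbound flows so the bit logic can
# be checked against known AD groupType values.

# AD groupType flag bits (standard schema values, shown for reference)
GLOBAL = 0x00000002
DOMAIN_LOCAL = 0x00000004
UNIVERSAL = 0x00000008
SECURITY_ENABLED = 0x80000000  # AD exposes this as a negative signed 32-bit int


def to_signed32(value: int) -> int:
    """Convert a raw 32-bit flag word to the signed form AD returns (e.g. -2147483646)."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def fim_scope(group_type: int) -> str:
    """IIF(Eq(BitAnd(2,groupType),2),"Global",
           IIF(Eq(BitAnd(4,groupType),4),"DomainLocal","Universal"))"""
    if (2 & group_type) == 2:
        return "Global"
    if (4 & group_type) == 4:
        return "DomainLocal"
    return "Universal"


def fim_type(group_type: int) -> str:
    """IIF(Eq(BitOr(14,groupType),14),"Distribution","Security")

    BitOr(14, groupType) equals 14 only when groupType sets no bits outside
    0x2|0x4|0x8, i.e. the 0x80000000 security bit is clear."""
    return "Distribution" if (14 | group_type) == 14 else "Security"


def classify(group_type: int) -> tuple[str, str]:
    """Return (scope, type) exactly as the two sync-rule expressions would flow them."""
    return fim_scope(group_type), fim_type(group_type)


# Constructed sample groupType values, in the signed form AD returns them
SAMPLES = {
    "Global security (default new group)": to_signed32(SECURITY_ENABLED | GLOBAL),
    "Domain local security": to_signed32(SECURITY_ENABLED | DOMAIN_LOCAL),
    "Universal security": to_signed32(SECURITY_ENABLED | UNIVERSAL),
    "Global distribution": GLOBAL,
    "Universal distribution": UNIVERSAL,
}

if __name__ == "__main__":
    for name, gt in SAMPLES.items():
        print(f"{name:36} groupType={gt:>12} -> {classify(gt)}")
```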
Exceptions: