a. SystemName: MemberAddFeeder
b. DisplayName: Add to group
c. Type: Reference (multi-value)

a. SystemName: MemberRemoveFeeder
b. DisplayName: Remove from group
c. Type: Reference (multi-value)
<
my:Grouping
my:Name
=
"GroupMembership"
my:Caption
"memberOf"
my:Enabled
"true"
my:Visible
>
my:Control
"GroupList"
my:TypeName
"UocListView"
my:ExpandArea
"false"
"Current Group Memberships"
my:Properties
my:Property
"ColumnsToDisplay"
my:Value
"DisplayName,Description"
/>
"EmptyResultText"
"User does not belong to any group"
"PageSize"
"10"
"ShowTitleBar"
"ShowActionBar"
"ShowPreview"
"ShowSearchControl"
"EnableSelection"
"SingleSelection"
"ListFilter"
"/Group[(ComputedMember='%ObjectID%') or (ExplicitMember='%ObjectID%')]"
</
"MemberRemove"
"UocIdentityPicker"
"{Binding Source=schema, Path=MemberRemoveFeeder.DisplayName}"
my:Description
"{Binding Source=schema, Path=MemberRemoveFeeder.Description}"
my:RightsLevel
"{Binding Source=rights, Path=MemberRemoveFeeder}"
"ObjectTypes"
"Group"
"ResultObjectType"
"Value"
"{Binding Source=object, Path=MemberRemoveFeeder, Mode=TwoWay}"
"Mode"
"MultipleResult"
"Filter"
"/Group[(ExplicitMember='%ObjectID%')]"
"ListViewTitle"
"Select one or more group to remove."
"MemberAdd"
"{Binding Source=schema, Path=MemberAddFeeder.DisplayName}"
"{Binding Source=schema, Path=MemberAddFeeder.Description}"
"{Binding Source=rights, Path=MemberAddFeeder}"
"{Binding Source=object, Path=MemberAddFeeder, Mode=TwoWay}"
"UsageKeywords"
"Select one or more group to add."
1. UsageKeywords: Displays all search scopes with the given usage keyword in the group selection window. You can then search for groups, even with custom filtering.
2. DefaultSearchScopeName: Specifies exactly which search scope to use in the group selection window. You can also do a custom search for groups with this property. This is the only way to search and resolve on integer attributes, as also described in this forum post: http://social.technet.microsoft.com/Forums/en-US/79a70b41-898a-41e6-b966-1eeeb08e9a35/attributes-to-search-and-resolving#8a2d769c-143c-4388-a2db-ac94096f0cfb
3. Filter: Defines an XPath filter that is used exclusively to select the groups displayed in the group selection window. You cannot search for groups in that window; only the groups matching this filter are displayed. (Use this for a small number of groups only.)
a. DisplayName: FIM service account
b. Criteria: Use the match All criteria, ResourceID is “FIM service account person object”

a. DisplayName: Helpdesk Users
b. Criteria: Build criteria that match your helpdesk users; make sure the FIM service account does not belong to this set (Important!!!).
a. DisplayName: UserUI - add member to group and clear feeder attribute
b. Add the Powershell activity to the workflow with the following script:
if (-not $fimwf)
{
    Throw "Failed to get workflow details from the FIM Request"
}
Write-Verbose "Processing FIM WF with Request Details: $fimwf"

# Load Microsoft FIMAutomation SnapIn and PowerShell Modules from Craig Martin
Write-Verbose "Loading SnapIns and Modules"
Add-PSSnapin FIMAutomation
Import-Module C:\FIMPowershellModule\FimPowerShellModule.psm1 -Verbose:$false

# Function to get Member AccountName from the Request Details
function GetObjectAccountName($ReqObject, $guid)
{
    $SearchGuid = "urn:uuid:" + $guid
    $Object = $ReqObject | where { $_.ObjectId -eq $SearchGuid }
    $Object.AccountName
}

# Get Request from FIM-Service
Write-Verbose "Getting the request object from FIMService"
$Request = Export-FIMConfig -Custom ("/*[ObjectID='{0}']" -F $fimwf.RequestId.Guid) | Convert-FimExportToPSObject

# Useful Information is found in the RequestParameter XML data
# The first object in the array is always the request.
$ReqParmList=$Request[0].RequestParameter
$Username=GetObjectAccountName $Request $fimwf.TargetId.Guid

# Process each of the member changes
Write-Verbose "Processing application changes for this user"
foreach ($ReqParm in $ReqParmList)
{
    $ReqParmXML = [XML]$ReqParm
    if ($ReqParmXML.RequestParameter.PropertyName -like "MemberAdd*" -and $ReqParmXML.RequestParameter.Operation -eq "Create")
    {
        switch ($ReqParmXML.RequestParameter.Mode)
        {
            "Add"
            {
                $GroupName = GetObjectAccountName $Request $ReqParmXML.RequestParameter.Value."#text"
                New-FimImportObject -ObjectType Group -State Put -Anchor @{AccountName='{0}' -F $GroupName} `
                    -Changes @(
                        New-FimImportChange -Operation 'Add' -AttributeName 'ExplicitMember' -AttributeValue ('Person','AccountName',('{0}' -F $UserName))) -ApplyNow
            }
            default {
                Write-Verbose "Invalid Mode on UserUI group add"
            }
        }
    }
}
c. Next add the Function Evaluator activity with the following parameters:
i. DisplayName: Clear MemberAddFeeder attribute
ii. Destination: [//Target/MemberAddFeeder]
iii. Value: String “ “ (must be a space in order to clear reference attributes)
a. DisplayName: UserUI - remove member from group and clear feeder attribute
b. Add the Powershell activity to the workflow with the same script as in the add workflow, changed in three places:
PropertyName pattern: "MemberRemove*"
Change operation: 'Delete' -AttributeName 'ExplicitMember' -AttributeValue ('Person','AccountName',('{0}' -F $UserName))) -ApplyNow
Message in the default branch: "Invalid Mode on application group add"
c. Next add the Function Evaluator activity with the following parameters:
i. DisplayName: Clear MemberRemoveFeeder attribute
ii. Destination: [//Target/MemberRemoveFeeder]
iii. Value: String “ “ (must be a space in order to clear reference attributes)
a. Requestor: FIM service account
b. Operation: Add and Remove multi-value attribute
c. Permission: Grants permission
d. Target: All groups
e. Attributes: Manually-managed Membership

a. Requestor: Helpdesk Users
b. Operation: Add and Remove multi-value attribute
c. Permission: Grants permission
d. Target: All People
e. Attributes: MemberAddFeeder, MemberRemoveFeeder

a. Requestor: Helpdesk Users
b. Operation: Add multi-value attribute
c. Target: All People
d. Attributes: MemberAddFeeder
e. Action Workflow: UserUI - add member to group and clear feeder attribute

a. Requestor: Helpdesk Users
b. Operation: Add multi-value attribute
c. Target: All People
d. Attributes: MemberRemoveFeeder
e. Action Workflow: UserUI - remove member from group and clear feeder attribute

a. Add Criteria: ResourceID not in FIM service account
b. Make sure criteria is: Users that match All of the following criteria
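The two workflow scripts act on every RequestParameter whose PropertyName matches a wildcard ("MemberAdd*" / "MemberRemove*") and pass its value straight to the group lookup. As an added example (not part of the original article or of FimPowerShellModule), that filtering step can be written as a function that matches the feeder attribute name exactly and checks that the value is a well-formed GUID before any group is changed. Get-FeederGroupId is a hypothetical helper, and the sample XML is constructed, with its element layout assumed from the fields the script reads.

```powershell
# Added example. Get-FeederGroupId is a hypothetical helper, not part of
# FIMAutomation or FimPowerShellModule.
function Get-FeederGroupId {
    param(
        [string[]]$RequestParameter,                   # raw XML strings from the request
        [string]$FeederAttribute = 'MemberAddFeeder'   # or 'MemberRemoveFeeder'
    )
    $guidPattern = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
    foreach ($raw in $RequestParameter) {
        $p = ([xml]$raw).RequestParameter
        # Exact attribute name instead of a "MemberAdd*" style wildcard
        if ($p.PropertyName -ne $FeederAttribute) { continue }
        # Same Operation/Mode conditions the workflow script tests
        if ($p.Operation -ne 'Create' -or $p.Mode -ne 'Add') { continue }
        # Value carries an xsi:type attribute, so its text is exposed as "#text"
        $value = [string]$p.Value.'#text'
        if ($value -match $guidPattern) {
            $value
        }
        else {
            Write-Warning "Skipping $FeederAttribute entry with malformed value '$value'"
        }
    }
}

# Constructed sample parameters (assumed layout, not captured from a FIM service)
$template = '<RequestParameter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">' +
    '<PropertyName>{0}</PropertyName><Value xsi:type="guid">{1}</Value>' +
    '<Operation>Create</Operation><Mode>{2}</Mode></RequestParameter>'
$sample = @(
    ($template -f 'MemberAddFeeder',  '11111111-2222-3333-4444-555555555555', 'Add'),    # valid
    ($template -f 'MemberAddFeederX', '66666666-7777-8888-9999-000000000000', 'Add'),    # other attribute
    ($template -f 'MemberAddFeeder',  'not-a-guid',                           'Add'),    # malformed value
    ($template -f 'MemberAddFeeder',  '66666666-7777-8888-9999-000000000000', 'Remove')  # wrong mode
)

# Returns the group GUIDs that are safe to hand to GetObjectAccountName
Get-FeederGroupId -RequestParameter $sample
```

In the workflow script, the returned GUIDs would take the place of `$ReqParmXML.RequestParameter.Value."#text"`; pass `-FeederAttribute 'MemberRemoveFeeder'` for the remove workflow.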
Maheshkumar S Tiwari edited Revision 3. Comment: Added tags
Good info. Thanks for this.