FIM 2010 – Group Management Scenarios I’m Considering

I’ve recently been working on-site and thinking about how best to automate the creation of groups for a list of organizations that are managed within another system. Each organization, for the purposes of access control for an application, has to have a series of criteria-based groups defined. So the question became: how can I automate the creation of those groups?

My solution was to perform the following tasks:

  1. Created an XMA that:
    1. Reads the SQL view for the unique list of organizations and their names.
    2. Creates a series of entries in the input file for the AVP section of the MA, which produce a “group” entry for each group required.
    3. Has its synchronization rules configured so that the groups are pushed into the metaverse.
  2. Configured the FIM MA to manage groups. This caused the group objects created in the metaverse by the XMA to project to FIM. FIM then populates the group membership from the filter criteria that were generated as part of the developed XMA.
  3. Group membership flows back into the metaverse through the configured flow rules, and the groups are then created in the appropriate AD system for the access controls.
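As an added example (not the post’s own code), here is the generator step of such an XMA in Python: it reads a constructed organization list standing in for the SQL view and emits AVP-style group entries whose membership filter keys on a validated organization identifier, so free text from the external system never reaches the filter expression. The attribute names, the blank-line-separated AVP layout, the access levels and the XPath filter wrapper are assumptions for illustration, not details from the post.

```python
import re

# Constructed sample rows, standing in for the SQL view of organizations.
ORGANIZATIONS = [
    {"orgId": "1001", "name": "Finance"},
    {"orgId": "1002", "name": "O'Brien & Sons"},  # free text stays out of the filter
]

# One criteria-based group per organization and access level (assumed levels).
ACCESS_LEVELS = ["Readers", "Editors"]

# Assumed wrapper for a FIM Service criteria-based group filter.
FILTER_TEMPLATE = (
    '<Filter Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" '
    'xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement">{xpath}</Filter>'
)

# Only an identifier from a strict alphabet is allowed into the XPath predicate,
# so a value such as "1' or 1=1" from the external system cannot widen the group.
ORG_ID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def validated_org_id(org_id: str) -> str:
    if not ORG_ID_PATTERN.match(org_id):
        raise ValueError(f"organization id rejected for filter use: {org_id!r}")
    return org_id


def account_name(org_id: str, level: str) -> str:
    # Deterministic name, so reruns update existing groups instead of duplicating them.
    return f"org-{validated_org_id(org_id)}-{level.lower()}"


def group_entry(org: dict, level: str) -> str:
    """Build one AVP object (attribute: value lines) for a criteria-based group."""
    xpath = (f"/Person[OrganizationId = '{validated_org_id(org['orgId'])}' "
             f"and AccessLevel = '{level}']")
    display = " ".join(org["name"].split())  # AVP is line-based: collapse any newlines
    return "\n".join([
        "objectType: group",
        f"accountName: {account_name(org['orgId'], level)}",
        f"displayName: {display} {level}",
        "membershipLocked: True",
        "membershipAddWorkflow: None",
        f"filter: {FILTER_TEMPLATE.format(xpath=xpath)}",
    ])


def build_avp_file(orgs, levels=ACCESS_LEVELS) -> str:
    """Whole input file: objects separated by a blank line, in a stable order."""
    return "\n\n".join(group_entry(o, lvl) for o in orgs for lvl in levels) + "\n"
```

Re-running the generator after the SQL view changes yields the same account names for unchanged organizations, so the MA sees adds, updates and deletes rather than a fresh set of groups each run.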

There are a couple of reasons I like this solution. The first is that I can easily modify the list of filters, which then creates, updates or removes the search filters for the defined groups; new organizations added to the SQL view are picked up the same way.

The second reason is that I am managing group identities from an external system. My best practice is that any management of identities whose base information is sourced from somewhere other than “direct” human input into the FIM Service portal should be handled and managed by the synchronization engine. It is, after all, what it does.

