Delegating Group Management – Using the Lithnet FIM PowerShell Module
By Jon Bryan. Categories: Classic Flow Rules, Code Sample, Gist, Group Management, Portal Management, PowerShell
Within my AD structure, group management is delegated within certain OUs, and I now need to replicate that functionality in the FIM portal.
There is no real way of identifying which groups should be managed by whom, except by the OU in which the group currently resides.
So, to start off with, I need to get the parent OU of the group into the portal:
Import the OU into the MV with an import flow rule in the rules extension (the parent OU is the group's DN with its own RDN stripped off):

```vbnet
Case "adOU-Group-ADMA-Import"
    ' Strip the group's own RDN (plus the separating comma) from the DN,
    ' leaving the distinguished name of the parent OU
    mventry("adOU").Value = Replace(csentry.DN.ToString, csentry.RDN.ToString & ",", "")
```

Set up an export flow for adOU into the portal.
Then, by using the Lithnet PowerShell Module, we can create all the sets and MPRs required. Below is a sample for creating one delegated "collection"; in production my XML file is much bigger, delegating group management to around ten different groups.
Note that you first need to create references to all users who might be given the rights to manage groups. This includes the FimServiceAdmin and FimServiceAccount, which are referenced by their ObjectID; the others are referenced by their AccountName. All members referenced in this section are added to __Set:GroupValidationBypassSet. That set is referenced in the non-administrators set, not in this set, and it bypasses the group validation workflow:
Create a set of groups to be managed, the filter being the OU that the groups belong to and MembershipLocked=False.
Create a set of administrators for this delegation, adding the explicit members.
Then create the two MPRs to allow the members of the administrative set to manage those groups: the first MPR allows modification (Read, Add and Remove) of the ExplicitMember attribute, while the second allows creation and deletion.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<Lithnet.ResourceManagement.ConfigSync>
  <Variables>
    <Variable name="#domain#" value="%userdomain%"/>
    <Variable name="#PATH#" value="C:\some-path\" />
  </Variables>
  <Operations>
    <!-- Create a Bunch of References to Recipients -->
    <ResourceOperation operation="None" resourceType="Person" id="user1">
      <AnchorAttributes>
        <AnchorAttribute>AccountName</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="none" name="AccountName">user1</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>
    <!-- Create Reference to Recipient -->
    <ResourceOperation operation="None" resourceType="Person" id="user2">
      <AnchorAttributes>
        <AnchorAttribute>AccountName</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="none" name="AccountName">user2</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>
    <!-- Create Reference to Recipient -->
    <ResourceOperation operation="None" resourceType="Person" id="user3">
      <AnchorAttributes>
        <AnchorAttribute>AccountName</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="none" name="AccountName">user3</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>
    <!-- Create Reference to Recipient -->
    <ResourceOperation operation="None" resourceType="Person" id="FIMServiceAccount">
      <AnchorAttributes>
        <AnchorAttribute>ObjectID</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="none" name="ObjectID">1009a2cb-e7f8-4db9-9f02-04b91b1d966d</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>
    <!-- Create Reference to Recipient -->
    <ResourceOperation operation="None" resourceType="Person" id="FIMServiceAdmin">
      <AnchorAttributes>
        <AnchorAttribute>ObjectID</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="none" name="ObjectID">7fb2b853-24f0-4498-9534-4e10589723c4</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>
    <!-- MPR's Sets etc: -->
    <!-- GroupValidation Bypass Set -->
    <ResourceOperation operation="Add Update" resourceType="Set" id="GroupValidationBypassSet">
      <AnchorAttributes>
        <AnchorAttribute>DisplayName</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="replace" name="DisplayName">__Set:GroupValidationBypassSet</AttributeOperation>
        <AttributeOperation operation="replace" name="Description">This set bypasses Group Management Workflow</AttributeOperation>
        <AttributeOperation operation="add" name="ExplicitMember" type="xmlref">user2</AttributeOperation>
        <AttributeOperation operation="add" name="ExplicitMember" type="xmlref">user1</AttributeOperation>
        <AttributeOperation operation="add" name="ExplicitMember" type="xmlref">FIMServiceAccount</AttributeOperation>
        <AttributeOperation operation="add" name="ExplicitMember" type="xmlref">FIMServiceAdmin</AttributeOperation>
        <AttributeOperation operation="add" name="ExplicitMember" type="xmlref">user3</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>
    <!-- Create ABC Manual Groups Set -->
    <ResourceOperation operation="Add Update" resourceType="Set" id="ABCManualGroupsSet">
      <AnchorAttributes>
        <AnchorAttribute>DisplayName</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="replace" name="DisplayName">__Set:ABC Manual Groups</AttributeOperation>
        <AttributeOperation operation="replace" name="Description">Use this set to allow ABC helpdesk staff to administer these groups.</AttributeOperation>
        <AttributeOperation operation="replace" name="Filter" type="filter">/Group[(adOU = 'OU=Manual Groups,OU=ABC,DC=blah,DC=ac,DC=uk') and (MembershipLocked = False)]</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>
    <!-- Create ABC Manual Group Administrators Set -->
    <ResourceOperation operation="Add Update" resourceType="Set" id="ABCManualGroupsAdministratorsSet">
      <AnchorAttributes>
        <AnchorAttribute>DisplayName</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="replace" name="DisplayName">__Set:ABC Manual Groups Administrators</AttributeOperation>
        <AttributeOperation operation="replace" name="Description">Use this set to allow ABC helpdesk staff to administer these groups.</AttributeOperation>
        <AttributeOperation operation="add" name="ExplicitMember" type="xmlref">user1</AttributeOperation>
        <AttributeOperation operation="add" name="ExplicitMember" type="xmlref">user2</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>
    <!-- ABC Manual Group Modify MPR -->
    <ResourceOperation operation="Add Update" resourceType="ManagementPolicyRule" id="ABCManualGroupModifyMPR">
      <AnchorAttributes>
        <AnchorAttribute>DisplayName</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="replace" name="DisplayName">__MPR:Group management: ABC Manual Group administrators can update ABC Manual group resources</AttributeOperation>
        <AttributeOperation operation="replace" name="Description">Allows ##xmlref:ABCManualGroupsAdministratorsSet:DisplayName## members to modify membership of ABC Manual Groups</AttributeOperation>
        <AttributeOperation operation="replace" name="Disabled">false</AttributeOperation>
        <AttributeOperation operation="replace" name="GrantRight">true</AttributeOperation>
        <AttributeOperation operation="replace" name="ManagementPolicyRuleType">Request</AttributeOperation>
        <AttributeOperation operation="replace" name="PrincipalSet" type="xmlref">ABCManualGroupsAdministratorsSet</AttributeOperation>
        <AttributeOperation operation="replace" name="ResourceCurrentSet" type="xmlref">ABCManualGroupsSet</AttributeOperation>
        <AttributeOperation operation="replace" name="ResourceFinalSet" type="xmlref">ABCManualGroupsSet</AttributeOperation>
        <AttributeOperation operation="add" name="ActionType">Read</AttributeOperation>
        <AttributeOperation operation="add" name="ActionType">Add</AttributeOperation>
        <AttributeOperation operation="add" name="ActionType">Remove</AttributeOperation>
        <AttributeOperation operation="add" name="ActionParameter">ExplicitMember</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>
    <!-- ABC Manual Group Create/Delete MPR -->
    <ResourceOperation operation="Add Update" resourceType="ManagementPolicyRule" id="ABCManualGroupCreateDeleteMPR">
      <AnchorAttributes>
        <AnchorAttribute>DisplayName</AnchorAttribute>
      </AnchorAttributes>
      <AttributeOperations>
        <AttributeOperation operation="replace" name="DisplayName">__MPR:Group management: ABC Manual Group administrators can create and delete ABC Manual group resources</AttributeOperation>
        <AttributeOperation operation="replace" name="Description">Allows ##xmlref:ABCManualGroupsAdministratorsSet:DisplayName## members to Create and Delete ABC Manual Groups</AttributeOperation>
        <AttributeOperation operation="replace" name="Disabled">false</AttributeOperation>
        <AttributeOperation operation="replace" name="GrantRight">true</AttributeOperation>
        <AttributeOperation operation="replace" name="ManagementPolicyRuleType">Request</AttributeOperation>
        <AttributeOperation operation="replace" name="PrincipalSet" type="xmlref">ABCManualGroupsAdministratorsSet</AttributeOperation>
        <AttributeOperation operation="replace" name="ResourceCurrentSet" type="xmlref">ABCManualGroupsSet</AttributeOperation>
        <AttributeOperation operation="replace" name="ResourceFinalSet" type="xmlref">ABCManualGroupsSet</AttributeOperation>
        <AttributeOperation operation="add" name="ActionType">Create</AttributeOperation>
        <AttributeOperation operation="add" name="ActionType">Delete</AttributeOperation>
        <AttributeOperation operation="add" name="ActionParameter">*</AttributeOperation>
      </AttributeOperations>
    </ResourceOperation>
  </Operations>
</Lithnet.ResourceManagement.ConfigSync>
```
Use `Import-RMConfig -File <PathToXML> -Preview -Verbose` to validate your XML and see what it would do. Drop `-Preview` to make the change.
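The following PowerShell is an added example and not part of the original post: it runs the preview-then-apply sequence just described and then reads back what the delegation actually grants, since the scope of the two MPRs is entirely decided by the adOU filter on __Set:ABC Manual Groups and by who sits in __Set:ABC Manual Groups Administrators. It assumes the Lithnet Resource Management PowerShell module (LithnetRMA) is installed, that the session runs on or can reach the FIM Service, and that the XML above has been saved at the placeholder path in $ConfigPath; the set and MPR display names and the OU string are taken from the XML.

```powershell
# Added example: preview, apply and verify the ABC delegation config.
# Assumes the LithnetRMA module and a connection to the FIM Service;
# $ConfigPath is a placeholder for wherever the XML above was saved.
Import-Module LithnetRMA

$ConfigPath = 'C:\some-path\abc-delegation.xml'   # placeholder path
$ExpectedOU = 'OU=Manual Groups,OU=ABC,DC=blah,DC=ac,DC=uk'

# 1. Dry run: nothing is written, the cmdlet only reports the changes it would make.
Import-RMConfig -File $ConfigPath -Preview -Verbose

# 2. Apply once the preview shows only the expected sets and MPRs.
Import-RMConfig -File $ConfigPath -Verbose

# 3. Who was delegated? Resolve the administrators set and list its explicit members.
$adminSet = Get-Resource -ObjectType Set -AttributeName DisplayName `
                         -AttributeValue '__Set:ABC Manual Groups Administrators'
$admins = $adminSet.ExplicitMember | ForEach-Object { Get-Resource -ID $_ }
"Delegated administrators:"
$admins | Select-Object AccountName, DisplayName

# 4. What did they get rights over? Evaluate the same XPath the set uses and
#    confirm every hit really sits in the intended OU (adOU is derived from the
#    AD DN, so a group moved into that OU in AD lands in scope automatically).
$filter = "/Group[(adOU = '$ExpectedOU') and (MembershipLocked = False)]"
$scopedGroups = Search-Resources -XPath $filter -AttributesToGet DisplayName, adOU, MembershipLocked
foreach ($g in $scopedGroups) {
    if ($g.adOU -ne $ExpectedOU) {
        Write-Warning "Group '$($g.DisplayName)' matched the filter but has adOU '$($g.adOU)'"
    }
}
"$(@($scopedGroups).Count) group(s) in scope of the ABC delegation"

# 5. Confirm each MPR is enabled, grants rights, points at the admin set and
#    carries only the intended actions and attributes.
$mprNames = @(
    '__MPR:Group management: ABC Manual Group administrators can update ABC Manual group resources',
    '__MPR:Group management: ABC Manual Group administrators can create and delete ABC Manual group resources'
)
foreach ($name in $mprNames) {
    $mpr = Get-Resource -ObjectType ManagementPolicyRule -AttributeName DisplayName -AttributeValue $name
    [pscustomobject]@{
        MPR          = $name
        Disabled     = $mpr.Disabled
        GrantRight   = $mpr.GrantRight
        PrincipalSet = $mpr.PrincipalSet
        Actions      = ($mpr.ActionType -join ',')
        Parameters   = ($mpr.ActionParameter -join ',')
    }
}
```

Steps 3 to 5 are worth keeping as a re-runnable check after any later edit to the XML: the modify MPR should list only Read, Add and Remove on ExplicitMember, the create/delete MPR should list only Create and Delete, and both should name __Set:ABC Manual Groups Administrators as their PrincipalSet.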