When is a static FIM set dynamic?

Sometimes FIM can build you up just to cut you back down.  Just when you think you’ve designed the perfect set-based policy, with your custom schema and workflow activities written and tested, how many times do you discover that try as you might you can’t create that set filter you need?  That’s right – you come face to face with the dreaded unsupported filter definition.

For those of you for whom this has yet to happen, consider the following scenario – you have an AD group that is not managed by FIM, but you want to write some policy that fires for every user added to this group.  So you think at first that all you need to do is import/sync this group to FIM and write your set … but like Steffen here you come unstuck.  You can write your xpath statement in a search scope and it works fine, but not as a set filter!

So when this happens, what can you do?  Sure you can look at the above linked post, and others like it, and you too will work out that FIM needs you to maintain a redundant reference property in order to define a valid set definition to do the job.  I’ve done this plenty of times myself, and come up with a number of ways to achieve this outcome … ranging from custom workflows to using the sync engine and something like my Replay MA idea.

However, I’ve come up with another idea … the dynamic static set :).

Just because you can’t write a valid filter doesn’t mean you have to give up on your policy … just use a static set instead, and write a workflow to recalculate and update this static membership whenever you need to – e.g. use a request-based MPR to fire for your group object whenever its synced membership changes.

So what tools do you need to do this?

You could almost do this with the OOTB FIM Function Evaluator … if only it would do the following 2 things for you

  1. allow updates for objects other than those in context of a Request; and
  2. allow the update of a multi-value attribute (member) with the resource identifiers of all objects returned in your xpath.

Since you can’t do either of these with the OOTB component, you, like me, are going to have to write yourself a custom activity to do the above.  However, if you’ve followed my blog for a while you’ll have already seen my previous post on re-usable CRUD workflow activities, and you already have your own written by now :).
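To make the recalculation step concrete, here is an added example (my own illustration, not code from the original post or from any custom activity it describes) of what such a workflow activity has to do, written as a FIMAutomation PowerShell script so you can try it from a console before you bake the same logic into a custom activity. It assumes the FIMAutomation snap-in on the FIM Service host, a static set called “Dynamic Static Set - Finance Group Members” and a group called “Finance”; both names and the member XPath are assumptions for illustration. It evaluates the XPath you could not use as a set filter, compares the result with the set’s current ExplicitMember values, and submits a single Put request with only the Add/Delete changes that are actually needed:

```powershell
# Added example: recalculate a static set's ExplicitMember from an XPath query.
# Set name, group name and XPath below are assumptions chosen for illustration.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$SetDisplayName = 'Dynamic Static Set - Finance Group Members'   # assumed set name
# The kind of filter that works as a search scope but not as a set filter (assumed):
$MemberXPath = "/Person[ObjectID = /Group[DisplayName='Finance']/ExplicitMember]"

function Get-FimObjectIds {
    param([string]$XPath)
    # Export-FIMConfig returns ExportObject records whose ObjectIdentifier is
    # 'urn:uuid:<guid>'; strip the prefix so values compare cleanly.
    Export-FIMConfig -OnlyBaseResources -CustomConfig $XPath |
        ForEach-Object { $_.ResourceManagementObject.ObjectIdentifier -replace '^urn:uuid:', '' }
}

function Get-FimAttributeValues {
    param($ExportObject, [string]$Name)
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    if ($null -eq $attr) { return @() }
    if ($attr.IsMultiValue) { return @($attr.Values) } else { return @($attr.Value) }
}

function New-ImportChange {
    param([string]$Operation, [string]$AttributeName, [string]$Value)
    $c = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $c.Operation = [System.Enum]::Parse(
        [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation], $Operation)
    $c.AttributeName = $AttributeName
    $c.AttributeValue = $Value
    $c.FullyResolved = $true
    $c.Locale = 'Invariant'
    return $c
}

# 1. Locate the static set and read its current explicit membership
$set = Export-FIMConfig -OnlyBaseResources -CustomConfig "/Set[DisplayName='$SetDisplayName']"
if ($null -eq $set) { throw "Set '$SetDisplayName' not found" }
$setId   = $set.ResourceManagementObject.ObjectIdentifier -replace '^urn:uuid:', ''
$current = @(Get-FimAttributeValues -ExportObject $set -Name 'ExplicitMember' |
    ForEach-Object { $_ -replace '^urn:uuid:', '' })

# 2. Evaluate the XPath the set filter could not express
$desired = @(Get-FimObjectIds -XPath $MemberXPath)

# 3. Work out the delta so the request only touches what changed
$toAdd    = @($desired | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $desired -notcontains $_ })

if ($toAdd.Count -eq 0 -and $toRemove.Count -eq 0) {
    Write-Host 'Static set membership is already current'
    return
}

# 4. One Put request on the Set carrying every Add/Delete against ExplicitMember
$import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$import.ObjectType             = 'Set'
$import.TargetObjectIdentifier = $setId
$import.SourceObjectIdentifier = $setId
$import.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
foreach ($id in $toAdd)    { $import.Changes += New-ImportChange -Operation Add    -AttributeName ExplicitMember -Value $id }
foreach ($id in $toRemove) { $import.Changes += New-ImportChange -Operation Delete -AttributeName ExplicitMember -Value $id }

$import | Import-FIMConfig
Write-Host ("Added {0}, removed {1} explicit members of '{2}'" -f $toAdd.Count, $toRemove.Count, $SetDisplayName)
```

Run it as an account with rights to modify the set (or add -Uri to both FIMConfig calls if you are not on the service host). The delta step matters: replacing the whole ExplicitMember list on every run would generate a far larger request and, because the set change itself can trigger transition MPRs, a lot of spurious transition-out/transition-in noise; sending only the Adds and Deletes keeps the resulting requests (and your audit trail) to exactly the members that really changed.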

In any case, with a little imagination you too can overcome dynamic set limitations with “dynamic static sets”.


About bobbradley1967

Microsoft Identity and Access Professional with 2 decades of successful IAM implementations in APAC, specialising in MIM and its predecessors (FIM/ILM/MIIS) and now with SoftwareIDM. A Microsoft IAM MVP prior to that with a background in MS.Net applications development/SI. Now with a particular interest how Identity and HyperSync Panel provide the Identity and Access orchestration presently missing in the Azure Entra Suite to effectively enforce Zero Trust on the M365 platform.
This entry was posted in FIM (ForeFront Identity Manager) 2010.

1 Response to When is a static FIM set dynamic?

  1. Finally with the release of the MIMWAL project (see https://social.technet.microsoft.com/Forums/en-US/8035c823-596a-439e-80ab-a19ef08f7dc6/mimwal-project-information?forum=Mimwal) there is now a publicly available set of workflows that you can now use for your FIM “CRUD”, so you can now do the above sort of thing without having to write your own workflows any more.
