

Alerting On Filter Changes In FIM Dynamic Groups

In this blog, I will describe how to send an email message when a dynamic group’s membership criteria (its Filter attribute) change. The notification contains the display name and account name of the group, the person who made the change, and both the old and the new membership filter. Having the previous filter definition in the mail can be invaluable if you need to revert to the earlier setting, because the FIM request log only records the new value.

First, create a notification mail template similar to this –

Subject:

Filter change for group [//Target/DisplayName] ([//Target/Domain]\[//Target/AccountName])

Body:

The following group has changed membership criteria:

[//Target/DisplayName] ([//Target/Domain]\[//Target/AccountName])
<br/>
The change was performed by [//Requestor/DisplayName]
<br/>
Values changed:
<table style="width: 80%">
<tr>
<td>Attribute</td>
<td>Old Value</td>
<td>New Value</td>
</tr>
[//RequestParameter/AllChangesAuthorizationTable]
</table>

Next, create an authorization workflow containing a single notification activity, and point it at the mail template you created above. The workflow must run in the authorization phase of the request: the [//RequestParameter/AllChangesAuthorizationTable] function, which produces the old/new value rows, is only populated for authorization workflows, so the same template in an action workflow would yield an empty table.

Finally, create a Request Management Policy Rule (RMPR) to capture the change of the filter criteria. Here is the configuration of the RMPR:

  • Requestor: the set of all people who would make these changes (for example, your group administrators)
  • Operation: modify a single-valued attribute
  • Target before: all dynamic groups
  • Target after: all dynamic groups
  • Attributes: Filter
  • Policy Workflow: <authorization workflow created above>

It is important to note that if the mail notification fails (for example, because the FIM Service cannot reach Exchange), the authorization workflow fails and the whole request is rolled back, so the filter change is not applied. That is the trade-off of running in the authorization phase: an action workflow would not block the change, but it would not have access to the old value. In addition, when the change is submitted you will get a “Pending approval” message, which appears whenever an authorization workflow runs, even one that only sends mail; the request completes as soon as the mail is sent. If the group update fails to occur, check the request log in the FIM portal for the details of the failed request.
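The post configures everything through the portal. As an added example (my own script, not part of the original post), the following FIMAutomation snap-in script checks that the RMPR is present, enabled and still watches the Filter attribute, and then lists recent modify requests that changed a group’s Filter together with their request status, so a request that rolled back because the notification failed can be spotted without clicking through the request log. The service address, the RMPR display name, the use of dereferencing (Target=/Group) and a literal datetime comparison in the Export-FIMConfig XPath, and the layout of the RequestParameter XML are assumptions noted in the code.

```powershell
# Added example, not from the original post. Assumptions (not stated in the post):
# the FIMAutomation snap-in is installed, the FIM Service listens at $FimServiceUri,
# $MprDisplayName is the name you gave the RMPR, the XPath filter dialect accepts
# Target=/Group and a literal CreatedTime comparison, and each RequestParameter value is
# an XML document with /RequestParameter/PropertyName and /RequestParameter/Value.
param(
    [string]$FimServiceUri  = "http://localhost:5725",                  # assumption: default FIM Service address
    [string]$MprDisplayName = "Notify on dynamic group filter change",  # assumption: your RMPR name
    [int]$DaysBack = 7
)

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# Flatten an ExportObject returned by Export-FIMConfig into a hashtable of
# attribute name -> value (single-valued) or array of values (multi-valued).
function ConvertTo-AttributeTable {
    param([Parameter(Mandatory = $true)]$ExportObject)
    $table = @{ ObjectType = $ExportObject.ResourceManagementObject.ObjectType }
    foreach ($attr in $ExportObject.ResourceManagementObject.ResourceManagementAttributes) {
        if ($attr.IsMultiValue) { $table[$attr.AttributeName] = @($attr.Values) }
        else                    { $table[$attr.AttributeName] = $attr.Value }
    }
    return $table
}

function Get-FimResources {
    param([Parameter(Mandatory = $true)][string]$XPath)
    Export-FIMConfig -Uri $FimServiceUri -OnlyBaseResources -CustomConfig $XPath |
        ForEach-Object { ConvertTo-AttributeTable $_ }
}

# Resolve a reference value such as "urn:uuid:<guid>" to the resource's DisplayName.
$displayNameCache = @{}
function Resolve-DisplayName {
    param([string]$Reference)
    if (-not $Reference) { return "" }
    $guid = $Reference -replace '^urn:uuid:', ''
    if (-not $displayNameCache.ContainsKey($guid)) {
        $obj = Get-FimResources "/*[ObjectID='$guid']"
        $displayNameCache[$guid] = if ($obj) { $obj.DisplayName } else { $guid }
    }
    return $displayNameCache[$guid]
}

# 1. Sanity-check the RMPR described in the post.
$mpr = Get-FimResources "/ManagementPolicyRule[DisplayName='$MprDisplayName']"
if (-not $mpr) { throw "RMPR '$MprDisplayName' not found" }
if ($mpr.Disabled -eq 'True') { Write-Warning "RMPR '$MprDisplayName' is disabled" }
if ($mpr.ActionParameter -notcontains 'Filter') {
    Write-Warning "RMPR does not list Filter under its attributes; filter changes will not trigger it"
}
if (-not $mpr.AuthorizationWorkflowDefinition) {
    Write-Warning "RMPR has no authorization workflow; AllChangesAuthorizationTable is only available there"
}

# 2. Pull recent modify (Put) requests against groups and keep those that touched Filter.
$since    = (Get-Date).AddDays(-$DaysBack).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss')
$requests = Get-FimResources "/Request[Operation='Put' and Target=/Group and CreatedTime>='$since']"

foreach ($req in $requests) {
    foreach ($paramXml in @($req.RequestParameter)) {
        if (-not $paramXml) { continue }
        $x    = [xml]$paramXml
        $name = $x.SelectSingleNode('/RequestParameter/PropertyName')
        if (-not $name -or $name.InnerText -ne 'Filter') { continue }
        [pscustomobject]@{
            Created   = $req.CreatedTime
            Group     = Resolve-DisplayName $req.Target
            Requestor = Resolve-DisplayName $req.Creator
            Status    = $req.RequestStatus   # Completed, or Denied/Failed when the workflow rolled it back
            NewFilter = $x.SelectSingleNode('/RequestParameter/Value').InnerText
        }
    }
}
```

Run it on the FIM Service box (or anywhere the snap-in is installed) as an account that may read Request objects. Note that the request record only carries the new filter value; the previous value exists solely in the notification mail, which is why the post runs the notification in the authorization phase rather than reading it back from the log.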

Check out my other blog on this topic here.