
Alerting on FIM Group type changes

In this blog post, I will describe how to send an email notification when a group is changed from static (manually managed) membership to criteria-based (dynamic) membership. The notification contains the display name and account name of the group, the person who made the change, and the group's static membership as it was before the change.

When a group is converted from static membership to criteria-based membership, the existing explicit membership list is discarded. That list is worth keeping for audit and archive purposes, and it is essential if you later need to revert the group to manual membership and restore its previous members.

First, create a notification email template (an Email Template resource of type Notification) similar to this:

Subject:

Static to Dynamic Change for Group [//Target/DisplayName] ([//Target/Domain]\[//Target/AccountName])

Body:

The following group has changed from Static to Dynamic:

[//Target/DisplayName] ([//Target/Domain]\[//Target/AccountName])

<br />

The change was performed by [//Requestor/DisplayName]

<br />

The following users were members of the group before the change: [//Target/ExplicitMember]

Next, create an authorization workflow containing a Notification activity that uses the email template you just created. The workflow must run in the authorization phase of the request: authorization workflows run before the request is committed, so [//Target/ExplicitMember] still resolves to the group's current (pre-change) members. An action workflow runs only after the request has been committed, by which point the ExplicitMember values have already been cleared and the template would render an empty member list.

Finally, create a Request Management Policy Rule (RMPR) that matches the change from static to dynamic membership. Here is the configuration of the RMPR:

  • Requestors: a set containing the people who make these changes (for example, the group administrators)
  • Operation: Modify a single-valued attribute
  • Target Resource Definition Before Request: All static groups
  • Target Resource Definition After Request: All dynamic groups
  • Target Resource Attributes: All attributes
  • Policy Workflow: the authorization workflow created above

"All static groups" and "All dynamic groups" are custom sets that you need to define yourself; one way to build them is a criteria-based set on the Group resource type filtered on the MembershipLocked attribute, which is false for manually managed groups and true for criteria-based ones. Because the rule is evaluated against the target's state both before and after the request, it fires only on the transition and not on ordinary edits to either kind of group.
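The template and the RMPR above can also be created from PowerShell with the FIMAutomation snap-in that ships with FIM, which is handy when the same rule has to be deployed to several environments. The script below is an added example, not the post's own configuration: it assumes the sets "All static groups", "All dynamic groups" and "Group Administrators" and the authorization workflow "Static to Dynamic notification" already exist in the portal (the workflow is built in the portal as described above, since workflow definitions are XOML and out of scope here), and every display name it uses is an assumption to be replaced with your own.

```powershell
# Added example, not from the original post. Requires the FIMAutomation snap-in
# on a machine that can reach the FIM Service. All display names are assumed.
Add-PSSnapin FIMAutomation -ErrorAction Stop

# Resolve a portal object's identifier by object type and display name.
# Export-FIMConfig -CustomConfig takes a FIM XPath filter; the result's
# ResourceManagementObject.ObjectIdentifier is the "urn:uuid:..." reference
# that reference attributes (PrincipalSet, ResourceCurrentSet, ...) expect.
function Get-FimObjectId {
    param([string]$ObjectType, [string]$DisplayName)
    $xpath = "/$ObjectType[DisplayName='$DisplayName']"
    $found = @(Export-FIMConfig -OnlyBaseResources -CustomConfig $xpath)
    if ($found.Count -ne 1) {
        throw "Expected exactly one $ObjectType named '$DisplayName', found $($found.Count)"
    }
    return $found[0].ResourceManagementObject.ObjectIdentifier
}

# Build an ImportObject that creates one resource. Hashtable values given as
# arrays are written with Add (multi-valued attributes), all others with Replace.
function New-FimCreateObject {
    param([string]$ObjectType, [hashtable]$Attributes)
    $io = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $io.ObjectType = $ObjectType
    $io.SourceObjectIdentifier = [Guid]::NewGuid().ToString()
    $io.TargetObjectIdentifier = $io.SourceObjectIdentifier
    $io.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Create
    $changes = @()
    foreach ($name in $Attributes.Keys) {
        $isMulti = $Attributes[$name] -is [array]
        foreach ($value in @($Attributes[$name])) {
            $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
            if ($isMulti) {
                $change.Operation = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Add
            } else {
                $change.Operation = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Replace
            }
            $change.AttributeName  = $name
            $change.AttributeValue = [string]$value
            $change.FullyResolved  = $true
            $change.Locale         = 'Invariant'
            $changes += $change
        }
    }
    $io.Changes = $changes
    return $io
}

# Step 1: the notification email template. The body is HTML, hence the <br /> tags.
$template = New-FimCreateObject -ObjectType EmailTemplate -Attributes @{
    DisplayName       = 'Static to Dynamic group change'   # assumed name
    EmailTemplateType = 'Notification'
    EmailSubject      = 'Static to Dynamic Change for Group [//Target/DisplayName] ([//Target/Domain]\[//Target/AccountName])'
    EmailBody         = ('The following group has changed from Static to Dynamic:<br />' +
                         '[//Target/DisplayName] ([//Target/Domain]\[//Target/AccountName])<br />' +
                         'The change was performed by [//Requestor/DisplayName]<br />' +
                         'The following users were members of the group before the change: [//Target/ExplicitMember]')
}
$template | Import-FIMConfig

# Step 3: the Request MPR. Step 2 (the authorization workflow with a Notification
# activity bound to the template) is assumed to exist under the name below.
$staticSet  = Get-FimObjectId -ObjectType Set -DisplayName 'All static groups'
$dynamicSet = Get-FimObjectId -ObjectType Set -DisplayName 'All dynamic groups'
$requestors = Get-FimObjectId -ObjectType Set -DisplayName 'Group Administrators'
$workflow   = Get-FimObjectId -ObjectType WorkflowDefinition -DisplayName 'Static to Dynamic notification'

$mpr = New-FimCreateObject -ObjectType ManagementPolicyRule -Attributes @{
    DisplayName                     = 'Alert on static to dynamic group change'
    ManagementPolicyRuleType        = 'Request'
    GrantRight                      = 'False'        # notification only; the modify right comes from your existing MPRs
    Disabled                        = 'False'
    PrincipalSet                    = $requestors    # Requestors
    ActionType                      = @('Modify')    # "Modify a single-valued attribute"
    ActionParameter                 = @('*')         # all attributes
    ResourceCurrentSet              = $staticSet     # Target Resource Definition Before Request
    ResourceFinalSet                = $dynamicSet    # Target Resource Definition After Request
    AuthorizationWorkflowDefinition = @($workflow)   # Policy Workflow (authorization phase)
}
$mpr | Import-FIMConfig
```

GrantRight is left false so that the rule adds the notification without widening anyone's permissions; if no other MPR already grants these requestors the right to modify groups, set it to True. The XPath lookups interpolate display names directly, so names containing an apostrophe need escaping before use.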

The same approach, with the before and after sets swapped, captures changes from dynamic back to static membership.

Two caveats. First, if the mail notification fails (for example, because the SMTP server is unreachable), the authorization workflow fails and the whole request is rolled back, so the group conversion itself will not happen; the notification becomes a hard dependency of the change. Second, when the change is submitted the portal shows a "Pending approval" message: any request that triggers an authorization workflow is held until that workflow completes, even though no human approval is involved here. If the group update does not occur, check the request's status details in the FIM portal request log.
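When the portal's request log is inconvenient (for example, across several environments), the same information can be pulled with Export-FIMConfig. The following is an added example, not part of the original post: it lists failed requests against groups from the last 24 hours together with their Request Status Detail, which is where a failed Notification activity reports its error. The time window and the XPath filter are assumptions.

```powershell
# Added example, not from the original post. Requires the FIMAutomation snap-in.
Add-PSSnapin FIMAutomation -ErrorAction Stop

# Assumed window: failed requests from the last 24 hours whose target is a group.
# FIM XPath datetime literals use the yyyy-MM-ddTHH:mm:ss format, in UTC.
$since = (Get-Date).ToUniversalTime().AddHours(-24).ToString('yyyy-MM-ddTHH:mm:ss')
$xpath = "/Request[RequestStatus='Failed' and CreatedTime > '$since' and Target=/Group]"

# Read one attribute from an exported ResourceManagementObject; multi-valued
# attributes come back as an array, missing attributes as $null.
function Get-FimAttribute {
    param($ResourceManagementObject, [string]$Name)
    $attr = $ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    if ($null -eq $attr) { return $null }
    if ($attr.IsMultiValue) { return $attr.Values } else { return $attr.Value }
}

Export-FIMConfig -OnlyBaseResources -CustomConfig $xpath | ForEach-Object {
    $r = $_.ResourceManagementObject
    New-Object PSObject -Property @{
        Request = $r.ObjectIdentifier
        Created = Get-FimAttribute $r 'CreatedTime'
        Target  = Get-FimAttribute $r 'Target'
        Detail  = (@(Get-FimAttribute $r 'RequestStatusDetail') -join '; ')
    }
} | Format-List Request, Created, Target, Detail
```

If the Detail column mentions the Notification activity, the mail step is what rolled the conversion back, and the fix belongs in the template or the FIM Service's SMTP configuration rather than in the MPR.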

Check out my other blog on this topic here.