ILM2 RC0 – Importing AD groups into ILM

I’d like to be able to manage groups through the Portal but, unlike in the one published walkthrough on group management with ILM2, I don’t want to start from scratch. I want to start by importing all the existing groups from AD, and then, well we’ll see how we go.

Getting information about my AD users into the ILM Portal went well. I just added a bunch of export flow rules to my ILM MA, ran an Export, and voila! all my users were visible in the Portal.

Unfortunately the groups did not go so well. I kept running into the export error failed-creation-via-web-services, with no idea as to why. Eventually I found a post on the MS Connect newsgroup for ILM2 which pointed me in the right direction (I can’t link to the post, but if you search for “failed-via-web-services tips” you’ll find it) – it was to do with the group object schema in the ILM Portal.

Checking the schema requirements

So what you want to do is find out which attributes are essential for the object type you’re trying to export, and what restrictions there are on the possible values.

  1. In the ILM Portal, open the Schema Management page (found under Administration).
  2. Click the All Bindings icon.
  3. Click on Advanced Search.
  4. Enter the search criteria:
    • The Binding’s ObjectTypeDescription is Group
    • Attribute IsRequired is True


  5. You should now see a list of the required attributes. You can click on each one to find out more about them. In particular you should check for a regular expression on the Validation tab. Your data must pass the regex (note you can change the regex here if you need to add more possible values).

Populating the values

Some of the required values, like the display name, you can just flow straight from AD. There are a couple of others to which you can just flow a constant value. However, since Advanced rules don’t appear to be available on the ILM MA, you will have to flow those values into the metaverse from the AD MA first.

The Type and Scope will have to be calculated from the groupType attribute in AD, and you will have to set them using the exact terms from the Portal Schema attributes. The following code can be used with advanced import flow rules on the AD MA (the classic type, which I’ve gone back to for the time being).
 

 ' These cases sit inside the Select Case FlowRuleName block of MapAttributesForImport.
 ' groupType is a signed 32-bit value in AD: the security-enabled flag (&H80000000)
 ' makes it negative, so a negative value means a security group.
 Case "import_type"
     If csentry("groupType").IsPresent Then
         If csentry("groupType").IntegerValue < 0 Then
             mventry("type").Value = "Security"
         Else
             mventry("type").Value = "Distribution"
         End If
     End If

 Case "import_scope"
     If csentry("groupType").IsPresent Then
         ' Mask off the sign (security) bit so only the scope flags remain.
         Dim groupScope As Long = csentry("groupType").IntegerValue And &H7FFFFFFFL
         Select Case groupScope
             Case 2
                mventry("scope").Value = "Global"
             Case 4
                mventry("scope").Value = "DomainLocal"
             Case 8
                mventry("scope").Value = "Universal"
             Case Else
                ' Built-in (1) and application groups (&H10, &H20) have no Portal
                ' scope value; leave the attribute unset rather than export a
                ' value the Portal’s validation regex would reject.
                mventry("scope").Delete()
         End Select
     End If

Once the values are all attached to the group objects in the metaverse it is a simple matter to create the export flow rules on the ILM MA.
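The following is an added example, not code from the original post, that does the same groupType decoding as the import flow rules above but outside ILM, so you can check a batch of AD groups against the Portal’s required attributes and regexes before running an Export. The flag values are the documented AD groupType bits; the regexes and the attribute names (DisplayName, Type, Scope) are assumptions standing in for whatever your Schema Management search actually shows, and the group entries are constructed sample data.

```python
import re

# Documented AD groupType flag bits (ADS_GROUP_TYPE_* values).
GROUP_TYPE_BUILTIN_LOCAL = 0x00000001
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_APP_BASIC = 0x00000010
GROUP_TYPE_APP_QUERY = 0x00000020
GROUP_TYPE_SECURITY = 0x80000000

# Scope bit -> the value the Portal schema expects. Assumed here; the exact
# spelling must match the Validation regex on the Portal's Scope binding.
SCOPE_NAMES = {
    GROUP_TYPE_GLOBAL: "Global",
    GROUP_TYPE_DOMAIN_LOCAL: "DomainLocal",
    GROUP_TYPE_UNIVERSAL: "Universal",
}

# Constructed stand-in for the required bindings of the Group object type
# (what the "IsRequired is True" search returns), with their validation
# regexes. These are assumptions for the example, not the real Portal schema.
REQUIRED_GROUP_ATTRIBUTES = {
    "DisplayName": re.compile(r"^.+$"),
    "Type": re.compile(r"^(Security|Distribution)$"),
    "Scope": re.compile(r"^(DomainLocal|Global|Universal)$"),
}


def decode_group_type(value):
    """Return (type, scope) for an AD groupType value.

    Accepts either the signed 32-bit form the AD MA exposes (negative for
    security groups) or the raw unsigned form; both are normalised to the
    same 32-bit pattern before the flags are tested. Scope is None for
    built-in and application groups, which have no Portal scope value.
    """
    bits = value & 0xFFFFFFFF
    group_type = "Security" if bits & GROUP_TYPE_SECURITY else "Distribution"
    scope_bits = bits & ~GROUP_TYPE_SECURITY
    return group_type, SCOPE_NAMES.get(scope_bits)


def prepare_group(cs_entry):
    """Build the Portal-side attribute set from an AD connector-space entry."""
    group_type, scope = decode_group_type(cs_entry["groupType"])
    return {
        "DisplayName": cs_entry.get("displayName"),
        "Type": group_type,
        "Scope": scope,
    }


def validate_for_export(group):
    """Return the problems that would make the Portal reject this group."""
    problems = []
    for name, regex in REQUIRED_GROUP_ATTRIBUTES.items():
        value = group.get(name)
        if value is None:
            problems.append("%s: required attribute missing" % name)
        elif not regex.match(value):
            problems.append("%s: value %r fails validation regex" % (name, value))
    return problems


def check_groups(cs_entries):
    """Map each entry's display name to its export problems (empty if clean)."""
    return {e.get("displayName"): validate_for_export(prepare_group(e))
            for e in cs_entries}


# Constructed sample entries, not real directory data. groupType is given in
# the signed form the AD MA shows; the comments give the unsigned value.
SAMPLE_CS_ENTRIES = [
    {"displayName": "Finance Users", "groupType": -2147483646},   # 0x80000002
    {"displayName": "All Staff", "groupType": 8},                 # 0x00000008
    {"displayName": "Administrators", "groupType": -2147483643},  # 0x80000005
]

if __name__ == "__main__":
    for name, problems in check_groups(SAMPLE_CS_ENTRIES).items():
        print(name, "->", problems or "ok")
```

Running it shows the built-in Administrators group failing on Scope: its groupType carries the built-in bit alongside DomainLocal, so neither the flow rule’s Select Case nor the decoder above assigns a scope, and the Portal would reject the object for the missing required attribute. That is the kind of group to either exclude from the ILM MA’s export or handle with an explicit rule, rather than discovering it one failed-creation-via-web-services error at a time.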

About: Carol

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.