Manage group owners with MIMWAL

Group management with FIM/MIM is easy when everything is set up. If you have approval and escalation workflows defined, end users can easily request group membership for themselves. But what happens when an employee who is also the owner of, say, 30 groups leaves the company and is deleted from the FIM/MIM Portal? Usually, he is silently removed from the group Owner attribute and every join request from then on is rejected.

To address this issue, we will take advantage of the powerful MIMWAL workflow library and re-assign group ownership to the original owner’s manager.

Create a workflow containing an Update Resource activity:

First, we need to query the groups where Owner or Displayed Owner is the user who is leaving the company:

  • Displayed Owner XPath:

    /Group[DisplayedOwner = '[//Target]']

    (get all groups where the user is specified as displayed owner; referenced below as //Queries/GroupsDisplayedOwner)

  • Owner XPath:

    /Group[Owner = '[//Target]']

    (get all groups where the user is specified as owner; referenced below as //Queries/GroupsOwner)

Second, we need to update the groups with the new owner:

  • RemoveValues([//Target])

    from

    [//Queries/GroupsOwner/Owner]

    (remove target from owned groups)

  • InsertValues([//Target/Manager])

    into

    [//Queries/GroupsOwner/Owner]

    (adds manager as owner of queried groups)

  • [//Target/Manager]

    into

    [//Queries/GroupsDisplayedOwner/DisplayedOwner]

    (replaces the displayed owner with the manager; Displayed Owner is a single-valued attribute)

Lastly, we just need to trigger the created workflow with an MPR:

  1. Set transition: Automatic process (e.g. when the user becomes a member of the Disabled Users set)
  2. Request based: If you want to manually specify a new user taking the position of the previous one (in that case, don't forget to replace /Target/Manager with your own value).
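
Before enabling the MPR, it helps to preview what the two queries will match for a given leaver and whether that user actually has a manager to hand ownership to. The script below is an added example, not part of the original post or of MIMWAL: it is read-only and assumes the FIMAutomation snap-in on the MIM Service host, the default service endpoint, a constructed account name (jdoe) and a hypothetical helper, Get-FimAttributeValues.

```powershell
# Added example: read-only preview, nothing is modified.
# Assumptions: FIMAutomation snap-in is available, default service endpoint,
# and 'jdoe' is a constructed sample account name.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
$uri         = 'http://localhost:5725/ResourceManagementService'
$accountName = 'jdoe'

# Hypothetical helper: value(s) of one attribute from an Export-FIMConfig result.
function Get-FimAttributeValues($ExportObject, [string]$Name) {
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    if ($null -eq $attr) { return @() }
    if ($attr.IsMultiValue) { return @($attr.Values) }
    return @($attr.Value)
}

$user = @(Export-FIMConfig -Uri $uri -OnlyBaseResources `
    -CustomConfig "/Person[AccountName = '$accountName']")
if ($user.Count -ne 1) {
    throw "Expected exactly one Person for '$accountName', found $($user.Count)"
}

# XPath filters take the bare GUID, so strip the urn:uuid: prefix.
$userId  = $user[0].ResourceManagementObject.ObjectIdentifier -replace '^urn:uuid:', ''
$manager = @(Get-FimAttributeValues $user[0] 'Manager')
if ($manager.Count -eq 0) {
    Write-Warning "'$accountName' has no Manager: there is nobody to hand ownership to."
}

# Same two filters as the workflow queries, keyed by the names used in the updates.
$queries = [ordered]@{
    GroupsOwner          = "/Group[Owner = '$userId']"
    GroupsDisplayedOwner = "/Group[DisplayedOwner = '$userId']"
}

$report = foreach ($key in $queries.Keys) {
    $groups = @(Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig $queries[$key])
    foreach ($group in $groups) {
        $owners = @(Get-FimAttributeValues $group 'Owner')
        [pscustomobject]@{
            Query      = $key
            Group      = @(Get-FimAttributeValues $group 'DisplayName') -join ''
            OwnerCount = $owners.Count
            SoleOwner  = ($owners.Count -eq 1)   # true when the group has a single Owner value
            NewOwner   = $manager -join ''
        }
    }
}
$report | Sort-Object Group, Query | Format-Table -AutoSize
```

Rows with SoleOwner set to True are the groups whose join requests depend entirely on the reassignment succeeding.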