I get the FIM design team’s speech that a FIM Set is a configuration object and a security group (SG) is a managed object. But that there is really no OOB way to link the two objects makes it funny and not so funny: you cannot add an SG to a Set, and vice versa. Here is a workaround; you will need the PowerShell workflow activity available on CodePlex.
- Create a Set that has exactly the same display name as the SG.
- Create a Set called “Sync SG with Set”. Add a criterion that includes the groups whose Resource ID matches the ones you want to sync. So let’s say you are syncing “FIMPortalUserAdmin”, for which you created a Set in the previous step. In “Sync SG with Set”, the criteria will be: “Group” matches “any” of the following conditions: “Resource ID” is “FIMPortalUserAdmin”. Any time in the future you have another SG you want to sync, just add it to the criteria.
- Create an action workflow that triggers a PowerShell script. The PowerShell script will:
  - Read the members of the SG and the members of the Set.
  - If there are any members of the SG that aren’t in the Set, add them to the Set.
  - If there are any members of the Set who are not in the SG, remove them from the Set.
- Create an MPR that fires when the membership attribute of the members of “Sync SG with Set” is changed. Attach the workflow to this MPR.
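The following is an added example of what the PowerShell script behind the action workflow can look like; it is not the original post’s script and not part of the CodePlex activity. It uses the FIMAutomation snap-in (Export-FIMConfig / Import-FIMConfig) and assumes a manually managed group (members held in ExplicitMember), a Set created with the same display name, a service endpoint at the default port, and a caller whose MPRs allow reading both objects and modifying the Set’s ExplicitMember. The parameter name, helper function names and the display name “FIMPortalUserAdmin” are illustrative.

```powershell
# Added example: keep a Set's explicit membership in step with a security group's
# explicit membership. Not the post's own script; helper names are hypothetical.
param(
    [Parameter(Mandatory = $true)][string]$GroupDisplayName,   # e.g. "FIMPortalUserAdmin"
    [string]$Uri = "http://localhost:5725/ResourceManagementService"
)

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# Export exactly one object for an XPath filter. Fail closed on zero or several
# matches so a display-name collision can never cause a write to the wrong Set.
function Get-SingleFimObject([string]$XPath) {
    $result = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $XPath)
    if ($result.Count -ne 1) {
        throw "Expected exactly one object for '$XPath', found $($result.Count)."
    }
    return $result[0]
}

# Return an attribute's values as a string array; reference values come back as "urn:uuid:...".
function Get-FimAttributeValues($ExportObject, [string]$AttributeName) {
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $AttributeName }
    if ($null -eq $attr) { return @() }
    if ($attr.IsMultiValue) { return @($attr.Values) }
    return @($attr.Value)
}

# Build one ImportChange ('Add' or 'Delete') against the Set's ExplicitMember attribute.
function New-MemberChange([string]$Operation, [string]$MemberId) {
    $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $change.Operation      = $Operation
    $change.AttributeName  = 'ExplicitMember'
    $change.AttributeValue = $MemberId
    $change.FullyResolved  = 1
    $change.Locale         = 'Invariant'
    return $change
}

$group = Get-SingleFimObject "/Group[DisplayName='$GroupDisplayName']"
$set   = Get-SingleFimObject "/Set[DisplayName='$GroupDisplayName']"

# Step 1 of the script: read both membership lists.
$groupMembers = Get-FimAttributeValues $group 'ExplicitMember'
$setMembers   = Get-FimAttributeValues $set   'ExplicitMember'

# Steps 2 and 3: members in the SG but not the Set are added; members in the Set but not the SG are removed.
$toAdd    = @($groupMembers | Where-Object { $setMembers   -notcontains $_ })
$toRemove = @($setMembers   | Where-Object { $groupMembers -notcontains $_ })

if ($toAdd.Count -eq 0 -and $toRemove.Count -eq 0) {
    Write-Output "Set '$GroupDisplayName' already matches the group; nothing to do."
    return
}

# A single Put request carries every add and delete, so the Set changes in one operation.
$import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$import.ObjectType             = 'Set'
$import.TargetObjectIdentifier = $set.ResourceManagementObject.ObjectIdentifier
$import.SourceObjectIdentifier = $import.TargetObjectIdentifier
$import.State                  = 'Put'
foreach ($id in $toAdd)    { $import.Changes += New-MemberChange 'Add'    $id }
foreach ($id in $toRemove) { $import.Changes += New-MemberChange 'Delete' $id }

$import | Import-FIMConfig -Uri $Uri
Write-Output ("Set '{0}': added {1}, removed {2}." -f $GroupDisplayName, $toAdd.Count, $toRemove.Count)
```

The workflow activity would pass the changed group’s display name (or its resource ID, if you adjust the first XPath) into `$GroupDisplayName`. Two points worth keeping when adapting it: the exactly-one-match check is what stops a second object with the same display name from silently receiving someone else’s membership, and the display name is interpolated verbatim into the XPath filter, so a name containing an apostrophe needs escaping before it is used.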
Now that the MIM WAL has been released to the public, here is a way to do the above with the WAL