I have already talked about creating a FIM Bulk User tool in the Portal. Here I want to look at an example of using this tool to update an attribute in the Portal. The tool is based on the PowerShell workflow engine, as discussed. I will take the Manager field, which is an interesting and perhaps not so straightforward field to update. We will discuss why it is like this.
The Manager field is a single-value reference attribute. In the FIM Portal you cannot delete a single-value reference attribute via OOB PowerShell. (FYI, if you are using Lithnet PowerShell you do not need the extra gyration I have below; you update it like any other attribute.) The only way to clear an existing value is to use the OOB Function Evaluator and put a string value of a single space in it.
If we have to update the Manager field of a number of users, we cannot do a replace on a single-value reference attribute. We have to do two operations: the first clears the existing value and the second puts the new value.
- Create a new indexed string attribute for the User object called “RequestRemoveManager”
- Update the Administrators can Update User MPR and the Admin filter Permission MPR with this new attribute.
- Create a Set called “Request Remove Manager”. The criteria should be users that match all of: “RequestRemoveManager” is “Yes”.
- Create a Workflow called “Request Remove Manager”. Select Function Evaluator for the activity. Name: Remove Manager, Destination: [//Target/Manager], Value: String; enter a space.
- Create a Transition In MPR. The Target Set is “Request Remove Manager”. Attach the Request Remove Manager workflow.
- Write a PowerShell script to read user information from a file, use an XPath filter to get the ObjectID, then set the RequestRemoveManager attribute to “Yes”. This will trigger the workflow to clear the Manager field.
- If you want to replace the existing Manager value with another value, write a PowerShell script to read user information from a file and parse out the user identifier and the new field value. The identifier can be Email, EmployeeID or SAM. The new manager value should be in line with the identifier chosen, so if you are using SAM as the identifier, put the manager’s SAM and the user’s SAM. You will use XPath to get the ObjectID for the user and the manager. Set RequestRemoveManager to “Yes” to clear the Manager field, then set the Manager field to the new value read from the file. Because you are triggering a workflow to clear the field first, you may put a 5 second sleep in your script to give the workflow time to run before you update the Manager field.
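
A sketch of the replace script from the last two steps, using only the OOB FIMAutomation snap-in. This is an added example, not the Bulk User tool's own code. The service URI, the CSV path and its `User,Manager` header, the use of `AccountName` for the SAM identifier, and the allow-list pattern for identifiers are all assumptions.

```powershell
# Added example. Assumed: service URI, CSV path/columns, AccountName as the SAM attribute.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
$Uri     = 'http://localhost:5725/ResourceManagementService'   # assumed service address
$CsvPath = '.\managers.csv'   # hypothetical file, header: User,Manager (SAM values)

function Get-PersonId([string]$Sam) {
    # Values come from a file, so allow-list them before they reach the XPath filter.
    if ($Sam -notmatch '^[A-Za-z0-9._-]{1,64}$') { throw "Invalid identifier '$Sam'" }
    $filter = "/Person[AccountName='$Sam']"
    $found  = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $filter)
    # Zero or several matches means the row is ambiguous; do not guess.
    if ($found.Count -ne 1) { throw "Expected 1 Person for '$Sam', found $($found.Count)" }
    $found[0].ResourceManagementObject.ObjectIdentifier
}

function Set-PersonAttribute([string]$Id, [string]$Name, [string]$Value) {
    $ns = 'Microsoft.ResourceManagement.Automation.ObjectModel'
    $change = New-Object "$ns.ImportChange"
    $change.Operation      = 'Replace'      # string is converted to ImportOperation
    $change.AttributeName  = $Name
    $change.AttributeValue = $Value
    $change.FullyResolved  = 1
    $change.Locale         = 'Invariant'

    $import = New-Object "$ns.ImportObject"
    $import.ObjectType             = 'Person'
    $import.SourceObjectIdentifier = $Id
    $import.TargetObjectIdentifier = $Id
    $import.State                  = 'Put'  # update an existing resource
    $import.Changes                = @($change)
    $import | Import-FIMConfig -Uri $Uri -ErrorAction Stop | Out-Null
}

foreach ($row in Import-Csv $CsvPath) {
    try {
        # Resolve both sides first so a bad row never leaves a user with no manager.
        $userId    = Get-PersonId $row.User
        $managerId = Get-PersonId $row.Manager
        Set-PersonAttribute $userId 'RequestRemoveManager' 'Yes'  # fires the clearing workflow
        Start-Sleep -Seconds 5                                    # let the workflow finish
        Set-PersonAttribute $userId 'Manager' $managerId
        Write-Output "OK   $($row.User) -> $($row.Manager)"
    } catch {
        Write-Warning "SKIP $($row.User): $_"
    }
}
```

The workflow runs only when a user transitions into the “Request Remove Manager” set, so a user whose RequestRemoveManager is already “Yes” from an earlier run will not have the Manager field cleared again by this script.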