Now the FIM WAL is public we can play with some good ideas without the need to develop your own custom activity or go for PowerShell. Here is the scenario
I have a security group and I do not want the membership to exceed 2. Preferably I want this validation to occur when the submit button is pressed and not after.
- Create an Authorization Workflow activity.
- In the workflow activity, select the request validation option (this is added when FIM WAL is installed)
- In the condition line add the code to
- Check the number of current members – Count([//Target/ExplicitMember]) – a
- Check the number of adds = Count([//Delta/ExplicitMember/Added]) – b
- Check the number of removes – Count([//Delta/ExplicitMember/Removed]) – c
- a + b – c < 3 so it should be something like this
LessThan(Subtract(Add(Count([//Target/ExplicitMember]) , Count([//Delta/ExplicitMember/Added])), Count([//Delta/ExplicitMember/Removed]) ),3)
On the Right hand side add an error message like “You cannot have more than 2 members in the Security Group [//Target/DisplayName]”
- Setup an MPR to trigger the workflow when an Add is done to the Security group. The Target set is one that contains the SG you want to limit (If there isn’t one you can create a set) and the Target attribute is ExplicitMember.
- Now when someone tries to add members and the Net result will be greater than 2 members they will get “Access Denied”