Powershell Connector M:N Membership Provisions fail

Hi,

I'm trying to get provisioning of group memberships to work in a PowerShell dpr project.

 

Synchronization to Identity Manager works as expected, provisioning of users too, but when I finally got the provisioning on membership changes to trigger, I received the following error:

 

What do I have to implement to get this to work?

The ADSample.xml mentions the interface "IPSParameterConverter" but there is nothing about it in the documentation and I haven't found it through Visual Studio's object browser in System Debugger.

 

I am using a custom PowerShell module to connect to a custom target system. The connector definition is closely modeled after the ADSample.xml, so there are commands for add, remove and replace of the members property.

The members are stored in a multi value string attribute of the group objects and are mapped to a virtual M:N property of a class based on UNSGroupB.

I have followed the instructions from the documentation about "Synchronizing and Provisioning Memberships" and have activated "Single Membership Provisioning".

 

I hope somebody has done something similar and has some insight.

 

Best regards

Julian Siebert

  • Hi Julian,

    during the provisioning process modifications of several kinds are sent to the connector depending on the configuration/process. Such modifications can be of type Add, Remove or Replace. To handle this, the following method should help you out:

    1. Create a custom cmdlet that looks similar to the following one. Make sure that it has at least the parameters Mode, AddItems, RemoveItems and ReplaceItems. Further parameters (such as the identity of the "group") can be added as required.

    function Set-Members
    {
        param (
            # Identity of the group whose members are modified
            [parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true)]
            [ValidateNotNullOrEmpty()]
            [String]$identity,

            # Modification type: MODIFY (add/remove) or REPLACE
            [parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)]
            [ValidateNotNullOrEmpty()]
            [String]$Mode,

            [parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)]
            [String[]]$AddItems,

            [parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)]
            [String[]]$RemoveItems,

            [parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)]
            [String[]]$ReplaceItems
        )

        switch($Mode.ToUpper())
        {
            # add/remove
            "MODIFY"
            {
                # $null goes on the left: with an array on the left, -ne filters
                # the array instead of returning a boolean
                if($null -ne $AddItems)
                {
                    #custom cmdlet/script calls to add items
                }

                if($null -ne $RemoveItems)
                {
                    #custom cmdlet/script calls to remove items
                }
            }
            "REPLACE"
            {
                #custom cmdlet/script calls to replace all existing items
            }
            default
            {
                throw "Invalid mode $Mode"
            }
        }
    }

    2. When you define the property itself (i.e. "Members"), make sure that you use the CustomMVP converter

    <Property Name="Members" DataType="String" IsMultivalue="true">
      <ReferenceTargets>
        <ReferenceTarget Class="YourClass1" Property="Identifier" />
        <ReferenceTarget Class="YourClass2" Property="Identifier" />
      </ReferenceTargets>
      <ReturnBindings>
        <Bind CommandResultOf="Get-Group" Path="Members" />
      </ReturnBindings>
      <ModifiedBy>
        <ModBy Command="Set-Members" />
      </ModifiedBy>
      <CommandMappings>
        <Map ToCommand="Set-Members" Converter="CustomMVP"/>
      </CommandMappings>
    </Property>

    3. Add a call to "Set-Members" to your Insert/Update command sequence (don't forget to add the mappings required for the other parameters of Set-Members such as Identity)

     

    Hope that helps,

    Stefan

  • Hi Stephan,

    your answer helped me a lot as I had a similar issue. The one thing I've noticed using the Browse is that I always get the Mode = REPLACE, I wasn't able to get the MODIFY action.
    Is it a Browser limitation or is there anything else to configure?

    Thanks,
    Piotr
  • Hi Piotr,

    unfortunately the Browser always sends "Replace" modifications. When I write those PowerShell definitions I usually create the CustomCommand as script in the PowerShell ISE and test it there in the different modes before putting it in the XML.

    Regards,
    Stefan
  • Hi Stefan,

    I guess this might be due to some mapping issue, but Provisioning is also always sending REPLACE.

    Log:

    Mapping configuration:

    The mapping has "Maps objects referenced by multi-reference (...)" set.

     

  • You need to check the "Enable relative complement handling (requred for member rules)" option and use the "Multi reference rule" for mapping. The engine then calculates the adds/removes and there should be no replace anymore.

    @Rob: The "Enable Merging" mode just suppresses the difference calculation and just sends the new "adds" or new "removes" stored in DPRMembershipAction to the connector. This prevents overwriting changes that were done directly in the target system.
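
Added example, not part of any post in this thread and not the vendor's code: the Set-Members skeleton from Stefan's answer with the bodies filled in, run in both modes to show the difference between sending a delta and sending a full replace as discussed in the reply above. The in-memory `$GroupStore`, the group name and the member names are constructed assumptions standing in for the custom target system.

```powershell
# Constructed in-memory stand-in for the target system (assumption, not a real API).
$script:GroupStore = @{
    'grp-demo' = [System.Collections.Generic.List[string]]@('alice', 'bob')
}

function Set-Members {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()][string]$Identity,
        # Reject anything but the two modes instead of falling through a switch.
        [Parameter(Mandatory = $true)][ValidateSet('MODIFY', 'REPLACE')][string]$Mode,
        [string[]]$AddItems,
        [string[]]$RemoveItems,
        [string[]]$ReplaceItems
    )

    if (-not $script:GroupStore.ContainsKey($Identity)) { throw "Unknown group '$Identity'" }
    $members = $script:GroupStore[$Identity]

    switch ($Mode) {
        'MODIFY' {
            # Apply only the delta; anything else already in the list is untouched.
            foreach ($item in $AddItems) {
                if ($item -and -not $members.Contains($item)) { $members.Add($item) }
            }
            foreach ($item in $RemoveItems) {
                if ($item) { [void]$members.Remove($item) }
            }
        }
        'REPLACE' {
            # Overwrite the stored list with exactly what was sent.
            $members.Clear()
            foreach ($item in $ReplaceItems) {
                if ($item) { $members.Add($item) }
            }
        }
    }
    $members.ToArray()   # emit the resulting membership for inspection
}

# 'carol' is added directly in the target system, outside provisioning.
$script:GroupStore['grp-demo'].Add('carol')

# Delta run: unassign bob, assign dave. The out-of-band member is not part of the delta.
Set-Members -Identity 'grp-demo' -Mode MODIFY -AddItems 'dave' -RemoveItems 'bob'

# Full-list run built from the provisioning side's view, which never saw carol.
Set-Members -Identity 'grp-demo' -Mode REPLACE -ReplaceItems 'alice', 'dave'
```

After the MODIFY call carol is still a member; the REPLACE call drops her, which is the overwrite of direct target-system changes that the delta-based settings avoid.
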
  • Hi

    what exactly do you mean by "don't forget to add the mappings required for the other parameters of Set-Members such as Identity"?

    Do you mean e.g. the unique key for the users (members)? But this is automatically provided from OIM with the "AddItems" or "RemoveItems" parameter, isn't it?

    I am asking because in my case the "Set member" function is not called anymore after I have done the changes in the Mapping that you have requested.

    Do you have an idea what could be the problem?

    Thanks and kind regards

    Kirsten