Powershell Connector M:N Membership Provisions fail

Hi,

I'm trying to get provisioning of group memberships to work in a powershell dpr project.

 

Synchronization to Identity Manager works as expected, provisioning of users too, but when I finally got the provisioning on membership changes to trigger, I received the following error:

 

What do I have to implement to get this to work?

The ADSample.xml mentions the interface "IPSParameterConverter" but there is nothing about it in the documentation and I haven't found it through Visual Studio's object browser in System Debugger.

 

I am using a custom powershell module to connect to a custom target system, the connector definition is closely modeled after the ADSample.xml, so there are commands for add, remove and replace of the members property.

The members are stored in a multi value string attribute of the group objects and are mapped to a virtual M:N property of a class based on UNSGroupB.

I have followed the instructions from the documentation about "Synchronizing and Provisioning Memberships" and have activated "Single Membership Provisioning".

 

I hope somebody has done something similar and has some insight.

 

Best regards

Julian Siebert

  • Hi Julian,

    during the provisioning process modifications of several kinds are sent to the connector depending on the configuration/process. Such modifications can be of type Add, Remove or Replace. To handle this, the following method should help you out:

    1. Create a custom cmdlet that looks similar to the following one. Make sure that it has at least the parameters Mode, AddItems, RemoveItems and ReplaceItems. Further parameters (such as the identity of the "group") can be added as required.

    function Set-Members
    {
        param (
            [parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true)]
            [ValidateNotNullOrEmpty()]
            [String]$identity,

            [parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)]
            [ValidateNotNullOrEmpty()]
            [String]$Mode,

            [parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)]
            [String[]]$AddItems,

            [parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)]
            [String[]]$RemoveItems,

            [parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)]
            [String[]]$ReplaceItems
        )

        switch($mode.ToUpper())
        {
            "MODIFY" #add/remove
            {
                # $null goes on the left: "$array -ne $null" filters the array instead of testing it
                if($null -ne $AddItems)
                {
                    #custom cmdlet/script calls to add items
                }

                if($null -ne $RemoveItems)
                {
                    #custom cmdlet/script calls to remove items
                }
            }
            "REPLACE"
            {
                #custom cmdlet/script calls to replace all existing items
            }
            default
            {
                # reject any mode the function does not handle
                throw "Invalid mode $mode"
            }
        }
    }

    2. When you define the property itself (i.e. "Members"), make sure that you use the CustomMVP converter.

    <Property Name="Members" DataType="String" IsMultivalue="true">
        <ReferenceTargets>
            <ReferenceTarget Class="YourClass1" Property="Identifier" />
            <ReferenceTarget Class="YourClass2" Property="Identifier" />
        </ReferenceTargets>
        <ReturnBindings>
            <Bind CommandResultOf="Get-Group" Path="Members" />
        </ReturnBindings>
        <ModifiedBy>
            <ModBy Command="Set-Members" />
        </ModifiedBy>
        <CommandMappings>
            <Map ToCommand="Set-Members" Converter="CustomMVP"/>
        </CommandMappings>
    </Property>

    3. Add a call to "Set-Members" to your Insert/Update command sequence (don't forget to add the mappings required for the other parameters of Set-Members such as Identity)

     

    Hope that helps,

    Stefan
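
An added example, not part of Stefan's post or the product's samples: the same Mode/AddItems/RemoveItems/ReplaceItems contract with the placeholder comments filled in against a constructed in-memory group store, so the Modify and Replace semantics can be tried outside the connector. `Set-DemoMembers` and `$DemoGroups` are hypothetical names; a real connector would call the target system's own cmdlets at those points.

```powershell
# Constructed stand-in for the custom target system: group name -> member list.
$script:DemoGroups = @{
    'GroupA' = [System.Collections.Generic.List[string]]@('alice', 'bob')
}

function Set-DemoMembers   # hypothetical name, same parameter contract as Set-Members
{
    param (
        [parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true)]
        [ValidateNotNullOrEmpty()]
        [String]$Identity,
        [parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)]
        [String]$Mode,
        [parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)]
        [String[]]$AddItems,
        [parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)]
        [String[]]$RemoveItems,
        [parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)]
        [String[]]$ReplaceItems
    )

    if (-not $script:DemoGroups.ContainsKey($Identity)) { throw "Unknown group $Identity" }
    $members = $script:DemoGroups[$Identity]

    switch ($Mode)   # switch matches strings case-insensitively by default
    {
        'Modify'
        {
            # Idempotent delta: re-adding a member or removing a missing one is a no-op.
            foreach ($m in @($AddItems))    { if ($m -and -not $members.Contains($m)) { $members.Add($m) } }
            foreach ($m in @($RemoveItems)) { if ($m) { [void]$members.Remove($m) } }
        }
        'Replace'
        {
            # Full overwrite: an empty ReplaceItems leaves the group with no members.
            $members.Clear()
            foreach ($m in @($ReplaceItems)) { if ($m -and -not $members.Contains($m)) { $members.Add($m) } }
        }
        default { throw "Invalid mode $Mode" }   # fail on anything unexpected
    }
    ,$members.ToArray()   # emit the resulting membership as a single array
}

# Delta change: carol is added, bob is already present, alice is removed.
Set-DemoMembers -Identity 'GroupA' -Mode Modify -AddItems 'carol','bob' -RemoveItems 'alice'
# Full replacement of the member list.
Set-DemoMembers -Identity 'GroupA' -Mode Replace -ReplaceItems 'dave'
```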

  • Hi

    what exactly do you mean with "don't forget to add the mappings required for the other parameters of Set-Members such as Identity"?

    Do you mean f.e. the unique key for the users (members)? But this is automatically provided from OIM with the "AddItems" or "RemoveItems" parameter isn't it?

    I am asking because in my case the "Set member" function is not called anymore after I have done the changes in the Mapping that you have requested.

    Do you have an idea what could be the problem?

    Thanks and kind regards

    Kirsten
