lithnet / googleapps-managementagent

Google Workspace Management Agent for MIM 2016
MIT License

Help for external member #47

Closed. briuccio closed this issue 4 years ago

briuccio commented 4 years ago

Hello, I'm trying to sync Google groups and their membership from an on-premises Active Directory. Users are already created on Google and I need to provision new groups with FIM and then add membership.

I'm able to create new groups correctly and add members that already exist on Google, but I'm not able to add external members (not of the domain defined on the Google tenant) that are defined in on-premises groups. Could you suggest how to distinguish the membership type?

ryannewington commented 4 years ago

I'm not going to lie, this scenario sucks.

You have to use the externalMembers attribute to put non-reference attributes in. This attribute accepts plain text strings.

However, you need to make sure email addresses in your domain don't appear in that attribute. Using the MA you can import all the domains in your google tenant into fim service and do something like a custom workflow when adding a value to the externalMembers attribute to ensure the domain does not exist in your tenant.

It's not pretty, but it's all we can do.

briuccio commented 4 years ago

Hello Ryan, thank you for your quick answer as always. Since all members are imported from the AD MA as distinct member references, it's not clear to me in which phase I have to distinguish the externalMembers from the "normal" members. I tried to set up a rule extension in the import phase of the AD MA, but it seems it is not possible to do a rule extension starting from a reference attribute. I also tried to read the references from the AD MA during the provisioning phase, but an exception is thrown:

System.InvalidOperationException: Unable to access attribute member. Reference values not accessible on MV objects.

ryannewington commented 4 years ago

If your source data has them as references, there's nothing you can do to change that.

You really only have two choices that I can see.

  1. Find a way to bring the external members into FIM as string attributes. You'd need to do something like create a PowerShell-based MA and import the groups, filtering to the members you want, and passing them through as string values. You could then join to the 'real' group and pass the filtered string-based membership into the externalMembers attribute.

  2. Get the objects into google so you can treat them as references.
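The two points above (keeping in-tenant addresses out of externalMembers, and filtering an on-premises group's members down to string values before they reach the Google MA) both reduce to the same check: take the domain after the last `@` of each member's mail address and compare it, case-insensitively, against the full list of domains registered in the Google tenant. The script below is an added example written for this thread; it is not code from the management agent or from the Lithnet PowerShell MA, and it does not use their import-script conventions. The tenant domain list and the group members are constructed sample data; in a real import script you would read the domains from the Google MA (or the MIM service) and resolve members with Get-ADGroupMember / Get-ADUser. The function names `Get-MailDomain` and `Split-GroupMembership` are this example's own.

```powershell
# Added example (not part of the project): split on-premises group members into
# in-tenant addresses (handled as references by the normal 'member' flow) and
# external addresses (string values destined for externalMembers).

# Constructed: primary and secondary domains of the Google tenant. This list must
# include every secondary domain and domain alias, otherwise a real user will be
# pushed into externalMembers as a plain string.
$tenantDomains = @('example.com', 'example.org')

# Constructed: what an AD group's members look like once their mail is resolved.
$groupMembers = @(
    [pscustomobject]@{ SamAccountName = 'alice';   Mail = 'alice@example.com' },
    [pscustomobject]@{ SamAccountName = 'bob';     Mail = 'Bob@Sub.Example.com' },  # subdomain not registered in tenant
    [pscustomobject]@{ SamAccountName = 'partner'; Mail = 'partner@contoso.com' },
    [pscustomobject]@{ SamAccountName = 'svc';     Mail = $null },                  # no mail: cannot be a Google member
    [pscustomobject]@{ SamAccountName = 'carol';   Mail = 'carol@EXAMPLE.ORG' }
)

function Get-MailDomain {
    param([string]$Address)
    # Domain is everything after the LAST '@'; reject empty, missing or trailing '@'.
    $at = $Address.LastIndexOf('@')
    if ($at -lt 1 -or $at -eq $Address.Length - 1) { return $null }
    return $Address.Substring($at + 1).ToLowerInvariant()
}

function Split-GroupMembership {
    param(
        [object[]]$Members,
        [string[]]$TenantDomains
    )
    # Exact, case-insensitive match on the whole domain. A subdomain of a tenant
    # domain is NOT a tenant domain unless it was registered in Google separately.
    $tenant = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($d in $TenantDomains) { [void]$tenant.Add($d) }

    $internal = New-Object System.Collections.Generic.List[string]
    $external = New-Object System.Collections.Generic.List[string]
    $skipped  = New-Object System.Collections.Generic.List[string]

    foreach ($m in $Members) {
        $domain = Get-MailDomain -Address ([string]$m.Mail)
        if (-not $domain) { $skipped.Add($m.SamAccountName); continue }

        $mail = $m.Mail.ToLowerInvariant()
        if ($tenant.Contains($domain)) {
            # In-tenant address: leave it to the reference-based member flow;
            # it must never be written to externalMembers.
            $internal.Add($mail)
        } else {
            $external.Add($mail)
        }
    }

    [pscustomobject]@{ Internal = $internal; External = $external; Skipped = $skipped }
}

$result = Split-GroupMembership -Members $groupMembers -TenantDomains $tenantDomains
"in-tenant (references): $($result.Internal -join ', ')"
"externalMembers values: $($result.External -join ', ')"
"skipped (no mail):      $($result.Skipped -join ', ')"
```

With the sample data, `partner@contoso.com` and `bob@sub.example.com` end up in the external list and `alice@example.com` / `carol@example.org` stay on the reference side; `svc` is reported rather than silently dropped. The same `Split-GroupMembership` check is what a custom workflow on the externalMembers attribute would run before accepting a value, so the list of tenant domains is the one thing to keep authoritative on both paths.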

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.