Hi Peter
I had a similar query recently, so this is still fresh in my head.
My research found that the modification of group membership, admin roles and provisioning roles (i.e. anything relationship-based) is not supported by bulk load.
To successfully establish the relationship we should use a PX to set this by the bulk load.
Alternatively, we could use an LDIF file to populate the relationship directly in the directory.
As part of my research I have tried adding a group to a user (with Modify User task / User as managed object). While the entry on the user itself is updated (imGroupsMemberOf), the entry on the group is not updated (uniqueMember), which makes it an incomplete reference. This is of course different behavior from triggering the same task via the UI, where the background logic takes care of the relationship between the group and the members.
The most straightforward way to achieve this is with an LDIF file. While this operation is not utilizing the Identity Manager UI, it is quick and straightforward to process the data.
Below is a sample of an LDIF file - call it group1.ldif:
==========================================
version: 1

dn: cn=Group1,ou=groups,ou=im,ou=ca,o=com
changetype: modify
add: uniqueMember
uniqueMember: uid=Zebra10,ou=people,ou=org2,ou=im,ou=ca,o=com
uniqueMember: uid=Zebra11,ou=people,ou=org2,ou=im,ou=ca,o=com

dn: uid=Zebra10,ou=people,ou=org2,ou=im,ou=ca,o=com
changetype: modify
add: imGroupsMemberOf
imGroupsMemberOf: cn=Group1,ou=groups,ou=im,ou=ca,o=com

dn: uid=Zebra11,ou=people,ou=org2,ou=im,ou=ca,o=com
changetype: modify
add: imGroupsMemberOf
imGroupsMemberOf: cn=Group1,ou=groups,ou=im,ou=ca,o=com
==========================================
As you can see, we are first adding the members on the group level (one uniqueMember per user), then we are adding the group to the user entry.
We are using the 'add' to ensure no data is overwritten but only added to existing groups.
This LDIF is then processed via ldapmodify.exe (which can be found under the Provisioning Server/bin folder as well as the Provisioning Manager/bin folder).
We process it either manually or via a scheduled command in a way similar to the following:
C:\CA\Identity Manager\Provisioning Manager\bin>ldapmodify.exe -h <directory host> -p <directory port> -D <directory admin> -w <directory admin password> -f <path to group1.ldif>
In parallel, we would highly recommend raising an idea (AKA Enhancement Request) via our community, to add support for the Bulk Load to handle relationships as it does when the task is used in the UI.
Hope this is useful
Regards
Rinat Matityahu
Principal Support Engineer
Broadcom Technical Support - EMEA
Original Message:
Sent: 05-07-2020 07:56 AM
From: Peter Foehns
Subject: Bulkload groupmembers
Hi
Is it possible to bulk load group members in IM?
I'm hitting a wall with the following CSV file:
Action, %GROUP_NAME%,%GROUP_MEMBERSHIP%
Modify,"Group name","USER ID"
Primary object is set to "GROUP"
Task goes to "Audited", so it doesn't seem like any change is seen by IM.
Best regards
Peter Lysén Føhns
IAM Specialist
ICY Security
Vandtårnsvej 62A
1. sal E, Lokale 20
2860 Søborg
www.icysecurity.dk
+45 2619 9934
peter.foehns@icysecurity.dk
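The two-sided LDIF approach from the reply above, as an added example that is not part of the original thread or of any Broadcom tooling: a generator that writes the group-side `uniqueMember` and the user-side `imGroupsMemberOf` change records together, so neither half of the reference is missing, and escapes the CSV values so that an ID cannot alter the DN. The CSV column names, the function names and the reuse of the DN layout from the sample LDIF are assumptions.

```python
import base64
import csv
import io
from collections import defaultdict

# Assumptions: DN layout copied from the post's sample LDIF; CSV columns are hypothetical.
GROUP_DN = "cn={},ou=groups,ou=im,ou=ca,o=com"
USER_DN = "uid={},ou=people,ou=org2,ou=im,ou=ca,o=com"
SAMPLE_CSV = "group,user\nGroup1,Zebra10\nGroup1,Zebra11\n"  # constructed sample input

def escape_rdn(value):
    """Escape RFC 4514 special characters so a CSV value cannot alter the DN."""
    out = ["\\" + c if c in '"+,;<>\\' else c for c in value]
    if out and out[0] in ("#", " "):
        out[0] = "\\" + out[0]
    if out and out[-1] == " ":
        out[-1] = "\\ "
    return "".join(out)

def ldif_line(attr, value):
    """Return 'attr: value', or base64 'attr:: ...' when RFC 2849 requires it."""
    unsafe = (not value.isascii() or any(c in value for c in "\0\r\n")
              or value[:1] in (" ", ":", "<") or value.endswith(" "))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"

def build_membership_ldif(csv_text):
    """Build one LDIF (blank line between records) covering both sides of each link."""
    members = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        group = (row.get("group") or "").strip()
        user = (row.get("user") or "").strip()
        if not group or not user:
            raise ValueError(f"incomplete row: {row!r}")
        g, u = GROUP_DN.format(escape_rdn(group)), USER_DN.format(escape_rdn(user))
        if u not in members[g]:
            members[g].append(u)
    records = []
    for g, users in members.items():
        records.append([ldif_line("dn", g), "changetype: modify", "add: uniqueMember"]
                       + [ldif_line("uniqueMember", u) for u in users])
        for u in users:
            records.append([ldif_line("dn", u), "changetype: modify",
                            "add: imGroupsMemberOf", ldif_line("imGroupsMemberOf", g)])
    return "version: 1\n\n" + "\n\n".join("\n".join(r) for r in records) + "\n"

if __name__ == "__main__":
    print(build_membership_ldif(SAMPLE_CSV), end="")
```

The output for the sample input matches group1.ldif above and can be passed to ldapmodify.exe with `-f` in the same way.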