Group

Defines a group of FIM resources.

Schema

<?xml version="1.0"?>
<xs:schema xmlns:rm="https://schemas.microsoft.com/2006/11/ResourceManagement" targetNamespace="https://schemas.microsoft.com/2006/11/ResourceManagement" version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:complexType name="Group">
    <xs:sequence>
      <xs:element minOccurs="0" name="ObjectID" type="rm:ReferenceType" />
      <xs:element minOccurs="1" name="ObjectType">
        <xs:simpleType>
          <xs:restriction base="xs:string">
            <xs:pattern value=".{0,448}" />
          </xs:restriction>
        </xs:simpleType>
      </xs:element>
      <xs:element minOccurs="1" name="CreatedTime" type="xs:dateTime" />
      <xs:element minOccurs="0" name="Creator" type="rm:ReferenceType" />
      <xs:element minOccurs="0" name="MVObjectID">
        <xs:simpleType>
          <xs:restriction base="xs:string">
            <xs:pattern value=".{0,448}" />
          </xs:restriction>
        </xs:simpleType>
      </xs:element>
      <xs:element minOccurs="0" name="DeletedTime" type="xs:dateTime" />
      <xs:element minOccurs="0" name="Description">
        <xs:simpleType>
          <xs:restriction base="xs:string">
            <xs:pattern value=".{0,448}" />
          </xs:restriction>
        </xs:simpleType>
      </xs:element>
      <xs:element minOccurs="0" name="DetectedRulesList" type="rm:ReferenceCollectionType" />
      <xs:element minOccurs="0" name="DisplayName">
        <xs:simpleType>
          <xs:restriction base="xs:string">
            <xs:pattern value=".{0,448}" />
          </xs:restriction>
        </xs:simpleType>
      </xs:element>
      <xs:element minOccurs="0" name="ExpectedRulesList" type="rm:ReferenceCollectionType" />
      <xs:element minOccurs="0" name="ExpirationTime" type="xs:dateTime" />
      <xs:element minOccurs="0" name="Locale">
        <xs:simpleType>
          <xs:restriction base="xs:string">
            <xs:pattern value=".{0,448}" />
          </xs:restriction>
        </xs:simpleType>
      </xs:element>
      <xs:element minOccurs="0" name="ResourceTime" type="xs:dateTime" />
      <xs:element minOccurs="0" name="ComputedMember" type="rm:ReferenceCollectionType" />
      <xs:element minOccurs="0" name="AccountName">
        <xs:simpleType>
          <xs:restriction base="xs:string">
            <xs:pattern value="^[^&quot;/\\[\]:;|=,+/*?&lt;&gt;]{1,64}$" />
          </xs:restriction>
        </xs:simpleType>
      </xs:element>
      <xs:element minOccurs="1" name="Domain">
        <xs:simpleType>
          <xs:restriction base="xs:string">
            <xs:pattern value=".{0,448}" />
          </xs:restriction>
        </xs:simpleType>
      </xs:element>
      <xs:element minOccurs="0" name="DisplayedOwner" type="rm:ReferenceType" />
      <xs:element minOccurs="0" name="DomainConfiguration" type="rm:ReferenceType" />
      <xs:element minOccurs="0" name="Email">
        <xs:simpleType>
          <xs:restriction base="xs:string">
            <xs:pattern value=".{0,448}" />
          </xs:restriction>
        </xs:simpleType>
      </xs:element>
      <xs:element minOccurs="0" name="ExplicitMember" type="rm:ReferenceCollectionType" />
      <xs:element minOccurs="0" name="Filter" type="xs:string" />
      <xs:element minOccurs="0" name="MailNickname">
        <xs:simpleType>
          <xs:restriction base="xs:string">
            <xs:pattern value="^[^@ ]{1,64}$" />
          </xs:restriction>
        </xs:simpleType>
      </xs:element>
      <xs:element minOccurs="1" name="MembershipAddWorkflow">
        <xs:simpleType>
          <xs:restriction base="xs:string">
            <xs:pattern value="^(None|Custom|Owner Approval)?$" />
          </xs:restriction>
        </xs:simpleType>
      </xs:element>
      <xs:element minOccurs="1" name="MembershipLocked" type="xs:boolean" />
      <xs:element minOccurs="0" name="ObjectSID" type="xs:base64Binary" />
      <xs:element minOccurs="0" name="Owner" type="rm:ReferenceCollectionType" />
      <xs:element minOccurs="1" name="Scope">
        <xs:simpleType>
          <xs:restriction base="xs:string">
            <xs:pattern value="^(DomainLocal|Global|Universal)$" />
          </xs:restriction>
        </xs:simpleType>
      </xs:element>
      <xs:element minOccurs="0" name="SIDHistory" type="rm:BinaryCollectionType" />
      <xs:element minOccurs="0" name="Temporal" type="xs:boolean" />
      <xs:element minOccurs="1" name="Type">
        <xs:simpleType>
          <xs:restriction base="xs:string">
            <xs:pattern value="^(Distribution|Security|MailEnabledSecurity)$" />
          </xs:restriction>
        </xs:simpleType>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
</xs:schema>

Properties

The following table lists the properties of the Group resource:

Property Description

AccountName

Optional String property. Account name of the group. Must conform to the xs:pattern ^[^&quot;/\\[\]:;|=,+/*?&lt;&gt;]{1,64}$ (see W3C XML Schema). The length of the string must be between 1 and 64 characters.

ComputedMember

Optional ReferenceCollection property that contains references to resources that are members of the Group. These resources are computed as the union of ExplicitMember and resources that are in the scope of the Filter.

DisplayedOwner

Optional property. Reference to a Person resource that will be shown as the owner of the group in applications in which only one owner can be displayed (such as Microsoft Outlook and Microsoft Exchange Server). With default FIM permissions, the DisplayedOwner of the group does not have any special permissions to perform actions on the group. In order to make the DisplayedOwner have the permissions given to Owners of the group, the Person referenced by the DisplayedOwner property must also be referenced by the Owner property.

Domain

Optional String property. Domain where the Group exists or will be created. The String length must be no more than 448 characters.

DomainConfiguration

Optional property. Contains a Reference to the parent Domain resource for this resource.

Email

Optional property. The e-mail address for the Group. The String length must be no more than 448 characters.

ExplicitMember

Optional multi-valued Reference property. This property defines static members of the Group.

Filter

Optional String property. Defines a WS-Enumeration Filter type (wsen:Filter) (see Enumeration Endpoint) that manages the membership of the group. Filter is used to specify the scope of criteria-based membership of a dynamic group. See FIM XPath Filter Dialect.

MailNickname

Optional String property. The e-mail alias for the Group. The String length must be between 1 and 64 characters.

Tip

It is recommended that the customer follow the naming conventions of the destination e-mail service (for example, Exchange) to ensure that synchronization between FIM Service and the e-mail service works correctly.

MembershipAddWorkflow

Required property. String that indicates whether a workflow will be performed when members join the group. See MembershipAddWorkflow Property table.

MembershipLocked

Required Boolean property. See MembershipLocked Property table.

ObjectSID

Optional property of type base64Binary. A binary value that specifies the security identifier (SID) of the security group or e-mail-enabled security group. The SID is a unique value used to identify the user as a security principal.

Scope

Optional property. String that defines the range of values, each of which corresponds to the associated Active Directory group scope. Valid values are: DomainLocal, Global, and Universal.

Warning

These values are case-sensitive.

SIDHistory

Optional multi-valued Binary property. Contains previous SIDs used for the resource if the resource was moved from another domain.

Temporal

Optional Boolean property. If true, membership in the group is based on a time filter. Temporal sets cannot be updated when transactions occur, as other sets do; they need to be periodically updated since the passing of time can cause a resource to enter or leave the set. This property is read only.

Type

Required property. Indicates the group type. Type is used to indicate in FIM what properties the group should have in Active Directory and Microsoft Exchange. See Type Property table below.

MembershipAddWorkflow Property

Value Description

None

Indicates that adding members to this group resource does not require approval.

Custom

Indicates that a custom workflow is used when the user requests to join this group.

OwnerApproval

Indicates that a group owner must approve all membership requests to this group.

MembershipLocked Property

The following table lists values for the MembershipLocked property:

Value Description

True

Indicates a Dynamic Group. A Dynamic Group is a group with criteria-based membership. Group membership is automatically maintained by the FIM Service based on the Filter property.

False

Indicates a Static Group. A Static Group has manually-managed membership. Group membership can be modified by updating the ExplicitMember property of the group.

Type Property

The following table lists values for the Type property:

Value Description

Distribution

Distribution group type.

Security

Security group type.

MailEnabledSecurity

Mail-enabled security group type.
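
The constraints above can be checked offline, for example during an access review of exported group records. The following Python example is added here and is not part of the FIM documentation or product: it applies the schema's pattern facets and the DisplayedOwner/Owner and MembershipLocked/Filter rules from the property tables to constructed sample records. The audit_group function, the dict layout, the urn:uuid reference values and the use of Python re full-match semantics for the patterns are assumptions.

```python
import re

# Pattern facets from the Group schema on this page, XML entities unescaped
# ("[" is backslash-escaped for Python inside the AccountName class).
# Assumption: evaluated with Python `re` full-match semantics.
PATTERNS = {
    "AccountName": r'[^"/\\\[\]:;|=,+/*?<>]{1,64}',
    "MailNickname": r"[^@ ]{1,64}",
    "MembershipAddWorkflow": r"(None|Custom|Owner Approval)?",
    "Scope": r"(DomainLocal|Global|Universal)",
    "Type": r"(Distribution|Security|MailEnabledSecurity)",
    "Domain": r".{0,448}",
}
# Group elements declared minOccurs="1" (ObjectType, CreatedTime left out here).
REQUIRED = ("Domain", "MembershipAddWorkflow", "MembershipLocked", "Scope", "Type")

def audit_group(group):
    """Return findings for one group record (hypothetical plain-dict layout)."""
    findings = [f"{n}: required element missing" for n in REQUIRED if n not in group]
    for name, pattern in PATTERNS.items():
        value = group.get(name)
        if isinstance(value, str) and not re.fullmatch(pattern, value):
            findings.append(f"{name}: {value!r} does not match the schema pattern")
    # DisplayedOwner has owner permissions only if the same Person is in Owner.
    shown = group.get("DisplayedOwner")
    if shown is not None and shown not in group.get("Owner", []):
        findings.append("DisplayedOwner: not referenced by Owner")
    # MembershipLocked=True marks a dynamic group, maintained from Filter.
    if group.get("MembershipLocked") is True and not group.get("Filter"):
        findings.append("Filter: dynamic group has no Filter")
    return findings

# Constructed sample records; the urn:uuid references are placeholders.
SAMPLE_GROUPS = [
    {"AccountName": "fin-approvers", "Domain": "CONTOSO", "MailNickname": "finapprovers",
     "MembershipAddWorkflow": "Owner Approval", "MembershipLocked": False,
     "Scope": "Global", "Type": "Security",
     "Owner": ["urn:uuid:0001"], "DisplayedOwner": "urn:uuid:0001"},
    {"AccountName": "ops/admins", "Domain": "CONTOSO",
     "MembershipAddWorkflow": "OwnerApproval", "MembershipLocked": True,
     "Scope": "global", "Type": "Security",
     "Owner": ["urn:uuid:0001"], "DisplayedOwner": "urn:uuid:0002"},
]

if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(g["AccountName"], audit_group(g))
```

The second record fails on "OwnerApproval" because the schema pattern on this page spells the value with a space, and on "global" because the Scope values are case-sensitive.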

Parent Elements

None

Remarks

All of the resource types in FIM have the same attribute bindings as the Resource type by default. For more information, see Forefront Identity Manager Schema.

See Also

Concepts

Schema Data Types
How to: Retrieve the FIM Service Schema Using WS-MetadataExchange
Set

Other Resources

Forefront Identity Manager Schema