I have an environment where a person can have an account in two different AD domains (Domain A and Domain B). It is also possible for a user account from Domain A to be a member of a group in Domain B. This is currently managed manually.

I'm working on a solution where this will be handled by FIM (actually MIM). The solution I envisioned would have an MA for each AD domain. Group membership will be determined by a third HR system, so there will be an MA for that as well, which will be authoritative. The person object in the MV would join to each AD MA, the FIM portal and the HR MA (i.e. 1 MV object per person). The challenge with this design is that I'm not sure it's possible to populate the Membership attribute of an AD group using a synchronization rule in a way that distinguishes which domain a group member comes from. Does anyone know if this is possible and, if so, how would I set this up? A solution that I think would work is to create multiple objects for a person in the MV (e.g. one for Domain A and one for Domain B). But I would prefer not to do that.
Thanks,
Moe
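The following is an added example, not code from the post above and not MIM's own API or configuration. It is a small Python model of the single-MV-object design the question describes: one metaverse person record per employee, carrying a separate DN-valued attribute for each AD domain it has been joined to, and a membership flow that builds the member list of a group living in one domain from an HR-authoritative member list. The attribute name `dn_by_domain`, the domain labels "A"/"B", the employee ids and all DNs are constructed sample values chosen for illustration.

```python
"""
Toy model (not MIM's API) of a single metaverse person record that carries one
distinguished name per AD domain, plus a membership flow that resolves each
HR-listed member to a DN and records which domain that DN came from.
All records below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class MvPerson:
    """One metaverse object per person, joined from HR and from each AD MA."""
    employee_id: str                                            # HR anchor used for joins
    dn_by_domain: Dict[str, str] = field(default_factory=dict)  # domain label -> DN in that domain


@dataclass
class HrGroup:
    """A group as the authoritative HR system describes it."""
    name: str
    target_domain: str          # domain whose AD group object receives the flow
    member_ids: List[str]       # employee ids, authoritative from HR


def resolve_member_dn(person: MvPerson, target_domain: str,
                      fallback_order: Sequence[str]) -> Optional[Tuple[str, str]]:
    """Return (source_domain, dn) for a person: prefer an account in the group's
    own domain, otherwise the first other domain in fallback_order that has one."""
    for domain in [target_domain, *[d for d in fallback_order if d != target_domain]]:
        dn = person.dn_by_domain.get(domain)
        if dn:
            return domain, dn
    return None


def build_membership(group: HrGroup, people: Dict[str, MvPerson],
                     fallback_order: Sequence[str]) -> Dict[str, object]:
    """Compute the member attribute for one group.

    Returns the resolved DNs grouped by the domain they came from (so cross-domain
    members stay distinguishable) and the HR-listed ids with no AD account anywhere,
    which should be reviewed rather than silently dropped.
    """
    by_domain: Dict[str, List[str]] = {}
    unresolved: List[str] = []
    for eid in group.member_ids:
        person = people.get(eid)
        hit = resolve_member_dn(person, group.target_domain, fallback_order) if person else None
        if hit is None:
            unresolved.append(eid)
            continue
        domain, dn = hit
        by_domain.setdefault(domain, []).append(dn)
    return {"by_domain": by_domain, "unresolved": unresolved}


# Constructed sample data: one MV object per person, joined to zero, one or two domains.
SAMPLE_PEOPLE: Dict[str, MvPerson] = {
    "1001": MvPerson("1001", {"A": "CN=Ann,OU=Users,DC=a,DC=example",
                              "B": "CN=Ann,OU=Users,DC=b,DC=example"}),
    "1002": MvPerson("1002", {"A": "CN=Bob,OU=Users,DC=a,DC=example"}),   # Domain A only
    "1003": MvPerson("1003", {"B": "CN=Cy,OU=Users,DC=b,DC=example"}),    # Domain B only
    "1004": MvPerson("1004", {}),                                         # in HR, no AD account yet
}
SAMPLE_GROUP = HrGroup("App-Admins", "B", ["1001", "1002", "1003", "1004"])


def demo() -> Dict[str, object]:
    """Resolve the sample group's members, preferring Domain B, then Domain A."""
    return build_membership(SAMPLE_GROUP, SAMPLE_PEOPLE, fallback_order=("B", "A"))


if __name__ == "__main__":
    result = demo()
    for domain, dns in result["by_domain"].items():
        print(f"members sourced from domain {domain}:")
        for dn in dns:
            print("  ", dn)
    print("HR members with no AD account:", result["unresolved"])
```

The design point is that the per-domain DN attributes on one MV object are what let the flow tell a Domain B member from a Domain A member being added to a Domain B group; the `unresolved` list is the control a reviewer would want, since an HR-listed member with no account in either domain is a provisioning gap rather than something to drop quietly.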