ACI and dynamic groups

Similar Messages

• Trouble with ACIs and dynamic groups

  Hi!
  Does Dirctory Server stop searching for subgroups after evaluating a dynamic group?
  Example:
  A User "uid=A,o=company" is member of a dynamic group "cn=dyn,o=company" via memberURL: "ldap:///o=company??sub?(uid=A)".
  The dynamic group "cn=dyn,o=company" is member of a static group "cn=stat,o=company" via uniquemember: "cn=dyn,o=company".
  If I grant any permission using an ACI with (groupdn = "ldap:///cn=stat,o=company") user A gets that permission.
  BUT
  A User "uid=B,o=company" is member of a static group "cn=static,o=company" via uniquemember: "uid=B,o=company".
  The static group "cn=static,o=company" is member of a dynamic group "cn=dynamic,o=company" via memberURL: "ldap:///o=company??sub?(cn=static)".
  If I grant any permission using an ACI with (groupdn = "ldap:///cn=dynamic,o=company") user B does not get the permission.
  Has anyone any suggestions?

  Hi!
  Does Dirctory Server stop searching for subgroups after evaluating a dynamic group?
  Example:
  A User "uid=A,o=company" is member of a dynamic group "cn=dyn,o=company" via memberURL: "ldap:///o=company??sub?(uid=A)".
  The dynamic group "cn=dyn,o=company" is member of a static group "cn=stat,o=company" via uniquemember: "cn=dyn,o=company".
  If I grant any permission using an ACI with (groupdn = "ldap:///cn=stat,o=company") user A gets that permission.
  BUT
  A User "uid=B,o=company" is member of a static group "cn=static,o=company" via uniquemember: "uid=B,o=company".
  The static group "cn=static,o=company" is member of a dynamic group "cn=dynamic,o=company" via memberURL: "ldap:///o=company??sub?(cn=static)".
  If I grant any permission using an ACI with (groupdn = "ldap:///cn=dynamic,o=company") user B does not get the permission.
  Has anyone any suggestions?

• ACI and embedded groups

  I'm wondering how the "embedded group" feature works from an ACI point of view.
  I've defined an ACI bades on groupdn = "ldap:///cn=group_A,ou=groups,dc....
  If group_A is a static group containing group_B, it works fine if group_B it a static group that uses objectclass=groupofuniquenames and RDN = cn (I mean using uniquemember attribute is not enough).
  If group_A is a static group containing group_B and group_B is dynamic - filter = (&(objeclass=person)(uid=testuser)) - it works fine too.
  But - maybe I mis use the feature - : if group_A is a dynamic group containg - through filter = (&(objectclass=groupofuniquename)(cn=group_B)) - and group_B is either dynamic or static, it doesn't work.
  Does it mean that dynamic groups used within ACI can only contain users and not groups or that the "embedded group" feature doesn't work with dynamic group concept unless the dynamic group is the last one of the chain and therefore contains users ?
  I'm sure I don't understand something but I can't figure what.
  Regards,
  Christian

  ismemberof only works for static groups.
  My main objective so to use dynamic groups to setup some ACI.
  eg: allow user w/ attribute gidNumber=400 full read/write.Have you considered using filtered roles ?

• OAM 10g - obmygroups and nested dynamic groups

  I've run into an issue with the obmygroups header action in OAM 10g, and I'm not sure whether this is by design or not.
  The obmygroups will return static and dynamic group names for which the user is a member, and it will return static groups that contain nested static groups where the user is a member of the nested group. However, it doesn't seem to static groups with nested dynamic groups where the user is a member of the nested dynamic group.
  Is that by design? Is there any way to nest dynamic groups so that obmygroups will return the parent group name? I'd like to have a group that contains both nested static and nested dynamic groups, and have the obmygroups action return the name of the parent group.
  Thanks,
  Matt

  Return Attribute Action in authentication or authorization rules
  obmygroups:<ldap_url> special attribute returns those groups to which the user belongs that also satisfy the criteria <ldap_url> filter specifies.
  EX: "obmygroups:ldap:///cn=Groups,dc=myorg,dc=com??sub(group_type=role) returns all the groups in cn=Groups,dc=myorg,dc=com tree for which the logged-in user is a member and the group_type is role.
  For more information check OAM Access Administration Guide

• Identity Service LDAP with dynamic grouping

  Hi all,
  We are developing an enterprise application with oc4j and bpel.
  First we managed to handle user management with XML based JAZN tool.
  After that,we managed to connect identity service with iPlanet LDAP server and get users and roles(with static groups defined.)
  But our client wanted static and dynamic groups together in their LDAP server,because of the complexity of their current user base.
  When we try this,we cannot get the roles that are assigned with dynamic groups.But we can get the roles that are statically defined.
  We check the roles from the worklist application (integration/worklistapp... thing..) and we se the static groups where we cannot see dynamic one's.
  There is a section in is_config.xml like:
  <roleControls>
  <property name="nameattribute" value="cn"/>
  <property name="objectclass" value="groupOfUniqueNames"/>
  <property name="membershipsearchscope" value="onelevel"/>
  <property name="memberattribute" value="uniquemember"/>
  <search searchbase="ou=Groups,dc=dummy,dc=com,dc=tr" scope="onelevel" maxSizeLimit="1000" maxTimeLimit="120"/>
  </roleControls>
  I think the property uniquemember has an effect in this situation but I cannot find any sample configurations using dynamic groups in LDAP.
  Hope somebody has already done that..

  I find a solution here:
  http://download.oracle.com/docs/cd/E15523_01/integration.1111/e10226/hwf_config.htm
  I am currently using weblogic's defaultAuthentication to test BPM 11g.
  I do not know if this approach works in production environment.

• Dynamic group not working

  Hi,
  I'm trying to get a dynamic group working with the oracle directory server enterprise edition 11.1.1.5.0 .
  I've created a dynamic group like this:
  dn: cn=employees,ou=groups,dc=example,dc=com
  cn: employees
  objectclass: top
  objectclass: groupOfURLs
  ou: groups
  memberURL: ldap:///ou=people,dc=example,dc=com??sub?(uid=*)
  but when I check for the membership, I'm just getting the dn of the user with uid = "me", but nothing else.
  ldapsearch -h localhost -p 389 -D "cn=Directory Manager" -w password \
    -b dc=example,dc=com "(uid=me)" isMemberOf
  There was a similar question like that in the forum, but no useful answer.
  Does anyone know how dynamic groups work correctly?
  best regards, solst_ice

  Hi,
  Ismemberof is supported for static groups only in DSEE. Dynamic group are group definition that client apps can retrieve but there is no built-in membership evaluation in the core server.
  You might want to consider Oracle Unified DIrectory that support ismemberOf for static and dynamic groups
  See http://docs.oracle.com/cd/E37116_01/index.htm  and Managing Users and Groups - 11g Release 2 (11.1.2)
  Regards,
  -Sylvain

• Administration group vs Dynamic group in 12c

  Hi All,
  I was going thru 12cR2 documentation, and description for Administration group and Dynamic group looks same to me.
  Do any one of you know what's the real difference between them?
  Any one of you started using this new feature in 12c?
  Thanks in advance....

  Hi,
  Administration groups and dynamic groups are similar in that their membership is dynamic, i.e. you specify the membership criteria based on target properties, and Enterprise Manager will automatically add the targets into the appropriate administration group and/or dynamic group(s) if the targets' properties match their criteria.
  However, administration groups have additional semantics. As it is mentioned in the doc: "Administration groups greatly simplify the process of setting up targets for management in Enterprise Manager by automating the application of management settings such as monitoring settings or compliance standards. Typically, these settings are manually applied to individual target, or perhaps semi-automatically using custom scripts. However, by defining administration groups, Enterprise Manager uses specific target properties to direct the target to the appropriate administration group and then automatically apply the requisite monitoring and management settings. This level of automation simplifies the target setup process and also enables a datacenter to easily scale as new targets are added to Enterprise Manager for management."
  So you use administration groups primarily to automate the process of setting up your targets for monitoring/management. Once a target joins an administration group, then Enterprise Manager automatically applies to the target the monitoring templates and/or compliance standards and/or cloud policies that you have associated with your administration group. Because of this feature, a target can belong to at most one administration group. This is to prevent conflicting scenarios where a target is part of multiple administration groups that have different associated monitoring templates.
  Both dynamic groups and administration groups support group operations -- running jobs, reports, etc.
  So if you want to leverage the automation of target setup provided by administration groups/template collections... then use administration groups.
  If you want to leverage the dynamic membership of groups and have requirements that a target needs to be part of multiple of such groups, use dynamic groups.
  Regards,
  Ana

• SQL Query for members of dynamic group - Need to include Name, Path and Type

  Hello,
  I built a custom dynamic group that has all my SQL databases in it using SCOM 2012 SP1.  The group works fine as I can see the Name(ie, Database name), Health State, Path (ie, hostname/instance) and Types (ie; SQL 2005).  Now I'm trying to
  build a custom report based off this same information using a SQL query.   I'm no DBA and could use some help.  So far this is what i have
  use
  select
  SourceObjectDisplayName as
  'Group Name',
  TargetObjectDisplayName,TargetObjectPath
  from RelationshipGenericView
  where isDeleted=0
  AND SourceObjectDisplayName
  like
  'SQL_Databases_All'
  ORDERBY TargetObjectDisplayName
  This gets me the Group Name (which i really don't care about), database name, and hostname/instance. What I am missing is the Health State and most importantly the Type (ie, SQL Server 2005 DB, SQL Server 2008DB).
  If someone could assist me here I would appreciate it. I believe I need to do some type of INNER JOIN but have no idea where the SQL type info lives or the proper structure to use. Thanks
  OperationsManager

  Here's the updated Query for OpsMan 2012 R2:
  To find all members of a given group (change the group name below):
  select SourceObjectDisplayName as 'Group Name', TargetObjectDisplayName as 'Group Members' 
  from RelationshipGenericView 
  where isDeleted=0 
  AND SourceObjectDisplayName = 'Agent Managed Computer
  Group' 
  ORDER BY TargetObjectDisplayName

• Using Dynamic Groups in Ldap for Accounts and Roles

  Does anyone currently use dynamic groups in LDAP for accounts and roles? I have set up a dynamic group in ldap (we are using OID Oracle internet Directory 10.1.2.0) , ldapsearch returns the correct list of unique names, but the account does not appear on my profile page when I log in to UCM (10.1.3). I cannot find any documentation so I'm asking myself if it is supported .....

  Thanks tim ... will check, but Oracle are saying :
  Oracle Universal Content Management - Version: 7.5.1
  Information in this document applies to any platform.
  Product: Content Server
  Version: 6.0
  Goal
  Can the Content Server's LDAP provider support, or can it be configured to support, dynamic LDAP groups?
  Solution
  The Content Server by itself is unable to process dynamic LDAP groups since the filter that is used cannot read dynamic groups. However, dynamic groups can still work in the Content Server if the permissions for the queried user are generated on the LDAP server side. For example: Novell and Active Directory both have this functionality.
  to which I have replied you suport 3rd party ldaps, but not your own? Shurely shome mishtake ..... if ldap search works in a seamless way, surely provider should too ....
  Billy, you may well be right, just got a cashflow problem over here !

• Dynamic Groups in LDAP and Calendar

  Folks,
  I have defined a dynamic group in LDAP. I would like for that group to be invited to an event. When I add an event and search I find the group. When I check the group and click 'OK' it doesn't show the group as invited. When I search again, it says the group is included but no one is invited.
  Also, how do I protect a group from being used by anybody???
  keith

  Thanks tim ... will check, but Oracle are saying :
  Oracle Universal Content Management - Version: 7.5.1
  Information in this document applies to any platform.
  Product: Content Server
  Version: 6.0
  Goal
  Can the Content Server's LDAP provider support, or can it be configured to support, dynamic LDAP groups?
  Solution
  The Content Server by itself is unable to process dynamic LDAP groups since the filter that is used cannot read dynamic groups. However, dynamic groups can still work in the Content Server if the permissions for the queried user are generated on the LDAP server side. For example: Novell and Active Directory both have this functionality.
  to which I have replied you suport 3rd party ldaps, but not your own? Shurely shome mishtake ..... if ldap search works in a seamless way, surely provider should too ....
  Billy, you may well be right, just got a cashflow problem over here !

• OID Dynamic Groups and J2EE security roles

  Hi
  I've searched the forums but can't get a definite answer. Is it possible to use OID dynamic groups and map them to J2EE security roles? I can't find anything that says specificially not but I can't seem to get it to work.
  Thanks
  Adam

  Hi,
  Let me know if you find answer of your question.
  thanks

• Pivot and dynamic SQL

  Hi Team,
  I need to write a SQL to cater the requirements. Below is my requirements:
  pagename fieldname fieldvalue account_number consumerID
  AFAccountUpdate ArrangementsBroken dfsdff 1234 1234
  AFAccountUpdate ArrangementsBroken1 dfsdff 1234 1234
  AFAccountUpdate ArrangementsBroken2 dfsdff 1234 1234
  AFAccountUpdate ArrangementsBroken2 dfsdff 12345 12345
  AFAccountUpdate ArrangementsBroken1 addf 12345 12345
  Create table test_pivot_dynamic
  pagename varchar(200),
  fieldname Varchar(200),
  fieldvalue varchar(500),
  N9_Router_Account_Number bigint,
  TC_Debt_Item_Reference bigint
  --Input
  insert into test_pivot_dynamic Values('AFAccountUpdate','ArrangementsBroken','addf',1234,1234)
  insert into test_pivot_dynamic Values('AFAccountUpdate','ArrangementsBroken1','dfsdff',1234,1234)
  insert into test_pivot_dynamic Values('AFAccountUpdate','ArrangementsBroken2','fder',1234,1234)
  insert into test_pivot_dynamic Values('AFAccountUpdate','ArrangementsBroken2','dfdfs',12345,12345)
  insert into test_pivot_dynamic Values('AFAccountUpdate','ArrangementsBroken1','dfdwe',12345,12345)
  insert into test_pivot_dynamic Values('AFAccountUpdate1','Arrangements','addf',1234,1234)
  insert into test_pivot_dynamic Values('AFAccountUpdate1','Test1','dfsdff',1234,1234)
  --Expected output:
  Select 1234,1234,'AFAccountUpdate','ArrangementsBroken','addf','ArrangementsBroken1','dfsdff','ArrangementsBroken2','fder','ArrangementsBroken2','fder'
  Select 12345,12345,'AFAccountUpdate','ArrangementsBroken','addf','ArrangementsBroken1','dfdwe','ArrangementsBroken2','dfdfs'
  Select 1234,1234,'AFAccountUpdate1','Arrangements','addf','Test1','dfsdff'
  so basically we have to pivot and dynamic sql and insert the expected output to a common table which will have all the required fields
  Thanks,Ram.
  Please don't forget to Marked as Answer if my post solved your problem and use Vote As Helpful if a post was useful. It will helpful to other users.

  This should give you what you're looking for
  SELECT N9_Router_Account_Number,TC_Debt_Item_Reference,PageName,
  MAX(CASE WHEN SEQ = 1 THEN fieldname END) AS fieldname1,
  MAX(CASE WHEN SEQ = 1 THEN fieldvalue END) AS fieldvalue1,
  MAX(CASE WHEN SEQ = 2 THEN fieldname END) AS fieldname2,
  MAX(CASE WHEN SEQ = 2 THEN fieldvalue END) AS fieldvalue2,
  MAX(CASE WHEN SEQ = 3 THEN fieldname END) AS fieldname3,
  MAX(CASE WHEN SEQ = 3 THEN fieldvalue END) AS fieldvalue3,
  MAX(CASE WHEN SEQ = 4 THEN fieldname END) AS fieldname4,
  MAX(CASE WHEN SEQ = 4 THEN fieldvalue END) AS fieldvalue4
  FROM
  SELECT *,ROW_NUMBER() OVER (PARTITION BY N9_Router_Account_Number,TC_Debt_Item_Reference,PageName ORDER BY PageName) AS SEQ,*
  FROM test_pivot_dynamic
  )t
  GROUP BY N9_Router_Account_Number,TC_Debt_Item_Reference,PageName
  To make it dynamic see
   http://www.beyondrelational.com/modules/2/blogs/70/posts/10791/dynamic-crosstab-with-multiple-pivot-columns.aspx
  Please Mark This As Answer if it helps to solve the issue Visakh ---------------------------- http://visakhm.blogspot.com/ https://www.facebook.com/VmBlogs

• V I Engineering, Inc has immediate needs for Systems Engineers (Contract) and Senior Systems Engineers (Contract) (reporting to the Test Software and Integration Group Manager)

  Company: V I Engineering, Inc.
  Locations: Various - USA
  Salary/Wage: $negotiable
  Status: Hourly Contractor
  Relevant Work Experience: 5+ years system integration (LabVIEW/TestStand experience required)
  Career Level: Intermediate/Experienced
  Education Level: Bachelor's Degree
  Residency/Citizenship: USA Citizenship or Greencard required
  Driving Business Results through Test Engineering
  V I Engineering, Inc. has a vision for every client we engage. That vision is to achieve on-time and on-budget program launch more efficiently that the competition. To realize this vision, customers need to achieve predictable test systems development, eliminate waste in test information management, and drive increased leverage of test assets. An underlying requirement for all of these areas is metrics tracking and measurement based decision making.
  Job Description
  Ready to make a difference? Bring your experiences and skills to the industry leading test organization. Help us to continue to shape the way the world views test. We are seeking a talented Systems Engineer Contractor to be responsible for technical execution of successful projects in the Medical, Military, Transportation, Consumer Electronics and Aerospace Industries. The position will have very high visibility to customers and vendors. This is a very fast paced team with close customer contact and strong career development opportunities. A large part of the position is to identify, own and drive technical design, development and installation of test systems. You will work alongside other like-minded and equally talented engineers, and be creative in a fast-paced and flexible environment that encourages you to think outside the box. You will be available to spend extended periods at our customer sites to complete system installations.
  Required
  5+ years of Systems Integration experience
  3+ years LabVIEW experience
  1+ years TestStand experience
  Experience in Implementation and Delivery of Test Systems, including integration
  Experience in ATE usage and development
  Experience in building and Integrating Mechanical Fixtures
  Experience in Understanding the design of Circuit Boards as they relate to a total system, and their fault-finding
  Experience in Taking Part in Technical Teams throughout All Phases of Project Lifecycle
  Experience in Interfacing with Sub-vendors and Customers
  Ability to Multitask
  Comfortable Working on Various Team Sizes
  Excellent Communication Skills
  Desired
  Requirements generation and review experience
  National Instruments Hardware knowledge
  Experience with Source Code Control (SCC)
  Experience executing verification and validation for projects
  Experience generating and/or reviewing cost proposals
  RF Technology (DAQ, General RF Theory)
  FPGA (with LabVIEW)
  Professional software engineering processes and metrics experience
  TortoiseSVN
  V I Package Manager (VIPM)
  Experience with Projects for Regulated Industries
  MS Project
  Formal Education
  Technical degree (BS Engineering, Computer Science, Physics, Math)
  National Instruments Courses a plus
  National Instruments certification a plus
  Notes:
  Expected Travel Time is up to 50%.
  V I Engineering, Inc. offers a dynamic work environment and the flexibility of a small company.
  The Test Software and Integration Group values innovation, out-of-the-box thinking, high-tech toys and a fun / amazingly collaborative working environment. We're a National Instruments Select Integrator, and we're the closest you can get to playing with all the pre-released and new NI toys without joining the NI R&D team - and we get to play with them in the real world.
  To apply for this position, email a cover letter and resume to [email protected] with the subject "TSIG Systems Engineer (Contract) employment application".
  Copyright © 2004-2015 Christopher G. Relf. Some Rights Reserved. This posting is licensed under a Creative Commons Attribution 2.5 License.

  Edit
  Jeff

• V I Engineering, Inc has immediate needs for Systems Engineers and Senior Systems Engineers (reporting to the Test Software and Integration Group Manager)

  Company: V I Engineering, Inc.
  Locations: Positions available in our Farmington Hills, MI Office
  Salary/Wage: $negotiable
  Status: Full Time, Employee
  Relevant Work Experience: 5+ years system integration (LabVIEW/TestStand experience preferred, but not required)
  Career Level: Intermediate (Non-Manager)
  Education Level: Bachelor's Degree
  Residency/Citizenship: USA Citizenship or Greencard required
  Driving Business Results through Test Engineering
  V I Engineering, Inc. has a vision for every client we engage. That vision is to achieve on-time and on-budget program launch more efficiently that the competition. To realize this vision, customers need to achieve predictable test systems development, eliminate waste in test information management, and drive increased leverage of test assets. An underlying requirement for all of these areas is metrics tracking and measurement based decision making.
  Job Description
  Ready to make a difference? Bring your experiences and skills to the industry leading test organization. Help us to continue to shape the way the world views test. We are seeking a talented Systems Engineer to be responsible for technical execution of successful projects in the Medical, Military, Transportation, Consumer Electronics and Aerospace Industries. The position will have high visibility to customers and vendors. This is a very fast paced team with close customer contact and strong career development opportunities. A large part of the position is to identify, own and drive technical design and development of test systems. You will work alongside other like-minded and equally talented engineers, and be creative in a fast-paced and flexible environment that encourages you to think outside the box.
  Required
  5+ years of Systems Integration experience
  Experience in Design and Implementation of Test Systems, including integration
  Experience in ATE usage and development
  Experience in reviewing of Mechanical Fixtures
  Experience in understanding the design of Circuit Boards as they relate to a total system
  Experience in Taking Part in Technical Teams throughout All Phases of Project Lifecycle
  Experience in Interfacing with Sub-vendors and Customers
  Ability to Multitask
  Comfortable Working on Various Team Sizes
  Excellent Communication Skills
  Desired
  Requirements generation and review experience
  National Instruments Hardware knowledge
  LabVIEW/TestStand experience
  Experience with Source Code Control (SCC)
  Experience executing verification and validation for projects
  Experience generating and/or reviewing cost proposals
  RF Technology (DAQ, General RF Theory)
  FPGA (with LabVIEW)
  Professional software engineering processes and metrics experience (statement coverage, code size, reuse measurement, etc)
  TortoiseSVN
  V I Package Manager (VIPM)
  UML
  Experience with Projects for Regulated Industries
  MS Project
  Formal Education
  Technical degree (BS Engineering, Computer Science, Physics, Math)
  National Instruments Courses a plus
  National Instruments certification a plus
  Notes:
  Expected Travel Time is up to 25%Re
  location assistance is possible.
  V I Engineering, Inc. offers incredible opportunities to grow and advance your career, a dynamic work environment and the flexibility of a small company.
  The Test Software and Integration Group values innovation, out-of-the-box thinking, high-tech toys and a fun / amazingly collaborative working environment. We're a National Instruments Select Integrator, and we're the closest you can get to playing with all the pre-released and new NI toys without joining the NI R&D team - and we get to play with them in the real world.
  To apply for this position, email a cover letter and resume to [email protected] with the subject "TSIG Systems Engineer employment application".
  Copyright © 2004-2015 Christopher G. Relf. Some Rights Reserved. This posting is licensed under a Creative Commons Attribution 2.5 License.

  Edit
  Jeff

• Use Granfeldts Create Object to create dynamic groups

  Trying to use Sorens Granfeldts, Create Object WF activity to create dynamic groups.
  In a standard function evaluator activity I generate the Filter as [//WorkflowData/Filter]
  The "string" I set it to is:
  &lt;Filter xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot; Dialect=&quot;http://schemas.microsoft.com/2006/11/XPathFilterDialect&quot; xmlns=&quot;http://schemas.xmlsoap.org/ws/2004/09/enumeration&quot;&gt;/Person[ObjectID
  = /*[ObjectID = &apos;8dfcb5e8-ff01-400c-8ca7-2a0002d2d2d4&apos;]/ComputedMember]&lt;/Filter&gt;
  In the CreateObject activity I then just have [//WorkflowData/Filter],Filter among the initial values.
  The creation works if I remove this attribute so the rest of the attributes seems to be working.
  The creation fails however end I get the error below in the Forefront Identity Manager event log.
  System.NullReferenceException: Object reference not set to an instance of an object.
     at Microsoft.ResourceManagement.WFActivities.Resolver.GetDisplayStringFromGuid(Guid id, String[] expansionAttributes)
     at Microsoft.ResourceManagement.WFActivities.Resolver.ReplaceGuidWithTemplatedString(Match m)
     at System.Text.RegularExpressions.RegexReplacement.Replace(MatchEvaluator evaluator, Regex regex, String input, Int32 count, Int32 startat)
     at System.Text.RegularExpressions.Regex.Replace(String input, MatchEvaluator evaluator)
     at Microsoft.ResourceManagement.WFActivities.Resolver.GetStringAttributeValue(Object attribute)
     at Microsoft.ResourceManagement.WFActivities.Resolver.ResolveEvaluatorWithoutAntiXSS(String match, ResolverOptions resolveOptions)
     at Microsoft.ResourceManagement.WFActivities.Resolver.ResolveEvaluatorForWithAntiXSS(String match, ResolverOptions resolveOptions)
     at Microsoft.ResourceManagement.WFActivities.Resolver.ReplaceMatches(String input, Boolean useAntiXssEncoding, ResolverOptions resolveOptions)
     at Microsoft.ResourceManagement.Workflow.Hosting.ResolverEvaluationServiceImpl.ResolveLookupGrammar(Guid requestId, Guid targetId, Guid actorId, Dictionary`2 workflowDictionary, Boolean encodeForHTML, String expression)
     at Microsoft.ResourceManagement.Workflow.Activities.ResolveGrammarActivity.Execute(ActivityExecutionContext executionContext)
     at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity, ActivityExecutionContext executionContext)
     at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(Activity activity, ActivityExecutionContext executionContext)
     at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
     at System.Workflow.Runtime.Scheduler.Run()
  Have anyone used this WF activity to create dynamic groups and can tell how to set the Filter?

  Hey Kent!
  I did the same thing, with Søren`s Create Object WF. I did it like this on the filter part:
  <Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">/Person[(Department = '[//Target/ObjectID]')]</Filter>,Filter
  The whole thing looks like this:
  (I use Function evaluator to generate a AccountName for groups based on a clean version of DisplayName).
  [//Target/DisplayName],DisplayName
  SEC_[//WorkFlowData/CleanAccountName],AccountName
  [//Target/Manager],Owner
  Security,Type
  DOMAIN_STRING,Domain
  Universal,Scope
  [//Target/DisplayName]_SecGroup,Description
  [//Target/Manager],DisplayedOwner
  None,MembershipAddWorkflow
  True,MembershipLocked
  [//Target/CleanAccountName],MailNickname
  <Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">/Person[(Department = '[//Target/ObjectID]')]</Filter>,Filter
  Regards, Remi www.iamblogg.com