Introduction to Set Management

Applies To: Forefront Identity Manager 2010

Microsoft® Forefront Identity Manager 2010 uses Sets to group together FIM resources for management rules and workflow purposes. Membership in Sets can be criteria-based or manually-managed. Set memberships exist only in the FIM Portal, and are independent of Active Directory groups. Some examples of Sets could be:

• All Sales Groups

• All Users in Chicago

• All Distribution Lists owned by a specific user

This document discusses how to create Sets and add members using the FIM Portal.

This document assumes that you have a basic understanding of how to create Users using the FIM Portal.

This document is intended for IT planners, systems administrators, architects, technology decision-makers, consultants, infrastructure planners, and IT personnel.

The procedures in this document require less than 30 minutes to complete.

Depending on the size of your FIM Service Database, creating a Set or Group with thousands of members will sometimes cause a timeout through the FIM Portal. This has been observed in Sets or Groups that have a direct membership of over 10,000 objects. Editing a Set or Group that results in thousands of members being added to it will result in the same behavior.Users should refrain from creating Sets or Groups with large memberships, however if it is absolutely necessary then you should adjust the timeout values within the FIM resource management service configuration file beyond the 58 second timeout to longer values as needed to complete the creation of the Set or Group.

At large scaled environment, that is, 10,000 users or more, the effects of performing queries or creating Sets or Groups with specific filter types becomes more pronounced. In general, filters with a single clause using a NOT condition will result in extremely poor query performance. If the NOT operator is to be used, it should be done in conjunction with other clauses which use other non-negation operators.Additionally, the Contains operator should be avoided when performing queries or creating Sets or Groups. When possible, use exact equality matching (is) or starts with, as Contains is known to cause a server performance degradation in query performance. Again, if the Contains operator must be used, it is recommended to be used in conjunction with additional equality based clauses which will appropriately scope down the result set upon which the Contains operator will be evaluated.

Do not, under any circumstances, remove the following Users and Sets.

1. Administrator (or the user who installed FIM 2010.)

2. Built-in Synchronization Account

3. Administrators Set

4. All Button Viewable Set

5. User Administrators Set

6. Approvals Approve Reject Viewable Set

Deleting these will cause irreversible changes to FIM 2010 and may result in loss of data.

Fabrikam, a fictitious corporation, wants to create Sets to identify All Managers, Selected Computers, and All Contractors whose expiration date is within 30 days. In addition, they want to create a Set that contains all employees who report directly to a specified manager.

To perform the procedures in this document, your environment should have the following characteristics:

• A server computer that is a member of the Fabrikam forest and hosts the FIM 2010 server components.

• A custom resource in the FIM 2010 data store named “Computer”, and several Computer resources named Comp_1, Comp_2, etc. For more information, see the Introduction to Schema Management document in the FIM 2010 documentation set.

• The following users:

  Expand table

  User name	Attributes
  User_TopLevel	DisplayName/Account Name – User_TopLevel Job Title - Manager
  User_MiddleLevel	DisplayName/Account Name – User_MiddleLevel Job Title - Manager Manager – User_TopLevel
  User_BottomLevel	DisplayName/Account Name – User_BottomLevel Job Title - Consultant Manager – User_MiddleLevel
  IsManager	DisplayName/Account Name – IsManager Job Title - Manager Manager – User_MiddleLevel
  NotManager	DisplayName/Account Name – NotManager Job Title - Consultant Manager – IsManager
  ShortTermContractor	DisplayName/Account Name – ShortTermContractor Employee End Date – 2 weeks from the current date Employee Type - Contractor
  LongTermContractor	DisplayName/Account Name – LongTermContractor Employee End Date – 2 months from the current date Employee Type - Contractor

In this section, you will create four Sets:

• All Managers

• Selected Computers

• All Contractors whose expiration date is within the next 30 days

• All users who report directly to User_MiddleLevel

In this procedure you will create a new Set called All Managers that uses a criteria-based membership filter.

To create the “All Managers” Set

1. Log on to the FIM Portal as Administrator.

2. On the FIM Portal home page, under Management Policy Rules, click Sets.

3. On the Sets page, click New.

4. On the General page, input the following information in the fields listed below:

   • Display name – All Managers

   • Description – Enter a user-friendly description for the Set that you are creating, for example, All users with job title of Manager.

5. Click Next.

6. On the Criteria-based Members page, make sure that Enable criteria-based membership in current set is selected, and click all resources. From the drop-down menu select user.

7. Make sure is is selected. Click Add Statement, then click Click to select attribute. From the drop-down menu, select Job Title.

8. Click click to select value, enter Manager and then click View Members .

9. You should see the following users in the preview list:

   • IsManager

   • User_MiddleLevel

   • User_TopLevel

10. Click Finish.

11. The Summary page provides is an overall view of the Set you created.

12. Click Submit.

In this procedure you will create a new Set entitled Selected Computers and manually manage the members.

To Create the “Selected Computers” Set

1. On the FIM Portal home page, in the left hand side Navigation Bar area, under Management Policy Rules, click Sets.

2. On the Sets page, click New.

3. On the General page, input the following information in the fields listed below:

   • Display name – Selected Computers

   • Description – Enter a user friendly description for the Set that you are creating, for example, Selected Computers in the organization.

4. Click Next.

5. Deselect Enable criteria-based membership in current set, and click Next.

6. In Members to add, click the Browse icon.

7. In Search within:, select All Resources. In Search for: type comp, then click the Search icon.

8. Select the boxes next to Comp_1 and Comp_2, then click OK.

9. Click Next.

10. The Summary page provides is an overall view of the Set you created.

11. Click Submit.

In this section you will create a Set that contains all Contractors whose EmployeeEndDate is within the next 30 days.

To create the “All Contractors whose expiration date is within the next 30 days” Set

1. On the FIM Portal home page, under Management Policy Rules, click Sets.

2. On the Sets page, click New.

3. On the General page, input the following information in the fields listed below:

   • Display name – All Contractors who expire in 30 days

   • Description – Enter a user friendly description for the Set that you are creating, for example, All Contractors who expiration date is within the next 30 days.

4. Click Next.

5. On the Criteria-based Members page, make sure that Enable criteria-based membership in current set is selected, and click all resources. From the drop-down menu select user.

6. Click Add Statement, then click Click to select attribute. From the drop-down menu, select Employee Type.

7. Make sure is is selected for the operator. Click click to select value, enter Contractor and press Enter.

8. Click Add Statement, then click Click to select attribute. From the drop-down menu, select Employee End Date.

9. Click after, then click prior to.

10. Click click to select value and select X days hence.

11. Click 1, enter 30 and click View Members.

12. You should see the following user in the preview list:

    • ShortTermContractor

    Important

    When viewing the membership of any sets whose membership conditions are time-based (such as the above example), you may see members that are not in the set yet, and you should expect the membership to be corrected based on the configured schedule of the SQL agent.

13. Click Finish.

14. The Summary page provides is an overall view of the Set you created.

15. Click Submit.

In this procedure you will create a new Set called Reports to User_MiddleLevel that contains all users that report directly or indirectly to User_MiddleLevel.

To create the “Reports to User_MiddleLevel” Set

1. Log on to the FIM Portal as Administrator.

2. On the FIM Portal home page, under Management Policy, click Sets.

3. On the Sets page, click New.

4. On the General page, input the following information in the fields listed below:

   • Display name – Reports to User_MiddleLevel

   • Description – Enter a user-friendly description for the Set that you are creating, for example, All users that report directly to User_MiddleLevel.

5. Click Next.

6. On the Criteria-based Members page, make sure that Enable criteria-based membership in current set is selected, and click all resources. From the drop-down menu select user.

7. Click Add Statement, then click Click to select attribute. From the drop-down menu, select Manager.

8. Make sure is is selected as the operator. Click click to select value. In Select Resource, in Search for: enter User_ and then click the search icon.

9. Select the box next to User_MiddleLevel, click OK, then click View Members.

10. You should see the following users in the preview list:

    • IsManager

    • User_BottomLevel

11. Click Finish.

12. The Summary page provides is an overall view of the Set you created.

13. Click Submit.

In this procedure you will create a new Set with manually-managed members. These members are manually selected as there is not a clean filter that can express this relationship.

To create the “Workgroup for LongTermContractor” as a set that includes criteria-based members

1. Log on to the FIM Portal as Administrator.

2. On the FIM Portal home page, under Management Policy, click Sets.

3. On the Sets page, click New.

4. On the General page, input the following information in the fields listed below:

   1. Display name – Workgroup for LongTermContractor

   2. Description– Enter a user-friendly description for the Set that you are creating, for example, All users that work with LongTermContractor

5. Click Next.

6. On the Criteria-based Members page, deselect the check box beside Enable criteria-based membership in current set and click Next.

7. On the Manually-managed Members page, add the members in the Members to Add box by performing following steps:

   1. Click the Browse icon located next to the input box.

   2. In the search box, enter ShortTermContractor, and then press Enter or click the search icon. Make sure Search within box has All Users selected.

   3. Under Search Result, check the box beside ShortTermContractor. Click OK.

      -or-

      You can also type ShortTermContractor and press Ctrl+K or click the validate icon. Sometimes there is more than one matching result. You can select the desired item in the list shown.

   Repeat this step to add User_BottomLevel.

8. Click Finish.

9. The Summary page provides is an overall view of the Set you created.

10. Click Submit.

When deleting a set, all references to the set in other MPRs, Workflows and other resources will be cleared. This may lead to these resources not function as expected. You should always do a thorough search of where the set is being referenced and fix these links before deleting the set. However, if you really need to preserve the set but enable the criteria-based membership part of the set, you can do so following these instructions listed below.

To change the “Workgroup for LongTermContractor” set to a set that includes criteria-based members

1. Log on to the FIM Portal as Administrator.

2. On the FIM Portal home page, under Management Policy, click Sets.

3. On the Sets page, enter Workgroup for LongTermContractor in the search box above and click the search icon.

4. In the results page generated from above search, click Workgroup for LongTermContractor.

5. Click Advanced View on the bottom of the page that displays the detail of the set.

6. On the Extended Attributes page, in the Filter attribute paste in following text:

   <Filter xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="https://www.w3.org/2001/XMLSchema" Dialect="https://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="https://schemas.xmlsoap.org/ws/2004/09/enumeration">/Person[JobTitle = 'Manager']</Filter>
   

   The Filter attribute takes a XML wrapped XPath expression. The XML wrapper format is always in following format:

   <Filter xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="https://www.w3.org/2001/XMLSchema" Dialect="https://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="https://schemas.xmlsoap.org/ws/2004/09/enumeration">XPath Expression</Filter>
   

   The XPath expression /Person[JobTitle = 'Manager'] means All people whose job title indicate that he/she is a Manager

7. Click Ok.

8. The Summary page provides is an overall view of the Set you created.

9. Click Submit.

After completing the procedures in this guide, you have successfully used the FIM Portal to create both criteria-based and manually-managed Sets in the FIM database. As a next step, use the Introduction to Management Policy Rules document that accompanies the FIM 2010 document set to use these sets to define permissions and workflows.