Introduction to Management Policy Rules

Applies To: Forefront Identity Manager 2010

In Microsoft® Forefront® Identity Manager (FIM) 2010, Management Policy Rules (MPRs) provide a mechanism for modeling business processing rules for incoming requests to a server running FIM 2010 R2. MPRs control the permissions for requesting operations on FIM 2010 R2 objects together with the workflows that are triggered by these requests. You can use them to define a response to state transitions of your resources. The objective of this document is to introduce you to the basic MPR types based on a simple lab environment.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Before You Begin

This document assumes that you already have a working instance of FIM 2010 running on a computer. For more information about installing FIM 2010, see the FIM Installation Guide.

Prerequisite Knowledge

This document assumes that you have a basic understanding of Management Policy Rules, workflows, and sets. For more information, see Designing Business Policy Rules.

Audience

This guide is intended for information technology (IT) professionals who are interested in getting some initial hands-on experience with FIM 2010 MPRs and workflows in a lab environment.

Scope

The scenario outlined in this document has been simplified to address the requirements of a simple lab environment. The focus is on helping the reader obtain a basic understanding of the technologies. This scenario is not intended for deployment in a production environment.

Time requirements

The procedures in this document require 30 to 45 minutes for a new user to complete. These time estimates assume that the testing environment is already configured. They do not include the time required to set up the test environment.

Getting Support

If you have questions regarding the content of this document or if you have general feedback, post a message to the Forefront Identity Manager 2010 discussion forum.

Scenario Description

Fabrikam, a fictitious company, is investigating how to easily manage entitlements by using FIM 2010. As part of this investigation, Fabrikam wants to explore the new MPR concept in the corporate lab environment based on a simple scenario. The goal of this scenario is to get a first hands-on impression of how set transition and request-based MPRs work.

To test the basic MPR types, Fabrikam has set up the following scenarios:

  1. When the department attribute of a user is updated, a notification e-mail message is sent.

  2. When the department attribute of a user is set to Helpdesk, in addition to sending the notification e-mail message, the affected user becomes a member of the All Helpdesk Members set, and the description attribute of the affected user is updated.

The following sections describe the scenario design, the scenario preparation, and the scenario steps.

Scenario Design

To implement the simple lab solution in this document, the following conceptual elements are required:

FIM user:

  • Britta Simon. Sample user for this scenario.


Sets:

  • All Helpdesk Members. Set with dynamic membership for all user objects with a department attribute value of Helpdesk.


Workflows:

  • Send Notification Workflow. Workflow that sends a notification e-mail message.

  • Update Description Workflow. Workflow that sets the description field of a resource to a specific value.


Management Policy Rules:

  • New Helpdesk Member TMPR. Set transition MPR that is triggered when a user transitions into the All Helpdesk Members set and runs the Update Description Workflow as a response.

  • Update Department RMPR. Request MPR that is triggered when the department attribute of a user is updated and runs the Send Notification Workflow as a response.

Testing Environment

The scenario outlined in this document has been developed and tested on a stand-alone computer. On this computer, FIM 2010 is already deployed and the computer is configured to be a domain controller for the Active Directory® forest Fabrikam.com. The name of this domain controller is FabrikamDC1. The following illustration outlines the domain configuration.


To perform the procedures in this document, the domain controller has been configured with the following software:

  • Windows Server® 2008 or Windows Server 2008 R2 64-bit Standard or Enterprise

  • Microsoft .NET Framework 3.5 Service Pack 1 (SP1)

  • Microsoft SQL Server® 2008 64-bit Standard or Enterprise, SP1 or later

  • Microsoft Exchange Server 2010

  • Windows SharePoint® Services 3.0 SP1, 64-bit

  • Windows PowerShell™ 1.0

  • FIM 2010

Note

A description of the installation of FIM 2010 and the required software components is out of the scope of this document. For a complete description of the installation process for FIM 2010, see the FIM Installation Guide.

Scenario Roadmap

The scenario roadmap in this document consists of two main building blocks:

  1. Configuring the scenario. In this section, you create all required scenario components, including the required MPRs and workflows.

  2. Testing the scenario. In this section, you verify whether the MPRs generate the desired results.

Configuring the Scenario

The configuration of the scenario in this document consists of the following building blocks:

  1. Creating the scenario user

  2. Creating the scenario set

  3. Creating the workflows

  4. Creating the MPRs

The following sections provide detailed instructions for each configuration building block.

Creating the scenario user

For the scenario in this document, you need to create one sample user in the FIM 2010 R2 Portal.

The following table lists the attributes of the sample user:

Attribute       Value
First name      Britta
Last name       Simon
Display name    Britta Simon
Domain          Fabrikam

To create the scenario user

  1. To open the FIM 2010 R2 Portal, open Windows Internet Explorer®, and then navigate to https://localhost/identitymanagement/default.aspx.

  2. To open the Users page, on the navigation bar, click Users.

  3. To open the Create User wizard, on the toolbar, click New.

  4. On the General tab, provide the following information, and then click Next:

    • First Name: Britta

    • Last Name: Simon

    • Display Name: Britta Simon

    • Domain: FABRIKAM

  5. To open the Summary tab, click Finish.

  6. On the Summary tab, click Submit.

Tip

To display the available users, click the Search for button.

Creating the scenario set

In this section, you create the required scenario set. For the scenario in this document, the purpose of the set is to track all users who are part of the Helpdesk department. A user becomes a member of this set when the user’s department attribute is set to Helpdesk.

To create the scenario set

  1. On the FIM 2010 R2 Portal, to open the Sets page, in the navigation bar, click Sets.

  2. To open the Create Set Wizard, on the toolbar, click New.

  3. On the General tab, provide the following information, and then click Next:

    • Display Name: All Helpdesk Members

  4. On the Criteria-based Members tab, provide the following information, and then click Finish:

    1. In the filter statement, click All resources, and then in the resource list, select user.

    2. To add a new template statement to the filter statement, in the filter statement, click Add Statement.

    3. In the filter statement, click <Click to select attribute>, and then in the resource list, select Department.

    4. In the filter statement, click <click to select value>, and then in the text box, type Helpdesk.

  5. On the Summary tab, click Submit.

Creating the workflows

In this section, you create the required workflows. For the scenario in this document, two workflows are required:

  • Send Notification Workflow

  • Update Description Workflow

Creating the Send Notification Workflow

The objective of this workflow is to send a notification e-mail message when an update to the department attribute was applied. For the scenario in this document, this workflow is intended to be triggered by the request-based MPR.

To create the Send Notification Workflow

  1. In the FIM 2010 R2 Portal, to open the Workflows page, on the Administration bar, click Workflows.

  2. To open the Create Workflow Wizard, on the toolbar, click New.

  3. On the General tab, provide the following information, and then click Next:

    • Workflow name: Send Notification Workflow

    • Workflow type: Action

  4. On the Activities tab, provide the following information, and then click Next:

    • In the Activity Picker, select Notification, and then click Select.

    • To set the Recipients, in the Recipients text box, type administrator, and then click the Validate and resolve button.

    • To select an Email Template:

      1. To open the Select Resources dialog box, click the Browse button.

      2. To display a list of the available Notification Email Templates, click the Search for button.

      3. Select one of the listed Notification Email Templates.

      4. Click OK to select the template.

    • To add the activity, click Save.

  5. To open the Summary page, click Finish.

  6. On the Summary tab, click Submit.

Creating the Update Description Workflow

The objective of this workflow is to set the description of a target user to a specific value. For the scenario in this document, this workflow is intended to be triggered by the set transition–based MPR.

To create the Update Description Workflow

  1. In the FIM 2010 R2 Portal, in the Administration bar, click Workflows to open the Workflows page.

  2. To open the Create Workflow wizard, on the toolbar, click New.

  3. On the General tab, provide the following information, and then click Next:

    • Workflow name: Update Description Workflow

    • Workflow type: Action

  4. On the Activities tab, provide the following information, and then click Next:

    • In the Activity Picker, select Function Evaluator, and then click Select.

    • In the Activity Display Name text box, type Update Description.

    • To open the Add Workflow Parameter Lookup dialog box, click Lookup.

    • From the Workflow Parameter list, select Target.

    • In the Parameter Attribute list, select Description.

    • To close the Add Workflow Parameter Lookup dialog box, click OK.

    • To set the Value, click Concatenate Value.

    • In the items list, select String, and then type Your TMPR was applied in the text box.

    • To save the activity, click Save.

  5. To go to the Summary tab, click Finish.

  6. On the Summary tab, click Submit.

Creating the MPRs

In this section, you create the required MPRs. For the scenario in this document, you create two MPRs:

  1. New Helpdesk Member TMPR – This MPR is triggered when a user transitions into the All Helpdesk Members set.

  2. Update Department RMPR – This MPR is triggered when the department attribute of a user is updated.

Creating the New Helpdesk Member TMPR

The objective of this section is to create an MPR that is triggered when a user transitions into the All Helpdesk Members set.

To create the New Helpdesk Member TMPR

  1. To open the Management Policy Rules page, on the FIM 2010 R2 Portal home page, in the navigation bar, click Management Policy Rules.

  2. To open the Create Management Policy Rule Wizard, on the toolbar, click New.

  3. On the General tab, provide the following information, and then click Next:

    1. Display Name: New Helpdesk Member TMPR

    2. Type: Set transition

  4. On the Transition Definition tab, provide the following information, and then click Next:

    1. Transition Set: All Helpdesk Members

    2. Transition Type: Transition In

    Note

    You need to click the Validate and resolve button after typing the name of the transition set into the textbox.

  5. On the Policy Workflows tab, provide the following information, and then click Next:

    1. Action Workflows: Update Description Workflow

  6. On the Summary tab, click Submit.

Creating the Update Department RMPR

The objective of this section is to create a request-based MPR that is triggered when an update request to the department attribute of a user is processed. Because the Requestors condition is the Administrators set, this MPR matches only requests submitted by members of that set; a department change submitted by a requestor outside that set does not match this rule and therefore does not trigger the notification workflow.

To create the Update Department RMPR

  1. To open the Management Policy Rules page, on the FIM 2010 R2 Portal homepage, in the navigation bar, click Management Policy Rules.

  2. To open the Create Management Policy Rule Wizard, on the toolbar, click New.

  3. On the General tab, provide the following information, and then click Next:

    1. Display Name: Update Department RMPR

    2. Type: Request

  4. On the Requestors and Operations tab, provide the following information, and then click Next:

    1. Requestors: Specific Set of Requestors: Administrators

      Note

      You need to click the Validate and resolve button after typing the name into the Resource Picker.

    2. Operation: Modify a single-valued attribute

  5. On the Target Resources tab, provide the following information, and then click Next:

    1. Target Resource Definition Before Request: All Users and Groups

    2. Target Resource Definition After Request: All Users and Groups

      Note

      You need to click the Validate and resolve button after typing the name into a Resource Picker.

    3. Select specific Attributes: Department

      Note

      You need to click the Validate and resolve button after typing the attribute name into the Resource Picker.

  6. On the Policy Workflows tab, provide the following information, and then click Next:

    1. Action Workflows: Send Notification Workflow

  7. On the Summary tab, click Submit.
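The configuration building blocks above (sample user, scenario set, and the two MPRs) are portal wizard steps. The following PowerShell script is an added example, not part of the original page, that creates the same user, the criteria-based All Helpdesk Members set, and both MPRs through the FIM Service web service, using the FIMAutomation snap-in (Export-FIMConfig and Import-FIMConfig) that ships with the FIM Service. It assumes the endpoint http://localhost:5725/resourcemanagementservice, that the two workflows already exist under the names used above, and that the built-in All People set stands in for the All Users and Groups set named in the request MPR procedure; the Person, Set, and ManagementPolicyRule attribute names are those of the FIM Service schema. Workflow creation is left to the portal because the activity definition (XOML) is not shown on this page.

```powershell
# Added example (not from the original page): build the lab objects over the FIM Service
# web service with the FIMAutomation snap-in. Endpoint and set names are assumptions.
$Uri = 'http://localhost:5725/resourcemanagementservice'
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# Returns the bare GUID of the single resource matching an XPath filter; fails loudly otherwise,
# so a typo in a set or workflow name cannot silently produce an MPR with a dangling reference.
function Get-FimObjectId([string]$Filter) {
    $result = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $Filter)
    if ($result.Count -ne 1) {
        throw "Expected exactly one resource for $Filter, found $($result.Count)"
    }
    # ObjectIdentifier has the form urn:uuid:<guid>
    return $result[0].ResourceManagementObject.ObjectIdentifier.Split(':')[2]
}

# Builds an ImportObject that creates a new resource of the given type.
function New-FimCreateObject([string]$ObjectType) {
    $obj = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $obj.ObjectType = $ObjectType
    $obj.SourceObjectIdentifier = [guid]::NewGuid().ToString()
    $obj.TargetObjectIdentifier = $obj.SourceObjectIdentifier
    $obj.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Create
    return $obj
}

# Queues attribute changes on an ImportObject. Single-valued attributes use Replace (1);
# multi-valued ones (ActionType, ActionParameter, ActionWorkflowDefinition) use Add (0),
# one ImportChange per value.
function Add-FimChange($ImportObject, [string]$Name, $Value, [switch]$MultiValued) {
    foreach ($v in @($Value)) {
        $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
        if ($MultiValued) { $change.Operation = 0 } else { $change.Operation = 1 }
        $change.AttributeName = $Name
        $change.AttributeValue = [string]$v
        $change.FullyResolved = 1
        $change.Locale = 'Invariant'
        if ($null -eq $ImportObject.Changes) { $ImportObject.Changes = @($change) }
        else { $ImportObject.Changes += $change }
    }
}

# 1. The sample user, with the attributes from the table above.
$user = New-FimCreateObject 'Person'
Add-FimChange $user 'FirstName'   'Britta'
Add-FimChange $user 'LastName'    'Simon'
Add-FimChange $user 'DisplayName' 'Britta Simon'
Add-FimChange $user 'Domain'      'FABRIKAM'

# 2. The criteria-based set. Its Filter attribute is the XPath wrapped in the FIM filter envelope.
$set = New-FimCreateObject 'Set'
Add-FimChange $set 'DisplayName' 'All Helpdesk Members'
Add-FimChange $set 'Filter' ('<Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ' +
    'xmlns:xsd="http://www.w3.org/2001/XMLSchema" ' +
    'Dialect="http://schemas.microsoft.com/2006/11/ResourceManagement/Dialect/XPath-Filter" ' +
    'xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement">' +
    "/Person[Department = 'Helpdesk']</Filter>")
$user, $set | Import-FIMConfig -Uri $Uri

# 3. References for the MPRs. 'All People' is the built-in set of all users (assumed here in
#    place of the 'All Users and Groups' name in the portal procedure); workflows must exist.
$helpdeskSetId  = Get-FimObjectId "/Set[DisplayName='All Helpdesk Members']"
$adminSetId     = Get-FimObjectId "/Set[DisplayName='Administrators']"
$targetSetId    = Get-FimObjectId "/Set[DisplayName='All People']"
$notifyWfId     = Get-FimObjectId "/WorkflowDefinition[DisplayName='Send Notification Workflow']"
$updateDescWfId = Get-FimObjectId "/WorkflowDefinition[DisplayName='Update Description Workflow']"

# 4. Set transition MPR: Transition In is ActionType 'TransitionIn' with the transition set in
#    ResourceFinalSet. GrantRight is false: transition rules only run workflows.
$tmpr = New-FimCreateObject 'ManagementPolicyRule'
Add-FimChange $tmpr 'DisplayName'              'New Helpdesk Member TMPR'
Add-FimChange $tmpr 'ManagementPolicyRuleType' 'SetTransition'
Add-FimChange $tmpr 'Disabled'                 'false'
Add-FimChange $tmpr 'GrantRight'               'false'
Add-FimChange $tmpr 'ActionType'               'TransitionIn'  -MultiValued
Add-FimChange $tmpr 'ActionParameter'          '*'             -MultiValued
Add-FimChange $tmpr 'ResourceFinalSet'         $helpdeskSetId
Add-FimChange $tmpr 'ActionWorkflowDefinition' $updateDescWfId -MultiValued

# 5. Request MPR: Modify of Department on any user, by members of Administrators. GrantRight is
#    false, so this rule only attaches the workflow; permission to modify comes from the
#    built-in "Administration: Administrators can read and update Users" rule.
$rmpr = New-FimCreateObject 'ManagementPolicyRule'
Add-FimChange $rmpr 'DisplayName'              'Update Department RMPR'
Add-FimChange $rmpr 'ManagementPolicyRuleType' 'Request'
Add-FimChange $rmpr 'Disabled'                 'false'
Add-FimChange $rmpr 'GrantRight'               'false'
Add-FimChange $rmpr 'ActionType'               'Modify'     -MultiValued
Add-FimChange $rmpr 'ActionParameter'          'Department' -MultiValued
Add-FimChange $rmpr 'PrincipalSet'             $adminSetId
Add-FimChange $rmpr 'ResourceCurrentSet'       $targetSetId
Add-FimChange $rmpr 'ResourceFinalSet'         $targetSetId
Add-FimChange $rmpr 'ActionWorkflowDefinition' $notifyWfId  -MultiValued
$tmpr, $rmpr | Import-FIMConfig -Uri $Uri
```

Run the script in a PowerShell session on the FIM Service computer as a FIM administrator. Both MPRs are created with GrantRight set to false, so neither grants any permission: the right to modify the attribute still comes from the built-in Administration: Administrators can read and update Users rule, which is why that rule appears next to the scenario MPRs on the Applied Policy tab during testing. Keeping action-only rules separate from permission-granting rules is the least-privilege pattern to follow when you move beyond the lab.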

Testing the Scenario

The goal of the scenario in this document is to test the functionality of the two basic MPR types – request and transition.

The following sections provide instructions for testing each MPR type.

Testing the request MPR

The objective of the request MPR in this scenario is to invoke a workflow that sends a notification e-mail message when the department attribute of a user is updated. For the scenario in this document, you verify the functionality of the request MPR by updating the department attribute of the sample user Britta Simon to Finance.

To verify whether the request MPR works as expected, perform the following tasks:

  1. Update the department attribute of the sample user

  2. Review the request queue

  3. Verify the effect of the MPR

In the following sections, you will find the related test instructions.

Updating the department attribute of the sample user

The objective of this step is to set the department attribute to Finance.

To update the department attribute of the sample user

  1. To open the Users page, on the FIM 2010 R2 Portal home page, in the navigation bar, click Users.

  2. To retrieve a list of the existing users, click the Search for button.

  3. To open the Britta Simon property page, in the Display Name column, select Britta Simon.

  4. In the Department text box, type Finance.

  5. To open the Summary page, click OK.

  6. To update the Britta Simon properties, click Submit.

Review the request queue

The attempt to update Britta Simon's department attribute generates a request object in FIM 2010 R2. The FIM 2010 R2 Service should have applied two MPRs to this request:

  1. Administration: Administrators can read and update Users – This built-in MPR grants the permission to update a user's attributes; without a matching rule that grants the right, the request would be denied.

  2. Update Department RMPR – This MPR is triggered by the update request for Britta Simon's department attribute and attaches the Send Notification Workflow.

The objective of this section is to verify whether the request has been processed as expected.

To review the request queue

  1. To open the Manage My Requests page, in the Requests & Approvals section of the navigation bar, click Manage My Requests.

  2. To open the request properties, in the Request list, select Update to Person: 'Britta Simon' Request.

  3. Click the Detailed Content tab, and verify that the request content has the following details:

    • Attribute: Department

    • Operation: Modify

    • Type: String

    • Value: Finance

  4. Click the Applied Policy tab, and verify that the Matched Management Policy Rules list contains the following MPRs:

    • Administration: Administrators can read and update Users

    • Update Department RMPR

  5. Click the General tab, and verify that Status displays Completed.

Verify the effect of the MPR

The last verification step is checking your inbox for a notification e-mail message.

To verify the effect of the MPR

  1. Go to your Microsoft Office Outlook® Inbox.

  2. Verify that a notification e-mail message has arrived in your Inbox.

Testing the set transition MPR

The objective of the set transition MPR in this scenario is to invoke a workflow that sets the description of a user to a specific value when the user has transitioned into the All Helpdesk Members set. For the scenario in this document, you verify the functionality of the set transition MPR by updating the department attribute of the sample user Britta Simon to Helpdesk, which makes Britta Simon a member of the All Helpdesk Members set. When Britta Simon has become a member of the All Helpdesk Members set, her description attribute should be set to Your TMPR was applied.

To verify whether the set transition MPR works as expected, perform the following tasks:

  1. Update the department attribute of the sample user.

  2. Verify the set membership.

  3. Review the request queue.

  4. Verify the effect of the MPR.

In the following sections, you will find the related test instructions.

Updating the department attribute of the sample user

The objective of this step is to make the sample user a member of the All Helpdesk Members set.

To update the department attribute of the sample user

  1. To open the Users page, on the FIM 2010 R2 Portal home page, on the navigation bar, click Users.

  2. To retrieve a list of the existing users, click the Search for button.

  3. To open the Britta Simon properties page, select Britta Simon from the Display Name column.

  4. In the Department text box, type Helpdesk.

  5. To open the Summary page, click OK.

  6. To update the Britta Simon properties, click Submit.

Verify the set membership

Setting Britta Simon's department attribute to Helpdesk should have made Britta Simon a member of the All Helpdesk Members set.

The objective of this section is to verify whether this is true.

To verify the set membership

  1. To open the Sets page, in the Management Policy Rules section of the navigation bar, click Sets.

  2. To open the All Helpdesk Members property page, in the Display Name list, click All Helpdesk Members.

  3. To display the list of calculated members, click the Criteria based Members tab, and then click View Members.

  4. Verify that Britta Simon appears in the list.

Note

In the View Members list, the Description box for Britta Simon should read Your TMPR was applied.

Review the request queue

The attempt to update Britta Simon's department attribute generates a request object in FIM 2010 R2. The FIM 2010 R2 Service should have applied three MPRs to this request:

  1. Administration: Administrators can read and update Users – This MPR grants permission to update a user's attributes

  2. New Helpdesk Member TMPR – This MPR is triggered by the set transition of Britta Simon into the All Helpdesk Members set.

  3. Update Department RMPR – This MPR is triggered when a request to update the department attribute of a user is processed.

The objective of this section is to verify whether the request has been processed as expected.

To review the request queue

  1. To open the Manage My Requests page, in the Requests & Approvals section of the navigation bar, click Manage My Requests.

  2. To open the request properties, in the Request list, select Update to Person: 'Britta Simon' Request.

  3. Click the Detailed Content tab, and verify that the request content has the following details:

    • Attribute: Department

    • Operation: Modify

    • Type: String

    • Value: Helpdesk

  4. Click the Applied Policy tab, and verify that the Matched Management Policy Rules list contains the following MPRs:

    • Administration: Administrators can read and update Users

    • New Helpdesk Member TMPR

    • Update Department RMPR

  5. Click the General tab, and verify that Status has the following value: Completed.

Verify the effect of the MPR

You should have already seen the updated description value when reviewing the membership of the All Helpdesk Members set. In addition, you should also review Britta Simon's attribute values.

To verify the effect of the MPR

  1. To open the Users page, on the FIM 2010 R2 Portal home page, click Users on the navigation bar.

  2. To retrieve a list of the existing users, click the Search for button.

  3. To open the Britta Simon properties page, in the Display Name column, select Britta Simon.

  4. Click the Advanced View button.

  5. Verify that the Description attribute has a value of Your TMPR was applied.

Note

You should also receive another notification e-mail message in your Inbox because updating Britta Simon’s department attribute also triggers the Update Department RMPR.
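The verification steps in both test sections above use the portal's request view, set view, and user properties. The following PowerShell script is an added example, not part of the original page, that performs the same checks over the FIM Service web service: it lists the requests that modified Britta Simon together with the attribute each changed and the MPRs that matched, checks whether she is a computed member of the All Helpdesk Members set, and reads her Description attribute. It assumes the FIMAutomation snap-in, the endpoint http://localhost:5725/resourcemanagementservice, and the FIM Service schema names for the Request attributes (Operation, RequestStatus, RequestParameter, ManagementPolicy); the element names inside RequestParameter are an assumption noted in the code.

```powershell
# Added example (not from the original page): read back the request history, set membership
# and Description value that the portal steps above inspect. Endpoint is an assumption.
$Uri = 'http://localhost:5725/resourcemanagementservice'
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# Reads one attribute from an ExportObject; multi-valued attributes come back as arrays.
function Get-FimAttribute($ExportObject, [string]$Name) {
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    if ($null -eq $attr) { return $null }
    if ($attr.IsMultiValue) { return $attr.Values } else { return $attr.Value }
}

# Map every MPR's urn:uuid identifier to its display name so the request's
# ManagementPolicy references (the Applied Policy tab) can be printed by name.
$mprNames = @{}
foreach ($mpr in @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig '/ManagementPolicyRule')) {
    $mprNames[$mpr.ResourceManagementObject.ObjectIdentifier] = Get-FimAttribute $mpr 'DisplayName'
}

# 1. Requests that modified Britta Simon (Operation 'Put' is a modify request).
$requests = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig `
    "/Request[Target=/Person[DisplayName='Britta Simon'] and Operation='Put']")
foreach ($req in $requests) {
    Write-Host ('Request "{0}" status: {1}' -f (Get-FimAttribute $req 'DisplayName'),
                                               (Get-FimAttribute $req 'RequestStatus'))
    # Each RequestParameter value is an XML fragment describing one attribute change
    # (the Detailed Content tab). Element names PropertyName and Value are assumed.
    foreach ($param in @(Get-FimAttribute $req 'RequestParameter')) {
        $p = ([xml]$param).RequestParameter
        $value = $p.Value
        if ($value -is [System.Xml.XmlElement]) { $value = $value.InnerText }
        Write-Host ('  {0} -> {1}' -f $p.PropertyName, $value)
    }
    foreach ($ref in @(Get-FimAttribute $req 'ManagementPolicy')) {
        $name = $mprNames[$ref]
        if (-not $name) { $name = $ref }
        Write-Host ('  matched MPR: {0}' -f $name)
    }
}

# 2. Set membership: users whose ObjectID is among the set's computed members.
$members = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig `
    "/Person[ObjectID = /Set[DisplayName='All Helpdesk Members']/ComputedMember]")
$isMember = @($members | Where-Object { (Get-FimAttribute $_ 'DisplayName') -eq 'Britta Simon' }).Count -eq 1
Write-Host ('Britta Simon in All Helpdesk Members: {0}' -f $isMember)

# 3. Effect of the TMPR: the Description written by the Update Description Workflow.
$britta = @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig "/Person[DisplayName='Britta Simon']")[0]
$desc = Get-FimAttribute $britta 'Description'
Write-Host ("Description: '{0}' (expected 'Your TMPR was applied')" -f $desc)
```

After the Helpdesk update, the second request listed should show Department -> Helpdesk with all three MPRs named, membership true, and the expected Description. If the TMPR is missing from the matched list while the RMPR is present, the transition set did not recalculate as expected; check the set filter and the Transition Set value on the TMPR before suspecting the workflow.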

See Also

Reference

Designing Business Policy Rules