Configuring FIM CM Groups, Templates, and Permissions

Applies To: Forefront Identity Manager Certificate Management

Identifying Permission Assignment Locations

There are five different permission assignment locations that determine the actual authorization level of the requesting user, as shown in the following illustration. When you define a management policy workflow, you must determine whether permissions are necessary at each of the five locations.

Illustration: AD Object Permissions for FIM CM

The five locations for permissions are as follows:

  1. On the service connection point: The service connection point permissions determine whether a user is assigned a management role in the FIM CM deployment. For example, if a user must initiate requests for other users, the user is assigned the FIM CM Request Enroll permission at the service connection point.

    Navigation: Active Directory Users and Computers\<Domain>\System\Microsoft\Certificate Lifecycle Manager\<Computer Name>.

  2. On the profile template object: The profile template permissions determine whether a user can read the contents of the profile template (to execute management policy workflows within the profile template) or receive certificates based on the management policies within the profile template. If a user is required to enroll certificates based on the profile template, the user must be assigned the FIM CM Enroll permissions on the profile template.

    Navigation: Active Directory Sites and Services\View\Show Services\Services\Public Key Services\Profile Templates.

  3. In users or groups: A user or group that is assigned a management role in the FIM CM environment must have permissions assigned on the users or groups that they will manage in the environment. For example, if you want to enable a manager to recover certificates that are issued to members of the GroupA users group, you must assign the manager or a group containing the manager the FIM CM Recover permission on the GroupA users group.

  4. In certificate templates: The user or group that submits enrollment and renewal requests to the certification authority must be assigned the Read and Enroll permissions on all certificate templates within a profile template.

    Navigation: Active Directory Sites and Services\View\Show Services Node\Services\Public Key Services\Profile Templates.

  5. Within the management policy: The user or group must be assigned their management role within the management policy. For example, if the user is given the task of approving enrollment requests, you must assign the user the ability to Approve enrollment requests within the Enroll management policy.

Note

Management Policy permissions are located in the Profile Template property sheets. You can modify these permissions by using the FIM CM Portal.

FIM CM Active Directory Permission Walkthrough

This walkthrough results in the setup and configuration of essential users and services for your CA.

Setup Constrained Delegation

Configure the FIM CM server's computer account so that it is trusted for constrained delegation to the rpcss service on the CA.

  1. Open the Active Directory Users and Computers snap-in.

  2. Click View, and then click Advanced Features.

  3. Expand the <domain name>, and then navigate to the Computers container or the organizational unit (OU) that contains your FIM CM server.

  4. Right-click the FIM CM server, click Properties, and then click the Delegation tab.

  5. Click Trust this computer for delegation to specified services only, select Use any authentication protocol, and then click Add.

  6. In Add Services, click Users or Computers.

  7. In Select Users or Computers, type the name of the CA, and then click OK.

  8. In Add Services, in the list of Available services, select rpcss, and then click OK.

Trust the clmWebPool for Delegation to the CA

Configure the clmWebPool account so that it is trusted for constrained delegation, using Kerberos only, to the HOST service on the CA.

  1. Open Active Directory Users and Computers.

  2. Expand <domain name>, click Users, right-click the account clmWebPool, and then click Properties.

  3. Click the Delegation tab, click Trust this user for delegation to specified services only, click Use Kerberos only, and then click Add.

  4. In Add Services, click Users or Computers.

  5. In Select Users or Computers, type the name of the CA, and then click OK.

  6. In Add Services, in the list of Available services, select HOST, and then click OK.
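The two delegation trusts set up in the procedures above, expressed with the ActiveDirectory PowerShell module so they can be scripted and read back. This is an added example, not from the FIM CM documentation; the host names FIMCM01 and CA01 are assumptions, as is the account name clmWebPool being the portal application-pool account in the Users container.

```powershell
# Added example: configure and verify the constrained delegation described on
# this page. Assumed names: FIMCM01 (FIM CM server), CA01 (the CA), clmWebPool.
Import-Module ActiveDirectory

$Domain     = (Get-ADDomain).DNSRoot      # e.g. corp.example.com
$FimCmHost  = 'FIMCM01'
$CaHost     = 'CA01'
$WebPoolSam = 'clmWebPool'

# The Delegation tab writes both the short and the fully qualified SPN form;
# do the same so that either target name is accepted by the KDC.
function Get-ServiceTargets([string]$Service, [string]$TargetHost) {
    @("$Service/$TargetHost", "$Service/$TargetHost.$Domain")
}

# 1. FIM CM computer account: rpcss on the CA, "Use any authentication
#    protocol" (protocol transition), i.e. TRUSTED_TO_AUTH_FOR_DELEGATION.
Set-ADComputer -Identity $FimCmHost -Add @{
    'msDS-AllowedToDelegateTo' = (Get-ServiceTargets 'rpcss' $CaHost)
}
Set-ADAccountControl -Identity "$FimCmHost$" -TrustedToAuthForDelegation $true

# 2. clmWebPool user account: HOST on the CA, "Use Kerberos only", so the
#    protocol-transition flag is deliberately left off.
Set-ADUser -Identity $WebPoolSam -Add @{
    'msDS-AllowedToDelegateTo' = (Get-ServiceTargets 'HOST' $CaHost)
}
Set-ADAccountControl -Identity $WebPoolSam -TrustedToAuthForDelegation $false

# Read the result back straight from userAccountControl so the check does not
# depend on the cmdlet's friendly property names. Unconstrained delegation
# (TRUSTED_FOR_DELEGATION) should never be set on either account.
function Get-DelegationSummary([string]$SamAccountName) {
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" `
        -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
    $uac = [int]$obj.userAccountControl
    [pscustomobject]@{
        Account       = $obj.Name
        Targets       = ($obj.'msDS-AllowedToDelegateTo' -join ', ')
        ProtocolTrans = [bool]($uac -band 0x1000000)   # TRUSTED_TO_AUTH_FOR_DELEGATION
        Unconstrained = [bool]($uac -band 0x80000)     # TRUSTED_FOR_DELEGATION, expect False
    }
}

Get-DelegationSummary "$FimCmHost$"
Get-DelegationSummary $WebPoolSam
```

Run it as a member of Domain Admins (writing msDS-AllowedToDelegateTo requires the SeEnableDelegationPrivilege that domain administrators hold by default), and expect ProtocolTrans to be True only for the computer account.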

CM Authorization Agent Permissions

This section describes in detail the permissions that the clmAuthAgent account must have to perform various actions and roles.

The clmAuthAgent account requires the following permissions:

  1. Read permissions on all users and groups that use the portal or that are subscribers. These permissions can be inherited from Authenticated Users if they are configured in step 3 in the Setup Constrained Delegation.

  2. Read permissions on the certificate templates that you can use with the profile templates.

  3. Read and Write permissions on all existing profile templates.

  4. Permission to create a child object on the profile templates container.

Delegating Profile Template Administrator

Create a user named ProfileAdmin01 and a global security group named ProfileAdmins, and then assign the required permissions.

  1. Service connection point: Assign FIM CM Audit permissions to the ProfileAdmins group.

  2. Profile template: Assign ProfileAdmins Full Control to the container, specifying that it apply to “This object and all descendant objects”.

  3. User or group: No permissions need to be granted to users or groups.

  4. Certificate template: No permissions need to be granted.

  5. Within the management policy: No permissions need to be granted.

Permission Assignment for Self-Service

Create a user named Subscriber1 and a global security group named Subscribers, and then assign the required permissions.

  1. Service connection point: You do not have to assign explicit permissions to the service connection point because the Read permission inherited from Authenticated Users is sufficient.

  2. Profile template: Assign the Subscribers group Read and FIM CM Enroll permissions on the profile templates that the user can enroll for.

  3. User or group: No permissions need to be granted to users or groups.

  4. Certificate template: Assign the Subscribers group Read and Enroll permissions on each certificate template, within the profile template, that the user is enrolling for.

  5. Within the management policy: Activate Self Service under the Workflow General Settings for the FIM CM Operation to be performed (for example, Enroll and Revoke Policy).

Permission Assignment for Initiating a Request

Create a user named Initiator01 and a global security group named Initiators, and then assign the required permissions.

  1. Service connection point: Assign the Initiators group the FIM CM Request set of permissions that is related to the Request operation that they will be initiating (for example, FIM CM Request Enroll, and so on).

  2. Profile template: Grant Read permissions to the Initiators group on the profile template.

  3. User or group: Assign permissions to the Subscribers Security group so that Initiators can Read and perform the FIM CM Request operations on all members of this group.

  4. Certificate template: No explicit permissions need to be granted on certificate templates.

  5. Within the management policy: In the profile template, grant the Initiators group rights to Workflow: Initiate RequestType Request (where RequestType is Enroll, Duplicate, and so on).

Permission Assignment for Approving a Request

Create a user named Approver01 and a global security group named Approvers, and then assign the required permissions.

  1. Service connection point: Grant Approvers FIM CM Audit and Read permissions.

  2. Profile template: Assign the Approvers group Read permissions on the profile template.

  3. User or group: Ensure that each approver account receives Read permission (all properties) on each subscriber user account. These permissions could be propagated through existing group memberships (for example, if the Pre-Windows 2000 Compatible Access group is in use). Permissions can be assigned to an Approvers security group and then granted on all subscriber objects by granting permissions on the organizational units (OUs) where the user accounts are located.

    Note

    • If you have subscriber users in the default Users container or at the domain level(s) of your directory structure, you will either have to move those accounts into an OU structure or assign permissions to the Approvers security group at the Domain level.

    • For more information about the Pre-Windows 2000 Compatible Access group, see Restricting Anonymous Access (https://go.microsoft.com/fwlink/?LinkId=205139).

  4. Certificate template: No explicit permissions need to be granted on certificate templates.

  5. Within the management policy: In the profile template, grant the Approvers group rights to Workflow: Approve RequestType Request (where RequestType is Enroll, Duplicate, and so on).

Permission Assignment for an Enrollment Agent

Create a user named EnrollAgent01 and a Global Security group named EnrollmentAgents.

  1. Service connection point: Assign the EnrollmentAgents group Read permissions on the Profile Templates container. Assign the EnrollmentAgents group Read and FIM CM Enroll rights on each of the profile templates for which they enroll.

  2. Profile template: Grant Read permissions on the profile templates container to the EnrollmentAgents. Grant EnrollmentAgents Read and FIM CM Enroll rights on each of the profile templates that they need to enroll for.

  3. User or group: Assign permissions to the Subscribers Security group so that Enrollment Agents are given Read and FIM CM Enrollment Agent permissions.

  4. Certificate template: Assign the EnrollmentAgents group Read and Enroll rights on all certificate templates that are configured in the profile template.

  5. Within the management policy: In the profile template, grant the EnrollmentAgents group rights to Workflow: Enroll Agent for RequestType Request (where RequestType is Enroll, Duplicate, and so on).

Configuring Active Directory Users and Groups

For information about how to perform basic user and group tasks, see the following articles:

By default, FIM CM uses the Active Directory infrastructure and supports three user roles. The following table shows these roles.

User roles in FIM CM

  • user: Any authenticated user in FIM CM.

  • certificate manager: A user who is granted at least one FIM CM management extended permission.

  • administrator: A certificate manager who is granted permission to edit profile templates.

You should add users and certificate managers to groups to reflect their respective roles. You can create multiple groups for each role, and you can create new application roles by selectively granting FIM CM management extended permissions. Immediately after you add a certificate managers group to the Security tab for a users group, you must grant the certificate managers group FIM CM management extended permissions for that users group.

Create a users group for FIM CM

We recommend that you use a users group to configure FIM CM permissions and roles. Using a users group ensures that you are setting permissions globally for your users, and it makes it easier to manage user permissions in AD DS.

To create a users group for FIM CM

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, click the Users container or the organizational unit (OU) where you want to create the new group.

  3. Right-click the Users container or OU, point to New, and then click New Group.

  4. In New Group, provide a relevant, unique name for the group.

  5. Under Group Scope, select either Global or Universal.

  6. Under Group Type, select Security.

Note

You must use security groups to configure extended permissions.

Important

FIM CM does not support domain local groups.

You can now grant the group standard permissions and FIM CM extended permissions. To finish enrollment, the certificate subscribers group requires Read permission and the FIM CM Request Enroll extended permission for a certificate template.

Create a certificate managers group

To create a certificate managers group, you create a new group in AD DS, and then assign this group all, or a subset of, the available FIM CM management extended permissions.

To create a certificate managers group

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, click the Users container or the OU where you want to create the new group.

  3. Right-click the Users container or OU, point to New, and then click New Group.

  4. In the New Group dialog box, type a relevant, unique name for the group.

  5. Under Group Scope, select either Global or Universal.

  6. Under Group Type, select Security.

Note

You must use security groups to configure extended permissions.

Important

FIM CM does not support domain local groups.

You can now grant FIM CM extended permissions to the new group. For information about how to do this, see Configure permissions for the certificate managers group. To grant a certificate managers group the ability to manage FIM CM functionality for a users group, you must first create a users group.

If your Active Directory deployment contains multiple domains, you can use a combination of universal and global groups. You can do this by granting extended permissions and user rights to the single universal group, and then adding each domain’s global group to the membership of the universal group.

Configuring FIM CM Access Control

You must carefully adjust access control in FIM CM to ensure that the correct users and groups can complete their tasks. You can use the topics in this section to assist you with defining your FIM CM access control requirements.

  • FIM CM extended permissions

  • Configuring access control for users and groups

  • Required access control settings for specific users

FIM CM extended permissions

To enable detailed control of FIM CM management delegation, FIM CM uses a set of extended permissions that are added to AD DS through schema extension. The following table shows these extended permissions.

FIM CM extended permissions added through schema extension

  • FIM CM Audit: Enables generation and display of FIM CM policy templates, defining management policies within a profile template, and generating FIM CM reports.

  • FIM CM Enroll: Enables the user to run the workflow and provide the data collected while issuing certificates using the template. Note: this extended permission applies only to profile templates.

  • FIM CM enrollment agent: Enables the user or group to request certificates on behalf of another user. The issued certificate’s subject contains the target user’s name, not the requester’s name. The user or group who is assigned the FIM CM enrollment agent permission does not perform the enrollment. The enrollment is performed by the enrollment agent account on behalf of the user who is requesting the operation. This extended permission applies to users or groups for whom particular enrollment agents will issue profiles.

  • FIM CM Request Enroll: Initiate, run, or complete an enrollment request.

  • FIM CM Request Recover: Initiate encryption key recovery from the CA. The user or group who is assigned the CLM Request Recover permission does not perform the actual recovery. The recovery is performed by the key recovery agent account on behalf of the user who is requesting the operation.

  • FIM CM Request Renew: Initiate, run, or complete a renew request. The renewal request replaces a user’s certificate that is near its expiration date with a new certificate with a new validity period.

  • FIM CM Request Revoke: Enables the revocation of a certificate before the expiration of the certificate’s validity period. For example, this might be necessary if a user’s computer or smart card is compromised (stolen).

  • FIM CM Request Unblock Smart Card: Enables a smart card’s user PIN to be reset. This enables key material on a smart card to be reestablished.

Extended permissions assignment locations

When you assign permissions in a FIM CM environment, there are five permission assignment locations that determine a requesting user's authorization level. When you define a management policy workflow, you must determine whether permissions are necessary at each of these locations.

Important

Omitting a required permission assignment at any of these locations can result in a workflow failure within a management policy.

The following table shows locations where you can assign extended permissions.

Where you can assign extended permissions

  • Service connection point: Determines whether a user is assigned a management role within the FIM CM deployment. For example, if a user must initiate requests for other users, the user is assigned the FIM CM Request Enroll permission at the service connection point.

  • Profile template object: Determines whether a user is a certificate subscriber or a certificate manager and whether the user can enroll certificates based on the profile template. If a user is required to enroll certificates based on the profile template, the user must be assigned the CLM Enroll permission on the profile template.

  • Users or groups: Determines a user's user role. A user or group who is assigned a management role within the FIM CM environment must have permissions assigned on the users and groups that they manage in the environment. For example, if you want to enable a manager to recover certificates issued to members of the EFS Users group, you must assign either the manager or a group that contains that manager the CLM Request Recover permission on the EFS Users group. (EFS is Encrypting File System.)

  • Certificate templates: Determines which users or groups can successfully submit enroll and renewal requests to the CA. These users must be assigned the Read permission and the FIM CM Request Enroll permission on all certificate templates in a profile template.

  • Management policy: Determines a user's management role in FIM CM. The user or group must be assigned the applicable management role in the management policy. For example, if you want the user to approve enrollment requests, you must assign the user the ability to approve enroll requests in the enroll management policy.

Note

All users who participate in the FIM CM workflow require Read permission on the service connection point to enable them to read the permission assignments. If a user does not have Read permission, that user cannot access the FIM CM Portal.

Important

To enable the user to recover encryption certificates, you must assign the CLM Request Recover permission on the service connection point and to the EFS Users group. If you assign the CLM Request Recover permission only to the EFS User group and not on the service connection point, certificate managers cannot recover encryption certificates.
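Because a missing or surplus extended right at any of these locations is hard to spot in the GUI, the following added example (not part of the FIM CM documentation) lists every principal that holds a FIM CM extended right on the service connection point and on the Profile Templates container, and flags ACEs that grant all extended rights at once. It assumes the default object paths given on this page, a server named FIMCM01, and that the extended rights are registered with display names starting with "CLM " or "FIM CM " (an assumption; adjust the filter if your schema names them differently).

```powershell
# Added example: audit who holds FIM CM extended rights at two of the five
# assignment locations. Assumes the default paths from this page and the
# server name FIMCM01; the displayName filter is an assumption.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$configDn = $rootDse.configurationNamingContext
$Server   = 'FIMCM01'

$locations = [ordered]@{
    'Service connection point' = "CN=$Server,CN=Certificate Lifecycle Manager,CN=Microsoft,CN=System,$domainDn"
    'Profile Templates'        = "CN=Profile Templates,CN=Public Key Services,CN=Services,$configDn"
}

# Extended rights live once under Configuration; each rightsGuid is what shows
# up as ObjectType in an ACE that grants that specific right.
$rights = Get-ADObject -SearchBase "CN=Extended-Rights,$configDn" `
    -LDAPFilter '(|(displayName=CLM *)(displayName=FIM CM *))' `
    -Properties displayName, rightsGuid
$rightByGuid = @{}
foreach ($r in $rights) { $rightByGuid[[guid]$r.rightsGuid] = $r.displayName }
if ($rightByGuid.Count -eq 0) {
    throw 'No FIM CM extended rights found under Extended-Rights; check the displayName filter.'
}

function Get-FimCmRightHolders([string]$Dn) {
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($ace in $acl.Access) {
        if (-not $ace.ActiveDirectoryRights.HasFlag(
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
        # An empty ObjectType means "every extended right", which is broader than
        # any role on this page requires and deserves a second look.
        if ($ace.ObjectType -eq [guid]::Empty) { $name = 'ALL extended rights' }
        elseif ($rightByGuid.ContainsKey($ace.ObjectType)) { $name = $rightByGuid[$ace.ObjectType] }
        else { continue }   # some other extended right, not FIM CM related
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $name
            Type      = $ace.AccessControlType   # Allow or Deny
            Inherited = $ace.IsInherited
        }
    }
}

foreach ($loc in $locations.GetEnumerator()) {
    "== $($loc.Key) =="
    Get-FimCmRightHolders $loc.Value | Sort-Object Principal, Right | Format-Table -AutoSize
}
```

Compare the output against the role matrices earlier on this page: a principal holding FIM CM Request Recover only here and not on the subscriber group, or vice versa, is exactly the split assignment the note above warns about.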

Configuring access control for users and groups

To configure access control for FIM CM, you must perform one of the following tasks:

  • Configure permissions for the FIM CM users group

  • Configure permissions for the certificate managers group

  • Configure permissions on a new profile template object

  • Configure sharing permissions on a profile template object

Configure permissions for the FIM CM users group

The FIM CM users group requires Read permissions on the profile template.

To set permissions for the FIM CM users group

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, locate the OU or container that contains the FIM CM users group.

  3. Right-click the FIM CM users group, and then click Properties.

  4. On the Security tab, click Add, and then add the FIM CM users group.

  5. Set the required permissions for the appropriate FIM CM transactions, and then click OK.

To view any FIM CM profile templates, the certificate subscribers group must have Read permissions for FIM CM enroll transactions on all existing profile template objects in AD DS.

To grant the FIM CM users group Read permission on the profile template objects

  1. Click Start, point to Administrative Tools, and then double-click Active Directory Sites and Services.

  2. In Active Directory Sites and Services, click View, and then click Show Services Node. This option remains enabled after you close the console.

  3. In the console tree, double-click Services, double-click Public Key Services, and then click Profile Templates.

  4. Right-click Profile Templates, and then click Properties.

  5. On the Security tab, click Add.

  6. In Select Users and Groups, add the certificate subscribers group, and then click OK.

  7. On the Security tab, verify that the certificate managers group has Read permissions assigned, and then click OK.

Configure permissions for the certificate managers group

The first three steps of the following procedure depend on where you created the directory entry that AD DS uses to store FIM CM configuration information. The following procedure assumes that you used the default directory entry settings.

To grant permissions to a certificate managers group

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. On the View menu, click Advanced Features.

  3. Verify that the Advanced Features check box is selected. This check mark indicates that the advanced features are enabled in MMC.

  4. In the console tree, double-click DomainName, and then click the System container.

    DomainName is the name of the domain.

  5. Double-click System, double-click Microsoft, double-click Certificate Management, and then click CMServer.

    CMServer is the NetBIOS name of the server that is hosting FIM CM.

  6. Right-click CMServer, and then click Properties.

  7. On the Security tab, add the certificate managers group, and then grant the group FIM CM extended permissions.

    ManagersGroup is the name of the certificate managers group.

FIM CM uses software-based certificates and hardware-based certificates. For hardware-based certificates that reside on a smart card, you must set suitable permissions (Allow/Deny) for FIM CM to function correctly.

For more information about FIM CM extended permissions, see FIM CM extended permissions.

To view FIM CM profile templates, the certificate managers group must have Read permissions on profile template objects in AD DS.

To assign Read permissions on profile template objects for the certificate managers group

  1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. On the View menu, verify that Show Services Node is selected.

  3. In the console tree, double-click Services, and then double-click Public Key Services.

  4. Right-click Profile Templates, and then click Properties.

  5. On the Security tab, click Add.

  6. In Select Users and Groups, add the certificate managers group, and then click OK.

  7. On the Security tab, verify that the certificate managers group has Read permissions assigned, and then click OK.

Configure permissions on a new profile template object

To set permissions on a new FIM CM profile template, you must be a member of the Enterprise Admins group or a member of the root domain's Domain Admins group in AD DS.

Note

You can create a new profile template by copying an existing template that is close to the configuration of the new template that you want, and then configuring the new template's properties.

To configure permissions on a new profile template

  1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. On the View menu, verify that Show Services Node is selected.

  3. In the console tree, double-click Services, double-click Public Key Services, and then click Profile Templates.

  4. In the details pane, right-click a profile template, and then click Properties.

  5. On the Security tab, make any necessary permission changes, and then click OK.

Even though profile templates might contain Version 2 certificate templates that can be created and duplicated in Microsoft® Windows Server® 2003, Standard Edition, certificates based on Version 2 templates can be issued only by a certification authority that is running Microsoft® Windows Server® 2003, Enterprise Edition or Microsoft® Windows Server® 2003, Datacenter Edition.

After you duplicate a profile template object, you must add your user or group and verify that the permissions are modified.

Configure sharing permissions on a profile template object

By default, FIM CM assigns Read permissions to any new groups that you add to the Security tab of a FIM CM profile template. It is up to you to adjust a security group's permissions based on its relevant roles.

Profile template object sharing permissions for FIM CM groups

  • users group: You must assign the Read permission and the FIM CM Request Enroll permission to the users group. Subscribers use the permissions to read the properties and settings of the template, and to enroll any certificate templates that are included in the profile template.

  • certificate managers group: You must assign the Read permission and the Write permission to the certificate managers group.
