Forefront Identity Manager 2010 Certificate Management Schema Changes

The following table lists the Active Directory schema changes made by the modifyschema.vbs file that ships with Forefront Identity Manager 2010 Certificate Management (FIM CM). The distinguished names use DC=company,DC=com as a placeholder for the forest root domain; in a real forest the objects are created under that forest's Schema and Configuration partitions.

FIM CM Schema Additions

Name: CN=ms-Clm-Data,CN=Schema,CN=Configuration,DC=company,DC=com
Type: Attribute
Description: Stores the XML policy definition of a FIM CM profile template.

Name: CN=ms-Clm-Profile-Template,CN=Schema,CN=Configuration,DC=company,DC=com
Type: Object class
Description: Allows FIM CM profile templates to be stored in the directory.

Name: CN=ms-Clm-Service-Connection-Point,CN=Schema,CN=Configuration,DC=company,DC=com
Type: Object class
Description: Stores the system-wide permission configuration data for FIM CM.

Name: CN=ms-Clm-Audit,CN=Extended-Rights,CN=Configuration,DC=company,DC=com
Type: Extended permission
Description: Enables generating and viewing FIM CM policy templates, defining management policies within a profile template, and generating FIM CM reports.

Name: CN=ms-Clm-Enroll,CN=Extended-Rights,CN=Configuration,DC=company,DC=com
Type: Extended permission
Description: Enables the user to run the enrollment workflow and supply the data collected while certificates are issued from the profile template.

Note: This extended permission applies only to profile templates.

Name: CN=ms-Clm-Enrollment-Agent,CN=Extended-Rights,CN=Configuration,DC=company,DC=com
Type: Extended permission
Description: Enables the user or group to request certificates on behalf of another user. The issued certificate's subject contains the target user's name, not the requester's name.

The user or group that is assigned the FIM CM enrollment agent permission does not perform the enrollment itself. The enrollment is performed by the enrollment agent account on behalf of the user who requests the operation. This extended permission is assigned on the users or groups for whom particular enrollment agents are allowed to issue profiles.

Name: CN=ms-Clm-Subscriber-Enroll,CN=Extended-Rights,CN=Configuration,DC=company,DC=com
Type: Extended permission
Description: Enables the holder to initiate, run, or complete an enrollment request.

Name: CN=ms-Clm-Recover,CN=Extended-Rights,CN=Configuration,DC=company,DC=com
Type: Extended permission
Description: Enables the holder to initiate recovery of an archived encryption key from the CA.

The user or group that is assigned the ms-Clm-Recover (CLM Request Recover) permission does not perform the actual recovery. The recovery is performed by the key recovery agent account on behalf of the user who requests the operation.

Name: CN=ms-Clm-Renew,CN=Extended-Rights,CN=Configuration,DC=company,DC=com
Type: Extended permission
Description: Enables the holder to initiate, run, or complete a renewal request. A renewal replaces a user's certificate that is near its expiration date with a new certificate that has a new validity period.

Name: CN=ms-Clm-Revoke,CN=Extended-Rights,CN=Configuration,DC=company,DC=com
Type: Extended permission
Description: Enables revocation of a certificate before the end of its validity period. This is necessary, for example, when a user's computer or smart card is compromised or stolen.

Name: CN=ms-Clm-SmartCard,CN=Extended-Rights,CN=Configuration,DC=company,DC=com
Type: Extended permission
Description: Enables a smart card's user PIN to be reset (the card unblocked), so that the key material on the smart card can be used again.
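Because the extended permissions above gate sensitive operations (enrolling on behalf of other users, recovering archived encryption keys, revoking certificates), an administrator will typically want to confirm that modifyschema.vbs created these objects and to review who holds each right on each profile template. The following PowerShell script is an added example written for this page; it is not part of FIM CM or of the modifyschema.vbs file. It assumes the ActiveDirectory module from RSAT is available and that the account running it can read the Schema and Configuration partitions. Rather than hard-coding the LDAP display name of the profile template class or the container that holds profile templates (neither is stated on this page), it reads the lDAPDisplayName from the schema object and searches the whole Configuration partition for instances of that class. ACEs that grant an extended right reference the right's rightsGuid in their ObjectType field, which is how the script maps an ACE back to the ms-Clm-* name.

```powershell
# Added example (not FIM CM product code): verify the FIM CM schema additions and
# report which principals hold each ms-Clm-* extended right on each profile template.
# Assumes the RSAT ActiveDirectory module and read access to the Schema/Configuration NCs.
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$schemaNC  = $rootDse.schemaNamingContext
$configNC  = $rootDse.configurationNamingContext
$extRights = "CN=Extended-Rights,$configNC"

# Object names exactly as listed in the schema-changes table on this page.
$schemaNames = 'ms-Clm-Data', 'ms-Clm-Profile-Template', 'ms-Clm-Service-Connection-Point'
$rightNames  = 'ms-Clm-Audit', 'ms-Clm-Enroll', 'ms-Clm-Enrollment-Agent', 'ms-Clm-Subscriber-Enroll',
               'ms-Clm-Recover', 'ms-Clm-Renew', 'ms-Clm-Revoke', 'ms-Clm-SmartCard'

# 1. Confirm each schema object exists and capture its LDAP display name for later searches.
$ldapNames = @{}
foreach ($name in $schemaNames) {
    $obj = Get-ADObject -LDAPFilter "(cn=$name)" -SearchBase $schemaNC -Properties lDAPDisplayName
    if ($null -eq $obj) { Write-Warning "Schema object $name is missing"; continue }
    $ldapNames[$name] = $obj.lDAPDisplayName
    '{0,-35} {1,-16} lDAPDisplayName={2}' -f $name, $obj.ObjectClass, $obj.lDAPDisplayName
}

# 2. Confirm each extended right exists and collect its rightsGuid, the GUID an ACE
#    stores in ObjectType when it grants or denies that specific right.
$rightByGuid = @{}
foreach ($name in $rightNames) {
    $right = Get-ADObject -LDAPFilter "(cn=$name)" -SearchBase $extRights -Properties rightsGuid
    if ($null -eq $right) { Write-Warning "Extended right $name is missing"; continue }
    $rightByGuid[[guid]$right.rightsGuid] = $name
    '{0,-35} rightsGuid={1}' -f $name, $right.rightsGuid
}

# 3. Find every profile template object in the Configuration partition and list the
#    ms-Clm-* extended-right ACEs on it, so over-broad grants (e.g. Enrollment Agent or
#    Recover given to a large group) stand out. Inherited ACEs are flagged separately.
$templateClass = $ldapNames['ms-Clm-Profile-Template']
if ($templateClass) {
    $templates = Get-ADObject -LDAPFilter "(objectClass=$templateClass)" -SearchBase $configNC
    foreach ($t in $templates) {
        $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            $isExtended = $ace.ActiveDirectoryRights.HasFlag(
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
            if ($isExtended -and $rightByGuid.ContainsKey($ace.ObjectType)) {
                [pscustomobject]@{
                    Template  = $t.Name
                    Right     = $rightByGuid[$ace.ObjectType]
                    Identity  = $ace.IdentityReference
                    Type      = $ace.AccessControlType   # Allow or Deny
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}
```

An ACE whose ObjectType is the all-zero GUID grants every extended right at once; the script deliberately does not treat that as an ms-Clm-* grant, so if the output looks incomplete, also check for ExtendedRight ACEs with an empty ObjectType on the same objects. For ms-Clm-Enrollment-Agent, which the table says is assigned on the target users or groups rather than on profile templates, run the same ACL loop over the relevant user or group objects instead of the profile template set.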