Introduction to User and Group Management

Applies To: Forefront Identity Manager 2010

The management of security and distribution groups is a basic task in a directory. Microsoft® Forefront® Identity Manager (FIM) 2010 introduces new features that simplify this task significantly. This document shows how you can use FIM 2010 to manage security and distribution groups in your environment.

Prerequisite Knowledge

This document assumes that you have a basic understanding of the following information technology (IT) concepts and tasks:

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

A description of how to set up FIM 2010 and AD DS is out of the scope of this document.

Audience

This guide is intended for IT professionals who are interested in learning about the new security group management features in FIM 2010.

Time Requirements

The procedures in this document require 60 to 90 minutes for a new user to complete.

Note

These time estimates assume that the testing environment is already configured for the scenario. They do not include the time required to set up the test environment.

Scenario Description

Fabrikam, a fictitious company, is investigating how to deploy and maintain the management of security and distribution groups. After working through the Declarative Provisioning scenario, Fabrikam has determined that FIM 2010 provides the required functionality for its users. However, it still must evaluate the functionality provided by FIM 2010 with regard to group scenarios. The decision was made to deploy a simple scenario in the corporate lab environment. The objective of this lab is to test the following essential requirement:

  • Criteria-based group assignment. At Fabrikam, there are several line-of-business (LOB) applications that full-time employees and contractors use. Some applications are similar, but some are very different. For this reason, full-time employees and contractors must be able to access and run different applications. However, for security reasons, Fabrikam does not want contractors to access some of the full-time employees’ applications. To prevent this from happening, two security groups, FTEApps and ConApps, exist in the Active Directory environment. Members of FTEApps can access all the required applications for full-time employees (FTEs) and members of the ConApps group can access all of the required applications for contractors. One problem area for making new users productive when they are hired is that they currently must be manually assigned to these security groups. By using FIM 2010, Fabrikam wants to add users automatically to either group, based on their employee type at the time that they are provisioned to AD DS. This operation makes it possible for the new employees to access their LOB applications on the first day.
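The requirement above is a policy, and a policy is only as good as the check that runs against it. The following PowerShell script is an added example, not part of the original document: it is the audit a practitioner would run against AD DS once the scenario is working, reporting every account whose FTEApps or ConApps membership disagrees with its employeeType. It uses System.DirectoryServices so it runs with the Windows PowerShell 1.0 that is installed on the lab computer. It assumes both groups exist in fabrikam.com and that the provisioned users live in the FIMObjects OU that this document creates later; the group and OU names are the ones used on this page.

```powershell
# Added example, not from the original document: audit AD DS for accounts whose
# FTEApps/ConApps membership does not match their employeeType.
# Uses System.DirectoryServices so it runs with Windows PowerShell 1.0 on the lab
# domain controller. Assumed: both groups exist in fabrikam.com, and the users live
# in OU=FIMObjects (the OU created later in this document).
$domainDn = 'DC=fabrikam,DC=com'
$userBase = "OU=FIMObjects,$domainDn"

# The requirement from the scenario: one group per employee type, and no overlap.
$policy = @{ 'Full Time Employee' = 'FTEApps'; 'Contractor' = 'ConApps' }

function Get-GroupDn {
    param([string]$Name)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$domainDn", "(&(objectClass=group)(sAMAccountName=$Name))")
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Group $Name not found in $domainDn" }
    return [string]$result.Properties['distinguishedname'][0]
}

$groupDn = @{}
foreach ($g in $policy.Values) { $groupDn[$g] = Get-GroupDn $g }

$users = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$userBase", '(&(objectCategory=person)(objectClass=user))')
$users.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'employeeType', 'memberOf'))
$results = $users.FindAll()

$violations = @()
foreach ($u in $results) {
    $name = [string]$u.Properties['samaccountname'][0]
    $type = ''
    if ($u.Properties.Contains('employeetype')) { $type = [string]$u.Properties['employeetype'][0] }
    $memberOf = @($u.Properties['memberof'])     # memberOf omits the primary group; irrelevant here
    $expected = $policy[$type]                    # $null for an employeeType the policy does not know
    if ($expected -eq $null) { $violations += "$name has unexpected employeeType '$type'" }
    foreach ($g in $policy.Values) {
        $inGroup = $memberOf -contains $groupDn[$g]
        if ($g -eq $expected -and -not $inGroup) { $violations += "$name ($type) is missing from $g" }
        if ($g -ne $expected -and $inGroup)      { $violations += "$name ($type) must not be a member of $g" }
    }
}

if ($violations.Count -gt 0) { $violations | ForEach-Object { Write-Warning $_ } }
else { "All $($results.Count) accounts in $userBase match the employeeType policy" }
```

Run it after the initial load and again after each change to the HR data: a contractor who appears in FTEApps, or a user with an employeeType the policy does not know, is exactly the condition the scenario is meant to rule out.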

Testing environment

The scenario outlined in this document has been developed and tested on a stand-alone computer. On this computer, FIM 2010 is already deployed and the computer is configured to be a domain controller for the Active Directory forest Fabrikam.com. The name of this domain controller is FabrikamDC1. The following illustration shows the forest configuration.

[Illustration: Fabrikam.com forest configuration]

To perform the procedures in this document, the domain controller has been configured with the following software:

  • Windows Server® 2008 64-Bit Enterprise

  • Microsoft .NET Framework 3.5 Service Pack 1 (SP1)

  • Microsoft SQL Server® 2008 64-bit Enterprise (SP1)

  • Windows® SharePoint® Services 3.0 (SP1), 64-bit

  • Windows PowerShell™ 1.0

  • FIM 2010

Note

A description of the installation of FIM 2010 and the required software components is out of the scope of this document. For a complete description of the installation process for FIM 2010, see Introduction to Outbound Synchronization (https://go.microsoft.com/fwlink/?LinkId=165859).

Implementing the Procedures in this Document

To implement the procedures in this document, complete the following steps in order:

  1. Configuring the connected data sources

  2. Configuring the FIM Synchronization Service

  3. Configuring the FIM Service

  4. Initializing the testing environment

  5. Testing the configuration

Configuring the connected data sources

For the scenario in this document, you create a data file for the attribute-value pair management agent and an OU in AD DS to store the data.

The data file contains the source user objects for the scenario that is outlined in this document. All scenario objects are eventually provisioned into the OU.

Creating the data file

For the scenario in this document, create an attribute-value pair data file.

To create the data file

  1. Copy the records from the following data and then paste them into a new Notepad file.

    EmployeeID:10
    FirstName:Terry
    LastName:Adams
    UserID:tadams
    EmployeeType:Full Time Employee
    
    EmployeeID:11
    FirstName:Jimmy
    LastName:Bischoff
    UserID:jbischoff
    EmployeeType:Full Time Employee
    
    EmployeeID:12
    FirstName:Lola
    LastName:Jacobsen
    UserID:ljacobsen
    EmployeeType:Contractor
    
  2. Save the Notepad file on your local drive as C:\HRData.txt.
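The attribute-value pair file is the system of record for this scenario, so a malformed record here becomes a user that is never provisioned or, worse, a duplicate anchor. The following PowerShell script is an added example, not part of the original document: it parses C:\HRData.txt in the format shown above (blank-line separated records of Name:Value lines) and checks that every record carries the five attributes, that EmployeeID (the anchor chosen for the Fabrikam HRMA) is unique, and that EmployeeType is one of the two values the set criteria later in this document match on. The file path and the list of required attributes are taken from this page.

```powershell
# Added example, not from the original document: validate C:\HRData.txt before the
# Fabrikam HRMA imports it. Assumptions: records are blank-line separated Name:Value
# pairs (the attribute-value pair format used above); EmployeeID is the MA anchor and
# must be unique; EmployeeType must be one of the two values the scenario's set
# criteria later match on, or the user will never be provisioned.
param([string]$Path = 'C:\HRData.txt')

$requiredAttributes   = @('EmployeeID', 'FirstName', 'LastName', 'UserID', 'EmployeeType')
$allowedEmployeeTypes = @('Full Time Employee', 'Contractor')

function Read-AvpRecords {
    param([string[]]$Lines)
    $records = @()
    $current = @{}
    foreach ($line in ($Lines + '')) {                 # the appended '' flushes the last record
        if ($line.Trim() -eq '') {
            if ($current.Count -gt 0) { $records += $current; $current = @{} }
            continue
        }
        $sep = $line.IndexOf(':')
        if ($sep -lt 1) { throw "Malformed line, expected Name:Value: '$line'" }
        $current[$line.Substring(0, $sep).Trim()] = $line.Substring($sep + 1).Trim()
    }
    return ,$records
}

$records  = Read-AvpRecords (Get-Content -Path $Path)
$problems = @()
$seenIds  = @{}
$n = 0
foreach ($r in $records) {
    $n++
    foreach ($a in $requiredAttributes) {
        if (-not $r.ContainsKey($a) -or $r[$a] -eq '') { $problems += "Record $n is missing $a" }
    }
    if ($r.ContainsKey('EmployeeID')) {
        if ($seenIds.ContainsKey($r['EmployeeID'])) {
            $problems += "Record $n repeats EmployeeID $($r['EmployeeID']); the anchor must be unique"
        }
        $seenIds[$r['EmployeeID']] = $true
    }
    if ($r.ContainsKey('EmployeeType') -and ($allowedEmployeeTypes -notcontains $r['EmployeeType'])) {
        $problems += "Record $n has EmployeeType '$($r['EmployeeType'])'; it matches neither set criterion"
    }
}

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
"OK: $($records.Count) records, $($seenIds.Count) unique EmployeeIDs"
```

Against the three records above the script reports three records and three unique EmployeeIDs; change one EmployeeType to "Intern" or repeat an EmployeeID and it exits with a warning before the file reaches the management agent.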

Creating the OU

For the scenario in this document, you create an OU that receives the newly created sample objects.

To create the OU

  1. To open the Active Directory Users and Computers snap-in, click Start, click Run, and then, in the Open text box, type dsa.msc.

  2. In the console tree, right-click fabrikam.com, point to New, and then click Organizational Unit.

  3. In Name, type FIMObjects.

  4. To create the OU, click OK.

Configuring the FIM Synchronization Service

To configure the FIM 2010 Synchronization Service, you perform the following steps:

  1. Creating the management agents

  2. Configuring the run profiles

  3. Enabling Synchronization Rule Provisioning

Creating the management agents

The scenario in this document includes three connected data sources:

  1. Human Resources (HR) database

  2. FIM 2010 Service data store

  3. Fabrikam AD DS

For these three connected data sources, you must create three management agents:

  1. Fabrikam HRMA

  2. Fabrikam FIMMA

  3. Fabrikam ADMA

The following sections provide detailed instructions about creating the required management agents manually.

Creating the Fabrikam HRMA

The Fabrikam HRMA is a management agent for the Attribute-value pair text file. To create this management agent, you use the Create Management Agent Wizard.

To create the Fabrikam HRMA

  1. In FIM 2010, open the Synchronization Service Manager, and on the Tools menu, click Management Agents.

  2. To open the Create Management Agent Wizard, on the Actions menu, click Create.

  3. On the Create Management Agent page, provide the following settings, and then click Next:

    • Management agent for: Attribute-value pair text file

    • Name: Fabrikam HRMA

  4. On the Select Template Input File page, provide the following settings, and then click Next:

    • Template Input File: C:\HRData.txt

    • Code Page: Western European (Windows)

  5. On the Configure Attributes page, perform the following steps, and then click Next:

    1. To open the Set Anchor dialog box, click Set Anchor.

    2. In the Attributes list, click EmployeeID, and then click Add.

    3. To close the Set Anchor dialog box, click OK.

  6. On the Define Object Types page, click Next.

  7. On the Configure Connector Filter page, click Next.

  8. On the Configure Join and Projection Rules page, click Next.

  9. On the Configure Attribute Flow page, click Next.

  10. On the Configure Deprovisioning page, click Next.

  11. On the Configure Extensions page, click Next.

Creating the Fabrikam FIMMA

The Fabrikam FIMMA is a management agent for the FIM Service. To create this management agent, you use the Create Management Agent Wizard.

Important

To create the FIM Service management agent, you need a separate user account. The following procedure creates it as fabrikam\fimma.

To create a user account for the Fabrikam FIMMA

  1. To open the Active Directory Users and Computers snap-in, click Start, click Run, and then in the Open text box, type dsa.msc.

  2. In the console tree, click the Users container.

  3. To open the New Object – User dialog box, on the Action menu, point to New, and then click User.

  4. In the First name text box, type fimma.

  5. In the User logon name text box, type fimma, and then click Next.

  6. In the Password and the Confirm password text boxes, type a password of your choice.

  7. Clear the User must change password at next logon check box.

  8. Select Password never expires, and then click Next.

  9. To create the user account, click Finish.

To create the Fabrikam FIMMA

  1. In FIM 2010, open Synchronization Service Manager, and on the Tools menu, click Management Agents.

  2. To open the Create Management Agent Wizard, on the Actions menu, click Create.

  3. On the Create Management Agent page, provide the following settings, and then click Next:

    • Management agent for: FIM Service Management Agent

    • Name: Fabrikam FIMMA

  4. On the Connect to Database page, provide the following settings, and then click Next:

    • Server: .

    • Database: FIMService

    • FIM Service base address: https://localhost:5725

    • Authentication mode: Windows Integrated Authentication

    • User name: fimma

    • Password: <account password>

    • Domain: fabrikam

  5. On the Selected Object Types page, verify that the object types that are listed below are selected, and then click Next:

    • ExpectedRuleEntry

    • DetectedRuleEntry

    • SynchronizationRule

    • Group

    • Person

  6. On the Selected Attributes page, verify that all listed attributes are selected, and then click Next.

  7. On the Configure Connector Filter page, click Next.

  8. On the Configure Object Type Mappings page, add the following mappings, and then click Next:

    1. In the Data Source Object Type list, select Person.

    2. To open the Mapping dialog box, click Add Mapping.

    3. In the Metaverse object type list, select person.

    4. To close the Mapping dialog box, click OK.

    5. In the Data Source Object Type list, select Group.

    6. To open the Mapping dialog box, click Add Mapping.

    7. In the Metaverse object type list, select group.

    8. To close the Mapping dialog box, click OK.

  9. On the Configure Attribute Flow page, apply the following attribute flow mappings, and then click Next:

    1. Select Person as Data source object type.

    2. Select person as Metaverse object type.

    3. Select Direct as Mapping Type.

    4. For each row in the following table, complete the following steps.

      Flow direction   Data source attribute   Metaverse attribute
      Import           AccountName             accountName
      Import           DisplayName             displayName
      Import           EmployeeID              employeeID
      Import           EmployeeType            employeeType
      Import           ExpectedRulesList       expectedRulesList
      Import           FirstName               firstName
      Import           LastName                lastName
      Export           AccountName             accountName
      Export           DisplayName             displayName
      Export           Domain                  domain
      Export           EmployeeID              employeeID
      Export           EmployeeType            employeeType
      Export           FirstName               firstName
      Export           LastName                lastName
      Export           ObjectSID               objectSid

      1. Select the Flow Direction shown for that row in the table.

      2. Select the Data source attribute shown for that row in the table.

      3. Select the metaverse attribute shown for that row in the table.

      4. To apply the flow mapping, click New.

    5. Select Group as Data source object type.

    6. Select group as Metaverse object type.

    7. Select Direct as Mapping Type.

    8. For each row in the following table, complete the following steps.

      Flow direction   Data source attribute   Metaverse attribute
      Import           AccountName             accountName
      Import           DisplayName             displayName
      Import           ExpectedRulesList       expectedRulesList
      Import           Member                  member
      Export           AccountName             accountName
      Export           DisplayName             displayName
      Export           Member                  member

      1. Select the Flow Direction shown for that row in the table.

      2. Select the Data source attribute shown for that row in the table.

      3. Select the metaverse attribute shown for that row in the table.

      4. To apply the flow mapping, click New.

  10. On the Configure Deprovisioning page, click Next.

  11. To create the management agent, on the Configure Extensions page, click Finish.

Creating the Fabrikam ADMA

The Fabrikam ADMA is a management agent for AD DS. To create this management agent, use the Create Management Agent Wizard.

To create the Fabrikam ADMA

  1. In FIM 2010, open the Synchronization Service Manager and on the Tools menu, click Management Agents.

  2. To open the Create Management Agent Wizard, on the Actions menu, click Create.

  3. On the Create Management Agent page, provide the following settings, and then click Next:

    • Management agent for: Active Directory Domain Services

    • Name: Fabrikam ADMA

  4. On the Connect to Active Directory Forest page, provide the following settings, and then click Next:

    • Forest name: fabrikam.com

    • User name: administrator

    • Password : the administrator password

    • Domain: fabrikam

  5. On the Configure Directory Partitions page, perform the following steps, and then click Next:

    1. In the Select directory partitions list, select DC=Fabrikam, DC=com.

    2. To open the Select Containers dialog box, click Containers.

    3. To clear all selected nodes, click the DC=Fabrikam,DC=com node.

    4. Click the FIMObjects node.

    5. To close the Select Containers dialog box, click OK.

  6. On the Configure Provisioning Hierarchy page, click Next.

  7. On the Select Object Types page, perform the following steps, and then click Next:

    1. In the Object types list, select user and group.

  8. On the Select Attributes page, provide the following settings, and then click Next:

    1. Select Show All.

    2. In the Attributes list, select the following attributes:

      • displayName

      • employeeID

      • employeeType

      • givenName

      • groupType

      • member

      • objectSid

      • sAMAccountName

      • sn

      • unicodePwd

      • userAccountControl

  9. On the Configure Connector Filter page, click Next.

  10. On the Configure Join and Projection Rules page, click Next.

  11. On the Configure Attribute Flow page, click Next.

  12. On the Configure Deprovisioning page, click Next.

  13. On the Configure Extensions page, click Finish.

Configuring run profiles

This topic provides instructions for creating and configuring the required run profiles. For the scenario in this document, you configure run profiles for all management agents.

Creating run profiles for the Fabrikam HRMA management agent

Before you can configure the run profiles for this management agent, you must copy the import data file that you created in a previous section into the management agent's data folder.

To copy the management agent's data file

  1. Click Start, click Run, type cmd, and then click OK.

  2. At the command prompt, type copy "C:\HRData.txt" "%programfiles%\Microsoft Forefront Identity Manager\2010\Synchronization Service\MaData\Fabrikam HRMA", and then press ENTER.

The following table shows the run profiles that you create for the Fabrikam HRMA management agent.

Profile     Run profile name       Step type
Profile 1   Full import            Full import (stage only)
Profile 2   Full synchronization   Full synchronization

To create run profiles for the Fabrikam HRMA management agent

  1. In FIM 2010, open Synchronization Service Manager and on the Tools menu, click Management Agents.

  2. In the Management Agent list, click Fabrikam HRMA.

  3. On the Actions menu, click Configure Run Profiles to open the Configure Run Profiles for dialog box.

  4. To open the Configure Run Profile Wizard, click New Profile.

  5. In the Name text box, type Full Import, and then click Next.

  6. In the Type list, select Full Import (Stage Only), and then click Next.

  7. In the Input file name text box, type HRData.txt.

  8. To create the run profile, click Finish.

  9. To open the Configure Run Profile Wizard, click New Profile.

  10. In the Name text box, type Full Synchronization, and then click Next.

  11. In the Type list, select Full Synchronization, and then click Next.

  12. To create the run profile, click Finish.

  13. To close the Configure Run Profiles dialog box, click OK.

Creating run profiles for the Fabrikam ADMA management agent

The following table lists the run profiles that you create for the Fabrikam ADMA management agent.

Profile     Run profile name        Step type
Profile 1   Full import             Full import (stage only)
Profile 2   Full synchronization    Full synchronization
Profile 3   Delta import            Delta import (stage only)
Profile 4   Delta synchronization   Delta synchronization
Profile 5   Export                  Export

To create run profiles for the Fabrikam ADMA management agent

  1. In FIM 2010, open Synchronization Service Manager and on the Tools menu, click Management Agents.

  2. In the Management Agents list, click Fabrikam ADMA.

  3. To open the Configure Run Profiles dialog box, on the Actions menu, click Configure Run Profiles.

  4. For each run profile in the previous table, complete the following steps:

    1. To open the Configure Run Profile wizard, click New Profile.

    2. In the Name text box, type the profile name shown in the table, and then click Next.

    3. In the Type list, select the step type shown in the table, and then click Next.

    4. Click Finish to create the run profile.

  5. To close the Configure Run Profiles dialog box, click OK.

Creating run profiles for the Fabrikam FIMMA management agent

The following table lists the run profiles that you create for the Fabrikam FIMMA management agent.

Profile     Run profile name        Step type
Profile 1   Full import             Full import (stage only)
Profile 2   Full synchronization    Full synchronization
Profile 3   Delta import            Delta import (stage only)
Profile 4   Delta synchronization   Delta synchronization
Profile 5   Export                  Export

To create run profiles for the Fabrikam FIMMA management agent

  1. In FIM 2010, open Synchronization Service Manager, and, on the Tools menu, click Management Agents.

  2. In the Management Agent list, select Fabrikam FIMMA.

  3. To open the Configure Run Profiles dialog box, on the Actions menu, click Configure Run Profiles.

  4. For each run profile in the previous table, complete the following steps:

    1. To open the Configure Run Profile Wizard, click New Profile.

    2. In the Name text box, type the profile name shown in the table, and then click Next.

    3. In the Type list, click the step type shown in the table, and then click Next.

    4. Click Finish to create the run profile.

  5. To close the Configure Run Profiles dialog box, click OK.
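Once the run profiles exist they can be started without Synchronization Service Manager. The following PowerShell function is an added example, not part of the original document: it executes a named run profile through the Synchronization Service WMI provider (namespace root\MicrosoftIdentityIntegrationServer, class MIIS_ManagementAgent) and stops at the first result that is not "success", so a failed import is never followed by a synchronization that acts on stale data. The management agent and run profile names are the ones created above. The two calls shown for the FIM MA are the pair that brings synchronization rules created in the FIM Portal into the metaverse; the complete initial-load order belongs to the "Initializing the testing environment" step, which is not on this page, and is not claimed here.

```powershell
# Added example, not from the original document: run a management agent run profile
# through the Synchronization Service WMI provider and stop at the first result that
# is not "success", instead of clicking through Synchronization Service Manager.
# Assumes the management agent and run profile names created above.
function Invoke-RunProfile {
    param([string]$MaName, [string]$ProfileName)
    $ma = Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' `
                        -Class 'MIIS_ManagementAgent' -Filter "Name = '$MaName'"
    if ($ma -eq $null) { throw "Management agent '$MaName' not found" }
    $result = $ma.Execute($ProfileName).ReturnValue
    "{0,-16} {1,-22} {2}" -f $MaName, $ProfileName, $result
    if ($result -ne 'success') {
        throw "$MaName / $ProfileName ended with '$result'; check the run history before continuing"
    }
}

# Synchronization rules created in the FIM Portal reach the metaverse only after the
# FIM MA has imported and synchronized them, so that pair runs before the HR data.
# The full initial-load sequence is documented in the initialization step that is
# not part of this page; the calls below only demonstrate the pattern.
Invoke-RunProfile 'Fabrikam FIMMA' 'Full Import'
Invoke-RunProfile 'Fabrikam FIMMA' 'Full Synchronization'
Invoke-RunProfile 'Fabrikam HRMA'  'Full Import'
Invoke-RunProfile 'Fabrikam HRMA'  'Full Synchronization'
```

Run it in an elevated Windows PowerShell session as a member of the FIMSyncAdmins group on the synchronization server; Execute returns the same status string that the Operations view shows, so anything other than "success" is worth reading in that view before the next profile is started.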

Enabling synchronization rule provisioning

The scenario in this document takes advantage of the new declarative provisioning feature to implement the object and attribute flow between the connected data sources. To enable declarative provisioning, enable synchronization rule provisioning in the FIM 2010 Synchronization Service Manager.

To enable synchronization rule provisioning

  1. Open the Synchronization Service Manager.

  2. To open the Options dialog box, on the Tools menu, click Options.

  3. Select Enable Synchronization Rule Provisioning.

  4. To close the Options dialog box, click OK.

Configuring the FIM Service

For the scenario in this document, you complete the following configuration steps in the FIM 2010 Service:

  1. Enabling the required Management Policy Rules (MPRs)

  2. Creating the HR inbound synchronization rule

  3. Creating the Active Directory user synchronization configuration triple

  4. Creating the Active Directory security group synchronization configuration triple

  5. Creating security groups

Enabling the required MPRs

For the scenario in this document, you enable some of the preconfigured MPRs in FIM 2010. Enabling these MPRs is required to grant the synchronization account access to the components that are required to synchronize the identity data for this scenario.

To enable the required MPRs

  1. On the FIM 2010 Portal home page, in the navigation bar, click Management Policy Rules to open the Management Policy Rules page.

  2. In the Search for text box, type Synchronization account, and then click the Search for button.

  3. For each MPR that is listed as disabled, complete the following steps:

    1. To open the Configuration dialog box, click the Display Name of the disabled MPR.

    2. Clear Policy is disabled.

    3. Click OK.

    4. On the Summary page, click Submit.

In addition to this, you must also enable the following MPRs if they are not yet enabled:

  • General: Users can read schema related resources

  • General: Users can read non-administrative configuration resources

  • User management: Users can read attributes of their own

Creating the HR inbound synchronization rule

The objective of the HR inbound synchronization rule is to populate FIM 2010 with the HR data objects. To configure the HR inbound synchronization rule, you use the related wizard pages.

To create the HR inbound synchronization rule

  1. On the FIM 2010 Portal home page, on the navigation bar, click Administration.

  2. To open the Synchronization Rules page, click Synchronization Rules.

  3. To open the Create Synchronization Rule wizard, on the toolbar, click New.

  4. On the General tab, provide the following information, and then click Next:

    • Display Name: HR inbound synchronization rule

    • Data Flow Direction: Inbound

  5. On the Scope tab, provide the following information, and then click Next:

    • Metaverse Resource Type: person

    • External System: Fabrikam HRMA

    • External System Resource Type: person

  6. On the Relationship tab, provide the following information, and then click Next:

    1. Relationship Criteria:

      • MetaverseObject:person(Attribute): employeeID

      • ConnectedSystemObject:person(Attribute): EmployeeID

    2. Create Resource in FIM: selected

  7. On the Inbound Attribute Flow page, perform the following steps, and then click Next:

    Flow rule   Source         Destination
    Rule 1      EmployeeID     employeeID
    Rule 2      EmployeeType   employeeType
    Rule 3      FirstName      firstName
    Rule 4      LastName       lastName
    Rule 5      UserID         accountName

    1. For each row in the previous table, perform the following steps:

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, select the attribute shown for that row in the table.

      3. On the Destination tab, select the attribute shown for that row in the table.

      4. To apply the attribute flow configuration, click OK.

    2. To set the displayName attribute, perform the following steps:

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, in the Attributes list, select FirstName.

      3. Click Concatenate Value.

      4. In the Attributes list, select String, and then type a space in the related text box.

      5. Click Concatenate Value.

      6. In the Attributes list, select LastName.

      7. On the Destination tab, in the Attributes list, select displayName.

      8. To apply the attribute flow configuration, click OK.

  8. On the Summary tab, click Submit.

Creating the Active Directory user synchronization configuration triple

Active Directory users in this scenario originate in the HR data file. This creates an outbound-facing object and attribute flow from the metaverse to the Active Directory connector space. For an outbound-facing synchronization operation, you link an outbound synchronization rule to all affected objects. In FIM 2010, workflows are used to add or remove managed objects from the scope of an outbound synchronization rule. A third component, an MPR, determines when a workflow must be activated. The combination of an outbound synchronization rule, a workflow, and an MPR that together add or remove a managed object from the scope of an outbound synchronization rule is also known as a synchronization configuration triple.

The following illustration shows the dependencies of the synchronization configuration triple components:

[Illustration: dependencies between the components of a synchronization configuration triple]

For the scenario in this document, you configure a synchronization configuration triple for the sample user objects.

So that the scenario users can access the portal, the account name, the domain, and the security identifier (SID) attributes must be populated on the FIM 2010 user object. The domain and SID attributes are contributed by Active Directory Domain Services (AD DS). This is why the synchronization rule that manages the user objects in this scenario combines an inbound synchronization rule and an outbound synchronization rule.

Creating the Active Directory user synchronization rule

To configure the Active Directory user synchronization rule, you use the related wizard pages.

To create the Active Directory user synchronization rule

  1. To open the Create Synchronization Rules Wizard, on the toolbar, click New.

  2. On the General tab, provide the following information, and then click Next:

    • Display Name: Active Directory user synchronization rule

    • Data Flow Direction: Inbound and outbound

  3. On the Scope tab, provide the following information, and then click Next:

    • Metaverse Resource Type: person

    • External System: Fabrikam ADMA

    • External System Resource Type: user

  4. On the Relationship tab, provide the following information, and then click Next:

    1. Relationship Criteria:

      • MetaverseObject:person(Attribute): employeeID

      • ConnectedSystemObject:user(Attribute): employeeID

    2. Create Resource in External System: selected

  5. On the Workflow Parameters tab, click Next.

  6. On the Outbound Attribute Flow tab, perform the following steps, and then click Next:

    1. For each row in the following table, perform the following steps.

      Source         Destination
      accountName    sAMAccountName
      displayName    displayName
      employeeID     employeeID
      employeeType   employeeType
      firstName      givenName
      lastName       sn

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, select the attribute shown for that row in the table.

      3. On the Destination tab, select the attribute shown for that row in the table.

      4. To apply the attribute flow configuration, click OK.

    2. To configure the distinguished name (also known as DN), perform the following steps:

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, in the Attributes list, select String, and then type CN= into the associated text box.

      3. Click Concatenate Value.

      4. In the Attributes list, select displayName.

      5. Click Concatenate Value.

      6. In the Attributes list, select String, and then type ,OU=FIMObjects,DC=Fabrikam,DC=com into the associated text box.

      7. On the Destination tab, in the Destination list, select dn.

      8. To apply the attribute flow configuration, click OK.

    3. To configure the userAccountControl, perform the following steps:

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, in the Attributes list, select Number, and then type 512 into the associated text box.

      3. On the Destination tab, in the Destination list, select userAccountControl.

      4. To apply the attribute flow configuration, click OK.

    4. To set the initial password, perform the following steps:

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, in the Attributes list, select String, and then type P@ssW0rd into the associated text box. This fixed value is for the lab only: because the account is created enabled (userAccountControl 512) and nothing forces a password change at first logon, a production deployment should flow a unique, generated initial password rather than a constant shared by every account.

      3. On the Destination tab, in the Destination list, select unicodePwd.

      4. To apply the attribute flow configuration, click OK.

    5. Set Initial Flow Only for the following flows:

      • “CN=”+displayName+”,OU=FIMObjects,DC=Fabrikam,DC=com” =>dn

      • 512=>userAccountControl

      • “P@ssW0rd”=>unicodePwd

  7. On the Inbound Attribute Flow tab, provide the following information, and then click Finish:

    1. For each row in the following table, perform the following steps.

      Source      Destination
      objectSid   objectSid

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, select the attribute shown for that row in the table.

      3. On the Destination tab, select the attribute shown for that row in the table.

      4. To apply the attribute flow configuration, click OK.

    2. To set the domain attribute, perform the following steps:

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, in the Attributes list, select String, and then type FABRIKAM into the associated text box.

      3. On the Destination tab, in the Destination list, select domain.

      4. To apply the attribute flow configuration, click OK.

  8. To submit your request, click Submit.

Creating the Active Directory user workflow

In the context of a synchronization configuration triple, the objective of a workflow is to add or remove an identity object from the scope of a synchronization rule. This section provides instructions for configuring the Active Directory user workflow. To configure the Active Directory user workflow, you use the related wizard pages.

To create the Active Directory user workflow

  1. To open the Workflows page, on the FIM 2010 Portal home page, in the Management Policy Rules section of the navigation bar, click Workflows.

  2. To open the Create Workflow Wizard, on the toolbar, click New.

  3. On the General tab, provide the following information, and then click Next:

    • Workflow Name: Active Directory user workflow

    • Workflow Type: Action

  4. On the Activities tab, perform the following steps, and then click Finish:

    1. In the Activity Picker, select Synchronization Rule Activity, and then click Select.

    2. In the Synchronization Rules list, select Active Directory user synchronization rule, and then click Save.

  5. On the Summary tab, click Submit.

Creating the All Contractors and FTEs set

One option for triggering an MPR is set membership. For the scenario in this document, the Active Directory user MPR is triggered when a new user becomes a member of the All Contractors and FTEs set. This section provides the steps for configuring this set. To configure the All Contractors and FTEs set, you use the related wizard pages.

To create the All Contractors and FTEs set

  1. To open the FIM 2010 Portal, start Windows Internet Explorer®, and then navigate to https://localhost/identitymanagement/default.aspx.

  2. To open the Sets page, in the Management Policy Rules section on the navigation bar, click Sets.

  3. To open the Create Set Wizard, on the toolbar, click New.

  4. On the General tab, provide the following information, and then click Next:

    • Display Name: All Contractors and FTEs

  5. On the Criteria-based Members page, provide the following information, and then click Finish:

    1. Select Enable criteria-based membership in current set.

    2. In the Select statement, click all resources, and then, in the resources list, select user.

    3. In the Select statement, click all, and then, in the match list, select any.

    4. Click Add Statement.

    5. Click <Click to select attribute>, and then, in the Attributes list, select Employee Type.

    6. Click <click to select value>, and then type Contractor in the text box.

    7. Click Add Statement.

    8. Click <Click to select attribute>, and then, in the Attributes list, select Employee Type.

    9. Click <click to select value>, and then, in the text box, type Full Time Employee.

  6. On the Summary tab, click Submit.

Creating the Active Directory user MPR

To configure the MPR, you use the related wizard pages.

To create the Active Directory user MPR

  1. On the FIM 2010 R2 Portal home page, on the navigation bar, click Management Policy Rules to open the Management Policy Rules page.

  2. To open the Create Management Policy Rule Wizard, on the toolbar, click New.

  3. On the General tab, provide the following information, and then click Next:

    • Display Name: Active Directory user MPR

  4. On the Requestors and Operations tab, perform the following steps, and then click Next:

    1. Select Specific Set of Requestors, and in the Requestors text box, type All People, and then click the Validate button.

    2. Select Create resource as Operation.

  5. On the Target Resources tab, perform the following steps and then click Next:

    1. In the Target Resource Definition After Request text box, type All Contractors and FTEs, and then click the Validate button.

    2. Select Create resource as Operation.

    3. In the Resource Attributes options, select All Attributes.

  6. On the Policy Workflows tab, perform the following steps, and then click Next:

    • In the Action Workflows list, select AD User Workflow.

Creating the Active Directory security group synchronization configuration triple

In the previous section, you were introduced to the concept of a synchronization configuration triple. You must also create a related configuration triple for the group object because groups are also outbound facing when they are published in AD DS.

Creating the Active Directory security group outbound synchronization rule

To push group data out to AD DS, use an outbound synchronization rule. To configure the Active Directory security group outbound synchronization rule, you use the related wizard pages.

To create the Active Directory security group outbound synchronization rule

  1. To open the Administration page in the FIM 2010 R2 Portal, click Administration, and then click Synchronization Rules.

  2. To open the Create Synchronization Rules Wizard, on the toolbar, click New.

  3. On the General tab, provide the following information, and then click Next:

    • Display Name: Active Directory security group outbound synchronization rule

    • Data Flow Direction: Outbound

  4. On the Scope tab, provide the following information, and then click Next:

    • Metaverse Resource Type: Group

    • External System: Fabrikam ADMA

    • External System Resource Type: group

  5. On the Relationship tab, provide the following information, and then click Next:

    1. Relationship Criteria:

      • MetaverseObject:person(Attribute): accountName

      • ConnectedSystemObject:person(Attribute): sAMAccountName

    2. Create Resource in External System: selected

  6. On the Workflow Parameters tab, click Next.

  7. On the Outbound Attribute Flow tab, provide the following information, and then click Finish:

    1. For each row in the following table, perform the following steps.

      Source        Destination
      accountName   sAMAccountName
      displayName   displayName
      member        member

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, select the attribute shown for that row in the table.

      3. On the Destination tab, select the attribute shown for that row in the table.

      4. To apply the attribute flow configuration, click OK.

    2. To configure the distinguished name, perform the following steps:

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, in the Attributes list, select String, and then type CN= into the associated text box.

      3. Click Concatenate Value.

      4. In the Attributes list, select displayName.

      5. Click Concatenate Value.

      6. On the Source tab, in the Attributes list, select String, and then type ,OU=FIMObjects,DC=Fabrikam,DC=com in the associated text box.

    3. To set the groupType, perform the following steps:

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, in the Attributes list, select Number, and then type -2147483646 into the associated text box.

      3. On the Destination tab, in the Destination list, select groupType.

      4. To apply the attribute flow configuration, click OK.

    4. Select Initial Flow Only for the following flows:

      • "CN=" + displayName + ",OU=FIMObjects,DC=Fabrikam,DC=com" => dn

      • 2147483650 => groupType

      • accountName => sAMAccountName

  8. On the Summary tab, click Submit.
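The distinguished name flow above concatenates "CN=", the displayName value and the container string verbatim, and the groupType flow writes a single constant. The following example is added here and is not FIM code: it builds the same DN with the RFC 4514 escaping that plain concatenation lacks (a comma inside a displayName otherwise ends the CN early and the export lands in the wrong container or fails), and it decodes the groupType value so the two spellings on this page can be checked. The constant -2147483646 in the flow definition and 2147483650 in the Initial Flow Only list are the same 32-bit value, 0x80000002, that is, a global security group. The helper names, the sample display names and the container string are this example's own assumptions.

```python
"""Added example (not FIM code): build the group distinguished name that the
outbound attribute flow concatenates, with RFC 4514 escaping that the plain
concatenation lacks, and decode the groupType value the flow sets."""

# Characters that must be escaped inside a DN attribute value (RFC 4514, 2.4).
_DN_SPECIALS = set(',+"\\<>;')
CONTAINER = "OU=FIMObjects,DC=Fabrikam,DC=com"  # container from the flow definition


def escape_rdn_value(value: str) -> str:
    """Escape one relative distinguished name value per RFC 4514 section 2.4."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # a leading '#' would read as a hex string
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading/trailing spaces are otherwise dropped
            out.append("\\ ")
        elif ord(ch) < 0x20:                # control characters as \XX hex pairs
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def naive_group_dn(display_name: str) -> str:
    """What the wizard's "CN=" + displayName + ",OU=..." flow produces verbatim."""
    return "CN=" + display_name + "," + CONTAINER


def build_group_dn(display_name: str) -> str:
    """The same DN with the CN value escaped, so a comma in displayName stays in the CN."""
    return "CN=" + escape_rdn_value(display_name) + "," + CONTAINER


# groupType bit flags of the Group-Type attribute in the AD schema.
GROUP_TYPE_FLAGS = (
    (0x00000001, "SYSTEM_CREATED"),
    (0x00000002, "GLOBAL"),
    (0x00000004, "DOMAIN_LOCAL"),
    (0x00000008, "UNIVERSAL"),
    (0x00000010, "APP_BASIC"),
    (0x00000020, "APP_QUERY"),
    (0x80000000, "SECURITY_ENABLED"),
)


def decode_group_type(value: int):
    """groupType is a 32-bit field; the Portal shows it signed (-2147483646) and
    the flow list shows it unsigned (2147483650). Both are 0x80000002."""
    unsigned = value & 0xFFFFFFFF
    return [name for bit, name in GROUP_TYPE_FLAGS if unsigned & bit]


if __name__ == "__main__":
    print(build_group_dn("FTE Applications"))
    print(naive_group_dn("Research, Development"))  # CN ends at the first comma
    print(build_group_dn("Research, Development"))  # comma escaped, CN intact
    print(decode_group_type(-2147483646), decode_group_type(2147483650))
    print(decode_group_type(2))  # a global distribution list: GLOBAL without SECURITY_ENABLED
```

Run the file to compare the naive and escaped DN for a display name containing a comma; the decode of 2 versus 0x80000002 also shows the one bit that separates the distribution lists created later in this scenario from the security groups created here.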

Creating the Active Directory security group outbound workflow

To configure the Active Directory security group outbound workflow, you use the related wizard pages.

To create the Active Directory security group outbound workflow

  1. To open the Workflows page, on the FIM 2010 R2 Portal home page, in the Management Policy Rules section of the navigation bar, click Workflows.

  2. To open the Create Workflow Wizard, on the toolbar, click New.

  3. On the General tab, provide the following information, and then click Next:

    • Workflow Name: Active Directory security group outbound workflow

    • Workflow Type: Action

  4. On the Activities tab, perform the following steps, and then click Next:

    1. In the Activity Picker, select Synchronization Rule Activity, and then click Select.

    2. In the Synchronization Rules list, select AD Security Group Outbound Synchronization Rule.

    3. In the Action Selection options, select Add.

    4. Click Save.

  5. On the Summary tab, click Submit.

Creating the Active Directory security group outbound MPR

To configure the MPR, you use the related wizard pages.

To create the Active Directory security group outbound MPR

  1. To open the Management Policy Rules page, on the FIM 2010 R2 Portal home page, in the navigation bar, click Management Policy Rules.

  2. To open the Create Management Policy Rule Wizard, on the toolbar, click New.

  3. On the General tab, provide the following information, and then click Next:

    • Display Name: Active Directory security group outbound MPR

  4. On the Requestors and Operations tab, perform the following steps, and then click Next:

    1. Select Specific Set of Requestors. In the Requestors text box, type All People, and then click Validate.

    2. Select Create resource as Operation.

  5. On the Target Resources tab, perform the following steps, and then click Next:

    1. In the Target Resource Definition After Request text box, type All Security Groups, and then click the Validate button.

    2. In the Resource Attributes options, select All Attributes.

  6. On the Policy Workflows tab, perform the following steps, and then click Next:

    • In the Action Workflows list, select AD Security Group Outbound Workflow.

Creating security groups

The objective of the scenario in this section is to populate two security groups, based on attribute values of the processed user objects. Because the source objects have two different employee types, one security group is required for each employee type.

Creating the FTE Applications security group in the FIM Portal

The FTE Applications security group is required to group FTEs. To create the FTE Applications security group in the FIM 2010 R2 Portal, you use the related wizard pages.

To create the FTE Applications security group in the FIM Portal

  1. To open the Security Groups page, on the FIM 2010 R2 Portal home page, in the navigation bar, click Security Groups.

  2. To open the Create Security Group Wizard, on the toolbar, click New.

  3. On the General tab, provide the following information, and then click Next:

    • Display Name: FTE Applications

    • Domain: FABRIKAM

    • Account Name: FTEApps

    • Scope: Global

    • Member Selection: Criteria-based

  4. On the Members tab, perform the following steps, and then click Finish:

    1. In the Select statement, click Resource ID, and then, in the Attributes list, select Employee Type.

    2. Click <click to select value>, and then type Full Time Employee.

  5. On the Summary tab, click Submit.

Creating the Contractors Applications security group in the FIM Portal

The Contractors Applications security group is required to group contractors. To create the Contractors Applications security group in the FIM 2010 R2 Portal, you use the related wizard pages.

To create a Contractors Applications security group in the FIM Portal

  1. To open the Security Groups page, on the FIM 2010 R2 Portal home page, in the navigation bar, click Security Groups.

  2. To open the Create Security Group Wizard, on the toolbar, click New.

  3. On the General tab, provide the following information, and then click Next:

    • Display Name: Contractors Applications

    • Domain: FABRIKAM

    • Account Name: ConApps

    • Scope: Global

    • Member Selection: Criteria-based

  4. On the Members tab, perform the following steps, and then click Finish:

    1. In the Select statement, click Resource ID, and then, in the Attributes list, select Employee Type.

    2. Click <click to select value>, and then type Contractor.

  5. On the Summary tab, click Submit.
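The set created earlier (All Contractors and FTEs, matching any of two Employee Type values) and the two criteria-based security groups created in this section are all filters over the same attribute. The following example is added here and is not FIM code: it evaluates those three criteria against constructed user records, shows the XPath-style filter string that such criteria correspond to (the exact form FIM stores in a set's Filter attribute is assumed here, check it in the Portal), and lists the users that match none of them. That last group is the failure mode worth checking in a real HR feed: a user whose Employee Type is missing or spelled differently never enters the transition set, so the Active Directory user MPR never fires for that user and no account is provisioned. The record names, account names and the two edge-case users are constructed for this example.

```python
"""Added example (not FIM code): evaluate the criteria-based set and group
definitions against constructed user records, and show the XPath-style filter
those criteria correspond to."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    account_name: str
    display_name: str
    # None models a user whose Employee Type attribute was never populated.
    employee_type: Optional[str]


# Criteria as entered in the Portal wizards: resource name -> accepted values of
# Employee Type. "All Contractors and FTEs" uses "any" (OR) across two statements.
CRITERIA = {
    "All Contractors and FTEs": ("Contractor", "Full Time Employee"),
    "FTE Applications": ("Full Time Employee",),
    "Contractors Applications": ("Contractor",),
}


def to_filter(accepted):
    """Approximate the Filter attribute FIM stores for these criteria
    (assumed form: /Person[(EmployeeType = 'x') or (EmployeeType = 'y')])."""
    clauses = " or ".join(f"(EmployeeType = '{v}')" for v in accepted)
    return f"/Person[{clauses}]"


def matches(user, accepted):
    # Exact string comparison: a typo or variant spelling in the HR feed is a miss.
    return user.employee_type is not None and user.employee_type in accepted


def evaluate_membership(users, criteria=CRITERIA):
    """Return {set or group name: sorted account names of its members}."""
    return {
        name: sorted(u.account_name for u in users if matches(u, accepted))
        for name, accepted in criteria.items()
    }


def unprovisioned(users, criteria=CRITERIA):
    """Users that match no criterion never enter the transition set, so the
    Active Directory user MPR never fires and they are never provisioned."""
    return sorted(
        u.account_name for u in users
        if not any(matches(u, accepted) for accepted in criteria.values())
    )


# Constructed sample records: the three scenario users plus two edge cases.
SAMPLE_USERS = [
    User("tadams", "Terry Adams", "Full Time Employee"),
    User("jbischoff", "Jimmy Bischoff", "Full Time Employee"),
    User("ljacobsen", "Lola Jacobsen", "Contractor"),
    User("pvendor", "Pat Vendor", "Full-Time Employee"),  # hyphenated: no match
    User("nnew", "Nina New", None),                       # attribute missing
]

if __name__ == "__main__":
    for name, members in evaluate_membership(SAMPLE_USERS).items():
        print(f"{name}: {to_filter(CRITERIA[name])} -> {members}")
    print("never provisioned:", unprovisioned(SAMPLE_USERS))
```

Running the file prints the members of each set and group and then the two constructed users that fall through every filter; in a lab run, comparing that last list against the HR file is a quick way to find records the scenario will silently skip.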

Initializing the testing environment

Before you can test your configuration with test data, you must initialize the testing environment. The following steps are part of this process:

  • Initializing the Fabrikam ADMA

  • Initializing the Fabrikam FIMMA

  • Configuring attribute flow precedence

Initializing the Fabrikam ADMA

To initialize the Active Directory management agent, you run a full import and a full synchronization on it. The full import is required to bring the FIMObjects OU, which is used as the target for the sample objects, into the connector space. The full synchronization is required because the synchronization configuration changed when the new synchronization rules were projected from the FIM 2010 R2 connector space into the metaverse.

  Step  Run profile name
  1     Full import
  2     Full synchronization

To initialize the Fabrikam ADMA

  1. Open Synchronization Service Manager, and, on the Tools menu, click Management Agents.

  2. In the Management Agents list, select Fabrikam ADMA.

  3. To open the Run Management Agent dialog box, on the Actions menu, click Run.

  4. For each row in the previous table, complete the following steps:

    1. To open the Run Management Agent dialog box, on the Actions menu, click Run.

    2. In the Run profiles list, select the run profile shown for that row in the table, and then click OK to start it.

  5. To start the run profile, click OK.

Initializing the Fabrikam FIMMA

To initialize the Fabrikam FIMMA, you run a complete synchronization cycle on this management agent. The complete cycle consists of the run profile runs in the following table.

  Step  Run profile name
  1     Full import
  2     Full synchronization
  3     Export
  4     Delta import

To initialize the Fabrikam FIMMA

  1. Open Synchronization Service Manager and on the Tools menu, click Management Agents.

  2. In the Management Agents list, select Fabrikam FIMMA.

  3. To open the Run Management Agent dialog box, on the Actions menu, click Run.

  4. For each row in the previous table, complete the following steps:

    1. To open the Run Management Agent dialog box, on the Actions menu, click Run.

    2. In the Run profiles list, select the run profile shown for that row in the table, and then click OK to start it.

  5. To start the run profile, click OK.

When the initialization of the Fabrikam FIMMA is complete, the new security groups are provisioned to the connector space of the Fabrikam ADMA. To complete the initialization, these objects must be synchronized to the Fabrikam FIMMA.

  Step  Run profile name
  1     Export
  2     Delta import

To synchronize the new group objects

  1. In the Management Agents list, select Fabrikam ADMA.

  2. To open the Run Management Agent dialog box, on the Actions menu, click Run.

  3. For each row in the previous table, complete the following steps:

    1. To open the Run Management Agent dialog box, on the Actions menu, click Run.

    2. In the Run profiles list, select the run profile shown for that row in the table, and then click OK to start it.

  4. To start the run profile, click OK.

Configuring attribute flow precedence

During the initialization of the management agent, the two configured synchronization rules were brought into the metaverse. Because the sample HR data source is authoritative for certain attributes, the attribute flow precedence must be adjusted for the attributes that were contributed by this management agent to make sure that these attributes can flow into the metaverse and later into the FIM 2010 R2 data store.

The following table lists the affected attributes.

  Step  Attribute name
  1     accountName
  2     displayName
  3     employeeID
  4     employeeType
  5     firstName
  6     lastName

To configure the attribute flow precedence

  1. In Synchronization Service Manager, on the Tools menu, click Metaverse Designer.

  2. In the Object types list, select person.

  3. For each row in the previous table, complete the following steps:

    1. In the Attributes list, click the attribute shown for that row in the table.

    2. To open the Configure Attribute Flow Precedence dialog box, on the Actions menu, click Configure Attribute Flow Precedence.

    3. Select Use equal precedence.

    4. To close the Configure Attribute Flow Precedence dialog box, click OK.

Testing the configuration

To test the configuration, you will publish the objects from your HR data file to FIM 2010 R2 and then to AD DS. As a result of the synchronization cycle to FIM 2010 R2, the group membership is updated, and the new users and the updated group membership are published in AD DS. After that, you will log on as Terry Adams and create a distribution list (DL). Next, you will log on as Lola Jacobsen and try to create a DL. This attempt should fail. Complete the following steps to test the configuration:

  1. Synchronizing HR objects to FIM 2010 R2

  2. Synchronizing HR objects to AD DS

  3. Verifying the group creation constraints

Synchronizing HR objects to FIM

To synchronize the HR objects to FIM 2010 R2, you run the run profile sequence, as shown in the following table.

  Step  Run profile name      Management agent
  1     Full import           Fabrikam HRMA
  2     Full synchronization  Fabrikam HRMA
  3     Export                Fabrikam FIMMA
  4     Delta import          Fabrikam FIMMA

After you complete the run profile sequence, you verify that the users are created in FIM 2010 R2 and that the membership in the security groups that are part of the scenario in this document has been updated.

To populate the HR objects in the FIM Portal

  1. Open the Synchronization Service Manager. On the Tools menu, click Management Agents.

  2. For each row in the previous table, complete the following steps:

    1. Select the management agent that is shown for that row in the table.

    2. To open the Run Management Agent dialog box, on the Actions menu, click Run.

    3. In the Run profiles list, select the run profile shown for that row in the table, and then click OK to start it.

  3. To start the run profile, click OK.

As a result of a successful synchronization cycle, the objects from the HR data file are populated in the FIM 2010 R2 data store. In addition to this, Terry Adams and Jimmy Bischoff became members of the FTE Applications security group and Lola Jacobsen became a member of the Contractors Applications security group. You should verify the group membership of these objects in both FIM 2010 R2 security groups.

To verify the FIM Portal security group membership

  1. Log on to the FIM 2010 R2 Portal as an administrator.

  2. To open the Security Groups page, in the navigation bar, click Security Groups.

  3. To list the available security groups, click the Search for button.

  4. To display the configuration of the Contractors Applications security group, select Contractors Applications, and then on the toolbar, click the Details button.

  5. To display the members of the security group, select the Members tab, and then click View Members.

  6. Verify that the required users are members of this security group.

  7. To close the dialog box, click OK.

  8. Repeat this step sequence for the FTE Applications security group.

Synchronizing HR objects to AD DS

After you synchronize the HR data to FIM 2010 R2, you can now also synchronize these objects to AD DS. To synchronize the scenario objects to AD DS, you run the run profiles in the following table.

  Step  Run profile name       Management agent
  1     Delta import           Fabrikam FIMMA
  2     Delta synchronization  Fabrikam FIMMA
  3     Export                 Fabrikam ADMA
  4     Delta import           Fabrikam ADMA
  5     Export                 Fabrikam FIMMA
  6     Delta import           Fabrikam FIMMA

After completing the run profile sequence, you verify that the users are created in AD DS and that the memberships in the security groups that are part of the scenario in this document have been updated.

To verify the Active Directory security group membership

  1. To open the Active Directory Users and Computers snap-in, click Start, click Run, and then, in the Open text box, type dsa.msc.

  2. In the console tree, double-click fabrikam.com, and then select the FIMObjects OU.

  3. Right-click the FTE Applications group, and then click Properties.

  4. On the Members tab, you should see two users, Jimmy Bischoff and Terry Adams.

  5. Click OK.

  6. Right-click the Contractors Applications group, and then click Properties.

  7. On the Members tab, you should see one user, Lola Jacobsen.