Introduction to Management Policy Rules
Applies To: Forefront Identity Manager 2010
In Microsoft® Forefront® Identity Manager (FIM) 2010, Management Policy Rules (MPRs) provide a mechanism for modeling business processing rules for incoming requests to a server running FIM 2010 R2. MPRs control the permissions for requesting operations on FIM 2010 R2 objects together with the workflows that are triggered by these requests. You can use them to define a response to state transitions of your resources. The objective of this document is to introduce you to the basic MPR types based on a simple lab environment.
For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.
This document assumes that you already have a working instance of FIM 2010 running on a computer. For more information about installing FIM 2010, see the FIM Installation Guide.
This document assumes that you have a basic understanding of Management Policy Rules, workflows, and sets. For more information, see Designing Business Policy Rules.
This guide is intended for information technology (IT) professionals who are interested in getting some initial hands-on experience with FIM 2010 MPRs and workflows in a lab environment.
The scenario outlined in this document has been simplified to address the requirements of a simple lab environment. The focus is on helping the reader obtain a basic understanding of the technologies. This scenario is not intended for deployment in a production environment.
The procedures in this document require 30 to 45 minutes for a new user to complete. These time estimates assume that the testing environment is already configured. They do not include the time required to set up the test environment.
If you have questions regarding the content of this document or if you have general feedback, post a message to the Forefront Identity Manager 2010 discussion forum.
Fabrikam, a fictitious company, is investigating how to easily manage entitlements by using FIM 2010. As part of this investigation, Fabrikam wants to explore the new MPR concept in the corporate lab environment based on a simple scenario. The goal of this scenario is to get a first hands-on impression of how set transition and request-based MPRs work.
To test the basic MPR types, Fabrikam has set up the following scenarios:
When the department attribute of a user is updated, a notification e-mail message is sent.
When the department attribute of a user is set to Helpdesk, in addition to sending the notification e-mail message, the affected user becomes a member of the All Helpdesk Members set, and the description attribute of the affected user is updated.
The following sections describe the scenario design, the scenario preparation, and the scenario steps.
To implement the simple lab solution in this document, the following conceptual elements are required:
FIM user: Britta Simon
Sets: All Helpdesk Members
Workflows: Send Notification Workflow, Update Description Workflow
Management Policy Rules: New Helpdesk Member TMPR, Update Department RMPR
The scenario outlined in this document has been developed and tested on a stand-alone computer. On this computer, FIM 2010 is already deployed and the computer is configured to be a domain controller for the Active Directory® forest Fabrikam.com. The name of this domain controller is FabrikamDC1. The following illustration outlines the domain configuration.
To perform the procedures in this document, the domain controller has been configured with the following software:
Windows Server® 2008 or Windows Server 2008 R2 64-bit Standard or Enterprise
Microsoft .NET Framework 3.5 Service Pack 1 (SP1)
Microsoft SQL Server® 2008 64-bit Standard or Enterprise, SP1 or later
Microsoft Exchange Server 2010
Windows SharePoint® Services 3.0 SP1, 64-bit
Windows PowerShell™ 1.0
FIM 2010
Note
A description of the installation of FIM 2010 and the required software components is out of the scope of this document. For a complete description of the installation process for FIM 2010, see the FIM Installation Guide.
The scenario roadmap in this document consists of two main building blocks:
Configuring the scenario. In this section, you create all required scenario components, including the required MPRs and workflows.
Testing the scenario. In this section, you verify whether the MPRs generate the desired results.
The configuration of the scenario in this document consists of the following building blocks:
Creating the scenario user
Creating the scenario set
Creating the workflows
Creating the MPRs
The following sections provide detailed instructions for each configuration building block.
For the scenario in this document, you need to create one sample user in the FIM 2010 R2 Portal.
The following table lists the attributes of the sample user:
Attribute | Value |
---|---|
First name | Britta |
Last name | Simon |
Display name | Britta Simon |
Domain | Fabrikam |
To open the FIM 2010 R2 Portal, open Windows Internet Explorer®, and then navigate to https://localhost/identitymanagement/default.aspx.
To open the Users page, on the navigation bar, click Users.
To open the Create User wizard, on the toolbar, click New.
On the General tab, provide the following information, and then click Next:
First Name: Britta
Last Name: Simon
Display Name: Britta Simon
Domain: FABRIKAM
To open the Summary tab, click Finish.
On the Summary tab, click Submit.
Tip
To display the available users, click the Search for button.
In this section, you create the required scenario set. For the scenario in this document, the purpose of the set is to track all users who are part of the Helpdesk department. A user becomes a member of this set when the user’s department attribute is set to Helpdesk.
On the FIM 2010 R2 Portal, to open the Sets page, in the navigation bar, click Sets.
To open the Create Set Wizard, on the toolbar, click New.
On the General tab, provide the following information, and then click Next:
- Display Name: All Helpdesk Members
On the Criteria-based Members tab, provide the following information, and then click Finish:
In the filter statement, click All resources, and then in the resource list, select user.
To add a new template statement to the filter statement, in the filter statement, click Add Statement.
In the filter statement, click <Click to select attribute>, and then in the resource list, select Department.
In the filter statement, click <click to select value>, and then in the text box, type Helpdesk.
On the Summary tab, click Submit.
In this section, you create the required workflows. For the scenario in this document, two workflows are required:
Send Notification Workflow
Update Description Workflow
The objective of this workflow is to send a notification e-mail message when an update to the department attribute was applied. For the scenario in this document, this workflow is intended to be triggered by the request-based MPR.
In the FIM 2010 R2 Portal, to open the Workflows page, on the Administration bar, click Workflows.
To open the Create Workflow Wizard, on the toolbar, click New.
On the General tab, provide the following information, and then click Next:
Workflow name: Send Notification Workflow
Workflow type: Action
On the Activities tab, provide the following information, and then click Next:
In the Activity Picker, select Notification, and then click Select.
To set the Recipients, in the Recipients text box, type administrator, and then click the Validate and resolve button.
To select an Email Template:
To open the Select Resources dialog box, click the Browse button.
To display a list of the available Notification Email Templates, click the Search for button.
Select one of the listed Notification Email Templates.
Click OK to select the template.
To add the activity, click Save.
To open the Summary page, click Finish.
On the Summary tab, click Submit.
The objective of this workflow is to set the description of a target user to a specific value. For the scenario in this document, this workflow is intended to be triggered by the set transition–based MPR.
In the FIM 2010 R2 Portal, in the Administration bar, click Workflows to open the Workflows page.
To open the Create Workflow wizard, on the toolbar, click New.
On the General tab, provide the following information, and then click Next:
Workflow name: Update Description Workflow
Workflow type: Action
On the Activities tab, provide the following information, and then click Next:
In the Activity Picker, select Function Evaluator, and then click Select.
In the Activity Display Name text box, type Update Description.
To open the Add Workflow Parameter Lookup dialog box, click Lookup.
From the Workflow Parameter list, select Target.
In the Parameter Attribute list, select Description.
To close the Add Workflow Parameter Lookup dialog box, click OK.
To set the Value, click Concatenate Value.
In the items list, select String, and then type Your TMPR was applied in the text box.
To save the activity, click Save.
To go to the Summary tab, click Finish.
On the Summary tab, click Submit.
In this section, you create the required MPRs. For the scenario in this document, you create two MPRs:
New Helpdesk Member TMPR – This MPR is triggered when a user transitions into the All Helpdesk Members set.
Update Department RMPR – This MPR is triggered when the department attribute of a user is updated.
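As an added example that is not part of this document or of FIM itself, the following Python model shows when each of the two MPR types fires for the lab scenario: the request-based MPR matches the request (requestor, operation, attribute, target set before and after), the set transition MPR fires on the resulting membership change whichever request caused it, and a request that no MPR grants is denied. The Administrators set is approximated by an assumed IsAdmin flag, and the evaluation logic is a simplification of what the FIM Service does.

```python
# Simplified model of FIM MPR evaluation for this lab (added example, not FIM code).
# Criteria-based sets: a predicate over a resource's attributes.
SETS = {
    "All Users and Groups": lambda r: r.get("ObjectType") in ("Person", "Group"),
    "Administrators": lambda r: r.get("IsAdmin", False),  # assumption: a flag stands in for the real set
    "All Helpdesk Members": lambda r: r.get("ObjectType") == "Person" and r.get("Department") == "Helpdesk",
}
# Request-based MPRs match on requestor, operation, attribute and target sets.
# Only an MPR with grant=True authorizes the request; the others just add workflows.
REQUEST_MPRS = [
    {"name": "Administration: Administrators can read and update Users",
     "requestors": "Administrators", "operation": "Modify", "attributes": None,
     "before": "All Users and Groups", "after": "All Users and Groups",
     "grant": True, "workflows": []},
    {"name": "Update Department RMPR",
     "requestors": "Administrators", "operation": "Modify", "attributes": {"Department"},
     "before": "All Users and Groups", "after": "All Users and Groups",
     "grant": False, "workflows": ["Send Notification Workflow"]},
]
# Set-transition MPRs fire on a membership change, whichever request caused it.
TRANSITION_MPRS = [
    {"name": "New Helpdesk Member TMPR", "set": "All Helpdesk Members",
     "transition": "In", "workflows": ["Update Description Workflow"]},
]

def member_of(set_name, resource):
    return bool(SETS[set_name](resource))

def process_request(requestor, target, attribute, value):
    """Apply a Modify request in place; return (status, matched MPR names, workflows run)."""
    after = dict(target)
    after[attribute] = value
    matched, workflows, granted = [], [], False
    for m in REQUEST_MPRS:
        if (m["operation"] != "Modify" or not member_of(m["requestors"], requestor)
                or (m["attributes"] is not None and attribute not in m["attributes"])
                or not (member_of(m["before"], target) and member_of(m["after"], after))):
            continue
        matched.append(m["name"])
        workflows += m["workflows"]
        granted = granted or m["grant"]
    if not granted:
        return "Denied", matched, []  # no MPR granted the right: FIM rejects the request
    for t in TRANSITION_MPRS:
        was_in, now_in = member_of(t["set"], target), member_of(t["set"], after)
        if (t["transition"] == "In" and not was_in and now_in) or \
           (t["transition"] == "Out" and was_in and not now_in):
            matched.append(t["name"])
            workflows += t["workflows"]
    target.update(after)
    if "Update Description Workflow" in workflows:  # the Function Evaluator activity
        target["Description"] = "Your TMPR was applied"
    return "Completed", matched, workflows
```

Setting the department to Finance matches only the two request MPRs, setting it to Helpdesk additionally fires the TMPR, and a requestor outside the Administrators set is denied.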
The objective of this section is to create an MPR that is triggered when a user transitions into the All Helpdesk Members set.
To open the Management Policy Rules page, on the FIM 2010 R2 Portal home page, in the navigation bar, click Management Policy Rules.
To open the Create Management Policy Rule Wizard, on the toolbar, click New.
On the General tab, provide the following information, and then click Next:
Display Name: New Helpdesk Member TMPR
Type: Set transition
On the Transition Definition tab, provide the following information, and then click Next:
Transition Set: All Helpdesk Members
Transition Type: Transition In
Note
You need to click the Validate and resolve button after typing the name of the transition set into the textbox.
On the Policy Workflows tab, provide the following information, and then click Next:
- Action Workflows: Update Description Workflow
On the Summary tab, click Submit.
The objective of this section is to create a request-based MPR that is triggered when an update request to the department attribute of a user is processed.
To open the Management Policy Rules page, on the FIM 2010 R2 Portal homepage, in the navigation bar, click Management Policy Rules.
To open the Create Management Policy Rule Wizard, on the toolbar, click New.
On the General tab, provide the following information, and then click Next:
Display Name: Update Department RMPR
Type: Request
On the Requestors and Operations tab, provide the following information, and then click Next:
Requestors: Specific Set of Requesters - Administrators
Note
You need to click the Validate and resolve button after typing the name into the Resource Picker.
Operation: Modify a single-valued attribute
On the Target Resources tab, provide the following information, and then click Next:
Target Resource Definition Before Request: All Users and Groups
Target Resource Definition After Request: All Users and Groups
Note
You need to click the Validate and resolve button after typing the name into a Resource Picker.
Select specific Attributes: Department
Note
You need to click the Validate and resolve button after typing the name into a Resource Picker.
On the Policy Workflows tab, provide the following information, and then click Next:
- Action Workflows: Send Notification Workflow
On the Summary tab, click Submit.
The goal of the scenario in this document is to test the functionality of the two basic MPR types – request and transition.
The following sections provide instructions for testing each MPR type.
The objective of the request MPR in this scenario is to invoke a workflow that sends a notification e-mail message when the department attribute of a user is updated. For the scenario in this document, you verify the functionality of the request MPR by updating the department attribute of the sample user Britta Simon to Finance.
To verify whether the request MPR works as expected, perform the following tasks:
Update the department attribute of the sample user
Review the request queue
Verify the effect of the MPR
In the following sections, you will find the related test instructions.
The objective of this step is to set the department attribute to Finance.
To open the Users page, on the FIM 2010 R2 Portal home page, in the navigation bar, click Users.
To retrieve a list of the existing users, click the Search for button.
To open the Britta Simon property page, in the Display Name column, select Britta Simon.
In the Department text box, type Finance.
To open the Summary page, click OK.
To update the Britta Simon properties, click Submit.
The attempt to update Britta Simon's department attribute generates a request object in FIM 2010 R2. The FIM 2010 R2 Service should have applied two MPRs to this request:
Administration: Administrators can read and update Users – This MPR grants permission to update a user's attributes.
Update Department RMPR – This MPR is triggered by the update request for Britta Simon's department attribute.
The objective of this section is to verify whether the request has been processed as expected.
To open the Manage My Requests page, in the Requests & Approvals section of the navigation bar, click Manage My Requests.
To open the request properties, in the Request list, select Update to Person: 'Britta Simon' Request.
Click the Detailed Content tab, and verify that the request content has the following details:
Attribute: Department
Operation: Modify
Type: String
Value: Finance
Click the Applied Policy tab, and verify that the Matched Management Policy Rules list contains the following MPRs:
Administration: Administrators can read and update Users
Update Department RMPR
Click the General tab, and verify that Status displays Completed.
The last verification step is checking your inbox for a notification e-mail message.
Go to your Microsoft Office Outlook® Inbox.
Verify that a notification e-mail message has arrived in your Inbox.
The objective of the set transition MPR in this scenario is to invoke a workflow that sets the description of a user to a specific value when the user has transitioned into the All Helpdesk Members set. For the scenario in this document, you verify the functionality of the set transition MPR by updating the department attribute of the sample user Britta Simon to Helpdesk, which makes Britta Simon a member of the All Helpdesk Members set. When Britta Simon has become a member of the All Helpdesk Members set, her description attribute should be set to Your TMPR was applied.
To verify whether the set transition MPR works as expected, perform the following tasks:
Update the department attribute of the sample user.
Verify the set membership.
Review the request queue.
Verify the effect of the MPR.
In the following sections, you will find the related test instructions.
The objective of this step is to make the sample user a member of the All Helpdesk Members set.
To open the Users page, on the FIM 2010 R2 Portal home page, on the navigation bar, click Users.
To retrieve a list of the existing users, click the Search for button.
To open the Britta Simon properties page, select Britta Simon from the Display Name column.
In the Department text box, type Helpdesk.
To open the Summary page, click OK.
To update the Britta Simon properties, click Submit.
Setting Britta Simon's department attribute to Helpdesk should have made Britta Simon a member of the All Helpdesk Members set.
The objective of this section is to verify whether this is true.
To open the Sets page, in the Management Policy Rules section of the navigation bar, click Sets.
To open the All Helpdesk Members property page, in the Display Name list, click All Helpdesk Members.
To display the list of calculated members, click the Criteria based Members tab, and then click View Members.
Verify that Britta Simon appears in the list.
Note
In the View Members list, the Description box for Britta Simon should read Your TMPR was applied.
The attempt to update Britta Simon's department attribute generates a request object in FIM 2010 R2. The FIM 2010 R2 Service should have applied the following MPRs to this request:
Administration: Administrators can read and update Users – This MPR grants permission to update a user's attributes.
New Helpdesk Member TMPR – This MPR is triggered by the set transition of Britta Simon into the All Helpdesk Members set.
Update Department RMPR – This MPR is triggered when a request to update the department attribute of a user is processed.
The objective of this section is to verify whether the request has been processed as expected.
To open the Manage My Requests page, in the Requests & Approvals section of the navigation bar, click Manage My Requests.
To open the request properties, in the Request list, select Update to Person: 'Britta Simon' Request.
Click the Detailed Content tab, and verify that the request content has the following details:
Attribute: Department
Operation: Modify
Type: String
Value: Helpdesk
Click the Applied Policy tab, and verify that the Matched Management Policy Rules list contains the following MPRs:
Administration: Administrators can read and update Users
New Helpdesk Member TMPR
Update Department RMPR
Click the General tab, and verify that Status has the following value: Completed.
You should have already seen the updated description value when reviewing the membership of the All Helpdesk Members set. In addition, you should also review Britta Simon's attribute values.
To open the Users page, on the FIM 2010 R2 Portal home page, click Users on the navigation bar.
To retrieve a list of the existing users, click the Search for button.
To open the Britta Simon properties page, in the Display Name column, select Britta Simon.
Click the Advanced View button.
Verify that the Description attribute has a value of Your TMPR was applied.
Note
You should also receive another notification e-mail message in your Inbox because updating Britta Simon’s department attribute also triggers the Update Department RMPR.