Terminology and Glossary

Updated: April 5, 2010

Applies To: Forefront Identity Manager 2010

This topic lists new terms introduced in Microsoft® Forefront® Identity Manager (FIM) 2010.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.





























Active Directory group validation
A procedure implemented in FIM 2010 that ensures the uniqueness of the account name of a group within a domain stored in Active Directory® Domain Services (AD DS).

action workflow
A workflow that carries out an action after a change to a resource has been committed to the FIM Service database. This includes workflows with activities for sending a notification e-mail message and synchronizing changes to the FIM Synchronization Service database.

A workflow activity is the basic building block of Windows Workflow Foundation (WF) workflows. It incorporates the logic that is initiated both at design time and run time when building and running workflows.

activity assembly
A dynamic-link library (.dll) or an executable (.exe) file containing a Microsoft .NET assembly that implements the logic for a workflow activity.

An approval is a workflow decision point that can be used to obtain authorization from a person before continuing in the workflow.

approval e-mail message
If a request to change a resource requires an approval before it can be committed to the FIM Service database, an approval e-mail message is sent to the identified approvers.

approval request
A request that requires an approval. For example, an e-mail message sent by FIM 2010 to an approver as part of the processing of an approval activity.

approval response
A response for an approval request. It contains information about whether the request is approved or denied. Typically an e-mail message sent from the FIM Add-in for Outlook® in reply to an approval request.

approvals search folder
The search folders created by the FIM Add-in for Outlook that provides a way for the user to see pending and completed approvals and approval request updates.

approval threshold
The number of positive approval response messages needed to permit a request to continue processing.

The person who gives the approval for the request to proceed to the next stage. They receive approval request messages if FIM Add-in for Outlook is used. See also E.

attribute flow
This defines the direction in which attribute values flow between the FIM service and other external systems.

authentication activity
A workflow activity that validates a user’s identity. For example, the password reset gate. See Q and L.

authentication challenge
A dialog that requires the user to provide a response so that they can authenticate to FIM 2010. For example, questions for the user to answer so that they can reset their passwords.

authentication challenge activity
A workflow activity that is used to configure a challenge that is issued to a user to authenticate to FIM 2010.

authorization workflow
A workflow with activities that must be completed before the request is committed to the database. Two examples of activities that could be included in an authorization workflow are a data validation activity and an approval activity.


clear registration attribute
This attribute clears the registration associated with a particular authentication workflow. For example, in a Question and Answer Challenge, hashes of answers are stored in FIM 2010 in the form of registration data. When the Clear Registration check box is checked and a workflow is saved, the registration data is deleted, requiring users to reregister.

computed member (or member)
A read-only attribute of a set or group whose values are references to zero or resources computed from the combination of manually managed members and the resources which match a filter.

count XPath
XPath expression that returns a numeric value to be rendered within parentheses after the display name of the resource in a page in the FIM Portal.

criteria-based member
A read-only set of resources computed from the combination of static group members and a filter.

criteria-based membership
A group in which the membership of the group is determined by a filter: user resources, group resources and resources of other resource types whose attributes match the filter are considered members of the group. See also S.

across forest member
A member of a security group whose user account is in a different forest than the group account.

across forest group calculation
A preset activity which takes place across forest members of a group in the Foreign Security Principal (FSP) set associated with the forest in which the group resides.

custom expression
The descriptive language used to define functions or attribute flows in advanced mode.


destination set (or target resource definition after request)
A set to which a resource moves into because of a request that changes that resource's attributes.

default group validation activity
A preset workflow activity that determines whether a group management request would violate the FIM 2010 or Active Directory configuration or policy.

display name
An attribute of a resource that appears in a user interface to identify that resource. A value used in a display name should be unambiguous and understandable by users. It is important to provide a display name if you want to use the resource in various FIM Portal controls such as the resource picker.

distribution group
A collection of resources, most commonly users and other groups, to which you can send e-mail messages simultaneously. This is accomplished by sending messages to the mailbox for the group.

domain configuration
A configuration resource used to model Active Directory domains.

domain local group
A group with domain local scope is an Active Directory group that secures resources within a particular domain and that can contain members from that forest or any trusted forest.

dynamic attribute value
The value of an attribute that is calculated based on other attributes. For example, a name attribute is calculated by concatenating the given name and the last name.

dynamic group
A group whose membership is automatically determined and kept up-to-date by FIM 2010. FIM 2010 ensures that the group contains all the resources such as users, groups, and other resource types that fall within the constraints that are expressed by using an XPath filter.


A collection of access rights to applications and other managed resources.

A list of resources returned by the FIM Service.

If an approval is not completed within the specified time, the approval is escalated and additional approvers, the escalation approvers, are added to the approval.

escalation approver
The user who receives approval request messages if an insufficient number of the approvers fail to respond before escalation of the request. See also A.

Extensible Assertion Markup Language (XAML)
An XML-based language in which workflow definitions are represented.

external system scoping filter
Determines the resources that you identify and filter from a source directory based on a particular condition.

external system resource type
This is the resource type in the external system to which the FIM 2010 resources are connected.

external system resource creation flag
A parameter of a synchronization rule. This parameter indicates whether you should create a resource in the connector space if it is based on the relationship criteria that such a resource does not exist in the external system. See F.

external system scope
A parameter of a synchronization rule containing a filter presenting resources on the external system to which the rule applies.


An expression containing filter conditions. A filter matches a resource if each of the filter conditions contained in that filter match the resource. In FIM 2010, the filter uses the XPath syntax.

filter permission
A mechanism to define and enforce permissions on the types of filters available to the users of FIM 2010 when creating dynamic groups and users. Filter permissions are enforced through a FilterScope and are validated as part of an authorization activity when the creation or modification to filter objects is performed.

FIM 2010 R2 management agent
A management agent that synchronizes between the FIM Service and the FIM Synchronization Service.

FIM 2010 R2 password reset client service
This refers to the proxy service that resides on each end user’s computer where the Password Reset client has been installed and that communicates with the FIM Service.

FIM 2010 R2 password reset extensions
This refers to the code that resides on each end user’s computer that extends the functionality of the Windows logon to include self-service password reset. These extensions communicate via the FIM password reset client service.

FIM 2010 R2 resource creation flag
A parameter of a synchronization rule that indicates whether a resource should be created in the FIM 2010 database if based on the relationship criteria that the resources does not exist. See external system resource creation flag.

A component that can be included in a synchronization rule or a workflow definition to process data values.


A workflow activity used in the authentication phase of request processing. See Q and L.

grant entitlement
The process of adding access rights to applications, directories, and other managed resources.

group nesting
A field of a group definition that specifies whether the group contains other groups as members of the current group.

group scope
A field of a group definition, one or local, global, or universal.


image URL
The URL for an image file that is to be rendered in the FIM 2010 Portal UI.

initial flow
An initial flow is an attribute value flow that only is applied once when the resource is created for the first time. That is, an initial password is created only when you create an account for the first time.

interactive workflow
A workflow that requires a response from the user requesting a change such as for performing additional authentication checks during password reset or password reset registration.


join group request
A request to add a user to a group.


A configuration setting on a person resource in the FIM Service database that restricts that person from authenticating to the FIM Service or performing a password reset.

lockout gate
A workflow activity in the authentication phase of the request processing intended to lock out a user who has failed to authenticate. See also Q and L.

lockout threshold
This is an integer control that specifies the number of times a user can fail to complete the authentication workflow before they are locked out for the lockout duration. The default setting for the lockout threshold is 3. The lower limit is 0 and the upper limit is 99.

lockout duration
This is an integer control that specifies the duration in the number of minutes that the user is locked out after reaching the lockout threshold. The default setting for this is 15 minutes. The lower limit for this setting is 1. The upper limit is 9999, which allows the administrator to set the lockout duration to greater than one day.

lockout threshold count before permanent lockout
This is an integer control that allows the administrator to configure a numeric value for the number of times a user can reach the lockout threshold before being permanently locked out. Permanent lockout implies that the user must be unlocked by the system administrator. By default, this is set to 3. The range for this setting is between 1 and 99.


management policy rule
Management policy rules (MPRs) provide a mechanism to model business processing rules for incoming requests to the FIM Service. They control the permissions for requesting operations on FIM Service resources together with the workflows that are triggered by these requests. They also specify the workflows that are triggered by set transitions.

manually managed member
The membership of the group or set that consists of a manually selected list of users, groups, or other resources.

monitored mailbox
An Exchange Server mailbox which the FIM Service monitors to receive approval and request e-mail messages from the FIM Add-in for Outlook.


notification activity
A workflow activity within the action phase of request processing in which the FIM Service sends e-mail messages to one or more users to notify them of the successful completion of a request.

notification message
An e-mail message sent by a notification activity. See also notification activity in this section.


ObjectID (ResourceID)
An attribute that contains a globally unique identifier (GUID) assigned by the FIM Service to each resource when it is created in or synchronized into the FIM Service database. Also known as a resource ID.

object identifier
A sequence of numbers used as an identifier for a field in a X.509 digital certificate or for an attribute type or object class in an LDAP-based directory service. Object identifiers are typically assigned by software vendors and standards bodies.

operation type
The operation type is a specification of a type of change to a resource which can be requested through the WS-Transfer web service of the FIM Service. The operation types are creation and deletion of resources, and read, adding values to, removing values from modifying the value of resource attributes.

An element of a filter that specifies a comparison or another relationship between data values.

origin set (or target resource definition before request)
A set to which a resource belonged prior to a change in that resource's attributes.


password reset
A procedure by which a user’s password can be changed to a new value when the user has forgotten or lost their current password. See also R.

Each resource creation, update, or deletion request is processed by the FIM Service through three workflow phases. In the authentication phase, additional authentication checks of the requesting user can be performed. In the authorization phase, any necessary approvals are gathered. In the action phase, the activities are performed after the request to change the resource that has been committed.

policy management
Policy management in FIM 2010 is made possible by a console based on Microsoft Office SharePoint® Server 2007 for policy authoring and enforcement. Extensible workflows based on Windows Workflow Foundation (WF) enable the users to define, automate, and enforce identity management policies. Policy management also includes heterogeneous identity synchronization and consistency that is achieved by the integration of a broad range of network operating systems, e-mail, database, directory, application, and flat-file access.

policy update (or run-on policy update)
A parameter set on action workflows to indicate that the workflow should be applied to existing members of a set Transition Set in the Set Transition Policy referencing this workflow. Applies only the Set Transition Policies when the policy is first created, enabled, or when selected changes are made to the policy.

An ordering of synchronization rules.

A set used in an MPR to specify the set of resources (usually a set of users) that initiate the MPR evaluation.

requestors relative to resource
Used to define dynamic MPRs whose conditions are evaluated in the context of each target resource being processed (such as the requester’s own user object, a target user's manager or a target group's owner).


QA gate
A workflow activity in an authentication phase in which the requesting user must supply answers to one or more predetermined questions. This activity is typically used in password reset to challenge the user to prove their identity. This challenge is made by prompting the user with a selection of predetermined questions for which only that user would know and for which the user must supply the correct answer. See also L.

QA challenge
A challenge that requires the user to answer a series of questions in order to authenticate to FIM 2010.


random password settings
A setting that determines the minimum number of characters required to set a password in the external directory.

reference attribute type
An attribute type in which the values of the attribute are the ObjectID (globally unique identifiers) attribute values of other resources in FIM 2010. See also O.

referential integrity
A constraint in FIM 2010 in which a reference attribute cannot have as a value an ObjectID of a resource which has been deleted.

A procedure to configure self-service password reset for a user. See also Q.

The updating of a registration for an authentication challenge in FIM 2010, typically required after a change to an administrative policy for password reset registration.

relationship creation
Configuration flags of a synchronization rule that determines whether the resources should be created automatically in FIM 2010 or in the external system, if the resources are absent.

relationship criteria
Setting of a synchronization rule that is used to match resources in FIM server and resources in external systems.

relationship termination
Indicates if related resources in other external systems should be disconnected (and perhaps deleted) when the synchronization rule no longer applies.

request management
The ability for a user to interact with and manage submitted requests and associated workflows.

Requester Management Policy Rule (RMPR)
A management policy rule type that is evaluated and applied against incoming requests to perform operations. RMPRS are primarily used to author access policy definitions in FIM.

Requester or requestor
The identity of the user or service that has submitted a request to FIM 2010.

requester scope
A configured collection of users who can submit a request. A requester scope can be everyone or a specific set of users defined by a filter.

An instance of a certain resource type in the FIM 2010. Each resource is uniquely identified by its ObjectID (ResourceID) attribute.

resource control display configuration (RCDC)
RCDCs are configuration resources that are used to render the UI in the FIM Portal for creating, editing or viewing a resource of a specific resource type in FIM.

resource hierarchy
In a directory service, the hierarchy of a resource entry is the collection of directory entries between the base of a naming context and that resource entry.

ResourceID (ObjectID)
An attribute that contains a globally unique identifier (GUID) assigned by FIM 2010 to each resource when it is created. Also known as an O.

resource scope
A set of resources about which a request can be submitted.

resource type
A part of a schema that defines the representation of a resource in FIM 2010.

resource type mapping
A relationship between a resource type used to represent a resource in the FIM Service database and a resource class used to represent that resource in the FIM Synchronization Service metaverse.

revoke entitlement
The process of removing access rights to applications, directories, and other managed resources.

An organizationally assigned security principal or collection of resources used to manage access rights.


search folder
See A.

search scope
Specifies the properties for a particular search context that a user may conduct from the FIM 2010 Portal. For example, a user could select a search scope from a drop-down list for All Users, All Distribution Lists, My Pending Approvals, and the search results would be constrained to items meeting those criteria in addition to any search terms specified by the user.

security descriptor
A structured and associated data that contains the security information for a securable resource. A security descriptor identifies the resource's owner and primary group. It can also contain a discretionary access control list (DACL) that controls access to the resource, and a system access control list (SACL) that controls the logging of attempts to access the resource.

security principal
An identity used for security management, such as a user account, that can authenticate to a service.

security token
A protocol element that transfers authentication and authorization information, based on a credential. In the Web services protocols, a security token is represented as an XML element in a SOAP header, as defined by WS-Security.

security token service
A service that implements the WS-Trust protocol to manage trust between clients and services based on the exchange of security tokens.

sequential workflow
All workflows in FIM 2010 are derived from the Windows Workflow Foundation sequential workflow. It includes several workflows with activities processed in a sequential order.

service account
A Windows account assigned to be used by a Windows service, rather than to be used by a user to log on to a computer system. It represents the system account of FIM.

A named collection of resources. Typically sets are used to organize resources based on rules. The membership in a set is manually managed or criteria-based. This means that you can manually add resources to a set and that you can define a criteria that automatically adds resources to a set based on a filter statement. When a resource fulfills the filter criteria, it is automatically added to the related set.

Set Transition management policy rule (TMPR)
A management policy rule that is applied on changes to membership of a set. Set Transition MPRs apply action workflows either when object transition into or out of a specified set in the MPR.

A security identifier (SID). A unique value used to identify a user account, group account, or logon session.

Simple Object Access Protocol. A protocol for exchanging structured information between software components.

synchronization filter
A filter to prevent resources in the metaverse from being transferred to the FIM 2010 database.

synchronization rule
A rule for flowing resource information between the server running FIM 2010 R2 (including the FIM 2010 R2 synchronization engine) and connected external system.


Temporal Policy
A Set Transition MPR that is bound to a Temporal Set. The policy is applied on the passage of time, as objects transition into and out of the set based on the Temporal Set’s definition.

Temporal Set
A type of a set object that is based on relative dates. Temporal Sets provide a mechanism that can fully automate the process of transitioning into or out of a set based on the passage of time. For example, a Temporal Set can be defined for all groups that expire one week from today. The system evaluates the objects in the system automatically and adds them to this set on a daily bases. Other examples allow for dynamic definitions of a time reference such as a filter that is based on "x days from today."

Transition Set
A set that is used in a definition of a Set Transition management policy rule. The policy is applied to the changes in the set membership, which can be either objects entering or leaving the set, depending on the TMPR’s configuration.

A time period in which FIM 2010 waits for approval responses until the approval activity is escalated.


unlocked group
A group in which the membership of the group can be changed by users other than the owner of the group.

universal group
A group with universal scope is an Active Directory group that can contain members from a particular forest. A universal group can be assigned permissions in any domain or forest. Distribution lists typically have universal scope. A security group with universal scope can secure resources within the same forest.

update request
A request to change the attributes of a resource.

usage keyword
A usage keyword is used to determine which search scopes are shown for a specific page in the portal UI. Each list view page in the UI specifies zero or more usage keywords, and the UI for that page includes all search scopes that contain matching keywords. When authoring search scopes, customers can specify zero or more keywords per search scope to customize which search scopes appear for a given page in the UI. It is also used to determine which home page resource and navigation bar resource is shown to what set of users. It is also used in schema management to protect and label schema elements that are needed by various components of FIM.


Web portal
A user interface implemented by a software application through a component of a Web server, such as Internet Information Services (IIS).

Web service
A protocol interface to a service implemented by using an HTTP-based protocol.

A workflow is a set of elemental units called activities that are stored as a model that describes a real-world process. Workflows provide a way of describing the order and dependent relationships between work items. This work passes through the model from start to finish, and activities might be performed by people or by system functions.

workflow definition
The workflow definition is stored in the XOML format defined by the WF. This defines the activities, the parameters for the activities, and the order in which they should run.

workflow designer
The design time experience for the construction of workflows.

workflow host
The server component that deals with the running of workflows. In FIM 2010, the FIM 2010 Service is the workflow host.

workflow instance
A running or runnable instance of a workflow definition as an effect of a request being in the scope of an MPR with that workflow definition.

workflow management
A FIM 2010 feature that deals with designing, executing, and managing workflows. Workflow management consists of the workflow designer, request management, and the workflow host.

Community Additions