Introduction to Request Management

Applies To: Forefront Identity Manager 2010

Every operation that is performed in the Microsoft® Forefront® Identity Manager (FIM) 2010 environment originates as a request. You can use the FIM Portal to view and manage user requests for various tasks, such as adding a member to a group or changing a user profile. From the FIM Portal, you can approve or reject each request and view request details.

The FIM Add-in for Outlook component that is included with FIM 2010 also provides the basic functionality for submitting and processing requests and approvals. In addition, the Add-in offers functionality for managing groups. The FIM Add-in for Microsoft® Office Outlook® allows users to use the native Outlook 2007 messaging and collaboration client to perform the following activities:

  • Approve or reject a group management request that is received using FIM 2010

  • Request to join or leave a group

  • Request to add or remove members from groups

What This Document Covers

This document demonstrates request and approval management using the FIM Portal and FIM Add-in for Outlook. It describes how to create workflow activities for notification and approvals, how to submit a request to join a group, and how to search for and approve such requests using both the FIM Portal and Outlook 2007 with the FIM Add-in for Outlook.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Prerequisite Knowledge

This document assumes that you have a basic understanding of Outlook 2007 and a working installation of FIM 2010. It also assumes that the steps in the Common Configuration for Getting Started Guides have been completed successfully. For details, see The Testing Environment in this document. For more information about requests and approvals, see Modeling Business Policy Rules in FIM in the FIM documentation.

Audience

This document is intended for systems administrators and information technology (IT) personnel who plan to manage groups using the FIM Portal or the FIM Add-in for Outlook 2007.

Time Requirements

The procedures in this document require 30 to 45 minutes to complete.

Getting Support

If you have questions regarding the content of this document or if you have general feedback that you want to discuss, post a message to the Microsoft Forefront Identity Manager Discussion Forum.

Scenario Description

This scenario will demonstrate how to manage requests and approvals by performing some basic group management tasks.

  • Get familiar with creating and modifying workflow activities related to group management.

  • Submit a request to be added to a distribution group, and have the owner receive and process the approval request.

  • Submit a request to join another distribution group that has two owners. Authorization to join this group requires the approval of only one of the group's owners.

  • Submit a request to join a distribution group that does not require owner approval to join.

  • Examine the elements of a request and get familiar with searching for requests.

The Testing Environment

To perform the procedures in this document, your environment must have the following characteristics:

  • A server computer that is a member of the Fabrikam forest and that hosts the FIM 2010 server components.

  • A client computer that is a member of the Fabrikam forest with the FIM Add-in for Outlook.

  • A server computer that is a member of the Fabrikam forest and that hosts Microsoft Exchange Server 2007.

  • A set of Active Directory users that have been synchronized with FIM, in accordance with the Common Configuration for Getting Started Guides in the FIM 2010 documentation. The user accounts and scenarios in this document assume that the steps in the Common Configuration for Getting Started Guides have been completed successfully.

Scenario Roadmap

The scenario roadmap in this document consists of two main sections:

  • Configuring the scenario—in this section, you create all required scenario components.

  • Testing the scenario—in this section, you verify that the scenario works according to the outlined scenario specification.

Configuring the Scenario

The configuration of the scenario in this document consists of the following building blocks:

  • Create a new notification activity which includes the creation of a new e-mail template.

  • Create the necessary groups.

Create a new notification activity

A notification activity is a type of workflow activity that is used to send e-mail notifications as the result of an event. Within the notification activity, you can configure the recipients, either by specific names or by determining them dynamically from the request data. For example, in the example that you will create, the activity is generically configured to send an e-mail to the owner of the target resource of the request. In the case of a group membership request, an e-mail will be sent to the owner of that group.

Within the notification activity, you use an e-mail template resource to define the content of the e-mail. FIM supplies default e-mail templates, or you can create a custom template. E-mail templates can be configured to include real-time data—for example, data from the request—to customize the user interaction.

When the workflow has been created, you define when the activity will be triggered. You do this by associating a Management Policy Rule (MPR) with the new workflow. In the example that you will create, you will use an MPR that allows users to add members to groups that do not require owner approval. Whenever this MPR is processed, the notification activity will run and an e-mail will be sent to the owner of the group.

In the following procedures, you create a new e-mail template for group owner notifications, create a new workflow activity that uses the new e-mail template, and then link the new workflow activity to an existing MPR.

To create a new e-mail template

  1. Log on to the FIM Portal as an administrator.

  2. On the FIM 2010 home page, under Administration, click All Resources.

  3. Click Email Template.

  4. Click New.

  5. In Display Name, type Notification: member added to non-approval group.

  6. In Template Type, select Notification.

  7. In Subject, type New member added.

  8. In Body, type A new member has been added to your group.

  9. Click Finish, and then click Submit.

To create a new workflow activity

  1. On the FIM 2010 home page, on the Navigation Bar under Management Policy Rules, click Workflows.

  2. Click New.

  3. In Workflow Name, type Owner Notification Workflow.

  4. In Description, type Notifies owners of non-approval groups when members are added.

  5. In Workflow Type, select Action, and then click Next.

  6. In Activity Picker, select Notification, and then click Select.

  7. In Recipients, click Lookup.

  8. In Workflow Parameter, select Target.

  9. In Parameter Attribute, select Owner, and then click OK.

  10. In Email Template, click the browse icon.

  11. On the Select Resource page, press ENTER.

    Note

    Because you are creating a new Notification activity, only Notification Email Templates will be displayed.

  12. Select the Notification: member added to non-approval group check box, and then click OK.

  13. Click Save, click Finish, and then click Submit.

To update an MPR

  1. On the FIM 2010 home page, click Management Policy Rules on the Navigation Bar.

  2. In Search for, type distribution list, and then press ENTER. This will display all the Distribution List–related MPRs.

  3. Click the Display Name of the MPR Distribution list management: Users can add or remove any members of groups that don't require owner approval.

  4. On the Policy Workflows tab, scroll to Action Workflows, and then select the Owner Notification Workflow check box.

  5. Click OK, and then click Submit.

Configure groups and users

To view different request scenarios, you will create three Distribution Groups:

  • Single owner, join-restricted

  • Multiple owner, join-restricted

  • Single owner, no join restriction

Create the groups with the indicated attributes in the following table.

Display Name                    | E-Mail Alias | Member Selection | Owner          | Displayed Owner | Join Restriction
Marketing Strategy Discussion   | MSD          | Manual           | bsimon         | bsimon          | Owner approval required
Marketing Communications Review | MCR          | Manual           | Tadams, bsimon | Tadams          | Owner approval required
Marketing News                  | MN           | Manual           | bsimon         | bsimon          | None

To create the groups

  1. On the FIM 2010 home page, click Distribution Groups (DGs) on the Navigation Bar.

  2. Click New, and then enter the information for Marketing Strategy Discussion from the previous table. In Members to Add, remove yourself.

  3. Click Finish, and then click Submit.

  4. Repeat these steps for the remaining groups.

Note

A request will be created for each new group that you submit. To view these requests, click Manage My Requests on the FIM home page.

Testing the Scenario

To test the configuration, perform the following steps:

  • Approve a request to join a group with a single owner

  • Receive a notification that a member has joined an open group

  • Approve a request to join a group with multiple owners

Approve a request to join a group with a single owner

In this scenario, a user will submit a request to join a Distribution Group, which will be sent to the owner of the group. The owner will search for pending group requests, and approve the request.

Request to join a group

In this step, use the FIM Portal or the FIM Add-in for Outlook to request that members be added to a group.

To request to join a group using the FIM Portal

  1. Log on to the FIM Portal as Jbischoff.

  2. On the home page, in the Navigation Bar, click Distribution Groups (DGs).

  3. Click the search icon next to Search for to display all the DGs in FIM.

  4. Select the Marketing Strategy Discussion check box, click Join, and then click Submit.

  5. The Join Group page indicates that the request state is Pending Approval by the owner.

  6. Click OK.

To request to join a group using Outlook

  1. Log on to the client computer as Jbischoff, and then open Outlook 2007.

  2. At the top, go to the Groups toolbar, and in the drop-down list, select Join Group. This action opens a preconfigured e-mail that is addressed to Administrator. This cannot be changed, but FIM 2010 knows to send Bsimon an e-mail, provided that user is an owner of the DG.

  3. Click Join.

  4. Click Marketing Strategy Discussion, and then click OK.

  5. Click Send.

Approve the group join request

In this step, you will open the request using the FIM Portal. Then, you will reject the request, resubmit it, and use the FIM Add-in for Outlook to approve the request.

To open a request using the FIM Portal

  1. Log on to the FIM Portal as Bsimon.

  2. On the home page, in the Navigation Bar, click Approve Requests.

  3. Click the display name of Update to Group: 'Marketing Strategy Discussion' request.

  4. Click the General tab, select the Update to Group: 'Marketing Strategy Discussion' request check box, and then click Reject.

  5. Using the steps from the previous procedure, resubmit the join group request, and approve the request in Outlook using the next procedure.

To approve a request using Outlook

  1. Log on as Bsimon, and then open Outlook 2007.

    The Inbox for Bsimon contains the approval request e-mail message for Jbischoff to join Marketing Strategy Discussion.

  2. Approve the add member to a group request for Jbischoff in one of the following ways:

    • In the Outlook 2007 main window, under Inbox, select the approval message. In the bottom part of the reading pane, click Approve, and then click Send.

    • On the Outlook 2007 main window, under Inbox, select and right-click the approval message, click Approve, and then click Send.

    • Open the e-mail message, click Approve in the top left part of the Outlook 2007 ribbon, and then click Send.

    • Select the approval e-mail, open the Actions menu, and then click Approve.

  3. Click Send to send your approval response to FIM 2010.

Verify the group join request

In this step, use the FIM Portal to verify that the user was added to the group.

To verify the group join request

  1. Log on to the FIM Portal as Jbischoff.

  2. On the home page, in the Navigation Bar, click My DG Memberships.

  3. Verify that Marketing Strategy Discussion appears in the list.

    Note

    To verify the membership using Outlook, on the Groups toolbar, in the drop-down list, select Group Management Website, and then repeat steps 2 and 3.

Use search to find a request

Administrators have permissions to search all requests in FIM. In this step, you will search for and examine the details of the request using the FIM Portal.

To search for a request using the FIM Portal

  1. Log on to the FIM Portal as an administrator.

  2. Remove Jbischoff from the Marketing Strategy Discussion group, and resubmit the group add request.

  3. On the home page, in the Navigation Bar, click Search Requests.

  4. In the upper right of the Search Requests page, click Advanced Search.

  5. Click Add Statement, and select Target Resource Type.

  6. In the attribute field, type Group, and then click Search. This action returns all requests that affect groups.

  7. Click the display name of Update to Group: 'Marketing Strategy Discussion' request.

  8. The following properties appear:

    • General—Displays basic information about the request.

      1. Request Summary - The title of the request. It is formatted as <operation><resource><displayname of resource>. For example, Update to Group: 'Marketing Communications Review' request.

      2. Request Date - The date and time that the request was submitted.

      3. Requestor - The user or resource that submitted the request.

      4. Status - The current status of the request.

      5. Approval Information - This displays any pending approvals that are related to this request. From here you may examine the request or approve or reject it.

    • Detailed Content – Displays specific information about the request—most importantly, the attributes that would be affected.

      1. Operation – The type of operation that is being requested, for example Create, Modify, Delete, and so on.

      2. Target Resource Type – The type of resource that the operation is being applied to. For example, when you add a member to a group, the Operation is Modify, because you are modifying the membership list, and the Target Resource Type is Group.

      3. Request Contents – This displays details of the data in the request, including the attributes being changed, the operations performed, and new data values.

    • Applied Policy – Displays the MPRs that affect this request. Click the MPR to view details of the policy rules and associated workflow activities.

      Note

      By default, the Applied Policy page is not visible to end users; it is visible only to administrators.

  9. Click the General tab, select the Update to Group: 'Marketing Strategy Discussion' request check box, and then click Approve.
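The same search can be run from PowerShell for periodic review of group membership requests. The following is an added example, not part of the original guide. It assumes the FIMAutomation snap-in is available on the FIM Service server, that the service listens on its default local endpoint, and that the attribute system names shown (TargetObjectType, RequestStatus, ManagementPolicy, and so on) match your schema; verify them before relying on the output.

```powershell
# Added example: list FIM requests whose target resource type is Group,
# mirroring the Advanced Search filter built in the procedure above.
Add-PSSnapin FIMAutomation -ErrorAction Stop

# Assumption: default FIM Service endpoint on the local server.
$fimUri = 'http://localhost:5725/ResourceManagementService'

# Assumption: 'TargetObjectType' is the system name behind the portal's
# "Target Resource Type" label.
$filter = "/Request[TargetObjectType = 'Group']"

# Helper (hypothetical name): read one attribute from an exported resource.
function Get-FimAttr {
    param($Resource, [string]$Name)
    $attr = $Resource.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    if (-not $attr) { return $null }
    if ($attr.IsMultiValue) { return ($attr.Values -join '; ') }
    return $attr.Value
}

# -OnlyBaseResources returns the Request resources without following references.
$requests = Export-FIMConfig -Uri $fimUri -OnlyBaseResources -CustomConfig $filter

$requests | ForEach-Object {
    New-Object PSObject -Property @{
        Summary   = Get-FimAttr $_ 'DisplayName'      # Request Summary
        Created   = Get-FimAttr $_ 'CreatedTime'      # Request Date
        Requestor = Get-FimAttr $_ 'Creator'          # reference (resource ID)
        Operation = Get-FimAttr $_ 'Operation'
        Status    = Get-FimAttr $_ 'RequestStatus'
        Policies  = Get-FimAttr $_ 'ManagementPolicy' # Applied Policy (MPR IDs)
    }
} | Sort-Object Created |
    Select-Object Summary, Created, Requestor, Operation, Status, Policies |
    Format-Table -AutoSize
```

Requestor and Policies are returned as resource identifiers rather than display names; resolve them with a second query if names are needed in the report.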

Receive notification for an open group

In a previous step, you created the group Marketing News, which is an open group; that is, an owner approval is not required for a user to join the group. In addition, you created a new workflow activity so that owners will be notified when a user joins the group. Because this is just an informational notification, there is no further action required from the owner.

In this procedure, Jbischoff will join the group Marketing News with an immediate confirmation, and the owner will receive an e-mail notification.

Request to join an open group

In this step, use the FIM Portal or the FIM Add-in for Outlook to request that members be added to a group.

To request to join a group using the FIM Portal

  1. Log on to the FIM Portal as Jbischoff.

  2. On the home page, in the Navigation Bar, click Distribution Groups (DGs).

  3. Click the search icon next to Search for to display all the DGs in FIM.

  4. Select the Marketing News check box, click Join, and then click Submit.

  5. The Join Group page indicates that the request status is Completed.

  6. Click OK.

To request to join a group using Outlook

  1. Log on to the client computer as Jbischoff, and then open Outlook 2007.

  2. At the top, go to the Groups toolbar, and in the drop-down list, select Join Group. This action opens a preconfigured e-mail that is addressed to Administrator. This cannot be changed, but FIM 2010 knows to send Bsimon an e-mail, provided that user is an owner of the DG.

  3. Click Join.

  4. Click Marketing News, and then click OK.

  5. Click Send.

Notification

Because an approval is not required for this group, the owner, Bsimon, will simply receive a notification e-mail informing him that Jbischoff has joined the Marketing News group. Log in as Bsimon, and open Outlook 2007 to verify the notification e-mail. This notification is the result of the configuration in the first step of this document.

Verify the group join request

In this step, use the FIM Portal to verify that the user was added to the group.

To verify the group join request

  1. Log on to the FIM Portal as Jbischoff.

  2. On the home page, in the Navigation Bar, click My DG Memberships.

  3. Verify that Marketing News appears in the list.

    Note

    To verify the membership using Outlook, go to the Groups toolbar. In the drop-down list, click Group Management Website, and then follow steps 2 and 3.

Approve a request to join a group with multiple owners

Groups in FIM can be configured to have multiple owners. Multiple owner groups can be used in scenarios where a group spans different departments, such as Engineering and Marketing. For these groups you can configure the approval workflow to require approval from both departments.

In this scenario, you will create a new approval workflow that will require the approval of two group owners, and associate the new workflow with an MPR.

Create a new approval workflow

In the following procedures, you will create a new workflow for group owner approval, create a new workflow activity that requires multiple owner approval, and then link the new workflow activity to an existing MPR.

Note

You must be an administrator in the FIM Portal to create a workflow.

To create a new workflow and activity

  1. Log on to the FIM Portal as an administrator.

  2. On the FIM 2010 home page, on the Navigation Bar under Management Policy Rules, click Workflows.

  3. Click New.

  4. In Workflow Name, type Multiple Owner Approval Workflow.

  5. In Description, type Requires the approval of two group owners when members are added.

  6. In Workflow Type, select Authorization, and then click Next.

  7. In Activity Picker, select Approval, and then click Select.

  8. In Approvers, click Lookup.

  9. In Workflow Parameter select Target.

  10. In Parameter Attribute select Owner.

  11. In Approval Threshold, enter 2, and then click OK.

    Note

    For this example, you will use the default e-mail approval and request e-mail templates. However, as in the previous scenario, you have the option to create a custom e-mail template and specify it here.

  12. Click Save, click Finish, and then click Submit.

To update an MPR

  1. On the FIM 2010 home page, click Management Policy Rules on the Navigation Bar.

  2. In Search for, type approval, and then press ENTER. This action displays all the MPRs with "approval" in the Display Name.

  3. Click the Display Name of the MPR Distribution list management: Users can add or remove any members of groups subject to owner approval.

  4. On the Policy Workflows tab, scroll to Authorization Workflows, and then select the check box next to the workflow that you created in the previous step, Multiple Owner Approval Workflow.

  5. Click OK, and then click Submit.

Request to join a group

After joining Marketing Strategy Discussion, Jbischoff also needs to join the Marketing Communications Review group. In this step, use the FIM Portal or the FIM Add-in for Outlook to submit another request.

To request to join a group using the FIM Portal

  1. Log on to the FIM Portal as Jbischoff.

  2. On the home page, in the Navigation Bar, click Distribution Groups (DGs).

  3. Click the search icon next to Search for to display all the DGs in FIM.

  4. Select the Marketing Communications Review check box, click Join, and then click Submit.

  5. The Join Group page indicates that the request state is Pending Approval by the owners.

  6. Click OK.

To request to join a group using Outlook

  1. Log on to the client computer as Jbischoff, and then open Outlook 2007.

  2. At the top, go to the Groups toolbar, and in the drop-down list, select Join Group. This action opens a preconfigured e-mail that is addressed to Administrator. This cannot be changed, but FIM 2010 knows to send Bsimon an e-mail, provided that user is an owner of the DG.

  3. Click Join.

  4. Choose Marketing Communications Review, and then click OK.

  5. Click Send.

Join group request is processed by both of the approvers

After Jbischoff submits the join group request, the owners of Marketing Communications Review, Tadams and Bsimon, receive notification of a request to join their group. Because the new approval workflow requires two approvals, both Tadams and Bsimon must approve the request.

To approve a request using the FIM Portal

  1. Log on to the FIM Portal as Tadams.

  2. On the home page, in the Navigation Bar, click Approve Requests.

  3. Select the Update to Group: 'Marketing Communications Review' request check box, and then click Approve.

To approve a request using Outlook

  1. Log on as Bsimon, and then open Office Outlook 2007.

    The Inbox for Bsimon contains the approval request e-mail message for Jbischoff to join Marketing Communications Review.

    Upon receiving the first approval or approval update e-mail message, two Search folders are created in both the mailboxes of Tadams and Bsimon:

    Approval Requests

    Approval Requests - Updates

  2. Approve the join group request as Bsimon in one of the following ways:

    • On the Outlook 2007 main window, under Inbox, select the approval message. In the bottom part of the reading pane, click Approve, and then click Send.

    • On the Outlook 2007 main window, under Inbox, select and right-click the approval message. Click Approve, and then click Send.

    • Open the e-mail message, click Approve on the Approval tab in the Outlook 2007 ribbon, and then click Send.

    • Select the approval e-mail, open the Actions menu, click Approve, and then click Send.

    • In the Outlook 2007 main window, go to Approval Requests, and then select the approval message. In the bottom part of the reading pane, click Approve.

After the approval request is approved, several actions occur:

  • Tadams and Bsimon receive an Approval Request Update in their Inbox stating there has been an approval update.

  • The Approval Requests - Updates folder contains the approval update notification message sent by FIM 2010 after an owner has approved the join group request.

  • The original approval request e-mail is moved to the Deleted Items folder.

    You can modify this behavior in Outlook 2007. If you click the Tools menu, select Options and click the Approval tab, you can configure the behavior of the approval request message after it has been processed so that it remains in the user’s inbox. If the Add-in is configured to keep the original approval request in the user’s inbox, you can also see the request in the Approval Requests search folder.

Verify the group join request

In this step, use the FIM Portal to verify that the user was added to the group.

To verify the group join request

  1. Log on to the FIM Portal as Jbischoff.

  2. On the home page, in the Navigation Bar, click Approve Requests.

  3. In Search within, select Completed.

  4. Click the request, and then verify the properties of the request.