Custom Resource and Attribute Management Deployment Guide
Applies To: Forefront Identity Manager 2010
Microsoft® Forefront® Identity Manager (FIM) 2010 provides an extensible schema for creating and managing custom resources and attributes. In this document, you walk through the deployment steps for creating and managing custom resources from beginning to end.
This document describes the steps for configuring FIM to enable administrators and end users to manage custom resources coming from—or going to—Active Directory® Domain Services (AD DS) or other connected systems. This document assumes that you are familiar with FIM.
For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.
This document describes the following:
Configuring the FIM Synchronization Engine to synchronize custom resources between a connected system and FIM
Configuring the synchronization rules in FIM
Extending the FIM schemas
Managing the FIM schemas
Managing the permissions of a new custom resource
Configuration of the FIM Portal user interface (UI) to manage a new custom resource
This document is intended for information technology (IT) planners, systems administrators, infrastructure planners, and IT professionals who will design and manage custom resources and attributes in FIM.
This document assumes that you have a basic understanding of FIM and Active Directory or AD DS. You must complete the steps in Publishing Active Directory Users from Two Authoritative Data Sources before you start with this document, because this document assumes that your environment is the same as the end environment of that document.
The following documents are recommended as prerequisite reading for completion of the tasks in this deployment guide:
The time it takes to complete the steps in this document varies, depending on your previous knowledge of the FIM Synchronization Engine and other concepts in FIM. It can take from two or three hours to a full day to complete the steps in this document.
Note
These time estimates assume that the testing environment is already configured for the scenario. They do not include the time required to set up the test environment.
If you encounter issues that are not addressed in this document, use the Forefront Identity Manager 2010 forums resources for assistance. The forum brings together experts from the community to collaborate on FIM topics. These community members may be able to help answer your questions.
Before you begin walking through the steps in this document:
The pilot environment (also known as the test lab) must be installed, configured, and validated. It is important to validate all configurations in a safe environment. Adverse configurations can lead to deleted resources in connected systems, such as AD DS.
Your environment must be set up to be similar to the end environment in Publishing Active Directory Users From Two Authoritative Data Sources.
Fabrikam wants to allow their employees, contractors, and onsite employees of partner organizations (such as auditors) to access the company's networks (both wired and wireless) from personal devices, such as notebooks and smart phones. Fabrikam’s employees must get approval from their managers and from the IT manager to allow these computers to access Fabrikam resources. Much of this approval process occurs through person-to-person conversation or e-mails. Fabrikam wants to use FIM to automate the process.
The scenario roadmap in this document consists of two phases:
Configuring the scenario – In this phase, you configure all the required scenario components, including management agents, synchronization rules, custom schema resources, UI configuration, management policy rules (MPRs), and workflows.
Testing the scenario – In this phase, you verify that the scenario works according to the outlined scenario specification.
In this section, you will complete the following procedures to configure the FIM components:
Back up the existing pilot environment
Configure the computer schema object in the AD DS Management Agent
Configure the computer schema object in the Metaverse (MV)
Configure the FIM schema to include the elements that you need for managing computer resources in FIM
Grant permission to the appropriate users to manage computer resources
Configure inbound/outbound FIM Synchronization Rules to synchronize the data for computer resources
Configure the manager approval workflow activity
Configure a workflow to add computer resources to appropriate security groups
Customize the UI configuration for computer resource management
Back up the FIM Synchronization Service and FIM Service in the pilot environment (also known as the test or test lab environment) that you are currently working on. This step is necessary if you ever want to restore your pilot environment to its original configuration. To complete this task, see the FIM 2010 Backup and Restore Guide (https://go.microsoft.com/fwlink/?LinkId=165864).
In this step, you add the computer object to the AD DS Management Agent. It is assumed that you already have a management agent created for AD DS that synchronizes users and groups, as described in Publishing Active Directory Users From Two Authoritative Data Sources (https://go.microsoft.com/fwlink/?LinkId=165860).
On the Windows server that is running the FIM Synchronization Service, click Start, click Programs, click Microsoft Forefront Identity Manager, then click Synchronization Service.
Click Management Agents, and then double-click ADMA.
Select computer as an available object type in the AD DS Management Agent. See the Synchronization Manager online Help for more information about this step.
Select the following attributes for the computer object type in the AD DS Management Agent. (These attributes should already be selected for group and user objects in your environment.)
sAMAccountName
cn
csObjectID
dn
description
displayName
managedBy
In this step, you will define an object type to represent the computer in the metaverse.
Note
The computer object type should already exist in the metaverse in your environment. If it does not exist, you must add it to the metaverse. (See the Synchronization Manager online Help for more information about this step.)
Select the following attributes to add to computer object type. Although you can add any attribute to the computer object type, the following attributes are used in this scenario:
accountName
cn
dn
description
displayedOwner
displayName
l
o
ou
seeAlso
In this step, you will define a resource type to represent computers in the FIM store and in the FIM Management Agent. You must be logged on to the FIM Portal as a member of the Administrators set to complete this step. For more details about the following steps, see Introduction to Custom Resource and Attribute Management (https://go.microsoft.com/fwlink/?LinkID=165857).
Create a new FIM resource type with the following properties to represent computers in the FIM Portal.
System Name: CustomComputer
Display Name: Computer
Description: Computers in Fabrikam
Create the following attribute, which will be bound to computer resources:
CustomAccessLevel
This attribute lets users define what access level they want for their computers. The options for this attribute are as follows:
None: No access to any resources.
Internet: Internet-only access.
All: Access to all company resources.
System Name: CustomAccessLevel
Display Name: Access Level
Data Type: Indexed string
Description: Defines what access level a computer has
String pattern: ^(None|Internet|All)?$
Note
The trailing ? makes the whole value optional, so an empty Access Level also passes the pattern. Treat an empty value as None wherever the attribute is evaluated; the group filters later in this document only match All and Internet, so a computer with an empty value falls into neither group.
Create the following bindings for the computer resource.
CustomComputer and CustomAccessLevel
Resource Type: CustomComputer
Attribute Type: CustomAccessLevel
Required: false
Display Name (Overrides): Access Level
Description (Overrides): Defines what access level a computer has
String pattern (Overrides): ^(None|Internet|All)?$
CustomComputer and AccountName
Resource Type: CustomComputer
Attribute Type: AccountName
Required: true
Display Name (Overrides): Account Name
Description (Overrides): Account Name for a computer
String pattern (Overrides): ^[^"/\\[\]:;|=,+*?<>]{1,64}$
Note
This pattern only excludes the characters that are invalid in a sAMAccountName; it is a portal-side check, not what AD DS enforces. Computer accounts in AD DS conventionally use the NetBIOS name (at most 15 characters) followed by $ as the sAMAccountName. Make sure that the values users enter match what the outbound flow writes, or the relationship criterion (accountName to sAMAccountName) will not join the FIM resource to the existing AD DS object.
CustomComputer and DisplayedOwner
Resource Type: CustomComputer
Attribute Type: DisplayedOwner
Required: false
Display Name (Overrides): Owner
Description (Overrides): Owner of the computer
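The same schema objects can be created from PowerShell instead of the portal, which is useful for repeating the change from the pilot environment into production without retyping the values. The following script is an added example and is not part of this guide or of FIM's own documentation. It assumes the FIMAutomation snap-in (its ImportObject/ImportChange object model and the Import-FIMConfig and Export-FIMConfig cmdlets), a caller who is a member of the Administrators set, and that the portal's Indexed string data type corresponds to DataType String; the helper names (New-FimCreateObject, Set-FimAttribute, Get-FimObjectId) are this example's own.

```powershell
# Added example: creates the CustomComputer resource type, the CustomAccessLevel
# attribute and the binding between them with the FIMAutomation snap-in instead
# of clicking through the portal. Not code from the deployment guide.
# Assumptions: runs on the FIM Service server as a member of the Administrators
# set; ImportObject/ImportChange and Import-FIMConfig/Export-FIMConfig are the
# ones shipped with the FIMAutomation snap-in.
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# Build an ImportObject whose State is Create for the given FIM resource type.
function New-FimCreateObject([string]$ObjectType) {
    $obj = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $obj.ObjectType             = $ObjectType
    $obj.SourceObjectIdentifier = [Guid]::NewGuid().ToString()
    $obj.TargetObjectIdentifier = $obj.SourceObjectIdentifier
    $obj.State                  = 'Create'
    return $obj
}

# Queue a Replace change for one single-valued attribute on an ImportObject.
function Set-FimAttribute($Object, [string]$Name, [string]$Value) {
    $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $change.Operation      = 'Replace'
    $change.AttributeName  = $Name
    $change.AttributeValue = $Value
    $change.FullyResolved  = $true
    $change.Locale         = 'Invariant'
    if ($null -eq $Object.Changes) { $Object.Changes = @($change) }
    else                           { $Object.Changes += $change }
}

# Resolve an XPath filter to the ObjectID of exactly one existing resource, so a
# reference attribute (BoundObjectType, BoundAttributeType) can point at it.
function Get-FimObjectId([string]$XPath) {
    $export = @(Export-FIMConfig -CustomConfig $XPath -OnlyBaseResources)
    if ($export.Count -ne 1) { throw "Expected one resource for $XPath, found $($export.Count)" }
    # ObjectIdentifier comes back as urn:uuid:<guid>; the bare GUID is used for the
    # reference value (assumption: FIM accepts it in this form).
    return ($export[0].ResourceManagementObject.ObjectIdentifier -replace '^urn:uuid:', '')
}

# 1. Resource type (ObjectTypeDescription), values from the guide's table.
$type = New-FimCreateObject 'ObjectTypeDescription'
Set-FimAttribute $type 'Name'        'CustomComputer'
Set-FimAttribute $type 'DisplayName' 'Computer'
Set-FimAttribute $type 'Description' 'Computers in Fabrikam'
$type | Import-FIMConfig

# 2. Attribute type (AttributeTypeDescription). StringRegex carries the pattern;
#    the portal's "Indexed string" choice is assumed to map to DataType String.
$attr = New-FimCreateObject 'AttributeTypeDescription'
Set-FimAttribute $attr 'Name'        'CustomAccessLevel'
Set-FimAttribute $attr 'DisplayName' 'Access Level'
Set-FimAttribute $attr 'DataType'    'String'
Set-FimAttribute $attr 'Multivalued' 'false'
Set-FimAttribute $attr 'Description' 'Defines what access level a computer has'
Set-FimAttribute $attr 'StringRegex' '^(None|Internet|All)?$'
$attr | Import-FIMConfig

# 3. Binding (BindingDescription). The pattern is repeated on the binding so it
#    stays enforced for CustomComputer even if the attribute-level pattern is
#    later relaxed for another resource type.
$binding = New-FimCreateObject 'BindingDescription'
Set-FimAttribute $binding 'BoundObjectType'    (Get-FimObjectId "/ObjectTypeDescription[Name='CustomComputer']")
Set-FimAttribute $binding 'BoundAttributeType' (Get-FimObjectId "/AttributeTypeDescription[Name='CustomAccessLevel']")
Set-FimAttribute $binding 'Required'    'false'
Set-FimAttribute $binding 'DisplayName' 'Access Level'
Set-FimAttribute $binding 'Description' 'Defines what access level a computer has'
Set-FimAttribute $binding 'StringRegex' '^(None|Internet|All)?$'
$binding | Import-FIMConfig

# Verify the binding exists before the Synchronization Filter / iisreset step.
$verify = "/BindingDescription[BoundObjectType=/ObjectTypeDescription[Name='CustomComputer'] " +
          "and BoundAttributeType=/AttributeTypeDescription[Name='CustomAccessLevel']]"
if (-not (Export-FIMConfig -CustomConfig $verify -OnlyBaseResources)) {
    throw 'Binding CustomComputer/CustomAccessLevel was not created'
}
```

Each Import-FIMConfig call is a separate request that goes through the MPRs, so the caller must have Create rights on schema resources (the Administrators set has them by default). The closing export is the check that the binding is really there; if it throws, do not continue to the Synchronization Filter step, because the FIM Management Agent will not see the new type.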
Add the computer resource type to the Synchronization Filter resource. This step makes it possible for the FIM Management Agent to see the new computer resource type.
To add the computer resource type to the Synchronization Filter resource
On the FIM Portal home page, under Administration, click All Resources.
Click Page 2, and then click Synchronization Filter.
Click Synchronization Filter, and then click Extended Attributes.
Add Computer (the CustomComputer resource type) to the list of resource types in Synchronize ObjectTypeDescription.
Click OK, and then click Submit.
Run the iisreset command to refresh the schema and make the computer resource available in the FIM Management Agent.
In this step, you grant all users the right to create and read computer resources, grant the owner of a computer the right to modify it, and grant computer administrators full control over computer resources. For more details about the following steps, see Introduction to Management Policy Rules (https://go.microsoft.com/fwlink/?LinkID=165856).
Create a set called Computer Administrators that includes all users who are computer administrators. You can use this set in the MPRs that follow. If you have separate administrators who handle computer management, you will need this set.
Display Name: Computer Administrators
Description: None
Enable criteria-based membership in current set: false
Manually managed members: FIM Portal administrator account
Create a set called All Computers that includes all the computer resources in FIM.
Display Name: All Computers
Description: None
Enable criteria-based membership in current set: true
Filter: /CustomComputer
(This filter selects all computers. XPath filters use the system name of the resource type, CustomComputer, not its display name.)
Create an MPR to grant rights to manage computer resources to Computer Administrators.
Display Name: Computer administrators have full control over computers
Description: None
Type: Request
Disabled: Unchecked (false)
Specific Set of Requestors: Computer Administrators
Operation: Create, Modify, Delete, Add, Remove, Read
Permissions: Grants permission checked
Target Resource Definition Before Request: All Computers
Target Resource Definition After Request: All Computers
Resource Attributes: All Attributes
Authentication Workflows: None
Authorization Workflows: None
Action Workflows: None
Create an MPR that gives all users rights to create and read computer resources.
Display Name: All users can create and read computer resources
Description: None
Type: Request
Disabled: Unchecked
Specific Set of Requestors: All People
Operation: Create, Read
Permissions: Grants permission checked
Target Resource Definition Before Request: All Computers
Target Resource Definition After Request: All Computers
Resource Attributes: Account Name, Access Level, Display Name, Description, Owner
Authentication Workflows: None
Authorization Workflows: None
Action Workflows: None
Create an MPR that gives the owner of a computer rights to read, modify, and delete that computer.
Display Name: Computer owners can modify computers
Description: None
Type: Request
Disabled: Unchecked
Relative to Resource: Displayed Owner
Operation: Read, Modify, Delete
Permissions: Grants permission checked
Target Resource Definition Before Request: All Computers
Target Resource Definition After Request: All Computers
Resource Attributes: Account Name, Access Level, Display Name, Description, Owner
Authentication Workflows: None
Authorization Workflows: None
Action Workflows: None
Update the existing Administrator Filter Permission resource to include CustomAccessLevel as an allowed attribute. This makes it possible for administrators to create sets and criteria-based groups whose filters use this attribute.
Allowed Attribute: Add CustomAccessLevel
Create a new MPR to grant the Synchronization Engine permission to manage computer resources.
Display Name: Synchronization account controls computer resources
Description: None
Type: Request
Disabled: Unchecked
Specific Set of Requestors: Synchronization Engine
Operation: Create, Delete, Remove, Modify, Add, Read
Permissions: Grants permission checked
Target Resource Definition Before Request: All Computers
Target Resource Definition After Request: All Computers
Resource Attributes: All
Authentication Workflows: None
Authorization Workflows: None
Action Workflows: None
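Before you move on, confirm what the MPRs you just created actually grant: a rule with Grants permission checked, All People as requestors and Modify as an operation would let any user change Access Level directly, with no owner or administrator involvement. The following script is an added example and is not part of this guide. It uses the FIMAutomation snap-in's Export-FIMConfig cmdlet and ExportObject model, the schema attribute names of the ManagementPolicyRule resource (GrantRight, Disabled, PrincipalSet, PrincipalRelativeToResource, ActionType, ActionParameter, ResourceCurrentSet, ResourceFinalSet) and the set display names used in this document; the helper functions are the example's own.

```powershell
# Added example, not from the deployment guide: list every enabled MPR that
# grants rights on the All Computers set and flag any rule that gives Modify to
# All People. Assumes the FIMAutomation snap-in and that the set display names
# are the ones used in this document ('All Computers', 'All People').
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# Value(s) of one attribute of an exported resource, or $null if absent.
function Get-FimAttributeValue($ExportObject, [string]$Name) {
    $a = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
         Where-Object { $_.AttributeName -eq $Name }
    if ($null -eq $a) { return $null }
    if ($a.IsMultiValue) { return $a.Values } else { return $a.Value }
}

# DisplayName of the resource that a reference attribute points at.
function Get-FimDisplayName([string]$ObjectId) {
    if ([string]::IsNullOrEmpty($ObjectId)) { return '(none)' }
    $guid = $ObjectId -replace '^urn:uuid:', ''
    $o = Export-FIMConfig -OnlyBaseResources -CustomConfig "/*[ObjectID='$guid']"
    if ($null -eq $o) { return $ObjectId }
    return (Get-FimAttributeValue $o 'DisplayName')
}

# Enabled, right-granting MPRs whose target (before or after) is All Computers.
$xpath = "/ManagementPolicyRule[GrantRight=true and Disabled=false and " +
         "(ResourceCurrentSet=/Set[DisplayName='All Computers'] " +
         "or ResourceFinalSet=/Set[DisplayName='All Computers'])]"
$rules = @(Export-FIMConfig -OnlyBaseResources -CustomConfig $xpath)

$report = foreach ($r in $rules) {
    $principalSet = Get-FimAttributeValue $r 'PrincipalSet'
    $relative     = Get-FimAttributeValue $r 'PrincipalRelativeToResource'
    if ($principalSet) { $who = Get-FimDisplayName $principalSet }
    else               { $who = "relative to resource: $relative" }
    [pscustomobject]@{
        Rule       = Get-FimAttributeValue $r 'DisplayName'
        Requestors = $who
        Operations = @(Get-FimAttributeValue $r 'ActionType') -join ', '
        Attributes = @(Get-FimAttributeValue $r 'ActionParameter') -join ', '
    }
}
$report | Format-Table -AutoSize

# The guide's design: All People get Create and Read only; Modify is limited to
# the owner (relative to resource), Computer Administrators and the
# Synchronization Engine. Anything else is a finding.
foreach ($row in $report) {
    if ($row.Requestors -eq 'All People' -and $row.Operations -match 'Modify') {
        Write-Warning "MPR '$($row.Rule)' grants Modify on computers to All People"
    }
}
```

Expect exactly four rows after this step (administrators, all users, owners, synchronization account). Re-run the script after the approval MPR later in this document is created: that rule must not appear here, because it should not grant rights at all.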
In this step, you configure the synchronization rules that define how computer data flows between Active Directory or Active Directory Domain Services (AD DS) and FIM. You create one inbound synchronization rule that flows computer resources from Active Directory or AD DS to FIM, and one outbound synchronization rule that provisions computer resources from FIM to Active Directory or AD DS. You can follow the same format to create a persistent rule that synchronizes later modifications of computer resources to Active Directory or AD DS. Outbound synchronization rules must be applied by an action workflow, which in turn is triggered by an MPR. In this scenario, the creation of a computer in the FIM Portal triggers the action workflow that applies the outbound synchronization rule, so the new computer is provisioned to Active Directory or AD DS. If you also want changes to an existing computer to flow to Active Directory or AD DS, you must create a similar workflow and MPR for the Modify operation.
Note
This step assumes that you already have synchronization rules, workflows, and MPRs set up to synchronize security group membership from FIM to Active Directory or AD DS. This is the key to synchronizing computers as members of a security group to Active Directory or AD DS.
Log on to the FIM Portal as Administrator.
On the FIM Portal home page, under Management Policy Rules, click Sets.
On the Sets page, click New.
On the General page, enter the following information:
Display name: All People Except Built-in Sync Account
Click Next.
On the Criteria-based Members page, make sure that Enable criteria-based membership in current set is selected, click All Resources, and then select User from the drop-down menu.
Click Add Statement, click Click to select attribute, and then select Resource ID from the drop-down menu.
Make sure that is not is selected as the operator. Click Click to select value, in Search for enter built-in, and then click the search icon.
Select Built-in Synchronization Account, and then click OK.
Click Finish, then click Submit.
Create a new inbound synchronization rule to synchronize computers from Active Directory or AD DS to FIM.
Display Name: Inbound Sync Rule AD Computers
Description: None
Dependency: None
Data Flow Direction: Inbound
Metaverse Resource Type: computer
External System: Name of your AD MA
External System Resource Type: Computer
External System Scoping Filter: None
Relationship Criteria: accountName maps to sAMAccountName
Create Resource in FIM: Checked (true)
Inbound Attribute Flows: Add the following attribute flows:
sAMAccountName => accountName
cn => displayName
description => description
managedBy => displayedOwner
Create a new outbound synchronization rule to synchronize computers from FIM to Active Directory or AD DS.
Display Name: Outbound Sync Rule AD Computers
Description: None
Dependency: None
Data Flow Direction: Outbound
Metaverse Resource Type: computer
External System: Name of your AD MA
External System Resource Type: Computer
External System Scoping Filter: None
Relationship Criteria: accountName maps to sAMAccountName
Create Resource in External System: Checked (true)
Enable Deprovisioning: Checked (true)
Outbound Attribute Flows: Add the following attribute flows:
accountName => sAMAccountName (Initial Flow only)
"cn="+displayName+",cn=Computers,dc=fabrikam,dc=com" => dn
description => description
displayedOwner => managedBy
Note
displayName is set by end users and has no string pattern in this scenario. A value that contains characters that are special in an LDAP distinguished name (comma, plus sign, quotation mark, backslash, angle brackets, semicolon) produces an invalid dn, so the export to AD DS fails or the RDN is not the one you intended. Use the EscapeDNComponent function in the custom expression, or build the RDN from accountName, whose pattern already excludes those characters. Enable Deprovisioning means that a computer removed from the scope of this rule in FIM is deprovisioned in AD DS as well; validate this in the pilot environment before enabling it in production.
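The outbound dn expression concatenates displayName, a value that end users set, into a distinguished name, and the string patterns defined in the schema step are the only input checks in front of it. The following script is an added example (not code from this guide or from FIM) that shows what the AccountName and Access Level patterns from the schema step actually admit, and how RFC 4514 escaping changes the dn for values that the portal accepts as displayName. The escaping function is the example's own and is not FIM's EscapeDNComponent; the container and domain are the guide's sample values, and the three display names are constructed test inputs.

```powershell
# Added example, not from the deployment guide. Two checks on user-controlled
# values before they reach AD DS: (1) what the guide's string patterns for
# AccountName and Access Level admit, and (2) why the dn expression in the
# outbound flow needs the RDN value escaped. ConvertTo-DnEscapedValue is this
# example's own RFC 4514 escaping, not FIM's EscapeDNComponent.

$AccountNamePattern = '^[^"/\\[\]:;|=,+*?<>]{1,64}$'   # binding pattern from the guide
$AccessLevelPattern = '^(None|Internet|All)?$'         # attribute pattern from the guide

# Same engine FIM uses for StringRegex: .NET regex, case-sensitive.
function Test-PortalPattern([string]$Value, [string]$Pattern) {
    return [regex]::IsMatch($Value, $Pattern)
}

# Escape one attribute value for use inside an RDN (RFC 4514, section 2.4):
# backslash first, then , + " < > ; = and NUL, then a leading # or space and a
# trailing space.
function ConvertTo-DnEscapedValue([string]$Value) {
    $s = $Value.Replace('\', '\\')
    foreach ($c in ',', '+', '"', '<', '>', ';', '=') { $s = $s.Replace($c, '\' + $c) }
    $s = $s.Replace([string][char]0, '\00')
    if ($Value.StartsWith('#') -or $Value.StartsWith(' ')) { $s = '\' + $s }
    if ($Value.EndsWith(' ') -and $Value.Length -gt 1) { $s = $s.Substring(0, $s.Length - 1) + '\ ' }
    return $s
}

# The guide's dn expression, with the RDN value escaped.
function New-ComputerDn([string]$DisplayName, [string]$Container = 'cn=Computers,dc=fabrikam,dc=com') {
    return 'cn=' + (ConvertTo-DnEscapedValue $DisplayName) + ',' + $Container
}

# Constructed inputs: displayName has no pattern in the guide, so all three can
# be entered in the portal; only the first yields a sane dn without escaping.
$names = 'LAPTOP-0042', 'Sales Notebook, EMEA', 'Admin+cn=DC01'
foreach ($n in $names) {
    [pscustomobject]@{
        DisplayName = $n
        UnescapedDn = 'cn=' + $n + ',cn=Computers,dc=fabrikam,dc=com'   # what the flow as written produces
        EscapedDn   = New-ComputerDn $n
    }
}

# AccountName already rejects the DN metacharacters, so deriving the RDN from
# accountName is the simpler fix. Access Level is optional ('?'): an empty value
# passes and must be treated as None downstream; the match is case-sensitive,
# so 'all' is rejected.
foreach ($v in $names) {
    [pscustomobject]@{ Value = $v; AccountNamePatternOk = Test-PortalPattern $v $AccountNamePattern }
}
foreach ($v in 'All', 'all', '') {
    [pscustomobject]@{ Value = "'$v'"; AccessLevelPatternOk = Test-PortalPattern $v $AccessLevelPattern }
}
```

In the outbound rule itself, use EscapeDNComponent in the custom expression or build the RDN from accountName; in either case, consider adding a string pattern to the CustomComputer/DisplayName binding rather than relying on the default, since displayName is also what the portal shows to approvers.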
Create a new action workflow that applies the outbound synchronization rule to computers that should be provisioned.
Workflow Name: Synchronize Computers to AD
Description: None
Workflow Type: Action
Run on Policy Update: Unchecked (false)
Activity Picker: Pick: Synchronization Rule Activity
Synchronization Rule Activity Definition:
Synchronization Rule: Outbound Sync Rule AD Computers
Action Selection: Add
Create an MPR that calls the previous action workflow whenever a computer is created.
Display Name: Synchronize Computers to AD
Description: None
Type: Request
Disabled: Unchecked (false)
Specific Set of Requestors: All People Except Built-in Sync Account
Operation: Create
Permissions: Grants permission unchecked
Target Resource Definition After Request: All Computers
Resource Attributes: All
Authentication Workflows: None
Authorization Workflows: None
Action Workflows: Synchronize Computers to AD
Important
Make sure that the existing outbound synchronization rule for groups contains the attribute flow members (MV)=>members (AD). Also make sure that the members attribute in the metaverse is mapped to the ComputedMembers attribute in FIM.
In this step, you create an approval workflow and an MPR that send an approval e-mail to the manager of the user who submits the request (in this scenario, the requestor is the owner of the computer). If the manager approves the creation of the computer or the change to its access level, the request is committed and the computer falls into the matching criteria-based security group that you configure later in this document.
Create a manager approval workflow with the following properties.
Workflow Name: Manager approves computer creation/editing
Description: None
Workflow Type: Authorization
Activity Picker: Pick: Approval
Approval Activity Definition:
Approver: [//Requestor/Manager]
Approver Threshold: 1
Duration: 3
Escalate Approver: None
We are using the default e-mail templates for this exercise. In real production, you can create your own e-mail templates and reference them here to customize various e-mails.
Create a manager approval MPR with the following properties.
Type: Request
Specific Set of Requestors: All People
Operation: Create, Modify
Target Resource Definition Before Request: All Computers
Target Resource Definition After Request: All Computers
Resource Attributes: All Attributes
Authorization Workflows: Manager approves computer creation/editing
Note
Leave Grants permission unchecked on this MPR. Its only purpose is to attach the authorization workflow to requests that the permission MPRs created earlier already allow. If it also granted rights, every user would gain Create and Modify on all attributes of every computer, bypassing the narrower permission MPRs.
You will use dynamic (criteria-based) security groups to track all computers of a given access level. This way, whenever a user successfully creates a computer with Access Level set to All or Internet, the computer falls into the corresponding security group. FIM updates the ComputedMembers attribute of the group, and the existing outbound synchronization rule for groups (which this document assumes is already in place, as noted in the synchronization rules step) writes the membership to Active Directory or AD DS. For the purpose of this scenario, we assume that Fabrikam has no existing security groups that manage the access level of computers. You must perform this procedure as an administrator.
Before you configure the security groups, modify the RCDCs for group creation, editing, and viewing so that the CustomComputer resource type is available in the Filter Builder.
From the FIM Portal home page, under Administration, click Resource Control Display Configurations.
Click Configuration for Group Creation.
Click Export Configuration and save the XML file to your computer.
Open the file with an XML editor or with Notepad.
Locate the following line:
<my:Property my:Name="PermittedObjectTypes" my:Value="Person,Group"/>
Add CustomComputer to the permitted resource list so that the line reads:
<my:Property my:Name="PermittedObjectTypes" my:Value="Person,Group,CustomComputer"/>
Save the XML file.
Click Browse, and select the file that you just modified.
Submit the change to the RCDC.
Repeat the steps above for the Configuration for Group Editing RCDC and the Configuration for Group Viewing RCDC.
Run iisreset.
Create a security group that contains all computers whose Access Level is All.
Display Name: Computers that can access everything
E-mail Enabled: Unchecked
Domain: Your domain
Account Name: ComAccAll
Scope: Universal (or any type that is appropriate)
Member Selection: Criteria-based
Description: None
Filter: Select computers that match all of the following conditions: Access Level is All
Owner: Leave the default value
Displayed Owner: Leave the default value
Create a security group that contains all computers whose Access Level is Internet.
Display Name: Computers that can access Internet only
E-mail Enabled: Unchecked
Domain: Your domain
Account Name: ComAccInt
Scope: Universal (or any type that is appropriate)
Member Selection: Criteria-based
Description: None
Filter: Select computers that match all of the following conditions: Access Level is Internet
Owner: Leave the default value
Displayed Owner: Leave the default value
In this step, you will create the UI elements that expose computer management to users. You will create a navigation bar item, a search scope, a homepage item and a custom Resource Control Display Configuration (RCDC) for computer. The default MPR already grants end user rights to view these resources. For more details about this step, see Introduction to Configuring and Customizing the FIM Portal (https://go.microsoft.com/fwlink/?LinkID=165848).
Create a Navigation Bar resource showing My Computers underneath the Users Navigation Bar.
Display Name: My Computers
Description: None
Usage Keyword: BasicUI (this allows all people to see the navigation bar resource)
Parent Order: 3 (same as Users)
Order: 2 (underneath My Profile)
Navigation URL: ~/IdentityManagement/aspx/customized/CustomizedObjects.aspx?type=CustomComputer&display=Computer
Resource Count: None
Create a Search Scope showing My Computers on the All Computers page.
Display Name: My Computers
Description: None
Usage Keyword: Computer, BasicUI, customized
Order: 56
Attribute Searched: DisplayName
Search Scope Filter: /CustomComputer[DisplayedOwner=/Person[AccountName='%LoginID%']]
(The filter uses the system names CustomComputer and DisplayedOwner; DisplayedOwner is a reference, so it is compared against the Person resource of the logged-on user rather than against a string.)
Results Resource Type: CustomComputer
Results Attribute: DisplayName; AccountName; Description; CustomAccessLevel
Redirecting URL: None
Create a Home Page item for My Computers to appear at the bottom of the page as a new Homepage resource.
Display Name: My Computers
Description: Go here to manage my computers.
Usage Keyword: BasicUI
Image Url: None
Region: Center region of home page
Parent Order: 5
Order: 0
Navigation URL: ~/IdentityManagement/aspx/customized/CustomizedObjects.aspx?type=CustomComputer&display=Computer
Resource Count: None
Create an RCDC to show the computer resource. This is the page the users see when they create, edit, or view computer details. For simplicity, create one RCDC that combines all these modes. For details about creating an RCDC, see Introduction to Configuring and Customizing the FIM Portal (https://go.microsoft.com/fwlink/?LinkID=165848).
Run iisreset.
Before testing the scenario, you must add the CustomComputer object to the FIM MA in Synchronization Manager. For more information and steps to do this, see Publishing Active Directory Users from Two Authoritative Data Sources.
Populate your test data in Active Directory or AD DS.
Run the appropriate synchronization steps to test the inbound synchronization rule.
Manage a computer resource as an end user.
Approve the end user request as a manager.
Verify the security group update in Active Directory or AD DS.