Custom Resource and Attribute Management Deployment Guide

Applies To: Forefront Identity Manager 2010

Microsoft® Forefront® Identity Manager (FIM) 2010 provides an extensible schema for creating and managing custom resources and attributes. This document walks you through the deployment steps for creating and managing a custom resource from beginning to end.

What This Document Covers

This document describes the steps for configuring FIM to enable administrators and end users to manage custom resources coming from—or going to—Active Directory® Domain Services (AD DS) or other connected systems. This document assumes that you are familiar with FIM.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

This document describes the following:

  • Configuring the FIM Synchronization Engine so that custom resources can be synchronized between a connected system and FIM

  • Configuring the synchronization rules in FIM

  • Extending the FIM schemas

  • Managing the FIM schemas

  • Managing the permissions of a new custom resource

  • Configuration of the FIM Portal user interface (UI) to manage a new custom resource

Audience

This document is intended for information technology (IT) planners, systems administrators, infrastructure planners, and IT professionals who will design and manage custom resources and attributes in FIM.

Prerequisite knowledge

This document assumes that you have a basic understanding of FIM and Active Directory or AD DS. You must complete the steps in Publishing Active Directory Users from Two Authoritative Data Sources before you start with this document, because this document assumes that your environment is the same as the end environment of that document.

The following documents are recommended as prerequisite reading for completion of the tasks in this deployment guide:

  1. Understanding FIM 2010

  2. Understanding Configuring and Customizing the FIM Portal

  3. Understanding Custom Resource and Attribute Management

  4. Designing Business Policy Rules

Time requirements

The time it takes to complete the steps in this document varies, depending on your previous knowledge of the FIM Synchronization Engine and other FIM concepts. Expect it to take from two or three hours to a full day.

Note

These time estimates assume that the testing environment is already configured for the scenario. They do not include the time required to set up the test environment.

Where to get help

If you encounter issues that are not addressed in this document, use the Forefront Identity Manager 2010 forum for assistance. The forum brings together experts from the community to collaborate on FIM topics, and these community members may be able to help answer your questions.

Test environment

Before you begin walking through the steps in this document:

  1. The pilot environment (also known as the test lab) must be installed, configured, and validated. It is important to validate all configurations in a safe environment. Adverse configurations can lead to deleted resources in connected systems, such as AD DS.

  2. Your environment must be set up to be similar to the end environment in Publishing Active Directory Users From Two Authoritative Data Sources.

Scenario

Fabrikam wants to allow their employees, contractors, and onsite employees of partner organizations (such as auditors) to access the company's networks (both wired and wireless) from personal devices, such as notebooks and smart phones. Fabrikam’s employees must get approval from their managers and from the IT manager to allow these computers to access Fabrikam resources. Much of this approval process occurs through person-to-person conversation or e-mails. Fabrikam wants to use FIM to automate the process.

Scenario roadmap

The scenario roadmap in this document consists of two phases:

  • Configuring the scenario – In this phase, you configure all the required scenario components, including management agents, synchronization rules, custom schema resources, UI configuration, management policy rules (MPRs), and workflows.

  • Testing the scenario – In this phase, you verify that the scenario works according to the outlined scenario specification.

Steps for Configuring the Scenario

In this section, you will complete the following procedures to configure the FIM components:

  1. Back up the existing pilot environment

  2. Configure the computer schema object in the AD DS Management Agent

  3. Configure the computer schema object in the Metaverse (MV)

  4. Configure the FIM schema to include the elements that you need for managing computer resources in FIM

  5. Grant permission to the appropriate users to manage computer resources

  6. Configure inbound/outbound FIM Synchronization Rules to synchronize the data for computer resources

  7. Configure the manager approval workflow activity

  8. Configure a workflow to add computer resources to appropriate security groups

  9. Customize the UI configuration for computer resource management

Step 1: Back up the existing pilot environment

Back up the FIM Synchronization Service and FIM Service in the pilot environment (also known as the test or test lab environment) that you are currently working on. This step is necessary if you ever want to restore your pilot environment to its original configuration. To complete this task, see the FIM 2010 Backup and Restore Guide (https://go.microsoft.com/fwlink/?LinkId=165864).

Step 2: Add the computer object to the AD DS management agent

In this step, you add the computer object to the AD DS Management Agent. It is assumed that you already have a management agent created for AD DS that synchronizes users and groups, as described in Publishing Active Directory Users From Two Authoritative Data Sources (https://go.microsoft.com/fwlink/?LinkId=165860).

To add the computer object to the AD DS Management Agent

  1. On the Windows server that is running the FIM Synchronization Service, click Start, click Programs, click Microsoft Forefront Identity Manager, then click Synchronization Service.

  2. Click Management Agents, and then double-click ADMA.

  3. Select computer as an available object type in the AD DS Management Agent. See the Synchronization Manager online Help for more information about this step.

  4. Select the following attributes for the computer object type in the AD DS Management Agent. (These attributes should already be selected for group and user objects in your environment.)

    • sAMAccountName

    • cn

    • csObjectID

    • dn

    • description

    • displayName

    • managedBy

Step 3: Configure the computer object in the metaverse

In this step, you will define an object type to represent the computer in the metaverse.

Note

The computer object type should already exist in the metaverse in your environment. If it does not, you must add it to the metaverse. (See the Synchronization Manager online Help for more information about this step.)

To configure the computer object in the metaverse

  1. Select the following attributes to add to the computer object type. Although you can add any attribute to the computer object type, the following attributes are used in this scenario:

    • accountName

    • cn

    • dn

    • description

    • displayedOwner

    • displayName

    • l

    • o

    • ou

    • seeAlso

Step 4: Configure the FIM schema to include the necessary elements for managing computer resources

In this step, you define a resource type that represents computers in the FIM Service database and in the FIM Management Agent. You must be logged on to the FIM Portal as a member of the Administrators set to complete this step. For more details about the following steps, see Introduction to Custom Resource and Attribute Management (https://go.microsoft.com/fwlink/?LinkID=165857).

To configure the FIM schema to include the necessary elements for managing computer resources

  1. Create a new FIM resource type with the following properties to represent computers in the FIM Portal.

    System Name: CustomComputer
    Display Name: Computer
    Description: Computers in Fabrikam

  2. Create the following attribute, which will be bound to computer resources:

    1. CustomAccessLevel

      This attribute lets users state which access level they want for their computers. The possible values are as follows:

      • None: No access to any resources.

      • Internet: Internet-only access.

      • All: Access to all company resources.

      System Name: CustomAccessLevel
      Display Name: Access Level
      Data Type: Indexed string
      Description: Defines what access level a computer has
      String pattern: ^(None|Internet|All)?$

  3. Create the following bindings for the computer resource.

    1. CustomComputer and CustomAccessLevel

      Resource Type: CustomComputer
      Attribute Type: CustomAccessLevel
      Required: false
      Display Name (Overrides): Access Level
      Description (Overrides): Defines what access level a computer has
      String pattern (Overrides): ^(None|Internet|All)?$

    2. CustomComputer and AccountName

      Resource Type: CustomComputer
      Attribute Type: AccountName
      Required: true
      Display Name (Overrides): Account Name
      Description (Overrides): Account Name for a computer
      String pattern (Overrides): ^[^"/\\[\]:;|=,+*?<>]{1,64}$

      (The pattern rejects the characters that are not allowed in a sAMAccountName and caps the length at 64; the quotation mark in the character class must be a plain ASCII double quote.)

    3. CustomComputer and DisplayedOwner

      Resource Type: CustomComputer
      Attribute Type: DisplayedOwner
      Required: false
      Display Name (Overrides): Owner
      Description (Overrides): Owner of the computer

  4. Add the computer resource type to the Synchronization Filter resource. This step makes it possible for the FIM Management Agent to see the new computer resource type.

    To add the computer resource type to the Synchronization Filter resource

    1. On the FIM Portal home page, under Administration, click All Resources.

    2. Click Page 2, and then click Synchronization Filter.

    3. Click Synchronization Filter, and then click Extended Attributes.

    4. Add Computer (the CustomComputer resource type) to the list in Synchronize ObjectTypeDescription.

    5. Click OK, and then click Submit.

    6. Run iisreset to refresh the cached schema and make the computer resource type available to the FIM Management Agent.
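The schema changes in this step can also be scripted, which is useful when the same configuration has to be promoted from the pilot environment to production. The following PowerShell script is an added example and not code from the original guide: it creates the CustomAccessLevel attribute with its string pattern, binds it to CustomComputer, and then lists every binding on CustomComputer so you can confirm that AccountName, DisplayedOwner and CustomAccessLevel are present with the expected Required flags. It assumes the FIMAutomation snap-in on a server that can reach the FIM Service at its default address (http://localhost:5725), that the CustomComputer resource type from item 1 already exists, that Import-FIMConfig accepts urn:uuid identifiers as the value of reference attributes, and that the portal's "Indexed string" data type is stored as DataType "String".

```powershell
# Added example, not part of the original guide. Creates the CustomAccessLevel
# attribute, binds it to CustomComputer and prints the resulting bindings.
# Assumptions: FIMAutomation snap-in, default FIM Service URI, CustomComputer
# already exists, urn:uuid values are accepted for reference attributes.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$fimNs = 'Microsoft.ResourceManagement.Automation.ObjectModel'

function New-FimImportObject([string]$objectType, [string]$targetId, [string]$state, [hashtable]$attributes) {
    # Builds one ImportObject; every entry of $attributes becomes a Replace change.
    $obj = New-Object "$fimNs.ImportObject"
    $obj.ObjectType = $objectType
    $obj.TargetObjectIdentifier = $targetId
    $obj.SourceObjectIdentifier = $targetId
    $obj.State = $state            # 'Create' for a new resource, 'Put' for an update
    foreach ($name in $attributes.Keys) {
        $change = New-Object "$fimNs.ImportChange"
        $change.Operation = 'Replace'
        $change.AttributeName = $name
        $change.AttributeValue = $attributes[$name]
        $change.FullyResolved = 1
        $change.Locale = 'Invariant'
        $obj.Changes += $change
    }
    return $obj
}

function Get-FimResourceId([string]$xpath) {
    # Returns the urn:uuid identifier of exactly one resource, or throws.
    $found = @(Export-FIMConfig -CustomConfig $xpath -OnlyBaseResources)
    if ($found.Count -ne 1) { throw "Expected one resource for $xpath, found $($found.Count)" }
    return $found[0].ResourceManagementObject.ObjectIdentifier
}

function Get-FimAttributeValue($exportObject, [string]$name) {
    $a = $exportObject.ResourceManagementObject.ResourceManagementAttributes | Where-Object { $_.AttributeName -eq $name }
    if ($a -eq $null) { return $null }
    if ($a.IsMultiValue) { return @($a.Values) } else { return $a.Value }
}

# 1. The attribute type. The trailing '?' in the pattern allows an empty value,
#    which is why the binding below can leave Required = false.
$attribute = New-FimImportObject 'AttributeTypeDescription' ([guid]::NewGuid().ToString()) 'Create' @{
    Name        = 'CustomAccessLevel'
    DisplayName = 'Access Level'
    Description = 'Defines what access level a computer has'
    DataType    = 'String'        # assumed storage name of the portal's "Indexed string"
    Multivalued = 'False'
    StringRegex = '^(None|Internet|All)?$'
}
$attribute | Import-FIMConfig

# 2. The binding. BoundObjectType and BoundAttributeType are reference attributes,
#    so they take the identifiers of the two schema objects.
$binding = New-FimImportObject 'BindingDescription' ([guid]::NewGuid().ToString()) 'Create' @{
    BoundObjectType    = Get-FimResourceId "/ObjectTypeDescription[Name='CustomComputer']"
    BoundAttributeType = Get-FimResourceId "/AttributeTypeDescription[Name='CustomAccessLevel']"
    Required           = 'False'
    DisplayName        = 'Access Level'
    Description        = 'Defines what access level a computer has'
    StringRegex        = '^(None|Internet|All)?$'
}
$binding | Import-FIMConfig

# 3. Verify: list every attribute bound to CustomComputer with its Required flag.
$bindings = Export-FIMConfig -CustomConfig "/BindingDescription[BoundObjectType=/ObjectTypeDescription[Name='CustomComputer']]" -OnlyBaseResources
foreach ($b in @($bindings)) {
    $attrTypeId = (Get-FimAttributeValue $b 'BoundAttributeType') -replace '^urn:uuid:', ''
    $attrType = Export-FIMConfig -CustomConfig "/AttributeTypeDescription[ObjectID='$attrTypeId']" -OnlyBaseResources
    '{0,-20} Required={1}' -f (Get-FimAttributeValue $attrType 'Name'), (Get-FimAttributeValue $b 'Required')
}
```

Run the verification part on its own before and after the portal procedure if you prefer to create the objects by hand; a binding that is missing from the list is the usual reason a new attribute does not show up in the FIM Management Agent after iisreset.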

Step 5: Grant permission to appropriate users to manage computer resources

In this step, you grant all users the right to create and read computer resources, grant computer owners the right to modify their own computers, and grant computer administrators full control over computer resources. For more details about the following steps, see Introduction to Management Policy Rules (https://go.microsoft.com/fwlink/?LinkID=165856).

To grant permission to appropriate users to manage computer resources

  1. Create a set called Computer Administrators that contains the users who administer computers. The MPRs later in this step refer to this set; you need it if separate administrators handle computer management.

    Display Name: Computer Administrators
    Description: None
    Enable criteria-based membership in current set: false
    Manually managed members: FIM portal administrator account

  2. Create a set called All Computers that contains all the computer resources in FIM.

    Display Name: All Computers
    Description: None
    Enable criteria-based membership in current set: true
    Filter: /CustomComputer
    (This filter selects all computers. XPath filters use the resource type's system name, CustomComputer, not its display name, Computer.)

  3. Create an MPR that grants Computer Administrators the right to manage computer resources.

    Display Name: Computer administrators have full control over computers
    Description: None
    Type: Request
    Disabled: Unchecked (false)
    Specific Set of Requestors: Computer Administrators
    Operation: Create, Modify, Delete, Add, Remove, Read
    Permissions: Grants permission checked
    Target Resource Definition Before Request: All Computers
    Target Resource Definition After Request: All Computers
    Resource Attributes: All Attributes
    Authentication Workflows: None
    Authorization Workflows: None
    Action Workflows: None

  4. Create an MPR that gives all users the right to create and read computer resources.

    Display Name: All users can create and read computer resources
    Description: None
    Type: Request
    Disabled: Unchecked (false)
    Specific Set of Requestors: All People
    Operation: Create, Read
    Permissions: Grants permission checked
    Target Resource Definition Before Request: All Computers
    Target Resource Definition After Request: All Computers
    Resource Attributes: Account Name, Access Level, Display Name, Description, Owner
    Authentication Workflows: None
    Authorization Workflows: None
    Action Workflows: None

  5. Create an MPR that gives the owner of a computer the right to modify it.

    Display Name: Computer owners can modify computers
    Description: None
    Type: Request
    Disabled: Unchecked (false)
    Relative to Resource: Displayed Owner
    Operation: Read, Modify, Delete
    Permissions: Grants permission checked
    Target Resource Definition Before Request: All Computers
    Target Resource Definition After Request: All Computers
    Resource Attributes: Account Name, Access Level, Display Name, Description, Owner
    Authentication Workflows: None
    Authorization Workflows: None
    Action Workflows: None

    Items 4 and 5 let any user set Access Level when creating a computer and let an owner change it afterwards, and nothing in these two MPRs gates that change. The manager approval configured in Step 7 is what prevents a user from giving their own computer the All access level without approval, so do not skip that step.

  6. Update the existing Administrator Filter Permission to include Access Level as an allowed attribute. This makes it possible for administrators to create sets based on this attribute.

    Allowed Attribute: Add CustomAccessLevel

  7. Create an MPR that grants the Synchronization Engine permission to manage computer resources.

    Display Name: Synchronization account controls computer resources
    Description: None
    Type: Request
    Disabled: Unchecked (false)
    Specific Set of Requestors: Synchronization Engine
    Operation: Create, Delete, Remove, Modify, Add, Read
    Permissions: Grants permission checked
    Target Resource Definition Before Request: All Computers
    Target Resource Definition After Request: All Computers
    Resource Attributes: All
    Authentication Workflows: None
    Authorization Workflows: None
    Action Workflows: None
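Because Access Level decides which security group a computer ends up in, it is worth being able to answer "who can set it, and what approval gates the change" from the live configuration rather than from this document. The following PowerShell script is an added example and not code from the original guide: it enumerates every enabled Request MPR whose scope covers Create or Modify of CustomAccessLevel (or of all attributes) and prints, for each, the requestor set or relationship, the operations, the target set, whether the MPR grants the right, and any authorization workflow attached to it. With the configuration from this step and Step 7 you should see the granting MPRs from items 3 to 5 and 7 without approval, and the approval MPR from Step 7 with the manager approval workflow and no grant. It assumes the FIMAutomation snap-in and the default FIM Service address; the attribute names it reads (ActionType, ActionParameter, PrincipalSet, PrincipalRelativeToResource, ResourceFinalSet, GrantRight, AuthorizationWorkflowDefinition) are the FIM schema names of the MPR fields shown in the tables above.

```powershell
# Added example, not part of the original guide. Audits which Request MPRs
# allow Create/Modify of CustomAccessLevel and which of them are gated by an
# authorization workflow. Assumes FIMAutomation and the default FIM Service URI.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

function Get-FimAttributeValue($exportObject, [string]$name) {
    $a = $exportObject.ResourceManagementObject.ResourceManagementAttributes | Where-Object { $_.AttributeName -eq $name }
    if ($a -eq $null) { return $null }
    if ($a.IsMultiValue) { return @($a.Values) } else { return $a.Value }
}

$nameCache = @{}
function Resolve-FimDisplayName([string]$reference) {
    # Maps a urn:uuid reference (Set, workflow, ...) to its DisplayName, with a cache.
    if (-not $reference) { return '(none)' }
    if ($nameCache.ContainsKey($reference)) { return $nameCache[$reference] }
    $id = $reference -replace '^urn:uuid:', ''
    $obj = Export-FIMConfig -CustomConfig "/*[ObjectID='$id']" -OnlyBaseResources
    $display = if ($obj) { Get-FimAttributeValue $obj 'DisplayName' } else { $reference }
    $nameCache[$reference] = $display
    return $display
}

$mprs = Export-FIMConfig -CustomConfig "/ManagementPolicyRule[ManagementPolicyRuleType='Request']" -OnlyBaseResources
$findings = @()
foreach ($mpr in @($mprs)) {
    if ((Get-FimAttributeValue $mpr 'Disabled') -eq 'True') { continue }

    # Scope: only MPRs that cover Create or Modify of CustomAccessLevel ('*' = All Attributes).
    $actions = @(Get-FimAttributeValue $mpr 'ActionType')
    if (-not ($actions -contains 'Create' -or $actions -contains 'Modify')) { continue }
    $params = @(Get-FimAttributeValue $mpr 'ActionParameter')
    if (-not ($params -contains 'CustomAccessLevel' -or $params -contains '*')) { continue }

    # Who may request: a set of requestors, or a relationship to the target resource.
    $requestors = Get-FimAttributeValue $mpr 'PrincipalSet'
    $relative   = Get-FimAttributeValue $mpr 'PrincipalRelativeToResource'
    $who = if ($requestors) { Resolve-FimDisplayName $requestors } else { "relative to resource: $relative" }

    $authz = @(Get-FimAttributeValue $mpr 'AuthorizationWorkflowDefinition') |
        Where-Object { $_ } | ForEach-Object { Resolve-FimDisplayName $_ }

    $findings += New-Object PSObject -Property @{
        MPR        = Get-FimAttributeValue $mpr 'DisplayName'
        Requestors = $who
        Operations = ($actions -join ',')
        Attributes = if ($params -contains '*') { 'ALL' } else { ($params -join ',') }
        Target     = Resolve-FimDisplayName (Get-FimAttributeValue $mpr 'ResourceFinalSet')
        Grants     = ((Get-FimAttributeValue $mpr 'GrantRight') -eq 'True')
        Approval   = if ($authz) { @($authz) -join ',' } else { 'none' }
    }
}

# A row with Grants = True and no approval on the same MPR is only acceptable if
# another row in scope for the same requestors carries the approval (Step 7).
$findings | Sort-Object MPR | Format-Table MPR, Requestors, Operations, Attributes, Target, Grants, Approval -AutoSize
```

Keep the output from the pilot environment; rerunning the script after a deployment to production and comparing the two lists is a cheap way to catch an MPR that was accidentally left disabled, widened to All Attributes, or created without its authorization workflow.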

Step 6: Configure FIM synchronization rules to bring in the data for computers

In this step, you configure the synchronization rules that define how computer data flows between AD DS and FIM. You create one inbound synchronization rule that flows computer resources from AD DS to FIM, and one outbound synchronization rule with an initial flow that provisions computer resources from FIM to AD DS. You can follow the same format to create a persistent rule that synchronizes later modifications of computer resources to AD DS. An outbound synchronization rule is applied to a resource by an action workflow, which in turn is triggered by an MPR; in this scenario, creating a computer in the FIM Portal triggers the action workflow that attaches the outbound synchronization rule, so the new computer is synchronized to AD DS. If you also want modifications made in the FIM Portal to flow to AD DS, create a similar workflow and an MPR that is triggered by Modify.

Note

This step assumes that you already have synchronization rules, workflows, and MPRs set up to synchronize security group membership from FIM to Active Directory or AD DS. This is the key to synchronizing computers as members of a security group to Active Directory or AD DS.

To create the All People Except Built-in Sync Account set

  1. Log on to the FIM Portal as Administrator.

  2. On the FIM Portal home page, under Management Policy Rules, click Sets.

  3. On the Sets page, click New.

  4. On the General page, enter the following information:

    • Display name: All People Except Built-in Sync Account

  5. Click Next.

  6. On the Criteria-based Members page, make sure that Enable criteria-based membership in current set is selected, click All Resources, and then select User from the drop-down menu.

  7. Click Add Statement, and then click Click to select attribute. From the drop-down menu, select Resource ID.

  8. Make sure that the operator is set to is not. Click click to select value, type built-in in Search for, and then click the search icon.

  9. Select Built-in Synchronization Account, and then click OK.

  10. Click Finish, and then click Submit.

To configure FIM synchronization rules to bring in the data for computers

  1. Create a new inbound synchronization rule to synchronize computers from AD DS to FIM.

    Display Name: Inbound Sync Rule AD Computers
    Description: None
    Dependency: None
    Data Flow Direction: Inbound
    Metaverse Resource Type: computer
    External System: Name of your AD MA
    External System Resource Type: computer
    External System Scoping Filter: None
    Relationship Criteria: accountName maps to sAMAccountName
    Create Resource in FIM: Checked (true)
    Inbound Attribute Flows:
      sAMAccountName => accountName
      cn => displayName
      description => description
      managedBy => displayedOwner

  2. Create a new outbound synchronization rule to synchronize computers from FIM to AD DS.

    Display Name: Outbound Sync Rule AD Computers
    Description: None
    Dependency: None
    Data Flow Direction: Outbound
    Metaverse Resource Type: computer
    External System: Name of your AD MA
    External System Resource Type: computer
    External System Scoping Filter: None
    Relationship Criteria: accountName maps to sAMAccountName
    Create Resource in External System: Checked (true)
    Enable Deprovisioning: Checked (true)
    Outbound Attribute Flows:
      accountName => sAMAccountName (Initial Flow only)
      "cn=" + displayName + ",cn=Computers,dc=fabrikam,dc=com" => dn
      description => description
      displayedOwner => managedBy

    Replace dc=fabrikam,dc=com with the distinguished name of your own domain. The dn expression builds the distinguished name from displayName, and nothing in the schema restricts the characters that displayName may contain; a value with a comma, plus sign, quotation mark, backslash, or a leading space or # produces an invalid or differently parsed distinguished name. Either bind a string pattern to DisplayName on CustomComputer, as is done for AccountName in Step 4, or build the dn from accountName instead.

    With Enable Deprovisioning selected, removing this synchronization rule from a computer (for example, by deleting the computer resource in FIM) deprovisions the computer object in AD DS according to the deprovisioning setting of the AD MA. Validate that behavior in the pilot environment before you rely on it, as described under Test environment.

  3. Create a new action workflow that adds the outbound synchronization rule to computers that should be provisioned.

    Workflow Name: Synchronize Computers to AD
    Description: None
    Workflow Type: Action
    Run on Policy Update: Unchecked (false)
    Activity Picker: Synchronization Rule Activity
    Synchronization Rule Activity Definition:
      Synchronization Rule: Outbound Sync Rule AD Computers
      Action Selection: Add

  4. Create an MPR that runs the previous action workflow whenever a computer is created.

    Display Name: Synchronize Computers to AD
    Description: None
    Type: Request
    Disabled: Unchecked (false)
    Specific Set of Requestors: All People Except Built-in Sync Account
    Operation: Create
    Permissions: Grants permission unchecked
    Target Resource Definition After Request: All Computers
    Resource Attributes: All
    Authentication Workflows: None
    Authorization Workflows: None
    Action Workflows: Synchronize Computers to AD

Important

Make sure that the existing outbound synchronization rule for groups contains the attribute flow members (MV)=>members (AD). Also make sure that the members attribute in the metaverse is mapped to the ComputedMembers attribute in FIM.

Step 7: Configure manager approval workflow

In this step, you create an authorization workflow and an MPR that send an approval e-mail to the manager of the user who submits the request (in this scenario, the computer's owner). If the manager approves the creation of the computer or the modification of its access level, the request completes and the computer falls into the corresponding security group in Step 8. Every user who will request a computer must have a Manager value; otherwise the approver lookup resolves to no one.

To configure manager approval workflow

  1. Create a manager approval workflow with the following properties.

    Workflow Name: Manager approves computer creation/editing
    Description: None
    Workflow Type: Authorization
    Activity Picker: Approval
    Approval Activity Definition:
      Approver: [//Requestor/Manager]
      Approver Threshold: 1
      Duration: 3
      Escalate Approver: None

    This exercise uses the default e-mail templates. In production, you can create your own e-mail templates and reference them here to customize the e-mails that are sent.

To configure manager approval MPR

  1. Create a manager approval MPR with the following properties.

    Type: Request
    Specific Set of Requestors: All People
    Operation: Create, Modify
    Target Resource Definition Before Request: All Computers
    Target Resource Definition After Request: All Computers
    Resource Attributes: All Attributes
    Authorization Workflows: Manager approves computer creation/editing

Note

Requests that the FIM Management Agent submits during an inbound synchronization run are made by the Built-in Synchronization Account, which is a member of All People. If you do not want computers imported from AD DS to wait for manager approval, use the All People Except Built-in Sync Account set from Step 6 as the requestor set of this MPR, as the Synchronize Computers to AD MPR does.

Step 8: Configure security groups to contain the computers with corresponding access levels

You will use a criteria-based security group to track all computers of a specific access level. Whenever a user successfully creates a computer with Access Level set to All or Internet, the computer falls into the corresponding security group. FIM writes the group's ComputedMembers to AD DS through the existing outbound synchronization rule for groups (see the Note in Step 6 and the Important note that follows that step). For the purpose of this scenario, assume that Fabrikam has no existing security groups that manage the access level of computers. You must perform this procedure as an administrator.

Before you configure the security groups, modify the RCDCs for group creation, editing and viewing so that the CustomComputer resource type appears in the Filter Builder.

To configure the RCDC

  1. From the FIM Portal home page, under Administration, click Resource Control Display Configurations.

  2. Click Configuration for Group Creation.

  3. Click Export Configuration and save the XML file to your computer.

  4. Open the file with an XML editor or with Notepad.

  5. Locate the following line:

    <my:Property my:Name="PermittedObjectTypes" my:Value="Person,Group"/>
    

    Add CustomComputer to the permitted resource list so that the line reads:

    <my:Property my:Name="PermittedObjectTypes" my:Value="Person,Group,CustomComputer"/>
    
  6. Save the XML file.

  7. Click Browse, and select the file that you just modified.

  8. Submit the change to the RCDC.

  9. Repeat the steps above for the Configuration for Group Editing RCDC and the Configuration for Group Viewing RCDC.

  10. Run iisreset.
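The export, edit and upload round trip above has to be repeated for three RCDCs, and the same change is needed again in every environment the configuration is promoted to. The following PowerShell script is an added example and not code from the original guide: it reads each group RCDC through the FIMAutomation snap-in, adds CustomComputer to the PermittedObjectTypes property of its ConfigurationData XML if it is not already there, and writes the XML back with an update import. It reads the namespace URI of the my: prefix from the exported XML instead of hard-coding it, and it assumes the FIMAutomation snap-in and the default FIM Service address. You still need to run iisreset afterwards.

```powershell
# Added example, not part of the original guide. Adds CustomComputer to the
# PermittedObjectTypes property of the three group RCDCs.
# Assumes FIMAutomation and the default FIM Service URI.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

function Add-PermittedObjectType([string]$rcdcDisplayName, [string]$typeName) {
    $rcdc = Export-FIMConfig -CustomConfig "/ObjectVisualizationConfiguration[DisplayName='$rcdcDisplayName']" -OnlyBaseResources
    if (-not $rcdc) { throw "RCDC '$rcdcDisplayName' not found" }
    $attrs = $rcdc.ResourceManagementObject.ResourceManagementAttributes
    $configXml = ($attrs | Where-Object { $_.AttributeName -eq 'ConfigurationData' }).Value

    # Parse the RCDC XML and locate the PermittedObjectTypes property in the my: namespace.
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.LoadXml($configXml)
    $myUri = $xml.DocumentElement.GetNamespaceOfPrefix('my')
    $nsm = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $nsm.AddNamespace('my', $myUri)
    $node = $xml.SelectSingleNode("//my:Property[@my:Name='PermittedObjectTypes']", $nsm)
    if ($node -eq $null) { throw "No PermittedObjectTypes property in '$rcdcDisplayName'" }

    # The value is a comma-separated list, e.g. "Person,Group"; keep it idempotent.
    $types = @($node.GetAttribute('Value', $myUri) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($types -contains $typeName) {
        "$rcdcDisplayName already permits $typeName"
        return
    }
    $newValue = ($types + $typeName) -join ','
    $node.SetAttribute('Value', $myUri, $newValue)

    # Write the modified XML back as an update (Put) of the same resource.
    $import = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $import.ObjectType = 'ObjectVisualizationConfiguration'
    $import.TargetObjectIdentifier = $rcdc.ResourceManagementObject.ObjectIdentifier
    $import.SourceObjectIdentifier = $import.TargetObjectIdentifier
    $import.State = 'Put'
    $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $change.Operation = 'Replace'
    $change.AttributeName = 'ConfigurationData'
    $change.AttributeValue = $xml.OuterXml
    $change.FullyResolved = 1
    $change.Locale = 'Invariant'
    $import.Changes = @($change)
    $import | Import-FIMConfig
    "$rcdcDisplayName updated: PermittedObjectTypes = $newValue"
}

foreach ($name in 'Configuration for Group Creation', 'Configuration for Group Editing', 'Configuration for Group Viewing') {
    Add-PermittedObjectType $name 'CustomComputer'
}
```

Because the script only appends the type when it is absent, it can be rerun safely; if you also extend other RCDCs in the same way, pass their display names to the same function.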

To configure security groups to contain the computers with corresponding access levels

  1. Create a security group that contains all computers whose Access Level is All.

    Display Name: Computers that can access everything
    E-mail Enabled: Unchecked
    Domain: Your domain
    Account Name: ComAccAll
    Scope: Universal (or any scope that is appropriate)
    Member Selection: Criteria-based
    Description: None
    Filter: Select Computer that matches all of the following conditions: Access Level is All
    Owner: Leave the default value
    Displayed Owner: Leave the default value

  2. Create a security group that contains all computers whose Access Level is Internet.

    Display Name: Computers that can access Internet only
    E-mail Enabled: Unchecked
    Domain: Your domain
    Account Name: ComAccInt
    Scope: Universal (or any scope that is appropriate)
    Member Selection: Criteria-based
    Description: None
    Filter: Select Computer that matches all of the following conditions: Access Level is Internet
    Owner: Leave the default value
    Displayed Owner: Leave the default value

Step 9: Customize the UI configuration for computer management

In this step, you create the UI elements that expose computer management to users: a navigation bar item, a search scope, a home page item, and a custom Resource Control Display Configuration (RCDC) for computers. The default MPRs already grant end users the right to view these UI resources. For more details about this step, see Introduction to Configuring and Customizing the FIM Portal (https://go.microsoft.com/fwlink/?LinkID=165848).

To customize the UI configuration for computer management

  1. Create a Navigation Bar resource that shows My Computers underneath the Users navigation bar item.

    Display Name: My Computers
    Description: None
    Usage Keyword: BasicUI (This allows all users to see the navigation bar resource.)
    Parent Order: 3 (Same as Users)
    Order: 2 (Underneath My Profile)
    Navigation URL: ~/IdentityManagement/aspx/customized/CustomizedObjects.aspx?type=CustomComputer&display=Computer
    Resource Count: None

  2. Create a Search Scope that shows My Computers on the All Computers page.

    Display Name: My Computers
    Description: None
    Usage Keyword:
      Computer
      BasicUI
      customized
    Order: 56
    Attribute Searched: DisplayName
    Search Scope Filter: /CustomComputer[DisplayedOwner='%LoginID%']
    Results Resource Type: CustomComputer
    Results Attribute: DisplayName; AccountName; Description; CustomAccessLevel
    Redirecting URL: none

    The filter uses system names: the resource type is CustomComputer (its display name is Computer), and the owner attribute bound to it in Step 4 is DisplayedOwner (displayed as Owner).

  3. Create a Home Page item for My Computers that appears at the bottom of the page as a new Homepage resource.

    Display Name: My Computers
    Description: Go here to manage my computers.
    Usage Keyword: BasicUI
    Image Url: None
    Region: Center region of home page
    Parent Order: 5
    Order: 0
    Navigation URL: ~/IdentityManagement/aspx/customized/CustomizedObjects.aspx?type=CustomComputer&display=Computer
    Resource Count: None

  4. Create an RCDC to show the computer resource. This is the page the users see when they create, edit, or view computer details. For simplicity, create one RCDC that combines all these modes. For details about creating an RCDC, see Introduction to Configuring and Customizing the FIM Portal (https://go.microsoft.com/fwlink/?LinkID=165848).

  5. Run iisreset.

Steps for Testing the Scenario

Before testing the scenario, you must add the CustomComputer object to the FIM MA in Synchronization Manager. For more information and steps to do this, see Publishing Active Directory Users from Two Authoritative Data Sources.

To verify that the new resource type is manageable in FIM

  1. Populate your test data in Active Directory or AD DS.

  2. Run the appropriate synchronization steps to test the inbound synchronization rule.

  3. Manage a computer resource as an end user.

  4. Approve the end user request as a manager.

  5. Verify the security group update in Active Directory or AD DS.
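Steps 2 and 5 of this test are worth checking for every computer rather than by spot-checking one in the portal and in Active Directory Users and Computers. The following PowerShell script is an added example and not code from the original guide: for every CustomComputer in FIM it looks up the matching computer account in AD DS, checks that it sits under CN=Computers, that managedBy points at the owner's account, and that the computer is a member of exactly the access-level group its Access Level calls for (ComAccAll for All, ComAccInt for Internet, neither for None or empty). It assumes the FIMAutomation snap-in and the default FIM Service address, that it runs as a domain user on a domain-joined host so that System.DirectoryServices can bind to the domain, that the group account names are the ones created in Step 8, and that the owner's AD DS account has the same sAMAccountName as the owner's AccountName in FIM. Because AccountName is end-user input, the script escapes it before placing it in an LDAP filter.

```powershell
# Added example, not part of the original guide. End-to-end check of FIM
# computers against AD DS: container, managedBy and access-level group membership.
# Assumptions: FIMAutomation, default FIM Service URI, domain-joined host,
# group sAMAccountNames ComAccAll / ComAccInt from Step 8.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

function Get-FimAttributeValue($exportObject, [string]$name) {
    $a = $exportObject.ResourceManagementObject.ResourceManagementAttributes | Where-Object { $_.AttributeName -eq $name }
    if ($a -eq $null) { return $null }
    if ($a.IsMultiValue) { return @($a.Values) } else { return $a.Value }
}

function ConvertTo-LdapFilterLiteral([string]$value) {
    # RFC 4515 escaping so that a crafted AccountName cannot alter the filter.
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

function Find-AdObject([string]$ldapFilter, [string[]]$properties) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = $ldapFilter
    foreach ($p in $properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return $searcher.FindOne()
}

function Get-AdDn([string]$category, [string]$sam) {
    $r = Find-AdObject "(&(objectCategory=$category)(sAMAccountName=$(ConvertTo-LdapFilterLiteral $sam)))" @('distinguishedName')
    if (-not $r) { return $null }
    return [string]$r.Properties['distinguishedname'][0]
}

# Access Level => DN of the group that must contain the computer.
$groupForLevel = @{}
foreach ($pair in @(@('All', 'ComAccAll'), @('Internet', 'ComAccInt'))) {
    $dn = Get-AdDn 'group' $pair[1]
    if (-not $dn) { throw "Group $($pair[1]) not found in AD DS" }
    $groupForLevel[$pair[0]] = $dn
}

foreach ($c in @(Export-FIMConfig -CustomConfig '/CustomComputer' -OnlyBaseResources)) {
    $account  = Get-FimAttributeValue $c 'AccountName'
    $level    = Get-FimAttributeValue $c 'CustomAccessLevel'
    $ownerRef = Get-FimAttributeValue $c 'DisplayedOwner'
    $problems = @()

    # Computer accounts in AD DS carry a trailing '$' in sAMAccountName.
    $sam = if ($account.EndsWith('$')) { $account } else { "$account`$" }
    $ad = Find-AdObject "(&(objectCategory=computer)(sAMAccountName=$(ConvertTo-LdapFilterLiteral $sam)))" @('distinguishedName', 'managedBy', 'memberOf')
    if (-not $ad) { "$account : MISSING in AD DS"; continue }

    $dn = [string]$ad.Properties['distinguishedname'][0]
    if ($dn -notmatch '^CN=[^,]+,CN=Computers,') { $problems += "unexpected container: $dn" }

    # managedBy must be the DN of the owner's account (outbound flow displayedOwner => managedBy).
    if ($ownerRef) {
        $ownerId  = $ownerRef -replace '^urn:uuid:', ''
        $owner    = Export-FIMConfig -CustomConfig "/Person[ObjectID='$ownerId']" -OnlyBaseResources
        $ownerDn  = Get-AdDn 'person' (Get-FimAttributeValue $owner 'AccountName')
        $managedBy = @($ad.Properties['managedby'] | ForEach-Object { [string]$_ })
        $actual = if ($managedBy.Count) { $managedBy[0] } else { '' }
        if ($actual -ne $ownerDn) { $problems += "managedBy is '$actual', expected '$ownerDn'" }
    }

    # Membership must match Access Level exactly: in the matching group and in no other access group.
    $memberOf = @($ad.Properties['memberof'] | ForEach-Object { [string]$_ })
    foreach ($entry in $groupForLevel.GetEnumerator()) {
        $inGroup  = $memberOf -contains $entry.Value
        $shouldBe = ($level -eq $entry.Key)
        if ($inGroup -ne $shouldBe) { $problems += "member of $($entry.Value) is $inGroup but Access Level is '$level'" }
    }

    if ($problems.Count -eq 0) { "$account : OK (Access Level '$level')" } else { "$account : " + ($problems -join '; ') }
}
```

Run it once after the inbound synchronization (every computer should report OK with whatever Access Level was imported), and again after the manager has approved a request and the group export has run; a computer that is in neither group with Access Level All means the group membership has not reached AD DS yet, which usually points at the group synchronization rule or MPR mentioned in the Important note after Step 6.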