My quest to bring Best Practices to Identity Management especially with Microsoft FIM / ILM

Sunday, November 29, 2009

FIM RCDC explained in brief

In this post I attempt to give you, the reader, a quick overview of how the FIM RCDC works conceptually. As for the mechanics of modifying the RCDC, the nearly complete but growing collection of documents downloadable from MSFT will suffice.

As you will recall, FIM is the new abbreviation for ILM, since it has been renamed Forefront Identity Manager, and RCDC is the Resource Control Display Configuration, formerly known as the Object Visualization Configuration (OVC). RCDC is the way you customize how FIM displays objects (now called resources) in the portal. Now for English: if you need to change the options and information users see in the FIM portal when they create new users or groups (security or distribution), or edit or view these resources, you do it by modifying the RCDC. The RCDC is an XML object, and each resource type (user, group, request, etc.) has three: Create, Edit and View. To get a handle on the terms, take a look at the figure below:

 

[Figure: RCDCExplained (annotated screenshot of the Create Security Group RCDC)]

Every RCDC has a Panel that contains all other visible elements. You don’t have to worry about the Panel, other than to know that you need to have it and it must have a name.

The next item to which I must call your attention is the Groupings. The little area which I have outlined in red is the Header Grouping and provides the caption for the RCDC, in this case: Create Security Group. The Header Grouping contains just one control, the UocCaptionControl, and it is this control that determines what will be displayed, based on the Caption and Description attributes.

The rest of the groupings show up as tabs. The first three are content groupings (there can be up to 16 groupings counting the Header Grouping and the Summary Grouping, which leaves up to 14 slots for content groupings). Each content tab or grouping can contain between 1 and 256 controls.

Not visible in the screenshot above are data sources. Data sources provide access to the data of the resource (PrimaryResourceObjectDataSource), the changes that are being made during the edit or create process (PrimaryResourceDeltaDataSource), what rights the current user has to each attribute (PrimaryResourceRightsDataSource), information about the resource type and its attribute types, such as display name and description (SchemaDataSource), and a listing of the Active Directory domains that are managed by this instance of FIM (DomainDataSource). Additionally, you can have XML data sources. There are two purposes for these: 1) to provide the XSL transformation that produces a different summary of changes on the Summary Grouping, and 2) to provide a list of options for use in UocDropDownList and UocRadioButtonList controls (there is at least one other method for providing the options list).

Controls have elements and attributes. The element type you will be concerned with is Properties. (Help only applies to groupings, CustomProperties is not supported, Options only applies to the UocDropDownList and UocRadioButtonList controls, Buttons only applies to the UocListView control, and you can’t make use of Events.)

The attributes and properties govern the behavior of the control. They can be bound to the different data sources to make the control interact with an attribute on a resource, to control the visibility and editability of a control, and to provide the list of options to choose from.
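As an added example (my own Python, not code from this post or from Microsoft), here is a small lint that reads an RCDC XML document and checks the structural rules described above: the Panel has a name, there is exactly one Header Grouping holding exactly one UocCaptionControl, there are at most 16 groupings, every content grouping has between 1 and 256 controls, and every {Binding Source=...} refers to a data source the RCDC declares. It also flags a control that writes an attribute (a TwoWay binding to the object data source) without a RightsLevel binding to the rights data source; that last rule is my own review rule, not a FIM requirement. The element and attribute names and the namespace URI are the ones the shipped RCDC schema uses as I remember it, and the embedded RCDC is constructed for this example with one deliberately defective control; check the names against an RCDC exported from your own portal before relying on the script.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by the RCDC schema (assumption from memory; verify against an export).
NS = "http://schemas.microsoft.com/2007/08/ObjectVisualizationConfiguration"


def q(name):
    """Qualify an element or attribute name with the RCDC namespace."""
    return f"{{{NS}}}{name}"


MAX_GROUPINGS = 16             # header + summary + up to 14 content groupings
MAX_CONTROLS_PER_GROUPING = 256
BINDING_RE = re.compile(r"\{Binding\s+Source=([^,}]+)")

# Constructed sample RCDC: a cut-down "Create Security Group" with one defective control.
SAMPLE_RCDC = """
<my:ObjectControlConfiguration xmlns:my="http://schemas.microsoft.com/2007/08/ObjectVisualizationConfiguration">
  <my:ObjectDataSource my:TypeName="PrimaryResourceObjectDataSource" my:Name="object"/>
  <my:ObjectDataSource my:TypeName="PrimaryResourceDeltaDataSource" my:Name="delta"/>
  <my:ObjectDataSource my:TypeName="PrimaryResourceRightsDataSource" my:Name="rights"/>
  <my:ObjectDataSource my:TypeName="SchemaDataSource" my:Name="schema"/>
  <my:XmlDataSource my:Name="summaryTransformXsl" my:Parameters="Microsoft.IdentityManagement.WebUI.Controls.Resources.DefaultSummaryTransform.xsl"/>
  <my:Panel my:Name="panel" my:DisplayAsWizard="false" my:Caption="Create Security Group">
    <my:Grouping my:Name="HeaderGroup" my:IsHeader="true">
      <my:Control my:Name="Caption" my:TypeName="UocCaptionControl" my:ExpandArea="true" my:Caption="Create Security Group"/>
    </my:Grouping>
    <my:Grouping my:Name="BasicInfo" my:Caption="General">
      <my:Control my:Name="DisplayName" my:TypeName="UocTextBox"
                  my:Caption="{Binding Source=schema, Path=DisplayName.DisplayName}"
                  my:RightsLevel="{Binding Source=rights, Path=DisplayName}">
        <my:Properties>
          <my:Property my:Name="Required" my:Value="{Binding Source=schema, Path=DisplayName.Required}"/>
          <my:Property my:Name="Text" my:Value="{Binding Source=object, Path=DisplayName, Mode=TwoWay}"/>
        </my:Properties>
      </my:Control>
      <!-- Deliberate defects: typo in the data source name, and no RightsLevel binding. -->
      <my:Control my:Name="Owner" my:TypeName="UocIdentityPicker" my:Caption="Owner">
        <my:Properties>
          <my:Property my:Name="Value" my:Value="{Binding Source=objct, Path=Owner, Mode=TwoWay}"/>
        </my:Properties>
      </my:Control>
    </my:Grouping>
    <my:Grouping my:Name="Summary" my:IsSummary="true">
      <my:Control my:Name="SummaryControl" my:TypeName="UocHtmlSummary">
        <my:Properties>
          <my:Property my:Name="ModificationsXml" my:Value="{Binding Source=delta, Path=DeltaXml}"/>
          <my:Property my:Name="TransformXsl" my:Value="{Binding Source=summaryTransformXsl, Path=/}"/>
        </my:Properties>
      </my:Control>
    </my:Grouping>
  </my:Panel>
</my:ObjectControlConfiguration>
"""


def lint_rcdc(xml_text):
    """Return a list of findings; an empty list means the RCDC passes every check."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {ds.get(q("Name")) for ds in root
                if ds.tag in (q("ObjectDataSource"), q("XmlDataSource"))}

    panel = root.find(q("Panel"))
    if panel is None:
        return ["RCDC has no Panel"]
    if not panel.get(q("Name")):
        findings.append("Panel has no my:Name")

    groupings = panel.findall(q("Grouping"))
    if len(groupings) > MAX_GROUPINGS:
        findings.append(f"{len(groupings)} groupings, limit is {MAX_GROUPINGS}")

    headers = [g for g in groupings if g.get(q("IsHeader")) == "true"]
    if len(headers) != 1:
        findings.append(f"expected exactly one header grouping, found {len(headers)}")
    else:
        ctrls = headers[0].findall(q("Control"))
        if len(ctrls) != 1 or ctrls[0].get(q("TypeName")) != "UocCaptionControl":
            findings.append("header grouping must hold exactly one UocCaptionControl")

    for g in groupings:
        if g.get(q("IsHeader")) == "true" or g.get(q("IsSummary")) == "true":
            continue  # only content groupings carry the 1..256 control rule
        n = len(g.findall(q("Control")))
        if not 1 <= n <= MAX_CONTROLS_PER_GROUPING:
            findings.append(f"grouping {g.get(q('Name'))}: {n} controls, must be 1..{MAX_CONTROLS_PER_GROUPING}")

    for ctrl in panel.iter(q("Control")):
        name = ctrl.get(q("Name"))
        # Any attribute of the control or of its Properties may carry a binding expression.
        values = [v for el in ctrl.iter() for v in el.attrib.values()]
        for v in values:
            for src in BINDING_RE.findall(v):
                if src.strip() not in declared:
                    findings.append(f"control {name}: binding to undeclared data source '{src.strip()}'")
        # My own rule: a TwoWay binding writes the resource, so the user's rights on the
        # attribute (rights data source) should drive the control via RightsLevel.
        if any("Mode=TwoWay" in v for v in values) and not ctrl.get(q("RightsLevel")):
            findings.append(f"control {name}: writes an attribute but has no my:RightsLevel binding")
    return findings


if __name__ == "__main__":
    for finding in lint_rcdc(SAMPLE_RCDC) or ["no findings"]:
        print(finding)
```

Run it against an RCDC you have exported from the portal by reading the file into `lint_rcdc`; on the constructed sample it reports the misspelled data source and the missing RightsLevel binding on the Owner control and nothing else.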

Well that covers the conceptual overview. Next time I blog about RCDC, I plan on discussing the attributes of controls, and their common properties.


Tuesday, November 24, 2009

Answering my FIM RC 1 question

Thanks to Darryl Russi for answering the questions from my earlier post, An Update to FIM RC1, where I asked about something I had read in the release notes:

Some of those items raise a few questions, like how to setup a FIM service that only takes requests from the sync service? Do we setup multiple FIM Service instances and then configure the FIM MA to talk to one of them, and not make that one available to web clients?

So the short answer to my last question is yes, and then Darryl answers the first question in great detail.

Here is his answer: Service Partitions - Multiple Middle Tiers, Request & Workflow Processing

Great job Darryl! I see this as a great way to ensure good response time for users and to scale out.


Monday, November 23, 2009

Identity Synchronization FIM 2010 HOL Irvine California

I will be at the Microsoft Technical Center in Irvine on Dec 1 and 2 presenting this HOL with Marvin Tansley of Gemalto.

Identity Synchronization – Hands on Training


 

Date: December 1-2, 2009

Location: 3 Park Plaza, Suite 1800, Irvine, CA 92614, 949-263-3000

Microsoft, Gemalto and Ensynch invite you to a free 2-day training seminar and hands-on-lab on Microsoft’s Forefront Lifecycle Manager (FIM 2010).

Come and learn how FIM 2010 can help you by delivering simplicity, agility and efficiency while increasing security and compliance within your enterprise identity infrastructure.

The curriculum for this training is modular, which will allow users with different technical levels to attend. 

Day 1 Agenda:

· FIM 2010 Overview Presentation and Demo

· FIM 2010 Managing Users and Groups Hands-on Lab

· Introduction to identity management

· ROI - a Tool to Help you Sell Your Project

· OTP Provisioning using FIM 2010

· Certificate Basics Presentation

· Certificate Demo and Basic Use Cases

Day 2 Agenda:

· FIM 2010 Synchronization Presentation and Demo

· FIM 2010 Hands-on Lab

· FIM 2010 Policy Management Presentation and Demo

· FIM 2010 Hands-on Lab

· Making It All Work Together

Who Should Attend?
IT security staff as well as system administrators and engineers who work with the installation, configuration, and maintenance of a variety of server types and have two to three years of experience managing an enterprise-level Microsoft Windows Server environment.

Space is limited. Register to reserve your seat. Invitation only registration link – click here!

Questions? Contact Gemalto |  amy.gant@gemalto.com  |  (888) 343 5773  | www.gemalto.com/enterprise


Sunday, November 8, 2009

An Update to FIM RC1

Microsoft has posted an update to FIM RC 1, dated Nov 6.

It looks like this update covers pretty much everywhere except Certificate Services (sorry Brian and Paul).

The release notes included in the download list the following improvements:

    • Query and Sets
      • Resolved a number of issues that resulted in incorrect dynamic set membership.
      • Removed support for the use of the != operator with multivalued attributes. Xpath equality expressions on multivalued attributes must use the not() function. For example, the following xpath is not supported: /Group[Owner != /Person]. Instead, use the following xpath: /Group[not(Owner = /Person)]
    • Synchronization engine
      • Resolved a data corruption issue in Multi-Mastery scenarios where deleted Member attributes were being added back during full sync of AD and FIM.
    • Workflows
      • Workflows are now run on a FIM Service that uses the same ExternalHostName as the FIM Service that originally created the workflow. This enables the partitioning of workflow execution among servers dedicated to specific functionality. For example, if a FIM Service is dedicated to servicing Requests submitted by the Synchronization Service, all workflows resulting from Synchronization Service Requests will only run on that FIM Service.
      • Resolved an issue that caused a Request’s RequestStatus attribute to retain the value “Validating” even though the Request’s operation timed out.
      • Resolved an issue in the EnumerateResourcesActivity that prevented selecting which attributes to return. Previously, regardless of the attribute selection specified, all attributes bound to the enumerated resources were returned.
    • Resolved various issues and made general improvements for:
      • Management Policy Rules
      • Portal user interface Request Management
      • Self-service Password Reset
      • Schema
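An added example (my own Python, not from the post or from the release notes) that models the two XPath predicates from the Query and Sets item over a constructed set of groups. In XPath 1.0 a comparison between two node-sets is existential: it is true if it holds for any pair of nodes. For a multivalued attribute such as Owner, /Group[Owner != /Person] therefore means "some owner is not in /Person", which is true for nearly every group with more than one owner, while /Group[not(Owner = /Person)] means "no owner is in /Person". Because dynamic sets are what Management Policy Rules grant rights to, the two forms produce different memberships and therefore different permissions. The people, groups and ObjectID strings below are constructed; /Person stands for whatever filtered set of people the right-hand side of your own XPath selects, and the empty-owner case shows how a group with no owners at all falls on each side.

```python
# Constructed sample: ObjectIDs of people and the multivalued Owner attribute of some groups.
ALICE, BOB, CAROL = "alice", "bob", "carol"

SAMPLE_GROUPS = {
    "HR-Admins":       {ALICE, BOB},   # one HR owner and one non-HR owner
    "Finance-Readers": {CAROL},        # no HR owner
    "HR-Only":         {ALICE},        # only an HR owner
    "Orphaned":        set(),          # no owners at all
}

# The right-hand side of the predicate, e.g. /Person[Department='HR'], as a set of ObjectIDs.
HR_PEOPLE = {ALICE}


def xpath_not_equal(owners, persons):
    """/Group[Owner != /Person] with XPath 1.0 node-set semantics:
    true if ANY owner differs from ANY person (existential on both sides)."""
    return any(o != p for o in owners for p in persons)


def not_xpath_equal(owners, persons):
    """/Group[not(Owner = /Person)]: true only if NO owner equals ANY person."""
    return not any(o == p for o in owners for p in persons)


def evaluate(groups, persons):
    """Return {group name: (matches the '!=' form, matches the 'not(=)' form)}."""
    return {name: (xpath_not_equal(owners, persons), not_xpath_equal(owners, persons))
            for name, owners in groups.items()}


def members(groups, persons, predicate):
    """Names of the groups a dynamic set built on the given predicate would contain."""
    return sorted(name for name, owners in groups.items() if predicate(owners, persons))


if __name__ == "__main__":
    for name, (ne, not_eq) in evaluate(SAMPLE_GROUPS, HR_PEOPLE).items():
        print(f"{name:16} Owner != /Person: {ne!s:5}  not(Owner = /Person): {not_eq}")
    print("set via '!=':    ", members(SAMPLE_GROUPS, HR_PEOPLE, xpath_not_equal))
    print("set via 'not(=)':", members(SAMPLE_GROUPS, HR_PEOPLE, not_xpath_equal))
```

The group that matters is HR-Admins: it has an HR owner, yet the != form puts it in the "not owned by HR" set because Bob is also an owner, while the not() form leaves it out. The ownerless group goes the other way, matching only the not() form, which is what "no owner is in /Person" should mean.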

 

Some of those items raise a few questions, like how to setup a FIM service that only takes requests from the sync service? Do we setup multiple FIM Service instances and then configure the FIM MA to talk to one of them, and not make that one available to web clients?

 

Go to Connect.microsoft.com. Here’s the link: FIM 2010 RC1 Update 1
Date: 11/6/2009
Build: 4.0.2570.0 (compare to 4.0.2560.0, the RC1 version released on 9/29/09)

It references a KB article that I can’t find: KB976465

The total download is under 36 MB so this is definitely a patch and not the full enchilada.

Looks like Jorge got the news out first.
