For an IT Operations team in any large organization, the powerful set of tools provided by Forefront Identity Manager 2010 for managing groups really come in handy when it comes to organizing and streamlining the process of managing distribution groups. The administrators only need to define a criteria for the membership of those groups and FIM takes over from that point onwards.
Things are pretty straight forward when it comes to defining the filter criteria for any existing attribute out of FIM’s schema. Let’s consider a scenario when you get a request for defining new distribution groups based on the employee’s ‘Rank Number’ that is being pushed into FIM from the HR database. Fair enough. You already have FIM 2010 up and running, doing the provisioning job without a hassle so defining an extra attribute mapping and a new distribution group is all you need. You decide to customize the metaverse and FIM schema, update the Management Agents and run the synchronization process. The next thing you notice is a bunch of funky errors.
What am I missing here?
The Management Policy Rules are the heart and soul of FIM 2010. These rules provide a highly granular level control over the access to the various objects inside the system. In order to allow the synchronization of the newly defined schema attribute you’d need to update your synchronization related MPR (as shown in the screenshot below) so the synchronization account can export the information from the metaverse to FIM.
On the Target Resources tab add the newly created attribute.
Time for a sync job
Run the synchronization process and ensure that the newly created attribute is synchronized successfully with FIM. You can verify the results from Synchronization Manager’s run log or simply by opening the information of any existing user. The custom defined attributes will be visible in the ‘Advanced View’ on the ‘Extended Attributes’ tab.
Creating distribution group
Ok. Now is the time to create our distribution group that uses a criteria-based member selection method. In my case the requirement is that all the people with ‘Rank Number = 7’ are some sort of acting ‘Line Managers’ and will be part of a single distribution group.
Let’s hit the ‘View Members’ button and voila! We see the list of users. So it’s all good to go. Let’s proceed to the summary tab and press ‘Submit’. The next we see is another access denied error.
Click on the [Details] hyperlink right next to the status error and notice the error message ‘Filter definition is not permitted.’
Filter permissions are different from the MPRs and only allow any attributes to be used in filters. In order to allow the administrators to use the newly created attribute you need to follow these steps.
1. Log on to the FIM Portal as the administrator.
2. In the navigation pane, click Administration.
3. On the Administration page, click Filter Permission.
4. On the Filter Permission page, click Administrator Filter Permission.
5. Click on Permitted Filter Attributes and add the newly created attribute to the ‘Allowed Attributes’ list.
Let’s redo the exercise of creating the criteria-based distribution group. This time, it works perfect so let’s run the synchronization cycle.
Finally, let’s take a look at the distribution group in AD itself and ensure that the same users are part of the distribution group provisioned by FIM.