Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2009-12-11) Experiences And/Or Differences With FIM2010 RC1 So Far (Part 2)

Posted by Jorge on 2009-12-11


MPRs

New MPRs have been defined or existing MPRs have been redefined. In ILM "2" RC0 an MPR called "Administrators have Full Control" existed which gave administrators Full Control permissions over existing stuff and newly created stuff. In FIM 2010 RC1 I created a new object type called COMPUTER including the attributes I wanted on that. I then wanted to create a computer object and at the end when I clicked SUBMIT I got an access denied. Researching a bit more I found out that administrators only have Full Control over configuration stuff in the FIM Portal. They are not allowed to create users and in my case also computers. So, for those object types I had to create an MPR that gave the administrators Full Control over those objects. Now you can take two different approaches: (1) create a permissions-based MPR for each object type, or (2) create a permissions-based MPR that gives the administrators Full Control over ALL objects.

In addition, it is possible to disable and re-enable MPRs. You no longer have to delete them or change them in such a way that they are not used by the system. Remember that when you get an access denied, two cases might apply: (1) no MPR is available, or (2) an MPR is available but it is disabled!
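One way to tell those two cases apart outside the Portal, as an added example that is not part of the original post: export every MPR through the FIMAutomation snap-in and list each permission-granting rule with its enabled/disabled state. The endpoint URI is an assumption (local FIM Service on the default port), and the attribute names (DisplayName, Disabled, GrantRight, ActionType) are taken from the released FIM 2010 schema, so they may differ on RC1.

```powershell
# Added example, not from the original post. Run on a machine with the
# FIMAutomation snap-in installed, as an account allowed to read MPRs.
Add-PSSnapin FIMAutomation -ErrorAction Stop

# Assumption: FIM Service runs locally on its default port.
$uri = 'http://localhost:5725/ResourceManagementService'

# Helper (hypothetical name): read one attribute from an exported resource.
function Get-FimAttributeValue {
    param($Resource, [string]$Name)
    $attr = $Resource.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    if (-not $attr) { return $null }
    if ($attr.IsMultiValue) { return (@($attr.Values) -join ', ') }
    return $attr.Value
}

# Export only the MPR resources themselves, not the sets/workflows they reference.
$mprs = Export-FIMConfig -Uri $uri -OnlyBaseResources `
    -CustomConfig '/ManagementPolicyRule'

$report = foreach ($mpr in $mprs) {
    New-Object PSObject -Property @{
        DisplayName = Get-FimAttributeValue $mpr 'DisplayName'
        Disabled    = (Get-FimAttributeValue $mpr 'Disabled') -eq 'True'
        GrantRight  = (Get-FimAttributeValue $mpr 'GrantRight') -eq 'True'
        ActionType  = Get-FimAttributeValue $mpr 'ActionType'
    }
}

# Permission-granting MPRs only, disabled ones first.
$granting = $report | Where-Object { $_.GrantRight }
$granting |
    Sort-Object @{ Expression = 'Disabled'; Descending = $true }, DisplayName |
    Format-Table DisplayName, Disabled, ActionType -AutoSize

# Case (2) above: an MPR exists but is switched off.
$disabled = @($granting | Where-Object { $_.Disabled })
Write-Host ("{0} permission-granting MPR(s) are disabled." -f $disabled.Count)
# Case (1): if no listed MPR covers the denied operation and object type,
# there is no MPR for it and one has to be created.
```

Running the same listing before and after a change also gives a quick record of which grants were added or switched off.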


After you have configured your FIM system with all kinds of MPRs, SETs, Workflows, etc., how are you going to find out or troubleshoot, after 6 months for example, how a particular system works? In ILM "2" RC0 that was a pain in the well-known behind! In FIM 2010 RC1 you will find a button called MPR Explorer (see below). It is "just" a button and because of that you might miss it.

image

Clicking that button shows you the following screen which allows you to select what you want to check/do.

image

After that, for what you want to do, you define criteria as shown below. In my case I wanted to know which "enabled" "permissions-based MPRs" apply when "ADM.ROOT" makes a request to "Create a resource", "Delete a resource", "Read resource", "Add a value to a multi-valued attribute", "Remove a value from a multi-valued attribute" OR "Modify the value of a single-valued attribute" against "All Objects".

image

The results of the query I’m making are shown below:

image

SCOM Management Pack

A SCOM Management Pack will be made available for FIM 2010.

| Component  | # Monitors | # Events |
|------------|------------|----------|
| FIM Service | 9  | 8  |
| FIM Portal  | 11 | 10 |
| FIM Sync    | 7  | 6  |
| FIM CM      | 6  | 6  |


Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge ###############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————
