Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘SET’ Category

(2013-10-02) Showing The MPRs A Specific SET Object Is Being Used In

Posted by Jorge on 2013-10-02


As you know, SETs are only useful within Management Policy Rules (MPRs), when referenced by other SETs, when referenced by Search Scopes and when referenced by RCDCs. If you want to see whether SETs are being used at all, have a look at this blog post. In this case we are interested in finding out in WHICH MPRs a specific SET is being used. By default you would need to use the MPR Explorer to find out. You can read more about the MPR Explorer in this blog post. Before being able to use the MPR Explorer, you first need to know the name of the SET. Then you open up the MPR Explorer, specify what you want to find MPRs for (in this case a SET) and then you define criteria. Finally the results will be shown. Now, is it possible to do this in an easier way? YES, it is!

Away silver!

When looking at SETs, those can be used by MPRs in the following way:

  • Request Based MPRs
    • As a “requestor SET”
    • As a “before the operation SET”
    • As an “after the operation SET”
  • Transition Based MPRs
    • As a “Transition IN” SET
    • As a “Transition OUT” SET

The easiest way to find out in which MPRs a specific SET is being used is through the GUI, with very minimal input: by adjusting the RCDC of the SET object. I only paid attention to the RCDC for editing SETs (which can also be used for viewing, by the way). I’m showing this in figures 1 and 2. For the RCDC (edit mode) of the SET object I added an additional TAB called “Referencing MPRs”. Within that TAB you will find 5 sections listing the MPRs that reference that specific SET. For each MPR I also show whether it is disabled or not, and in the case of request based MPRs I also show whether the MPR is a permissions based MPR (the GrantRight column).


Figure 1: Listing The Request Based MPRs Which The SET Can Be Used In

In the picture above you see in which request based MPRs the SET is being used as a requestor SET, a “before the operation SET” and/or an “after the operation SET”. If you scroll further down you will see what is shown below.


Figure 2: Listing The Transition Based MPRs Which The SET Can Be Used In

In the picture above you see in which transition based MPRs the SET is being used as a “transition in SET” and/or a “transition out SET”.

OK, OK, of course you want to know HOW to do this?! After exporting the RCDC configuration for EDIT mode of SET objects, you add the XML text below AFTER the “StaticMembership” grouping and BEFORE the “Summary” grouping. Save the XML file, and reimport it as a new RCDC configuration for EDIT mode. Either wait at least 15 minutes for the GUI to be refreshed or perform a manual IISRESET on every FIM Portal server to refresh immediately.

<my:Grouping my:Name="ReferencingMPRs" my:Caption="Referencing MPRs" my:Enabled="true" my:Visible="true">
  <my:Control my:Name="SETUsedInRequestMPRAsRequestorSET" my:TypeName="UocListView" my:Caption="Used In Request MPR As Requestor SET" my:Description="This SET Is Used In A Request MPR As A Requestor SET...">
    <my:Properties>
      <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Disabled,GrantRight"/>
      <my:Property my:Name="ResultObjectType" my:Value="ManagementPolicyRule"/>
      <my:Property my:Name="EmptyResultText" my:Value="This SET Is NOT Used In A Request MPR As A Requestor SET..."/>
      <my:Property my:Name="ListFilter" my:Value="/ManagementPolicyRule[(ManagementPolicyRuleType='Request' and PrincipalSet=/Set[ObjectID='%ObjectID%'])]"/>
      <my:Property my:Name="PageSize" my:Value="10"/>
      <my:Property my:Name="ShowTitleBar" my:Value="false"/>
      <my:Property my:Name="ShowActionBar" my:Value="false"/>
      <my:Property my:Name="ShowPreview" my:Value="false"/>
      <my:Property my:Name="ShowSearchControl" my:Value="false"/>
      <my:Property my:Name="EnableSelection" my:Value="false"/>
      <my:Property my:Name="SingleSelection" my:Value="false"/>
      <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog"/>
      <my:Property my:Name="ReadOnly" my:Value="true"/>
    </my:Properties>
  </my:Control>
  <my:Control my:Name="SETUsedInRequestMPRAsBeforeSET" my:TypeName="UocListView" my:Caption="Used In Request MPR As Before SET" my:Description="This SET Is Used In A Request MPR As A Before SET...">
    <my:Properties>
      <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Disabled,GrantRight"/>
      <my:Property my:Name="ResultObjectType" my:Value="ManagementPolicyRule"/>
      <my:Property my:Name="EmptyResultText" my:Value="This SET Is NOT Used In A Request MPR As A Before SET..."/>
      <my:Property my:Name="ListFilter" my:Value="/ManagementPolicyRule[(ManagementPolicyRuleType='Request' and ResourceCurrentSet=/Set[ObjectID='%ObjectID%'])]"/>
      <my:Property my:Name="PageSize" my:Value="10"/>
      <my:Property my:Name="ShowTitleBar" my:Value="false"/>
      <my:Property my:Name="ShowActionBar" my:Value="false"/>
      <my:Property my:Name="ShowPreview" my:Value="false"/>
      <my:Property my:Name="ShowSearchControl" my:Value="false"/>
      <my:Property my:Name="EnableSelection" my:Value="false"/>
      <my:Property my:Name="SingleSelection" my:Value="false"/>
      <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog"/>
      <my:Property my:Name="ReadOnly" my:Value="true"/>
    </my:Properties>
  </my:Control>
  <my:Control my:Name="SETUsedInRequestMPRAsAfterSET" my:TypeName="UocListView" my:Caption="Used In Request MPR As After SET" my:Description="This SET Is Used In A Request MPR As An After SET...">
    <my:Properties>
      <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Disabled,GrantRight"/>
      <my:Property my:Name="ResultObjectType" my:Value="ManagementPolicyRule"/>
      <my:Property my:Name="EmptyResultText" my:Value="This SET Is NOT Used In A Request MPR As An After SET..."/>
      <my:Property my:Name="ListFilter" my:Value="/ManagementPolicyRule[(ManagementPolicyRuleType='Request' and ResourceFinalSet=/Set[ObjectID='%ObjectID%'])]"/>
      <my:Property my:Name="PageSize" my:Value="10"/>
      <my:Property my:Name="ShowTitleBar" my:Value="false"/>
      <my:Property my:Name="ShowActionBar" my:Value="false"/>
      <my:Property my:Name="ShowPreview" my:Value="false"/>
      <my:Property my:Name="ShowSearchControl" my:Value="false"/>
      <my:Property my:Name="EnableSelection" my:Value="false"/>
      <my:Property my:Name="SingleSelection" my:Value="false"/>
      <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog"/>
      <my:Property my:Name="ReadOnly" my:Value="true"/>
    </my:Properties>
  </my:Control>
  <my:Control my:Name="SETUsedInTransitionMPRAsTransitionInSET" my:TypeName="UocListView" my:Caption="Used In Transition MPR As TransitionIN SET" my:Description="This SET Is Used In A Transition MPR As A TransitionIN SET...">
    <my:Properties>
      <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Disabled,GrantRight"/>
      <my:Property my:Name="ResultObjectType" my:Value="ManagementPolicyRule"/>
      <my:Property my:Name="EmptyResultText" my:Value="This SET Is NOT Used In A Transition MPR As A TransitionIN SET..."/>
      <my:Property my:Name="ListFilter" my:Value="/ManagementPolicyRule[(ManagementPolicyRuleType='SetTransition' and ActionType='TransitionIn' and ResourceCurrentSet=/Set[ObjectID='%ObjectID%'])]"/>
      <my:Property my:Name="PageSize" my:Value="10"/>
      <my:Property my:Name="ShowTitleBar" my:Value="false"/>
      <my:Property my:Name="ShowActionBar" my:Value="false"/>
      <my:Property my:Name="ShowPreview" my:Value="false"/>
      <my:Property my:Name="ShowSearchControl" my:Value="false"/>
      <my:Property my:Name="EnableSelection" my:Value="false"/>
      <my:Property my:Name="SingleSelection" my:Value="false"/>
      <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog"/>
      <my:Property my:Name="ReadOnly" my:Value="true"/>
    </my:Properties>
  </my:Control>
  <my:Control my:Name="SETUsedInTransitionMPRAsTransitionOutSET" my:TypeName="UocListView" my:Caption="Used In Transition MPR As TransitionOUT SET" my:Description="This SET Is Used In A Transition MPR As A TransitionOUT SET...">
    <my:Properties>
      <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Disabled,GrantRight"/>
      <my:Property my:Name="ResultObjectType" my:Value="ManagementPolicyRule"/>
      <my:Property my:Name="EmptyResultText" my:Value="This SET Is NOT Used In A Transition MPR As A TransitionOUT SET..."/>
      <my:Property my:Name="ListFilter" my:Value="/ManagementPolicyRule[(ManagementPolicyRuleType='SetTransition' and ActionType='TransitionOut' and ResourceCurrentSet=/Set[ObjectID='%ObjectID%'])]"/>
      <my:Property my:Name="PageSize" my:Value="10"/>
      <my:Property my:Name="ShowTitleBar" my:Value="false"/>
      <my:Property my:Name="ShowActionBar" my:Value="false"/>
      <my:Property my:Name="ShowPreview" my:Value="false"/>
      <my:Property my:Name="ShowSearchControl" my:Value="false"/>
      <my:Property my:Name="EnableSelection" my:Value="false"/>
      <my:Property my:Name="SingleSelection" my:Value="false"/>
      <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog"/>
      <my:Property my:Name="ReadOnly" my:Value="true"/>
    </my:Properties>
  </my:Control>
</my:Grouping>

Et voila!

For other scenarios, see:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Forefront Identity Manager (FIM) Portal, MPR, RCDC, SET | 5 Comments »

(2013-02-08) Unused SETs, Unused Workflows, Unused Mail Templates – Keeping FIM Portal Clean From Unused Configuration Objects

Posted by Jorge on 2013-02-08


As soon as you have installed FIM you start configuring it according to your application design, which is based upon the data model and the usage scenarios. In case of the FIM Portal you configure it with configuration objects (MPRs, SETs, Workflows, Mail Templates, etc.) that in the end will be the technical components that give you the desired logic to do whatever you need it to do. At least I hope so!

During the usage of the FIM Portal, stuff changes because requirements change and logic changes. Because of that, objects are added and changed to accommodate the new requirements and therefore the required logic. BUT….. where’s the part about deleting unused objects, in other words CLEAN UP! By default there is nothing in FIM that will tell you whether objects are not used. Is it impossible to get that information? No, but you need to do it yourself! I want to keep my FIM Portal configuration clean, therefore I have created the following PowerShell script to help me with that. And I do hope it helps you too!

# Jorge de Almeida Pinto [MVP-DS]
# https://jorgequestforknowledge.wordpress.com/
#
# +++ Finding UnUsed Objects In The FIM Portal +++
Param (
    [string] $URI = "http://localhost:5725/resourcemanagementservice",
    [parameter(Mandatory=$true)] [string] $objectType
)

# Clear The Screen
Clear-Host

# Import The FIM 2010 (R2) Snap-In If Available
$SnapIn = "FIMAutomation"
If (@(Get-PSSnapin | Where-Object {$_.Name -eq $SnapIn}).count -eq 0) {
    If (@(Get-PSSnapin -Registered | Where-Object {$_.Name -eq $SnapIn}).count -ne 0) {
        Add-PSSnapin $SnapIn
        Write-Host ""
        Write-Host "Snap-In '$SnapIn' Has Been Loaded..." -ForeGroundColor Green
        Write-Host "Continuing Script..." -ForeGroundColor Green
        Write-Host ""
    } Else {
        Write-Host ""
        Write-Host "Snap-In '$SnapIn' Is NOT Available To Load..." -ForeGroundColor Red
        Write-Host "Aborting Script..." -ForeGroundColor Red
        Write-Host ""
        Exit
    }
} Else {
    Write-Host ""
    Write-Host "Snap-In '$SnapIn' Has Already Been Loaded..." -ForeGroundColor Green
    Write-Host "Continuing Script..." -ForeGroundColor Green
    Write-Host ""
}

# Convert a FIM ExportObject to a PowerShell PSObject
# http://www.identitytrench.com/2011/07/convert-fim-exportobject-to-powershell.html
Function Convert-FimExportToPSObject {
    Param (
        [parameter(Mandatory=$true, ValueFromPipeline = $true)]
        [Microsoft.ResourceManagement.Automation.ObjectModel.ExportObject] $ExportObject
    )
    Process {
        $psObject = New-Object PSObject
        $ExportObject.ResourceManagementObject.ResourceManagementAttributes | ForEach-Object {
            If ($_.Value -ne $null) {
                $value = $_.Value
            } ElseIf ($_.Values -ne $null) {
                $value = $_.Values
            } Else {
                $value = $null
            }
            $psObject | Add-Member -MemberType NoteProperty -Name $_.AttributeName -Value $value
        }
        Write-Output $psObject
    }
}

# Current Folder
$currentFolder = (Get-Location).Path

# Searching For Unused SETs
# SETs Can Be Used In:
# * MPRs
# * Referenced By Other SETs
# * Referenced By Search Scopes
# * Referenced By RCDCs
If ($objectType.ToUpper() -eq "SET") {
    Write-Host ""
    Write-Host "+++ CHECKING USAGE OF SETS +++" -ForeGroundColor Cyan
    Write-Host ""

    # Files
    $listOfSETsUsed = "List-Of-Sets-Used.txt"
    $listOfSETsUnUsed = "List-Of-Sets-UnUsed.txt"

    # Check Current Files
    If (Test-Path $($currentFolder + "\" + $listOfSETsUsed)) {
        Remove-Item $($currentFolder + "\" + $listOfSETsUsed) -Force
    }
    If (Test-Path $($currentFolder + "\" + $listOfSETsUnUsed)) {
        Remove-Item $($currentFolder + "\" + $listOfSETsUnUsed) -Force
    }

    # Get All The SETs
    $SETsInFIM = Export-FIMConfig -Uri $URI -OnlyBaseResources -CustomConfig "/Set"
    $SETsInFIMPSObject = $SETsInFIM | Convert-FimExportToPSObject

    # Get All The MPRs
    $MPRsInFIM = Export-FIMConfig -Uri $URI -OnlyBaseResources -CustomConfig "/ManagementPolicyRule"
    $MPRsInFIMPSObject = $MPRsInFIM | Convert-FimExportToPSObject

    # Get All The SearchScopes
    $SearchScopesInFIM = Export-FIMConfig -Uri $URI -OnlyBaseResources -CustomConfig "/SearchScopeConfiguration"
    $SearchScopesInFIMPSObject = $SearchScopesInFIM | Convert-FimExportToPSObject

    # Get All The RCDCs
    $RCDCsInFIM = Export-FIMConfig -Uri $URI -OnlyBaseResources -CustomConfig "/ObjectVisualizationConfiguration"
    $RCDCsInFIMPSObject = $RCDCsInFIM | Convert-FimExportToPSObject

    # For Each SET Check If It Is Used Somewhere
    ForEach ($SETInFIMPSObject In $SETsInFIMPSObject) {
        $setDisplayName = $SETInFIMPSObject.DisplayName
        $setObjectID = $SETInFIMPSObject.ObjectID
        # The Bare GUID (Without The "urn:uuid:" Prefix) Is What Appears Inside Filters And RCDC XML;
        # The Display Name Is Regex-Escaped So Characters Like "(" Or "+" In It Do Not Break -match
        $setGuid = $setObjectID -replace "^urn:uuid:", ""
        $setNamePattern = [regex]::Escape($setDisplayName)
        $setIsUsed = $false

        # For Each SET Check If It Is Used In Some MPR
        If (!$setIsUsed) {
            ForEach ($MPRInFIMPSObject In $MPRsInFIMPSObject) {
                If ($MPRInFIMPSObject.PrincipalSet -eq $setObjectID -Or $MPRInFIMPSObject.ResourceCurrentSet -eq $setObjectID -Or $MPRInFIMPSObject.ResourceFinalSet -eq $setObjectID) {
                    # Object Is Used
                    $setIsUsed = $true
                    Break
                }
            }
        }

        # For Each SET Check If It Is Used In Some Other SET
        # (The Inner Loop Variable Is Named Differently So It Does Not Overwrite The Outer SET)
        If (!$setIsUsed) {
            ForEach ($OtherSETInFIMPSObject In $SETsInFIMPSObject) {
                If ($OtherSETInFIMPSObject.ObjectID -eq $setObjectID) {
                    # A SET Referencing Itself Does Not Count As Being Used
                    Continue
                }
                If ($OtherSETInFIMPSObject.Filter -match $setGuid -Or $OtherSETInFIMPSObject.Filter -match $setNamePattern) {
                    # Object Is Used
                    $setIsUsed = $true
                    Break
                }
            }
        }

        # For Each SET Check If It Is Used In Some Search Scope
        If (!$setIsUsed) {
            ForEach ($SearchScopeInFIMPSObject In $SearchScopesInFIMPSObject) {
                If ($SearchScopeInFIMPSObject.SearchScope -match $setGuid -Or $SearchScopeInFIMPSObject.SearchScope -match $setNamePattern) {
                    # Object Is Used
                    $setIsUsed = $true
                    Break
                }
            }
        }

        # For Each SET Check If It Is Used In Some RCDC
        If (!$setIsUsed) {
            ForEach ($RCDCInFIMPSObject In $RCDCsInFIMPSObject) {
                If ($RCDCInFIMPSObject.ConfigurationData -match $setGuid -Or $RCDCInFIMPSObject.ConfigurationData -match $setNamePattern) {
                    # Object Is Used
                    $setIsUsed = $true
                    Break
                }
            }
        }

        # If The SET Is Used
        If ($setIsUsed) {
            Write-Host "In Use: '$setDisplayName'..." -ForeGroundColor Green
            Add-Content $($currentFolder + "\" + $listOfSETsUsed) $setDisplayName
        }

        # If The SET Is UnUsed
        If (!$setIsUsed) {
            Write-Host "Not In Use: '$setDisplayName'..." -ForeGroundColor Red
            Add-Content $($currentFolder + "\" + $listOfSETsUnUsed) $setDisplayName
        }
    }
}

# Searching For Unused WorkFlows
# WorkFlows Can Be Used In:
# * MPRs
# * Referenced By SETs
If ($objectType.ToUpper() -eq "WORKFLOW") {
    Write-Host ""
    Write-Host "+++ CHECKING USAGE OF WORKFLOWS +++" -ForeGroundColor Cyan
    Write-Host ""

    # Files
    $listOfWorkflowsUsed = "List-Of-Workflows-Used.txt"
    $listOfWorkflowsUnUsed = "List-Of-Workflows-UnUsed.txt"

    # Check Current Files
    If (Test-Path $($currentFolder + "\" + $listOfWorkflowsUsed)) {
        Remove-Item $($currentFolder + "\" + $listOfWorkflowsUsed) -Force
    }
    If (Test-Path $($currentFolder + "\" + $listOfWorkflowsUnUsed)) {
        Remove-Item $($currentFolder + "\" + $listOfWorkflowsUnUsed) -Force
    }

    # Get All The Workflows
    $WorkflowsInFIM = Export-FIMConfig -Uri $URI -OnlyBaseResources -CustomConfig "/WorkflowDefinition"
    $WorkflowsInFIMPSObject = $WorkflowsInFIM | Convert-FimExportToPSObject

    # Get All The MPRs
    $MPRsInFIM = Export-FIMConfig -Uri $URI -OnlyBaseResources -CustomConfig "/ManagementPolicyRule"
    $MPRsInFIMPSObject = $MPRsInFIM | Convert-FimExportToPSObject

    # Get All The SETs
    $SETsInFIM = Export-FIMConfig -Uri $URI -OnlyBaseResources -CustomConfig "/Set"
    $SETsInFIMPSObject = $SETsInFIM | Convert-FimExportToPSObject

    # For Each Workflow Check If It Is Used Somewhere
    ForEach ($WorkflowInFIMPSObject In $WorkflowsInFIMPSObject) {
        $workflowDisplayName = $WorkflowInFIMPSObject.DisplayName
        $workflowObjectID = $WorkflowInFIMPSObject.ObjectID
        $workflowGuid = $workflowObjectID -replace "^urn:uuid:", ""
        $workflowNamePattern = [regex]::Escape($workflowDisplayName)
        $workflowIsUsed = $false

        # For Each Workflow Check If It Is Used In Some MPR (Action, Authentication Or Authorization Workflow)
        If (!$workflowIsUsed) {
            ForEach ($MPRInFIMPSObject In $MPRsInFIMPSObject) {
                If ($MPRInFIMPSObject.ActionWorkflowDefinition -contains $workflowObjectID -Or $MPRInFIMPSObject.AuthenticationWorkflowDefinition -contains $workflowObjectID -Or $MPRInFIMPSObject.AuthorizationWorkflowDefinition -contains $workflowObjectID) {
                    # Object Is Used
                    $workflowIsUsed = $true
                    Break
                }
            }
        }

        # For Each Workflow Check If It Is Used In Some SET
        If (!$workflowIsUsed) {
            ForEach ($SETInFIMPSObject In $SETsInFIMPSObject) {
                If ($SETInFIMPSObject.Filter -match $workflowGuid -Or $SETInFIMPSObject.Filter -match $workflowNamePattern) {
                    # Object Is Used
                    $workflowIsUsed = $true
                    Break
                }
            }
        }

        # If The Workflow Is Used
        If ($workflowIsUsed) {
            Write-Host "In Use: '$workflowDisplayName'..." -ForeGroundColor Green
            Add-Content $($currentFolder + "\" + $listOfWorkflowsUsed) $workflowDisplayName
        }

        # If The Workflow Is UnUsed
        If (!$workflowIsUsed) {
            Write-Host "Not In Use: '$workflowDisplayName'..." -ForeGroundColor Red
            Add-Content $($currentFolder + "\" + $listOfWorkflowsUnUsed) $workflowDisplayName
        }
    }
}

# Searching For Unused Mail Templates
# Mail Templates Can Be Used In:
# * Workflows
# * Referenced By SETs
If ($objectType.ToUpper() -eq "MAILTEMPLATE") {
    Write-Host ""
    Write-Host "+++ CHECKING USAGE OF MAIL TEMPLATES +++" -ForeGroundColor Cyan
    Write-Host ""

    # Files
    $listOfMailTemplatesUsed = "List-Of-MailTemplates-Used.txt"
    $listOfMailTemplatesUnUsed = "List-Of-MailTemplates-UnUsed.txt"

    # Check Current Files
    If (Test-Path $($currentFolder + "\" + $listOfMailTemplatesUsed)) {
        Remove-Item $($currentFolder + "\" + $listOfMailTemplatesUsed) -Force
    }
    If (Test-Path $($currentFolder + "\" + $listOfMailTemplatesUnUsed)) {
        Remove-Item $($currentFolder + "\" + $listOfMailTemplatesUnUsed) -Force
    }

    # Get All The Mail Templates
    $MailTemplatesInFIM = Export-FIMConfig -Uri $URI -OnlyBaseResources -CustomConfig "/EmailTemplate"
    $MailTemplatesInFIMPSObject = $MailTemplatesInFIM | Convert-FimExportToPSObject

    # Get All The Workflows
    $WorkflowsInFIM = Export-FIMConfig -Uri $URI -OnlyBaseResources -CustomConfig "/WorkflowDefinition"
    $WorkflowsInFIMPSObject = $WorkflowsInFIM | Convert-FimExportToPSObject

    # Get All The SETs
    $SETsInFIM = Export-FIMConfig -Uri $URI -OnlyBaseResources -CustomConfig "/Set"
    $SETsInFIMPSObject = $SETsInFIM | Convert-FimExportToPSObject

    # For Each Mail Template Check If It Is Used Somewhere
    ForEach ($MailTemplateInFIMPSObject In $MailTemplatesInFIMPSObject) {
        $mailTemplateDisplayName = $MailTemplateInFIMPSObject.DisplayName
        $mailTemplateObjectID = $MailTemplateInFIMPSObject.ObjectID
        $mailTemplateGuid = $mailTemplateObjectID -replace "^urn:uuid:", ""
        $mailTemplateNamePattern = [regex]::Escape($mailTemplateDisplayName)
        $mailTemplateIsUsed = $false

        # For Each Mail Template Check If It Is Used In Some Workflow (The Template GUID Is Embedded In The XOML)
        If (!$mailTemplateIsUsed) {
            ForEach ($WorkflowInFIMPSObject In $WorkflowsInFIMPSObject) {
                If ($WorkflowInFIMPSObject.XOML -match $mailTemplateGuid) {
                    # Object Is Used
                    $mailTemplateIsUsed = $true
                    Break
                }
            }
        }

        # For Each Mail Template Check If It Is Used In Some SET
        If (!$mailTemplateIsUsed) {
            ForEach ($SETInFIMPSObject In $SETsInFIMPSObject) {
                If ($SETInFIMPSObject.Filter -match $mailTemplateGuid -Or $SETInFIMPSObject.Filter -match $mailTemplateNamePattern) {
                    # Object Is Used
                    $mailTemplateIsUsed = $true
                    Break
                }
            }
        }

        # If The Mail Template Is Used
        If ($mailTemplateIsUsed) {
            Write-Host "In Use: '$mailTemplateDisplayName'..." -ForeGroundColor Green
            Add-Content $($currentFolder + "\" + $listOfMailTemplatesUsed) $mailTemplateDisplayName
        }

        # If The Mail Template Is UnUsed
        If (!$mailTemplateIsUsed) {
            Write-Host "Not In Use: '$mailTemplateDisplayName'..." -ForeGroundColor Red
            Add-Content $($currentFolder + "\" + $listOfMailTemplatesUnUsed) $mailTemplateDisplayName
        }
    }
}

The script supports the check for SET, Workflow and Mail Template objects. The script accepts two parameters, being -URI and -objectType. -URI is only mandatory if you are not running the script on the server with the FIM service. -objectType is always mandatory and accepts the values SET, Workflow or MailTemplate.

To find used and unused SETs, execute the following:

.\Finding-Unused-Objects-In-FIM-Portal.ps1 -objectType SET

The output can be seen below.


Figure 1: Finding Used And Unused SETS

To find used and unused Workflows, execute the following:

.\Finding-Unused-Objects-In-FIM-Portal.ps1 -objectType Workflow

The output can be seen below.


Figure 2: Finding Used And Unused Workflows

To find used and unused Mail Templates, execute the following:

.\Finding-Unused-Objects-In-FIM-Portal.ps1 -objectType MailTemplate

The output can be seen below.


Figure 3: Finding Used And Unused Mail Templates

In addition to the output on screen, the script also writes the output to text files. For each object type 2 files are created, when applicable: one file contains the objects that are used and the other file contains the unused objects.


Figure 4: Text Files Listing The Used And Unused Objects

Now, the script does NOT delete anything! It just enumerates the information and presents it to you. It is now up to you to delete an object or not based upon the information presented to you. As a suggestion, I would never delete an object that by default is in the FIM Portal.

Cheers,

Jorge


Posted in Forefront Identity Manager (FIM) Portal, Mail Template, SET, Workflow | 3 Comments »

(2013-02-06) Showing The Groups/SETs An Object Is A Member Of

Posted by Jorge on 2013-02-06


With groups and SETs you can see which objects are members (statically or dynamically) easily. This is of course from the perspective of the group or SET. BUT…. is it possible to show which groups or SETs an object is a member of? Yes, that’s possible and it’s quite easy! In this case I just do this for the Person object in the FIM Portal, but in general you can use this for any object, especially if you are thinking about SET memberships!

For EDIT mode of the Person object I edited the RCDC and added the following lines to show the security groups and the distribution groups a user is a member of under the TAB called “Group Membership Info”:

<my:Grouping my:Name="GroupMembershipInfo" my:Caption="Group Membership Info" my:Enabled="true" my:Visible="true">
  <my:Control my:Name="memberOfSecurityGroups" my:TypeName="UocListView" my:Caption="Member Of Security Groups" my:Description="This User Is A Member Of The Following Security Groups...">
    <my:Properties>
      <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,AccountName,Domain,Type,Scope,MembershipLocked,Owner"/>
      <my:Property my:Name="ResultObjectType" my:Value="Group"/>
      <my:Property my:Name="EmptyResultText" my:Value="The User Is NOT A Member Of Any Security Group..."/>
      <my:Property my:Name="ListFilter" my:Value="/Group[(Type='Security' and ComputedMember=/Person[ObjectID='%ObjectID%'])]"/>
      <my:Property my:Name="PageSize" my:Value="10"/>
      <my:Property my:Name="ShowTitleBar" my:Value="false"/>
      <my:Property my:Name="ShowActionBar" my:Value="false"/>
      <my:Property my:Name="ShowPreview" my:Value="false"/>
      <my:Property my:Name="ShowSearchControl" my:Value="false"/>
      <my:Property my:Name="EnableSelection" my:Value="false"/>
      <my:Property my:Name="SingleSelection" my:Value="false"/>
      <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog"/>
      <my:Property my:Name="ReadOnly" my:Value="true"/>
    </my:Properties>
  </my:Control>
  <my:Control my:Name="memberOfDistributionGroups" my:TypeName="UocListView" my:Caption="Member Of Distribution Groups" my:Description="This User Is A Member Of The Following Distribution Groups...">
    <my:Properties>
      <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,AccountName,Domain,Type,Scope,MembershipLocked,Owner"/>
      <my:Property my:Name="ResultObjectType" my:Value="Group"/>
      <my:Property my:Name="EmptyResultText" my:Value="The User Is NOT A Member Of Any Distribution Group..."/>
      <my:Property my:Name="ListFilter" my:Value="/Group[(Type='Distribution' and ComputedMember=/Person[ObjectID='%ObjectID%'])]"/>
      <my:Property my:Name="PageSize" my:Value="20"/>
      <my:Property my:Name="ShowTitleBar" my:Value="false"/>
      <my:Property my:Name="ShowActionBar" my:Value="false"/>
      <my:Property my:Name="ShowPreview" my:Value="false"/>
      <my:Property my:Name="ShowSearchControl" my:Value="false"/>
      <my:Property my:Name="EnableSelection" my:Value="false"/>
      <my:Property my:Name="SingleSelection" my:Value="false"/>
      <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog"/>
      <my:Property my:Name="ReadOnly" my:Value="true"/>
    </my:Properties>
  </my:Control>
</my:Grouping>

It looks like what is shown in the picture below.


Figure 1: Showing The Security And Distribution Groups A User Is A Member Of

For EDIT mode of the Person object I again edited the RCDC and added the following lines to show the SETs a user is a member of under the TAB called “SET Membership Info”:

<my:Grouping my:Name="SETMembershipInfo" my:Caption="SET Membership Info" my:Enabled="true" my:Visible="true">
  <my:Control my:Name="memberOfSETs" my:TypeName="UocListView" my:Caption="Member Of SETs" my:Description="This User Is A Member Of The Following SETs...">
    <my:Properties>
      <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Description"/>
      <my:Property my:Name="ResultObjectType" my:Value="Set"/>
      <my:Property my:Name="EmptyResultText" my:Value="The User Is NOT A Member Of Any SET..."/>
      <my:Property my:Name="ListFilter" my:Value="/Set[ComputedMember=/Person[ObjectID='%ObjectID%']]"/>
      <my:Property my:Name="PageSize" my:Value="20"/>
      <my:Property my:Name="ShowTitleBar" my:Value="false"/>
      <my:Property my:Name="ShowActionBar" my:Value="false"/>
      <my:Property my:Name="ShowPreview" my:Value="false"/>
      <my:Property my:Name="ShowSearchControl" my:Value="false"/>
      <my:Property my:Name="EnableSelection" my:Value="false"/>
      <my:Property my:Name="SingleSelection" my:Value="false"/>
      <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog"/>
      <my:Property my:Name="ReadOnly" my:Value="true"/>
    </my:Properties>
  </my:Control>
</my:Grouping>

It looks like what is shown in the picture below.


Figure 2: Showing The SETs A User Is A Member Of

Remember though, after editing the RCDC, to import it into the FIM Portal. Afterwards perform an IISRESET, close IE and reopen it.
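The same XPath filters that the “Referencing MPRs” tab of the SET RCDC and the two membership tabs of the Person RCDC use can also be run from PowerShell, which is handy when you want the result in a file for an audit rather than only in the portal. This is an added example, not code from these posts; it assumes the FIMAutomation snap-in with Export-FIMConfig as used throughout this blog, and the ObjectIDs in the usage lines are placeholders.

```powershell
# Added example (not from the original posts): run the RCDC tab filters from PowerShell.
# Assumes the FIMAutomation snap-in (Export-FIMConfig); ObjectIDs below are placeholders.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

Function Invoke-FimXPath {
    # Runs one XPath query and returns every hit as a PSObject with one property per attribute
    Param (
        [parameter(Mandatory=$true)] [string] $XPath,
        [string] $Uri = "http://localhost:5725/resourcemanagementservice"
    )
    Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $XPath | ForEach-Object {
        $obj = New-Object PSObject
        ForEach ($attr In $_.ResourceManagementObject.ResourceManagementAttributes) {
            $value = If ($attr.Value -ne $null) { $attr.Value } Else { $attr.Values }
            $obj | Add-Member -MemberType NoteProperty -Name $attr.AttributeName -Value $value
        }
        $obj
    }
}

Function ConvertTo-BareGuid {
    # XPath compares ObjectID against the bare GUID, without the "urn:uuid:" prefix the service returns
    Param ([parameter(Mandatory=$true)] [string] $ObjectID)
    Return ($ObjectID -replace "^urn:uuid:", "")
}

Function Get-MprReferencingSet {
    # Lists the MPRs that reference one SET, tagged with the role the SET plays in each of them
    # (the five roles of the "Referencing MPRs" tab) plus the Disabled and GrantRight flags.
    # An enabled MPR with GrantRight=True is the one to review before changing or deleting the SET,
    # because membership of that SET is what grants the permission.
    Param (
        [parameter(Mandatory=$true)] [string] $SetObjectID,
        [string] $Uri = "http://localhost:5725/resourcemanagementservice"
    )
    $guid = ConvertTo-BareGuid $SetObjectID
    $roles = @(
        @("Requestor SET",        "/ManagementPolicyRule[ManagementPolicyRuleType='Request' and PrincipalSet=/Set[ObjectID='$guid']]"),
        @("Before-operation SET", "/ManagementPolicyRule[ManagementPolicyRuleType='Request' and ResourceCurrentSet=/Set[ObjectID='$guid']]"),
        @("After-operation SET",  "/ManagementPolicyRule[ManagementPolicyRuleType='Request' and ResourceFinalSet=/Set[ObjectID='$guid']]"),
        @("Transition IN SET",    "/ManagementPolicyRule[ManagementPolicyRuleType='SetTransition' and ActionType='TransitionIn' and ResourceCurrentSet=/Set[ObjectID='$guid']]"),
        @("Transition OUT SET",   "/ManagementPolicyRule[ManagementPolicyRuleType='SetTransition' and ActionType='TransitionOut' and ResourceCurrentSet=/Set[ObjectID='$guid']]")
    )
    ForEach ($role In $roles) {
        Invoke-FimXPath -XPath $role[1] -Uri $Uri | ForEach-Object {
            New-Object PSObject -Property @{
                Role       = $role[0]
                MPR        = $_.DisplayName
                Disabled   = $_.Disabled
                GrantRight = $_.GrantRight
            }
        }
    }
}

Function Get-PersonMemberships {
    # Lists the SETs and the groups a Person is a computed member of, as the
    # "SET Membership Info" and "Group Membership Info" tabs do
    Param (
        [parameter(Mandatory=$true)] [string] $PersonObjectID,
        [string] $Uri = "http://localhost:5725/resourcemanagementservice"
    )
    $guid = ConvertTo-BareGuid $PersonObjectID
    Invoke-FimXPath -XPath "/Set[ComputedMember=/Person[ObjectID='$guid']]" -Uri $Uri | ForEach-Object {
        New-Object PSObject -Property @{ Kind = "Set"; Name = $_.DisplayName }
    }
    Invoke-FimXPath -XPath "/Group[ComputedMember=/Person[ObjectID='$guid']]" -Uri $Uri | ForEach-Object {
        New-Object PSObject -Property @{ Kind = "Group ($($_.Type))"; Name = $_.DisplayName }
    }
}

# Usage (both ObjectIDs are placeholders; use the values of your own SET and Person)
Get-MprReferencingSet -SetObjectID "urn:uuid:00000000-0000-0000-0000-000000000000" |
    Format-Table Role, MPR, Disabled, GrantRight -AutoSize
Get-PersonMemberships -PersonObjectID "urn:uuid:00000000-0000-0000-0000-000000000000" |
    Format-Table Kind, Name -AutoSize
```

Pipe either function into Export-Csv instead of Format-Table to keep a dated record of who could do what through a SET before you change it.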

Et voila!

For other scenarios, see:

Cheers,

Jorge


Posted in Forefront Identity Manager (FIM) Portal, RCDC, SET | 2 Comments »

(2013-02-06) Using/Testing Queries Within/Against The FIM Portal

Posted by Jorge on 2013-02-06


To test your XPATH queries in the FIM Portal you can either use a test SET, a test Search Scope, the Quest PowerShell CMDlets for FIM, or the internal FIM PowerShell CMDlets. When testing XPATH queries I just want to see if the XPATH actually works AND if it returns the correct/expected results. In other words, the attention is on the XPATH query configuration itself rather than on anything else. Because of that, in the past I used a test dynamic SET to test my XPATH queries, as that was the easiest way to go. However, if you are also interested in returning specific attribute values, then you were better off using a Search Scope.

In both cases, in addition to what you actually wanted to do, this could give you more work than you would want to have. Fear no more!

The guys at Predica have created a tool called the FIM Explorer. You can download the FIM Explorer from CodePlex.

With the FIM Explorer you can:

  • Execute any XPATH query against the FIM Service. By default it enumerates all attributes for which you have permissions, but you can also choose which specific ones to return;
  • Look for objects through their ObjectID (Resource ID);
  • Display the results in a table;
  • Look at the properties of a single object by double-clicking the ObjectID in the “Resource ID” column of the corresponding object;
  • Navigate through references in linked attributes by clicking on the ObjectID of the reference;
  • Export the results in the table to XML (the same XML format as when using the FIM Configuration CMDlets);
  • Import the result XML of either the FIM Explorer or the FIM Configuration CMDlets to display these in a table. This can be useful for "offline" analysis;
  • Run on any computer, as long as .NET Framework 4.5 is installed.

If you download the pre-compiled version of the FIM Explorer, you are good to go. Just before using the FIM Explorer you need to edit its configuration file, called “Predica.FimExplorer.exe.config”. When you open that file you should see something similar to the picture below.


Figure 1: The Configuration File Of The FIM Explorer

If you are running the FIM Explorer on the server that has the FIM service installed, you can either specify “http://localhost/” or the actual FQDN that points to the FIM service (e.g. “http://fimsvc.adcorp.lab/”). If you are running the FIM Explorer on a computer that does not have the FIM service installed, then you must specify the FQDN that points to the FIM service (e.g. “http://fimsvc.adcorp.lab/”). In addition, you can also specify credentials. If you leave the credentials (“fimUser” and “fimPassword”) empty as shown in figure 1, then the FIM Explorer will connect using the credentials of the currently logged-on user. As soon as you specify credentials, the FIM Explorer will use those credentials. That’s quite handy, as with this you can easily test your XPATH queries AND you can test your request based permission MPRs to see what a specific user is able to query for.

Instead of editing the configuration file by hand just before starting the FIM Explorer, I have written a quick and dirty PowerShell script that reads the FIM Explorer configuration, displays it, and lets you change the configured credentials. When done, it saves the configuration and starts the FIM Explorer right away. The PowerShell script should be located in the same folder as the FIM Explorer itself. Keep in mind that the FIM Explorer reads the password from that configuration file in clear text and that the script echoes it on screen: clear the credentials again (option C) when you are done, and do not leave a privileged password behind in that file on a shared machine. See the script below:

# Predica.FimExplorer.ps1
# Shows the connection settings in Predica.FimExplorer.exe.config, lets you change
# the configured credentials and then starts the FIM Explorer.
# Place this script in the same folder as Predica.FimExplorer.exe.
Clear-Host

# Use the folder this script is in (works on PowerShell 2.0 and later), so it also
# works when the current working directory is somewhere else
$currentFolder = Split-Path -Parent $MyInvocation.MyCommand.Path
$configFile = "$currentFolder\Predica.FimExplorer.exe.config"

$predicaFimExplorerConfig = New-Object XML
$predicaFimExplorerConfig.Load($configFile)

# The appSettings entries are expected in this order: service address, user, password
$fimSvcAddress = $predicaFimExplorerConfig.configuration.appSettings.add[0].value
$fimUser       = $predicaFimExplorerConfig.configuration.appSettings.add[1].value
$fimPassword   = $predicaFimExplorerConfig.configuration.appSettings.add[2].value

Write-Host ""
Write-Host "Current FIM Svc Address...: $fimSvcAddress"
Write-Host "Current User Account......: $fimUser"
Write-Host "Current Password..........: $fimPassword"
Write-Host ""

$chosenUser = Read-Host "Current Logged On User (C), Other User (O) Or Specified User (S)"

# C (or just Enter): empty user and password make the FIM Explorer use the logged on user
If ($chosenUser.ToUpper() -eq "C" -Or $chosenUser.ToUpper() -eq "") {
    Write-Host ""
    Write-Host "Using Credentials Of Current Logged On User"
    Write-Host ""
    $predicaFimExplorerConfig.configuration.appSettings.add[1].value = ""
    $predicaFimExplorerConfig.configuration.appSettings.add[2].value = ""
}

# O: ask for other credentials and write them (in clear text) into the config file
If ($chosenUser.ToUpper() -eq "O") {
    Write-Host ""
    Write-Host "Please Specify The Custom Credentials To Use..."
    Write-Host ""
    Write-Host "What is The User Name?"
    Write-Host " (<Domain NBT>\<sAMAccountName>) (<sAMAccountName>@<Domain FQDN>)"
    $credsUserName = Read-Host "User Name"
    Write-Host ""
    Write-Host "What's The Password?"
    $credsPassword = Read-Host "Password?"
    $predicaFimExplorerConfig.configuration.appSettings.add[1].value = "$credsUserName"
    $predicaFimExplorerConfig.configuration.appSettings.add[2].value = "$credsPassword"
}

# S: keep whatever is in the config file right now
If ($chosenUser.ToUpper() -eq "S") {
    Write-Host ""
    Write-Host "Using Credentials Of Already Specified User"
    Write-Host ""
}

$predicaFimExplorerConfig.Save($configFile)
Start-Sleep -s 3
& "$currentFolder\Predica.FimExplorer.exe"

However, if the execution policy on the server does not allow unsigned PowerShell scripts (like the one above), you cannot run the script directly. In that case you can start it through a batch file that bypasses the execution policy for that one PowerShell process only; the machine's execution policy itself is not changed. The batch file should be located in the same folder as the FIM Explorer and the PowerShell script. See the batch file below:

REM Predica.FimExplorer.cmd
@ECHO OFF
REM %~dp0 is the folder this batch file is in, so the script is found
REM regardless of the current working directory
PowerShell.exe -ExecutionPolicy Bypass -File "%~dp0Predica.FimExplorer.ps1"

This all looks like the picture below:

Figure 2: Starting The FIM Explorer Through A Script And Specifying Other Credentials

As soon as you start the FIM Explorer, it looks like the picture below.

Figure 3: Running The FIM Explorer

When looking at Figure 3:

[A] Here you specify your custom XPATH query, for example /Person or /Person[AccountName='ADM.ROOT'] (also have a look at this post and this post)

[B] Or you click one of the listed object types to return all objects of that type

[C] By default you get all attributes back for which you have read permission, or you select the attributes you want returned in the response

[D] After specifying and selecting everything you want, you click the "Run Query" button

[E] And here you see all the objects matching your XPATH query, with the attributes you asked for (all or specific)

[F] Clicking "Export To XML" exports the result to an XML file that uses the same format as the FIM Configuration CMDlets. Clicking "Import XML" imports a result XML file from either the FIM Explorer or the FIM Configuration CMDlets and displays it in a table. This can be useful for "offline" analysis.

However, if your result set is too large you will end up with the following nice error! Smile It basically tells you that the WCF message size quota for incoming messages (MaxReceivedMessageSize) has been exceeded and needs to be increased.

Figure 4: Message Size Quota Error When Limit Is Exceeded
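If you only need the result set and not the GUI, the FIMAutomation snap-in lets you raise that quota per call with the -MessageSize parameter of Export-FIMConfig (the value is in bytes), so no rebuild is needed. The following added example, which is not part of the original post or of the FIM Explorer, exports a large result set that way, writes it in the same XML format the FIM Explorer's "Export To XML" and "Import XML" buttons use, and then reads the file back for offline analysis. The FIM Service address, the output path and the helper function name (Get-AttributeValue) are assumptions for the example.

```powershell
# Added example: export a large result set with the FIMAutomation snap-in, raising the
# WCF message size quota for this call only, and round-trip the result through the
# FIM configuration cmdlet XML format for "offline" analysis.
# Not part of the original post or of the FIM Explorer.
# Assumptions: FIM Service at http://fimsvc.adcorp.lab:5725, output path C:\Temp\AllPersons.xml.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$fimUri  = "http://fimsvc.adcorp.lab:5725/ResourceManagementService"
$xmlFile = "C:\Temp\AllPersons.xml"

# Export all Person objects. -MessageSize sets the maximum incoming message size in
# bytes for this call (20 MB here); the FIM Explorer binding still needs the rebuild
# described in the post.
$export = Export-FIMConfig -Uri $fimUri -CustomConfig "/Person" -OnlyBaseResources -MessageSize 20000000
Write-Host ("Exported {0} objects" -f @($export).Count)

# Save in the FIM configuration cmdlet XML format (the format the FIM Explorer's
# Export To XML / Import XML buttons use as well)
$export | ConvertFrom-FIMResource -File $xmlFile

# Returns the value(s) of one attribute of an ExportObject, or $null when the
# attribute was not returned (for example because of missing read permission)
Function Get-AttributeValue {
    Param($ExportObject, [string] $Name)
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    If ($attr -eq $null) { Return $null }
    If ($attr.IsMultiValue) { Return $attr.Values } Else { Return $attr.Value }
}

# Later, without a connection to the FIM Service: read the file back into
# ExportObjects and analyse them
$offline = ConvertTo-FIMResource -File $xmlFile

# Example analysis 1: account names of people without an e-mail address
$offline | Where-Object { -not (Get-AttributeValue $_ "Email") } |
    ForEach-Object { Get-AttributeValue $_ "AccountName" }

# Example analysis 2: number of people per domain
$offline | ForEach-Object { Get-AttributeValue $_ "Domain" } |
    Group-Object | Select-Object Name, Count | Format-Table -AutoSize
```

The XML file contains every attribute the exporting account was allowed to read, so treat it with the same care as the data in the FIM Service itself.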

To get rid of the error in the FIM Explorer you need to increase the message size quota, which means rebuilding the tool from source. Download the uncompiled version of the FIM Explorer (click DOWNLOAD), save the ZIP somewhere and unpack it. You are not there yet: you also need the FIMClient solution used by the FIM Explorer. Click ZIP, save the file and unpack it. Copy its contents (the folders 'lib' and 'src' and the three files) into the FIMClient folder of the uncompiled FIM Explorer. Now you need Visual Studio. Double-click the file "Predica.FimExplorer.sln" to open the solution in Visual Studio.

Figure 5: The “Predica.FimExplorer” Solution

Navigate to: “Solution ‘Predica.FimExplorer’” –> “FimClient” –> “Fim2010Client.Client” –> “_Predica” –> “CodeInit” –> “Bindings.cs” and double-click on “Bindings.cs”. Now search for “MaxReceivedMessageSize”.

Figure 6: Changing The Value For “MaxReceivedMessageSize”

Change the value to one of your liking; in this case I just doubled it. The quota exists to cap the memory a single incoming message may consume, so pick a value that covers your largest expected result set rather than an arbitrarily huge one. Save the file "Bindings.cs". Then right-click "Solution 'Predica.FimExplorer'" and select "Rebuild Solution".

Now copy:

  • "..\FimClient\src\_external\fim2010client\Microsoft.ResourceManagement.Client\bin\Debug\Microsoft.ResourceManagement.Client.Predica.dll" to the folder that contains the FIM Explorer
  • "..\src\UI.WPF\bin\Debug\Predica.FimExplorer.exe" to the folder that contains the FIM Explorer

Now double-click on the file “Predica.FimExplorer.cmd” to start the FIM Explorer.

This is quite cool to easily test your XPATH queries! Great job guys!

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Forefront Identity Manager (FIM) Portal, PowerShell, Search Scopes, SET, Tooling/Scripting, Xpath