Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘SET’ Category

(2013-10-02) Showing The MPRs A Specific SET Object Is Being Used In

Posted by Jorge on 2013-10-02


As you know SETs are only useful within Management Policy Rules (MPRs), when referenced by other SETs, when referenced by Search Scopes and when referenced by RCDCs. If you want to see if SETs are being used at all or not, you should have a look at this blog post. In this case we are interested to find out in WHICH MPRs a specific SET is being used. By default you would need to use the MPR Explorer to find out. You can read more about the MPR Explorer in this blog. Before being able to use the MPR Explorer, you first need to know the name of the SET. Then you open up the MPR Explorer, specify for what you want to find MPRs (in this case a SET) and then you define criteria. Finally the results will be shown. Now is it possible to do this in an easier way? YES, it is!

Away silver! Smile

When looking at SETs, those can be used by MPRs in the following way:

  • Request Based MPRs
    • As a “requestor SET”
    • As a “before the operation SET”
    • As a “after the operation SET”
  • Transition Based MPRs
    • As a “Transition IN” SET
    • As a “Transition OUT” SET

The easiest way to find in which MPRs a specific SET is being used, is through the GUI with very minimal input. In other words, by adjusting the RCDC of the SET object. I only paid attention for the RCDC for editing SETs (which can also be used for viewing by the way). I’m showing this in figure 1 and 2. For the RCDC (edit mode) of the SET object I added an additional TAB called “Referencing MPRs”. Within that TAB you will find 5 sections where MPRs can be listed if referencing that specific SET. For each MPR I also specify if an MPR is disabled or not, and in the case of request based MPRs I also specify if the MPR is a permissions based MPR.

image

Figure 1: Listing The Request Based MPRs Which The SET Can Be Used In

In the picture above you see in which request based MPR the SET is being used as either a requestor SET, a “before the operation SET” and/or an “after the operation SET”. If you scroll further down you will what is shown below.

image

Figure 2: Listing The Transition Based MPRs Which The SET Can Be Used In

In the picture above you see in which transition based MPR the SET is being used as either a “transition in SET” and/or an “transition out SET”.

OK, OK, of course you want to know HOW to do this?! After exporting the RCDC configuration for EDIT mode of SET objects, you add the XML text below AFTER the “StaticMembership” grouping and BEFORE the “Summary” grouping. Save the XML file, and reimport it as a new RCDC configuration for EDIT mode. Either wait at least 15 minutes for the GUI to be refreshed or perform a manual IISRESET on every FIM Portal server to refresh immediately.

<my:Grouping my:Name="ReferencingMPRs" my:Caption="Referencing MPRs" my:Enabled="true" my:Visible="true"> <my:Control my:Name="SETUsedInRequestMPRAsRequestorSET" my:TypeName="UocListView" my:Caption="Used In Request MPR As Requestor SET" my:Description="This SET Is Used In An Request MPR As A Requestor SET..."> <my:Properties> <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Disabled,GrantRight"/> <my:Property my:Name="ResultObjectType" my:Value="ManagementPolicyRule"/> <my:Property my:Name="EmptyResultText" my:Value="This SET Is NOT Used In An Request MPR As A Requestor SET..."/> <my:Property my:Name="ListFilter" my:Value="/ManagementPolicyRule[(ManagementPolicyRuleType='Request' and PrincipalSet=/Set[ObjectID='%ObjectID%'])]"/> <my:Property my:Name="PageSize" my:Value="10"/> <my:Property my:Name="ShowTitleBar" my:Value="false"/> <my:Property my:Name="ShowActionBar" my:Value="false"/> <my:Property my:Name="ShowPreview" my:Value="false"/> <my:Property my:Name="ShowSearchControl" my:Value="false"/> <my:Property my:Name="EnableSelection" my:Value="false"/> <my:Property my:Name="SingleSelection" my:Value="false"/> <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog"/> <my:Property my:Name="ReadOnly" my:Value="true"/> </my:Properties> </my:Control> <my:Control my:Name="SETUsedInRequestMPRAsBeforeSET" my:TypeName="UocListView" my:Caption="Used In Request MPR As Before SET" my:Description="This SET Is Used In An Request MPR As A Before SET..."> <my:Properties> <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Disabled,GrantRight"/> <my:Property my:Name="ResultObjectType" my:Value="ManagementPolicyRule"/> <my:Property my:Name="EmptyResultText" my:Value="This SET Is NOT Used In An Request MPR As A Before SET..."/> <my:Property my:Name="ListFilter" my:Value="/ManagementPolicyRule[(ManagementPolicyRuleType='Request' and ResourceCurrentSet=/Set[ObjectID='%ObjectID%'])]"/> <my:Property my:Name="PageSize" my:Value="10"/> <my:Property my:Name="ShowTitleBar" my:Value="false"/> <my:Property my:Name="ShowActionBar" my:Value="false"/> <my:Property my:Name="ShowPreview" my:Value="false"/> <my:Property my:Name="ShowSearchControl" my:Value="false"/> <my:Property my:Name="EnableSelection" my:Value="false"/> <my:Property my:Name="SingleSelection" my:Value="false"/> <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog"/> <my:Property my:Name="ReadOnly" my:Value="true"/> </my:Properties> </my:Control> <my:Control my:Name="SETUsedInRequestMPRAsAfterSET" my:TypeName="UocListView" my:Caption="Used In Request MPR As After SET" my:Description="This SET Is Used In An Request MPR As A After SET..."> <my:Properties> <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Disabled,GrantRight"/> <my:Property my:Name="ResultObjectType" my:Value="ManagementPolicyRule"/> <my:Property my:Name="EmptyResultText" my:Value="This SET Is NOT Used In An Request MPR As A After SET..."/> <my:Property my:Name="ListFilter" my:Value="/ManagementPolicyRule[(ManagementPolicyRuleType='Request' and ResourceFinalSet=/Set[ObjectID='%ObjectID%'])]"/> <my:Property my:Name="PageSize" my:Value="10"/> <my:Property my:Name="ShowTitleBar" my:Value="false"/> <my:Property my:Name="ShowActionBar" my:Value="false"/> <my:Property my:Name="ShowPreview" my:Value="false"/> <my:Property my:Name="ShowSearchControl" my:Value="false"/> <my:Property my:Name="EnableSelection" my:Value="false"/> <my:Property my:Name="SingleSelection" my:Value="false"/> <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog"/> <my:Property my:Name="ReadOnly" my:Value="true"/> </my:Properties> </my:Control> <my:Control my:Name="SETUsedInTransitionMPRAsTransitionInSET" my:TypeName="UocListView" my:Caption="Used In Transition MPR As TransitionIN SET" my:Description="This SET Is Used In A Transition MPR As A TransitionIN SET..."> <my:Properties> <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Disabled,GrantRight"/> <my:Property my:Name="ResultObjectType" my:Value="ManagementPolicyRule"/> <my:Property my:Name="EmptyResultText" my:Value="This SET Is NOT Used In A Transition MPR As A TransitionIN SET..."/> <my:Property my:Name="ListFilter" my:Value="/ManagementPolicyRule[(ManagementPolicyRuleType='SetTransition' and ActionType='TransitionIn' and ResourceCurrentSet=/Set[ObjectID='%ObjectID%'])]"/> <my:Property my:Name="PageSize" my:Value="10"/> <my:Property my:Name="ShowTitleBar" my:Value="false"/> <my:Property my:Name="ShowActionBar" my:Value="false"/> <my:Property my:Name="ShowPreview" my:Value="false"/> <my:Property my:Name="ShowSearchControl" my:Value="false"/> <my:Property my:Name="EnableSelection" my:Value="false"/> <my:Property my:Name="SingleSelection" my:Value="false"/> <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog"/> <my:Property my:Name="ReadOnly" my:Value="true"/> </my:Properties> </my:Control> <my:Control my:Name="SETUsedInTransitionMPRAsTransitionOutSET" my:TypeName="UocListView" my:Caption="Used In Transition MPR As TransitionOUT SET" my:Description="This SET Is Used In A Transition MPR As A TransitionOUT SET..."> <my:Properties> <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Disabled,GrantRight"/> <my:Property my:Name="ResultObjectType" my:Value="ManagementPolicyRule"/> <my:Property my:Name="EmptyResultText" my:Value="This SET Is NOT Used In A Transition MPR As A TransitionOUT SET..."/> <my:Property my:Name="ListFilter" my:Value="/ManagementPolicyRule[(ManagementPolicyRuleType='SetTransition' and ActionType='TransitionOut' and ResourceCurrentSet=/Set[ObjectID='%ObjectID%'])]"/> <my:Property my:Name="PageSize" my:Value="10"/> <my:Property my:Name="ShowTitleBar" my:Value="false"/> <my:Property my:Name="ShowActionBar" my:Value="false"/> <my:Property my:Name="ShowPreview" my:Value="false"/> <my:Property my:Name="ShowSearchControl" my:Value="false"/> <my:Property my:Name="EnableSelection" my:Value="false"/> <my:Property my:Name="SingleSelection" my:Value="false"/> <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog"/> <my:Property my:Name="ReadOnly" my:Value="true"/> </my:Properties> </my:Control> </my:Grouping>

Et voila!

For other scenarios, see:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Forefront Identity Manager (FIM) Portal, MPR, RCDC, SET | 3 Comments »

(2013-02-08) Unused SETs, Unused Workflows, Unused Mail Templates – Keeping FIM Portal Clean From Unused Configuration Objects

Posted by Jorge on 2013-02-08


As soon as you have installed FIM you start configuring it according to your application design, which is based upon the data model and the usage scenarios. In case of the FIM Portal you configure it with configuration objects (MPRs, SETs, Workflows, Mail Templates, etc.) that in the end will be the technical components that give you the desired logic to do whatever you need it to do. At least I hope so! Smile

During the usage of the FIM Portal, stuff changes because requirements change and logic change. Because of that objects are added and changed to accommodate the new requirements and therefore the required logic. BUT….. where’s the part about deleting unused objects, in other words CLEAN UP! By default there is nothing in FIM that will tell you if objects are not used. Is it impossible to get that information? No, but you need to do it yourself! I want to keep my FIM Portal configuration clean, therefore I have created the following PowerShell script to help me with that. And I do hope it helps you too!

# Jorge de Almeida Pinto [MVP-DS] # https://jorgequestforknowledge.wordpress.com/ # # +++ Finding UnUsed Objects In The FIM Portal +++ Param ( [string] $URI = "http://localhost:5725/resourcemanagementservice", [parameter(Mandatory=$true)] [string] $objectType ) # Clear The Screen Clear-Host # Import The FIM 2010 (R2) Snap-In If Available $SnapIn = "FIMAutomation" If(@(Get-PSSnapin | Where-Object {$_.Name -eq $SnapIn} ).count -eq 0) { If(@(Get-PSSnapin -Registered | Where-Object {$_.Name -eq $SnapIn} ).count -ne 0) { Add-PSSnapin $SnapIn Write-Host "" Write-Host "Snap-In '$SnapIn' Has Been Loaded..." -ForeGroundColor Green Write-Host "Continuing Script..." -ForeGroundColor Green Write-Host "" } Else { Write-Host "" Write-Host "Snap-In '$SnapIn' Is NOT Available To Load..." -ForeGroundColor Red Write-Host "Aborting Script..." -ForeGroundColor Red Write-Host "" Exit } } Else { Write-Host "" Write-Host "Snap-In '$SnapIn' Has Already Been Loaded..." -ForeGroundColor Green Write-Host "Continuing Script..." -ForeGroundColor Green Write-Host "" } # Convert a FIM ExportObject to a PowerShell PSObject # http://www.identitytrench.com/2011/07/convert-fim-exportobject-to-powershell.html Function Convert-FimExportToPSObject { Param ( [parameter(Mandatory=$true, ValueFromPipeline = $true)] [Microsoft.ResourceManagement.Automation.ObjectModel.ExportObject] $ExportObject ) Process { $psObject = New-Object PSObject $ExportObject.ResourceManagementObject.ResourceManagementAttributes | ForEach-Object { if ($_.Value -ne $null) { $value = $_.Value } elseif($_.Values -ne $null) { $value = $_.Values } else { $value = $null } $psObject | Add-Member -MemberType NoteProperty -Name $_.AttributeName -Value $value } Write-Output $psObject } } # Current Folder $currentFolder = (Get-Location).Path # Searching For Unused SETs # SETs Can Be Used In: # * MPRs # * Referenced By Other SETs # * Referenced By Search Scopes # * Referenced By RCDCs If ($objectType.ToUpper() -eq "SET") { Write-Host "" Write-Host "+++ CHECKING USAGE OF SETS +++" -ForeGroundColor Cyan Write-Host "" # Files $listOfSETsUsed = "List-Of-Sets-Used.txt" $listOfSETsUnUsed = "List-Of-Sets-UnUsed.txt" # Check Current Files If (Test-Path $($currentFolder + "\" + $listOfSETsUsed)) { Remove-Item $($currentFolder + "\" + $listOfSETsUsed) -Force } If (Test-Path $($currentFolder + "\" + $listOfSETsUnUsed)) { Remove-Item $($currentFolder + "\" + $listOfSETsUnUsed) -Force } # Get All The SETs $SETsInFIM = Export-FIMConfig -Uri $URI –OnlyBaseResources -CustomConfig "/Set" $SETsInFIMPSObject = $SETsInFIM | Convert-FimExportToPSObject # Get All The MPRs $MPRsInFIM = Export-FIMConfig -Uri $URI –OnlyBaseResources -CustomConfig "/ManagementPolicyRule" $MPRsInFIMPSObject = $MPRsInFIM | Convert-FimExportToPSObject # Get All The SearchScopes $SearchScopesInFIM = Export-FIMConfig -Uri $URI –OnlyBaseResources -CustomConfig "/SearchScopeConfiguration" $SearchScopesInFIMPSObject = $SearchScopesInFIM | Convert-FimExportToPSObject # Get All The RCDCs $RCDCsInFIM = Export-FIMConfig -Uri $URI –OnlyBaseResources -CustomConfig "/ObjectVisualizationConfiguration" $RCDCsInFIMPSObject = $RCDCsInFIM | Convert-FimExportToPSObject # For Each SET Check If It Is Used Somewhere ForEach ($SETInFIMPSObject In $SETsInFIMPSObject) { $setDisplayName = $SETInFIMPSObject.DisplayName $setObjectID = $SETInFIMPSObject.ObjectID $setIsUsed = $false # For Each SET Check If It Is Used In Some MPR If (!$setIsUsed) { ForEach ($MPRInFIMPSObject In $MPRsInFIMPSObject) { If ($MPRInFIMPSObject.PrincipalSet -eq $setObjectID -Or $MPRInFIMPSObject.ResourceCurrentSet -eq $setObjectID -Or $MPRInFIMPSObject.ResourceFinalSet -eq $setObjectID) { # Object Is Used $setIsUsed = $true Break } Else { # Object Is NOT Used $setIsUsed = $false } } } # For Each SET Check If It Is Used In Some Other SET If (!$setIsUsed) { ForEach ($SETInFIMPSObject In $SETsInFIMPSObject) { If ($SETInFIMPSObject.Filter -match $($setObjectID.TrimStart("urn:uuid:")) -Or $SETInFIMPSObject.Filter -match $setDisplayName) { # Object Is Used $setIsUsed = $true Break } Else { # Object Is NOT Used $setIsUsed = $false } } } # For Each SET Check If It Is Used In Some Workflow If (!$setIsUsed) { ForEach ($SearchScopeInFIMPSObject In $SearchScopesInFIMPSObject) { If ($SearchScopeInFIMPSObject.SearchScope -match $($setObjectID.TrimStart("urn:uuid:")) -Or $SearchScopeInFIMPSObject.SearchScope -match $setDisplayName) { # Object Is Used $setIsUsed = $true Break } Else { # Object Is NOT Used $setIsUsed = $false } } } # For Each SET Check If It Is Used In Some RCDC If (!$setIsUsed) { ForEach ($RCDCInFIMPSObject In $RCDCsInFIMPSObject) { If ($RCDCInFIMPSObject.ConfigurationData -match $($setObjectID.TrimStart("urn:uuid:")) -Or $RCDCInFIMPSObject.ConfigurationData -match $setDisplayName) { # Object Is Used $setIsUsed = $true Break } Else { # Object Is NOT Used $setIsUsed = $false } } } # If The SET Is Used If ($setIsUsed) { Write-Host "In Use: '$setDisplayName'..." -ForeGroundColor Green Add-Content $($currentFolder + "\" + $listOfSETsUsed) $setDisplayName } # If The SET Is UnUsed If (!$setIsUsed) { Write-Host "Not In Use: '$setDisplayName'..." -ForeGroundColor Red Add-Content $($currentFolder + "\" + $listOfSETsUnUsed) $setDisplayName } } } # Searching For Unused WorkFlows # WorkFlows Can Be Used In: # * MPRs # * Referenced By SETs If ($objectType.ToUpper() -eq "Workflow") { Write-Host "" Write-Host "+++ CHECKING USAGE OF WORKFLOWS +++" -ForeGroundColor Cyan Write-Host "" # Files $listOfWorkflowsUsed = "List-Of-Workflows-Used.txt" $listOfWorkflowsUnUsed = "List-Of-Workflows-UnUsed.txt" # Check Current Files If (Test-Path $($currentFolder + "\" + $listOfWorkflowsUsed)) { Remove-Item $($currentFolder + "\" + $listOfWorkflowsUsed) -Force } If (Test-Path $($currentFolder + "\" + $listOfWorkflowsUnUsed)) { Remove-Item $($currentFolder + "\" + $listOfWorkflowsUnUsed) -Force } # Get All The Workflows $WorkflowsInFIM = Export-FIMConfig -Uri $URI –OnlyBaseResources -CustomConfig "/WorkflowDefinition" $WorkflowsInFIMPSObject = $WorkflowsInFIM | Convert-FimExportToPSObject # Get All The MPRs $MPRsInFIM = Export-FIMConfig -Uri $URI –OnlyBaseResources -CustomConfig "/ManagementPolicyRule" $MPRsInFIMPSObject = $MPRsInFIM | Convert-FimExportToPSObject # Get All The SETs $SETsInFIM = Export-FIMConfig -Uri $URI –OnlyBaseResources -CustomConfig "/Set" $SETsInFIMPSObject = $SETsInFIM | Convert-FimExportToPSObject # For Each Workflow Check If It Is Used Somewhere ForEach ($WorkflowInFIMPSObject In $WorkflowsInFIMPSObject) { $workflowDisplayName = $WorkflowInFIMPSObject.DisplayName $workflowObjectID = $WorkflowInFIMPSObject.ObjectID $workflowIsUsed = $false # For Each Workflow Check If It Is Used In Some MPR If (!$workflowIsUsed) { ForEach ($MPRInFIMPSObject In $MPRsInFIMPSObject) { If ($MPRInFIMPSObject.ActionWorkflowDefinition -contains $WorkflowObjectID -Or $MPRInFIMPSObject.AuthenticationWorkflowDefinition -contains $setObjectID -Or $MPRInFIMPSObject.AuthorizationWorkflowDefinition -contains $WorkflowObjectID) { # Object Is Used $workflowIsUsed = $true Break } Else { # Object Is NOT Used $workflowIsUsed = $false } } } # For Each Workflow Check If It Is Used In Some SET If (!$workflowIsUsed) { ForEach ($SETInFIMPSObject In $SETsInFIMPSObject) { If ($SETInFIMPSObject.Filter -match $($workflowObjectID.TrimStart("urn:uuid:")) -Or $SETInFIMPSObject.Filter -match $workflowDisplayName) { # Object Is Used $workflowIsUsed = $true Break } Else { # Object Is NOT Used $workflowIsUsed = $false } } } # If The Workflow Is Used If ($workflowIsUsed) { Write-Host "In Use: '$workflowDisplayName'..." -ForeGroundColor Green Add-Content $($currentFolder + "\" + $listOfWorkflowsUsed) $workflowDisplayName } # If The Workflow Is UnUsed If (!$workflowIsUsed) { Write-Host "Not In Use: '$workflowDisplayName'..." -ForeGroundColor Red Add-Content $($currentFolder + "\" + $listOfWorkflowsUnUsed) $workflowDisplayName } } } # Searching For Unused Mail Templates # Mail Templates Can Be Used In: # * Workflows # * Referenced By SETs If ($objectType.ToUpper() -eq "MailTemplate") { Write-Host "" Write-Host "+++ CHECKING USAGE OF MAIL TEMPLATES +++" -ForeGroundColor Cyan Write-Host "" # Files $listOfMailTemplatesUsed = "List-Of-MailTemplates-Used.txt" $listOfMailTemplatesUnUsed = "List-Of-MailTemplates-UnUsed.txt" # Check Current Files If (Test-Path $($currentFolder + "\" + $listOfMailTemplatesUsed)) { Remove-Item $($currentFolder + "\" + $listOfMailTemplatesUsed) -Force } If (Test-Path $($currentFolder + "\" + $listOfMailTemplatesUnUsed)) { Remove-Item $($currentFolder + "\" + $listOfMailTemplatesUnUsed) -Force } # Get All The Mail Templates $MailTemplatesInFIM = Export-FIMConfig -Uri $URI –OnlyBaseResources -CustomConfig "/EmailTemplate" $MailTemplatesInFIMPSObject = $MailTemplatesInFIM | Convert-FimExportToPSObject # Get All The Workflows $WorkflowsInFIM = Export-FIMConfig -Uri $URI –OnlyBaseResources -CustomConfig "/WorkflowDefinition" $WorkflowsInFIMPSObject = $WorkflowsInFIM | Convert-FimExportToPSObject # Get All The SETs $SETsInFIM = Export-FIMConfig -Uri $URI –OnlyBaseResources -CustomConfig "/Set" $SETsInFIMPSObject = $SETsInFIM | Convert-FimExportToPSObject # For Each Mail Template Check If It Is Used Somewhere ForEach ($MailTemplateInFIMPSObject In $MailTemplatesInFIMPSObject) { $mailTemplateDisplayName = $MailTemplateInFIMPSObject.DisplayName $mailTemplateObjectID = $MailTemplateInFIMPSObject.ObjectID $mailTemplateIsUsed = $false # For Each Mail Template Check If It Is Used In Some Workflow If (!$mailTemplateIsUsed) { ForEach ($WorkflowInFIMPSObject In $WorkflowsInFIMPSObject) { If ($WorkflowInFIMPSObject.XOML -match $($mailTemplateObjectID.TrimStart("urn:uuid:"))) { # Object Is Used $mailTemplateIsUsed = $true Break } Else { # Object Is NOT Used $mailTemplateIsUsed = $false } } } # For Each Mail Template Check If It Is Used In Some SET If (!$mailTemplateIsUsed) { ForEach ($SETInFIMPSObject In $SETsInFIMPSObject) { If ($SETInFIMPSObject.Filter -match $($mailTemplateObjectID.TrimStart("urn:uuid:")) -Or $SETInFIMPSObject.Filter -match $mailTemplateDisplayName) { # Object Is Used $mailTemplateIsUsed = $true Break } Else { # Object Is NOT Used $mailTemplateIsUsed = $false } } } # If The Mail Template Is Used If ($mailTemplateIsUsed) { Write-Host "In Use: '$mailTemplateDisplayName'..." -ForeGroundColor Green Add-Content $($currentFolder + "\" + $listOfMailTemplatesUsed) $mailTemplateDisplayName } # If The Mail Template Is UnUsed If (!$mailTemplateIsUsed) { Write-Host "Not In Use: '$mailTemplateDisplayName'..." -ForeGroundColor Red Add-Content $($currentFolder + "\" + $listOfMailTemplatesUnUsed) $mailTemplateDisplayName } } }

The script supports the check for SET, Workflow and Mail Template objects. The script accepts two parameters, being -URI and -objectType. -URI is only mandatory if you are not running the script on the server with the FIM service. -objectType is always mandatory and accepts the values SET, Workflow or MailTemplate.

To find used and unused SETs, execute the following:

.\Finding-Unused-Objects-In-FIM-Portal.ps1 -objectType SET

The output can be seen below.

SNAGHTML352f4120

Figure 1: Finding Used And Unused SETS

To find used and unused Workflows, execute the following:

.\Finding-Unused-Objects-In-FIM-Portal.ps1 -objectType Workflow

The output can be seen below.

SNAGHTML353e7621

Figure 2: Finding Used And Unused Workflows

To find used and unused Mail Templates, execute the following:

.\Finding-Unused-Objects-In-FIM-Portal.ps1 -objectType MailTemplate

The output can be seen below.

SNAGHTML353f3aba

Figure 3: Finding Used And Unused Mail Templates

In addition to the output on screen, the script will also provide the output to a text file. For each object type 2 files are created when applicable. One file contains the objects used and the other file contains the unused objects.

SNAGHTML353e2b9b

Figure 4: Text Files Listing The Used And Unused Objects

Now, the script does NOT delete anything! It just enumerates the information and presents it to you. It is now up to you to delete an object or not based upon the information presented to you. As a suggestion, I would never delete an object that by default is in the FIM Portal.

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Forefront Identity Manager (FIM) Portal, Mail Template, SET, Workflow | 3 Comments »

(2013-02-06) Showing The Groups/SETs An Object Is A Member Of

Posted by Jorge on 2013-02-06


With groups and SETs you can see which objects are members (statically or dynamically) easily. This is of course from the perspective of the group or SET. BUT…. is it possible to show which groups or SETs an object is a member of? Yes, that’s possible and it’s quite easy! In this case I just do this for the Person object in the FIM Portal, but in general you can use this for any object, especially if you are thinking about SET memberships!

For EDIT mode of the Person object I edited the RCDC and added the following lines to show the security groups and the distribution groups a user is a member of under the TAB called “Group Membership Info”:

<my:Grouping my:Name="GroupMembershipInfo" my:Caption="Group Membership Info" my:Enabled="true" my:Visible="true"> <my:Control my:Name="memberOfSecurityGroups" my:TypeName="UocListView" my:Caption="Member Of Security Groups" my:Description="This User Is A Member Of The Following Security Groups..."> <my:Properties> <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,AccountName,Domain,Type,Scope,MembershipLocked,Owner"/> <my:Property my:Name="ResultObjectType" my:Value="Group"/> <my:Property my:Name="EmptyResultText" my:Value="The User Is NOT A Member Of Any Security Group..."/> <my:Property my:Name="ListFilter" my:Value="/Group[(Type='Security' and ComputedMember=/Person[ObjectID='%ObjectID%'])]"/> <my:Property my:Name="PageSize" my:Value="10"/> <my:Property my:Name="ShowTitleBar" my:Value="false"/> <my:Property my:Name="ShowActionBar" my:Value="false"/> <my:Property my:Name="ShowPreview" my:Value="false"/> <my:Property my:Name="ShowSearchControl" my:Value="false"/> <my:Property my:Name="EnableSelection" my:Value="false"/> <my:Property my:Name="SingleSelection" my:Value="false"/> <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog"/> <my:Property my:Name="ReadOnly" my:Value="true"/> </my:Properties> </my:Control> <my:Control my:Name="memberOfDistributionGroups" my:TypeName="UocListView" my:Caption="Member Of Distribution Groups" my:Description="This User Is A Member Of The Following Distribution Groups..."> <my:Properties> <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,AccountName,Domain,Type,Scope,MembershipLocked,Owner"/> <my:Property my:Name="ResultObjectType" my:Value="Group"/> <my:Property my:Name="EmptyResultText" my:Value="The User Is NOT A Member Of Any Distribution Group..."/> <my:Property my:Name="ListFilter" my:Value="/Group[(Type='Distribution' and ComputedMember=/Person[ObjectID='%ObjectID%'])]"/> <my:Property my:Name="PageSize" my:Value="20"/> <my:Property my:Name="ShowTitleBar" my:Value="false"/> <my:Property my:Name="ShowActionBar" my:Value="false"/> <my:Property my:Name="ShowPreview" my:Value="false"/> <my:Property my:Name="ShowSearchControl" my:Value="false"/> <my:Property my:Name="EnableSelection" my:Value="false"/> <my:Property my:Name="SingleSelection" my:Value="false"/> <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog"/> <my:Property my:Name="ReadOnly" my:Value="true"/> </my:Properties> </my:Control> </my:Grouping>

It looks like is shown in the picture below.

image

Figure 1: Showing The Security And Distribution Groups A User Is A Member Of

For EDIT mode of the Person object I again edited the RCDC and added the following lines to show the SETs a user is a member of under the TAB called “SET Membership Info”:

<my:Grouping my:Name="SETMembershipInfo" my:Caption="SET Membership Info" my:Enabled="true" my:Visible="true"> <my:Control my:Name="memberOfSETs" my:TypeName="UocListView" my:Caption="Member Of SETs" my:Description="This User Is A Member Of The Following SETs..."> <my:Properties> <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Description"/> <my:Property my:Name="ResultObjectType" my:Value="Set"/> <my:Property my:Name="EmptyResultText" my:Value="The User Is NOT A Member Of Any SET..."/> <my:Property my:Name="ListFilter" my:Value="/Set[ComputedMember=/Person[ObjectID='%ObjectID%']]"/> <my:Property my:Name="PageSize" my:Value="20"/> <my:Property my:Name="ShowTitleBar" my:Value="false"/> <my:Property my:Name="ShowActionBar" my:Value="false"/> <my:Property my:Name="ShowPreview" my:Value="false"/> <my:Property my:Name="ShowSearchControl" my:Value="false"/> <my:Property my:Name="EnableSelection" my:Value="false"/> <my:Property my:Name="SingleSelection" my:Value="false"/> <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog"/> <my:Property my:Name="ReadOnly" my:Value="true"/> </my:Properties> </my:Control> </my:Grouping>

It looks like is shown in the picture below.

image

Figure 2: Showing The SETs A User Is A Member Of

Remember though, after editing the RCDC, to import it into the FIM Portal. Afterwards perform an IISRESET, close IE and reopen.

Et voila!

For other scenarios, see:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Forefront Identity Manager (FIM) Portal, RCDC, SET | 2 Comments »

(2013-02-06) Using/Testing Queries Within/Against The FIM Portal

Posted by Jorge on 2013-02-06


To test your XPATH queries in the FIM Portal you can either use a test SET, a test Search Scope, the Quest PowerShell CMDlets for FIM or use the internal FIM PowerShell CMDlets. When testing XPATH queries I just want to see if the XPATH actually works AND if it returns the correct/expected results. With that you can say that the attention is on the XPATH query configuration itself than anything else. Because of that in the past I used a test dynamic SET to test my XPATH quer(y)(ies) as that was the easiest way to go. However, if you are also interested in returning specific attribute values, than you were better of using a Search Scope.

In both cases and in addition to what you wanted to do it could give you more work than you would want to have. Fear no more!

The guys at Predica have created a tool called the FIM Explorer. You can download the FIM Explorer from the Codeplex.

With the FIM Explorer you can:

  • Execute any XPATH query against the FIM Service. By default it enumerates all attributes for which you have permissions, but you can also choose which specific ones to return;
  • Look for objects through their ObjectID (Resource ID);
  • Display the results in a table;
  • Look at the properties of a single object by double-clicking the ObjectID in the “Resource ID” column of the corresponding object;
  • Navigate through references in linked attributes by clicking on the ObjectID of the reference;
  • Export the results in the tabel to an XML (same XML format as when using FIM Configuration CMDlets);
  • Import the result XML of either the FIM Explorer or the FIM Configuration CMDlets to display these in a table. This can be useful for "offline" analysis;
  • Run on any computer, as long as .NET Framework 4.5 is installed.

If you download the pre-compiled version of the FIM Explorer, you are good to go. Just before using the FIM Explorer you need to configure its configuration file called “Predica.FimExplorer.exe.config”. When you open that file you should see something similar to the picture below.

image

Figure 1: The Configuration File Of The FIM Explorer

If you are running the FIM Explorer on the server that has the FIM service installed, you can either specify “http://localhost/” or the actual FQDN that points to the FIM service (e.g. “http://fimsvc.adcorp.lab/”). If you are running the FIM Explorer on a computer that does not have the FIM service installed, then you must specify the FQDN that points to the FIM service (e.g. “http://fimsvc.adcorp.lab/”). In addition, you can also specify credentials. If you leave the credentials (“fimUser” and “fimPassword”) empty as shown in figure 1, then the FIM Explorer will connect by using the credentials of the current logged on user. As soon as you specify credentials, the FIM Explorer will use those credentials. That’s quite handy as with this you can easily test your XPATH queries AND you can test your request based permissions MPRs to see what a specific user is able to query for.

Instead of changing the credentials just before starting the FIM Explorer, I have written a quick and dirty PowerShell script that will look for the FIM Explorer configuration, display it to you, and allow you to easily change the configured credentials. When done, it will start the FIM Explorer right away. The PowerShell script should be located in the same folder as the FIM Explorer itself. See the script below:

# Predica.FimExplorer.ps1 Clear-Host $currentFolder = (Get-Location).Path $predicaFimExplorerConfig = New-Object XML $predicaFimExplorerConfig.Load("$currentFolder\Predica.FimExplorer.exe.config") $fimSvcAddress = $predicaFimExplorerConfig.configuration.appSettings.add[0].value $fimUser = $predicaFimExplorerConfig.configuration.appSettings.add[1].value $fimPassword = $predicaFimExplorerConfig.configuration.appSettings.add[2].value Write-Host "" Write-Host "Current FIM Svc Address...: $fimSvcAddress" Write-Host "Current User Account......: $fimUser" Write-Host "Current Password..........: $fimPassword" Write-Host "" $chosenUser = Read-Host "Current Logged On User (C), Other User (O) Or Specified User (S)" If ($chosenUser.ToUpper() -eq "C" -Or $chosenUser.ToUpper() -eq "") { Write-Host "" Write-Host "Using Credentials Of Current Logged On User" Write-Host "" $predicaFimExplorerConfig.configuration.appSettings.add[1].value = "" $predicaFimExplorerConfig.configuration.appSettings.add[2].value = "" } If ($chosenUser.ToUpper() -eq "O") { Write-Host "" Write-Host "Please Specify The Custom Credentials To Use..." Write-Host "" Write-Host "What is The User Name?" Write-Host " (<Domain NBT>\<sAMAccountName>) (<sAMAccountName>@<Domain FQDN>)" $credsUserName = Read-Host "User Name" Write-Host "" Write-Host "What's The Password?" $credsPassword = Read-Host "Password?" $predicaFimExplorerConfig.configuration.appSettings.add[1].value = "$credsUserName" $predicaFimExplorerConfig.configuration.appSettings.add[2].value = "$credsPassword" } If ($chosenUser.ToUpper() -eq "S") { Write-Host "" Write-Host "Using Credentials Of Already Specified User" Write-Host "" } $predicaFimExplorerConfig.Save("$currentFolder\Predica.FimExplorer.exe.config") Start-Sleep -s 3 &"$currentFolder\Predica.FimExplorer.exe"

However, when you use an unsigned PowerShell script (as the one above) and the server execution policy is configured as such it does not allow to execute unsigned PowerShell scripts, you are not able to use the script. In that case you can start the script through a batch file by specifying you want to bypass the execution policy. The PowerShell script should be located in the same folder as the FIM Explorer itself. See the script below:

REM Predica.FimExplorer.cmd @ECHO OFF PowerShell.exe -ExecutionPolicy Bypass -file "%0\..\Predica.FimExplorer.ps1"

This all looks like as shown in the picture below:

image

Figure 2: Starting The FIM Explorer Through A Script And Specifying Other Credentials

As soon as you start the FIM Explorer, it looks like the picture below.

image

Figure 3: Running The FIM Explorer

When looking at Figure 3….

[A] Here you can specify your custom XPATH query (/Person, /Person[AccountName=’ADM.ROOT’]) (also have a look at this post and this post)

[B] Or you just click on of the specified object types and return all objects of a specific type

[C] By default you get all attributes back for which you have permissions, or you select all the attributes you want to be returned in the response

[D] After specifying and selecting everything you want, you click the “Run Query” button.

[E] And over here all the objects matching your XPATH query with all attributes that you wanted to be returned (all or specific)

[F] Clicking “Export To XML” exports the result to an XML file that uses the same format as when using FIM Configuration CMDlets. Clicking “Import XML” allows you to import a result XML of either the FIM Explorer or the FIM Configuration CMDlets to display these in a table. This can be useful for "offline" analysis;

However, if your result is too large you will end up with the following nice error! Smile This basically tells you to increase the message size quota for incoming messages.

image

Figure 4: Message Size Quota Error When Limit Is Exceeded

To resolve the error, or in other words get rid of it you need to increased the message size quota. To do that you need to get the uncompiled version of the FIM Explorer. Click DOWNLOAD Save the ZIP somewhere and after that unpack it. You are not there yet, you still need to download the FIMClient solution used by the FIM Explorer. Click ZIP and save the file and after that unpack it. Copy the contents (folders ‘lib’ and ‘src’ and the three files) into the FIMClient folder of the uncompiled version of the FIM Explorer. You now need Visual Studio. Double-click on the file “Predica.FimExplorer.sln” to open it in Visual Studio.

image 

Figure 5: The “Predica.FimExplorer” Solution

Navigate to: “Solution ‘Predica.FimExplorer’” –> “FimClient” –> “Fim2010Client.Client” –> “_Predica” –> “CodeInit” –> “Bindings.cs” and double-click on “Bindings.cs”. Now search for “MaxReceivedMessageSize”.

image

Figure 6: Changing The Value For “MaxReceivedMessageSize”

Change the value to a value of your liking. In this case I just doubled the valued. Save the file “Bindings.cs”. Then right-click on “Solution ‘Predica.FimExplorer’” and select the option “Rebuild Solution”.

Now copy:

  • “..\FimClient\src\_external\fim2010client\Microsoft.ResourceManagement.Client\bin\Debug\Microsoft.ResourceManagement.Client.Predica.dll” to folder that contains the FIM Explorer
  • “..\src\UI.WPF\bin\Debug\Predica.FimExplorer.exe” to folder that contains the FIM Explorer

Now double-click on the file “Predica.FimExplorer.cmd” to start the FIM Explorer.

This is quite cool to easily test your XPATH queries! Great job guys!

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Forefront Identity Manager (FIM) Portal, PowerShell, Search Scopes, SET, Tooling/Scripting, Xpath | Leave a Comment »

 
%d bloggers like this: