FIM 2010: How to let non-admin group owners manage their groups

December 2, 2009 at 6:57 PMHenrik Nilsson

I turns out there’s a lot of things that needs to be in place before this is made possible…

Usage Keyword

Usage keywords are required for letting non-admin users see portal design elements like navigation bar and home page resources but also for letting them being able to use search scopes. The keyword for letting non-admin users take part of these objects is BasicUI…

1. Under Administration and Home Page Resources select the “Manage my SG’s” and add the keyword BasicUI as usage keyword.


2. Go back to Administration and select Navigation Bar Resources. Select the “My SG’s” navigation bar resource and add the BasicUI keyword to this one as well.

3. Go back to Administration again and select Search Scopes. Add BasicUI as Usage keyword to the “My Security Groups” Search Scope


There is two MPR’s that allows for group owners to manage their groups. Both of these are disabled by default.

4. Go back to Administration and in to Management Policy Rules. Open and enable these two MPR’s:

  • Security group management: Owners can read selected attributes of group resources
  • Security group management: Owners can update and delete groups they own


5. Done!


The usage keyword stuff is poorly documented but I hope this will be better…

Posted in: Forefront Identity Manager | Portal Management

Tags: , , ,

How to load balance FIM

November 23, 2009 at 11:26 AMHenrik Nilsson

Darryl Russi have posted a great article on how to configure for more than one instance of the FIM Service.
If you haven’t discovered Darryl’s blog yet, make sure you bookmark it or add a feed subscription!

Service Partitions - Multiple Middle Tiers, Request & Workflow Processing

Posted in: Forefront Identity Manager | Identity Management | Workflow

Tags: ,

WIF is released!!!

November 17, 2009 at 9:01 PMHenrik Nilsson


Today Microsoft announced that Windows Identity Foundation is released. It puzzles me since the RC of WIF must be the most short lived RC ever, only 11 days or am I missing something?

Anyway, have a look at the announcement:

Unfortunately the download doesn’t seem to be working yet but it’ll probably show up here soon…

Posted in: ADFS | Federation | WIF

Tags: ,

EnumerateResourcesActivity - the follow-up

November 16, 2009 at 10:13 PMHenrik Nilsson

A couple of months ago Joe Zamora (the CShark) was trying to solve the mysteries around the EnumerateResourcesActivity, a great activity that you could use from your own custom activities/workflows but not from the FIM workflow designer, read Joe’s post here. After a lot of work, some help from Nima in the product team and a couple of not that useful tips from me Joe got it working. See the forum post where me and Joe was trying to accomplish this here.

The EnumerateResourcesActivity is the only activity that could search for and return resources in FIM and it does so simply by you giving it an XPath query. It’s a really nice activity except it’s got limitations in that it can only contain a single child activity (actually not strange at all, the same goes for the ReplicatorActivity) and it has a got a designer that doesn’t allow for adding the child activity declaratively so you’re forced to add the single child using code. The EnumerateResourcesActivity work pretty much as the ReplicatorActivity in that it iterates bunch of values only in the case of the EnumerateResourcesActivity it finds the values (resources) before iterating them. An important aspect of workflow crafting is that an activity can’t be executed twice and that is handled by the EnumerateResourcesActivity by creating duplicates of the child activity objects (and descendant objects of the child activity) for each iteration before the iteration is started therefore you can’t use the original activity object references for getting activities within the iterations.

Joe used a CodeActivity as the single child but the solution I’m going to show you will use a SequenceActivity instead making it possible to add more than one single activity because you will probably want to do work suited for other activities like add a user to the group you have found or something like that.

I won’t go through all the stuff around activity crafting, for this you’ll have to turn to the Windows Workflow Foundation developer center , the Forefront Identity Manager 2010 Developer Reference or maybe the oracle scrapheap's named Google and Bing. First of all we need some code in the designer part of our custom Activity class (A custom activity is usually created from two partial classes when you create it in Visual Studio). In the InitializeComponent method I create a EnumerateResourcesActivity, add a SequenceActivity to it and to the SequenceActivity I add a CodeActivity but I leave for you to create more child activities to the SequenceActivity after the CodeActivity. Finally I add the EnumerateResourcesActivity to the custom activity I’m currently creating:

private void InitializeComponent()
    this.CanModifyActivities = true;

    // codeActivity
    this.codeActivity = new CodeActivity();
    this.codeActivity.ExecuteCode += new System.EventHandler(this.codeActivity_ExecuteCode);

    // sequenceActivity
    this.sequenceActivity = new SequenceActivity();

    // enumResourcesActivity 
    this.enumResourcesActivity = new Microsoft.ResourceManagement.Workflow.Activities.EnumerateResourcesActivity();
    this.enumResourcesActivity.PageSize = 100;
    this.enumResourcesActivity.XPathFilter = "/Person";
    // MyCustomActivity
    this.Name = "MyCustomActivity";

    this.CanModifyActivities = false;

Did you notice the XPathFilter property of the EnumerateResourcesActivity that I’ve set to return all person objects? You might think it’s strange that I add a CodeActivity as the only child of the SequenceActivity but I use this for getting the resource for the current iteration and it also gives a method that you could use for assigning values to siblings further down the execution chain from the CodeActivity that I leave up to you to add.

Here’s how I extract the value from the EnumerateResourcesActivity:

void codeActivity_ExecuteCode(object sender, EventArgs e)
    SequenceActivity s = (SequenceActivity)((CodeActivity)sender).Parent;
    ResourceType resource = EnumerateResourcesActivity.GetCurrentIterationItem(s) as ResourceType;

    // Perform initialization of any sibling activities here but remember you must reference
// them as I’ve done above with the SequenceActivity
// and a good way of doing it could be for example...
// UpdateResourceActivity u = s.Activities.OfType<UpdateResourceActivity>().First();
// or other generic “queries”.

First of all we need to get the SequenceActivity of the current iteration and since we know it’s the parent of the CodeActivity we could get the Parent property object of the current CodeActivity object instance that we’ve got from the sender parameter. Then we call the static GetCurrentIterationItem method passing in the SequenceActivity object instance and this should return the resource for the current iteration.

Next I leave up to you to use the values of the found resources to do whatever you wish and that could be for example update the resources found, delete the resources found or maybe create new resources from whatever values the found resources contain.

Posted in: Forefront Identity Manager | Identity Management | Workflow

Tags: , ,

Working with RCDC’s in Visual Studio

November 14, 2009 at 2:14 PMHenrik Nilsson

Not all of you out there know that Visual Studio is a great tool for editing XML and that goes for Resource Control Display Configurations as well. If you’re using Notepad for editing RCDC’s you should definitely rethink what you’re doing because wouldn’t it be nice to have Intellisense, Schema validation while you type, and a lot of other nice features?

In order to accomplish this you need the schema for RCDC’s and that could be found as Appendix A in Resource Control Display Configuration XML Reference. I’ve prepared the schema so that it’s ready for use in Visual Studio, download it here.

Before you start editing RCDC make sure you read and understood the Introduction to Resource Control Display Configurations and the Resource Control Display Configuration XML Reference.

How to create the XML schema file RCDCSchema.xsd (unless you have downloaded it here):

  1. Open Visual Studio and choose to create a new file from the file menu, select XML Schema and click open.
  2. Remove everything from the new file except the top row:
    <?xml version="1.0" encoding="utf-8"?>
  3. Paste in the contents from the Appendix A in the Resource Control Display Configuration XML Reference.
  4. Save the file as RCDCSchema.xsd in the location of your choice.

How to edit an existing RCDC:

  1. In the portal, go to Administration/Resource Control Display Configuration.
  2. Open the RCDC of your choice.
  3. Click the “Click here to view the value of this attribute” link above the file upload control for the Configuration Data attribute and a new window opens and shows the XML for the RCDC.
  4. Save the page with .xml file extension in a place of you choice.
  5. Open the file with Visual Studio.
  6. In the properties for the document there’s a Schemas property. click the button with the ellipsis within the value field for this property and a dialog with available schemas shows up.
  7. Click the Add button, browse and select the RCDCSchema.xsd file.
  8. Click Ok to close the schemas dialog.
  9. If you have done everything correct you’ll now be able to edit your RCDC xml file with Intellisense and schema validation.


How to upload a finished RCDC:

  1. In the portal, go to Administration/Resource Control Display Configuration.
  2. Open the RCDC of your choice.
  3. Click the Browse button in the file upload control for the Configuration Data attribute and select the file you have edited in Visual Studio.
  4. Close the RCDC page by clicking the ok button.

How to improve the schema

Unfortunately the schema isn’t perfect, I would really like to have the available options for the different attributes to be present in the schema so that you could select for example the value “UocTextBox” for the my:TypeName attribute, this would make the editing even simpler and less error prone. Is there anyone out there that has the time and interest for taking this schema a bit further?

What I mean is for example if we add the following type definition to the schema (not complete):

<xsd:simpleType name="controlTypes">
   <xsd:restriction base="xsd:token"> 
      <xsd:enumeration value="UocTextBox"/> 
      <xsd:enumeration value="UocFileUpload"/> 
      <xsd:enumeration value="UocPictureBox"/> 
      <xsd:enumeration value="UocDropDownList"/>


…and map this type to the my:TypeName attribute like this:

<xsd:attribute name="TypeName" type="my:controlTypes"/>


…We could easily use Intellisense for selecting a value for the my:TypeName attribute like this:

A known issue with the schema
A while ago was helping out on the forum (this thread) and as I hope you all know XML is case-sensitive. Usually boolean values are entered using lower-case but in the RCDC schema some attributes like for example the Required attribute requires you to enter the boolean value with an initial capitalized letter and improving the schema could help many avoid this problem.

For more info on the XML Tools in Visual Studio go here

Posted in: Forefront Identity Manager | RCDC

Tags: ,

Finally the FIM 2010 RC1 VHD is available

November 10, 2009 at 9:22 PMHenrik Nilsson

Find it here

I waited  a long time for this but I lost my patience 1½ weeks ago and did an install of my own so I don’t need it anymore but for those of you out there – this will save you a lot of time installing and hopefully it contains some interesting educational stuff. My wish is that the VHD for the following releases could be released at the same time and that the educational stuff instead could be released later. Brjann?

Once again Jorge was first with the news… Jorge don’t you have anything better to do than surf the web for news, have you got a secret search engine of your own or a feeds reader on steroids? :-) 

Posted in:


Windows Identity Foundation (WIF) RC is here!

November 6, 2009 at 8:42 PMHenrik Nilsson

Don’t miss Vittorio’s fantastic Italian accent and all about what’s new in WIF!
You could also download this whitepaper if you wish to know more about what's new.

If you don’t have a subscription for Vittorio’s blog yet, go get one!
Could we hope for a ADFSv2 release at PDC?
Download WIF here


Posted in: ADFS | Federation | WIF


To be or not to be – AppStored

October 16, 2009 at 8:25 AMHenrik Nilsson

I’ve had a long discussion with Markus Vilcinskas on the FIM Forum on a thread started by Carol Wapshere maybe better known as MissMiis on the subject ”Selective provisioning to FIM”.

Carol wanted a way of bringing only a subset of users into the FIM AppStore and I really understand why, the reasons could be to save money on CAL’s - 30.000 users * 25$ = 750.000$, or maybe you already have perfectly working legacy sync rules.

Think before you try to do this, the best practice is that AppStore is should be a mirror of the Metaverse except of course for the resource types that live exclusively in the AppStore.

My first idea was it could be fairly simple to filter out users from the AppStore by the filter you could find in the declarative input sync rule but that was not a good idea at all, if you have 32.000 resources and you filter out 30.000 of these all of the filtered resources will be hit during sync since they're disconnectors. This is bad!

I also must admit I had a silly belief that the “Create Resource in FIM” checkbox, unchecked would project resources into the Metaverse and I was all wrong and for that I’ve promised to wear a silly hat all day.


So how should it be done then?
The best practice is to bring all your objects into AppStore but you could bring objects you don’t want to manage in the AppStore as separate object types into Metaverse using legacy rules but remember you won’t get the management of unique identifiers and group management might become a nightmare so think before you plan on not bringing all your objects into AppStore!

Posted in: Forefront Identity Manager | Identity Management | Sync Rules


Where’s U-Prove?

October 9, 2009 at 8:28 AMHenrik Nilsson

One and a half years ago Microsoft bought the U-Prove technology from Credentica for integrating in Geneva and Windows Communication Foundation according to the press release on the Credentica home page but it’s been very quiet about what’s happening.

The last we ever heard was in the end of August when Kim Cameron replied to Felix Gaehtgens at Kuppinger Colein this blog post: Microsoft: minimum disclosure about minimum disclosure?:

…The complexity must be tamed for the technology to succeed. There is more to this than brilliant formulas or crypto routines. We need to understand not only how minimal disclosure technology can be used - but how it can be made usable…
…So we’ve been working hard on figuring this stuff out. In fact, a lot of progress has been made, and I’ll write about that in my next few posts. I’ll also reach out to anyone who wants to become more closely involved.

…Then nothing…

For those of you that haven’t heard about U-Prove should definitely check it out, it’s going to be revolutionizing!

Technorati Tags: ,

Posted in: ADFS | Federation

Tags: ,

Welcome Paolo

October 7, 2009 at 12:59 PMHenrik Nilsson

A new blog has shown up in the FIM2010 sphere, Paolo Tedesco at the European Organization for Nuclear Research, CERN near Geneva - the ones with The Large Hadron Collider has started a blog about their work with identity management. So far Paolo have made a couple of interesting posts on the FIM2010 Web Service Client, maybe we’ll se other content as well in the future!?

You can find the blog here:
Identity Management at CERN

Posted in: Forefront Identity Manager | Identity Management | Web Services