2010.02.10 21:51:52
Group Management in FIM 2010, Part 0
FIM 2010 is a new Identity Management product from Microsoft that is expected to change the current state of identity management. In addition to the traditional strong synchronization engine found in MIIS 2003 and ILM 2007, FIM 2010 adds powerful end-user self-service capabilities. FIM 2010 also adds a few rich features, one of which is Group Management. The product is currently in the Release Candidate stage and is expected to be released in March 2010. For more information on FIM 2010, please visit the product homepage at http://www.microsoft.com/forefront/identitymanager/en/us/default.aspx
 
We have been deeply involved with ILM V2 RC0 and FIM 2010 RC1 group management solutions since April 2009. We implemented several Proof of Concept (POC) solutions using ILM V2 RC0 and FIM 2010 RC1. We are currently engaged in building a group management solution using FIM 2010 for several of our customers. The solution is complete and ready to be used in production.
 
I am planning to write several articles that will cover Group Management in Microsoft Forefront Identity Manager 2010. This post serves as an introduction to the rest of the posts I will be writing on the topic. These posts will focus on the challenges and solutions involved in implementing a state-of-the-art Group Management solution based on FIM 2010.
 
The next posts will be divided to cover the following topics:
 
1- How to handle the translation of a group's scope and type attributes. While AD uses one attribute called GroupType to identify and classify AD groups, FIM 2010 uses two attributes, a group type and a group scope. In addition, while the GroupType attribute is an integer, the scope and type attributes are strings. There are many ways to address such a translation, either through C# code or through custom expressions. In this section I will address the issue and provide both possible solutions.
 
2- How to address FIM 2010 group owner and displayed owner attributes. While AD has one attribute that identifies the group manager, FIM 2010 has two: a group owner and a displayed owner. In FIM 2010 the group owner is a multi-valued attribute, while in AD the managedBy attribute is single-valued. Under this section I will describe such challenges and how to overcome them.
 
3- MembershipLocked and MembershipAddWorkflow attributes in FIM 2010. FIM 2010 introduces these new attributes to control group behavior. MembershipLocked is a Boolean attribute that controls whether the group is dynamic or manual. The MembershipAddWorkflow attribute identifies the action FIM will take when a user requests to join the group. Possible values are: "none" or "Owner Approval Required". These two attributes are mandatory, and any attempt to provision a group to the FIM portal with no values in these two attributes will fail. Under this section I will describe such challenges and how to overcome them.
 
4- Distribution Groups vs. Security Groups: While in AD all groups must have a sAMAccountName, in FIM 2010 only security groups must have an AccountName. In addition, while AD does not require any group to have a mailNickname attribute, FIM 2010 requires distribution groups to have such an attribute. Under this section I will cover the changes and solutions to address this issue.
 
5- In addition to the above points, in my final section I will describe best practices for building a robust group management solution based on the organization's business structure. In this section I will cover topics such as adding a new field to the group creation process to identify organization Divisions or Programs, and how to link and customize FIM approval workflows to use such fields.
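Returning to item 1 above, the translation between the single AD GroupType integer and the separate FIM type and scope strings can be shown with a small example. This is an added illustration, not code from the series or from the FIM product; the FIM portal string values ("Security", "Distribution", "Global", "DomainLocal", "Universal") are assumed here, and the function names are hypothetical. The AD bit flags are the documented groupType flags, and the code handles the signed 32-bit form in which AD returns security groups (negative numbers) as well as groups with no mappable scope.

```python
from typing import Tuple

# Documented AD groupType bit flags.
GROUP_TYPE_ACCOUNT_GROUP = 0x00000002     # Global scope
GROUP_TYPE_RESOURCE_GROUP = 0x00000004    # Domain Local scope
GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008   # Universal scope
GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # Set for security groups; clear for distribution

# Assumed FIM portal string values for the Scope attribute, keyed by AD flag.
SCOPE_BY_FLAG = {
    GROUP_TYPE_ACCOUNT_GROUP: "Global",
    GROUP_TYPE_RESOURCE_GROUP: "DomainLocal",
    GROUP_TYPE_UNIVERSAL_GROUP: "Universal",
}
FLAG_BY_SCOPE = {name: flag for flag, name in SCOPE_BY_FLAG.items()}


def ad_group_type_to_fim(group_type: int) -> Tuple[str, str]:
    """Translate an AD groupType integer into a (Type, Scope) pair of strings.

    AD exposes groupType as a signed 32-bit integer, so security groups arrive
    as negative numbers (e.g. -2147483646); mask to 32 bits before testing bits.
    """
    flags = group_type & 0xFFFFFFFF
    scopes = [name for flag, name in SCOPE_BY_FLAG.items() if flags & flag]
    if len(scopes) != 1:
        # Built-in local (0x1) or application groups carry no mappable scope;
        # refuse rather than provision a group with an empty mandatory attribute.
        raise ValueError(f"groupType {group_type} has no single FIM scope")
    group_kind = "Security" if flags & GROUP_TYPE_SECURITY_ENABLED else "Distribution"
    return group_kind, scopes[0]


def fim_to_ad_group_type(group_kind: str, scope: str) -> int:
    """Inverse translation: build the signed groupType value AD expects."""
    flags = FLAG_BY_SCOPE[scope]  # KeyError on an unknown scope string
    if group_kind == "Security":
        flags |= GROUP_TYPE_SECURITY_ENABLED
    elif group_kind != "Distribution":
        raise ValueError(f"unknown FIM group type {group_kind!r}")
    # Convert back to the signed 32-bit form AD stores.
    return flags - (1 << 32) if flags & 0x80000000 else flags
```

The same bit tests are what a C# rules extension or a custom expression would perform; the point is that the scope bits and the security-enabled bit are independent and must be split into two attributes on the way into FIM and recombined on the way out.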
 
Issam Andoni