Channel: Microsoft Identity Manager forum

Assigning a Permission to a Role in BHOLD when Permission has scope


Hello,

I have Organizational Units (OU), Users and Permissions imported to BHOLD. If I want to add a Permission to a user, I choose a Role of a particular OU and add the permission to it, and it works great.

However, I want to change the way I choose a Permission. What I would like to have in the "assign permission to role" page is the ability to filter permissions by their scope.

In order to help you understand what I am trying to accomplish, I'll provide a general use case. I have an Application with 100 Permissions (Perm1, Perm2, ..., Perm100). Permissions have their scope (or boundaries) - 60 departments (Dep1, Dep2, ... Dep60). What I would like to have when assigning Permission to Role is to be able to select a pair - Permission and department (like [Perm1, Dep1], [Perm2, Dep3]).

As I understand, the general approach is to get Permissions from the connected system as a Cartesian product (all possible pairs of Permissions and departments, which would be 6000 unique pairs in the above scenario), and it is a fine approach; however, I then have to make unique names and let the end user search 6000 permissions by name, which is not user friendly at all. The best approach in my case would be to have a dropdown list with all departments in the BHOLD "assign permission to role" page and let the user choose the department before choosing the particular permission. However, I don't know if I can customize the BHOLD web page at all. Or can I?

What are my other options to solve this problem?


Donatas Vyzas



Hi, FIM link for download is not working


Hi, FIM link for download is not working.

Can you help me please?

Thanks,

Dmitry

FIM developer reference missing


Hi there,

I am trying to develop a Rule Extension and an MA, but cannot find any articles on how to do it. It looks like the only source is

Forefront Identity Manager 2010 R2 Developer Reference, with a single code example without any comments. Am I missing something?

What is the general approach to map BHOLD.Permission.Member => ConnectedApplication.User.Roles?


Hello,

When I assign a permission to a user in BHOLD and do an Import on the BHOLD MA, I get that the Group.member attribute is updated.

However, most of our connected applications store permissions in user objects, and not users in permission (aka group in BHOLD MA) objects. That is, I have to remap in some way the BHOLD.Group.Member changes to the SomeConnectedSystemMA.User.Roles attribute.
One approach would be to import the changes to the FIM portal and use a custom workflow to analyze Role.member changes and then use an UpdateResource activity for every related user object. But are changes of a multi-valued attribute (in this case Role.member) available in a workflow activity?

What are other, maybe more elegant solutions for such mapping?


Donatas Vyzas

FIM Service Management Agent: Server -Stopped


Hi

I am trying to run the FIM Service MA and it is receiving an error "FIM Service Management Agent: Server -Stopped" while running Full Import and Export. After researching this error in the MS Forums I got to this link:

http://social.technet.microsoft.com/wiki/contents/articles/11331.troubleshooting-fim-r2-stopped-server-error-on-the-fim-service-management-agent.aspx

In this link it says to run the Sync.ClearExport stored procedure; I couldn't find the navigation to do this.

Any help will be appreciated!!

Thanks

Remove RCDC help icon

I want to remove the RCDC help icon. Kindly help.

User's Provisioning through XML File using Extensible Connectivity.


Hi Team,

I am working on a FIM project and the customer wants to pull the data from an XML file.

If anyone has some information on this or any link, please provide it.

Any help would be really appreciated.

Thanks,

FIM Portal Distribution Group


Hi All,

When we are creating a Distribution group from the FIM Portal, it is not allowing the group administrator to assign the account Name. It is generating a unique GUID as the account Name.

Can you please suggest an approach to set the account Name for newly created DG groups without using a synchronization rule?

Thanks in Advance

bhsiva


Textbox Reason description in Approval WF


Hello people!

I am currently configuring a solution where a user is able to request a Role/Permission through the FIM portal.

Now, I'm going to have 3 levels of approval request: three different people who have to accept. This is not a problem to set up.

I want the approvers to be able to write a short text as to why they approve/reject the request. And I also want the "other" approvers down the line to be able to see what the other approvers wrote.

I was thinking about just extending the schema and writing to an unindexed string during the approval process, but I cannot find which RCDC is controlling this.

Can anybody point me in the right direction?

Thanks a lot!


Regards, Remi www.iamblogg.com

Windows Azure Active Directory Connector - Problem during the installation

Hi,

I've set up FIM 2010 R2 (4.1.3451.0) on Windows Server 2012 according to the documentation included in the connector. Now when I try to import the included server configuration (4 – Configuring the FIM Synchronization Service, Step 1 - Load the Server Configuration) I get the following error message:

Preparing existing metaverse configuration for update starting...
    An error was encountered while trying to update the metaverse configurations.
    E_MMS_UNSUPPORTED_SCHEMA_UPDATE
Error encountered trying to prepare the existing metaverse configuration.
Server configuration import FAILED.

Any ideas?

Thanks,
Klaus

FIM 2010 R2 and Group Management


Hi,

We want to set up AD Group Management with FIM 2010 R2 to decrease the load on the service desk. We have different types of approvals for members requesting to be added to groups. For some groups the user requests access and a manager / owner approves the access. For other types the user needs to motivate why they need access; the owner then validates the reason and grants or denies access.

Currently both are handled by an electronic form completed by the user and submitted to the service desk where all of this is processed. We want to move the complete current manual group management process to FIM. The first type of approval is fairly easy to implement, but I am having problems with the second.

What I did notice is that if the group owner receives the email to approve the request, the message says that the user didn't provide a reason, but the user when requesting to join a group doesn't have the option to provide a reason.

My questions are as follows:

1. Where can I get a bit more advanced group management information, as the stuff I have found is very basic?

2. I noticed that a user can only request to become a member of a distribution list in Outlook if he or she clicks the "Join" icon. For security groups it must be done through the "Groups Website". Is this by design? (I also had to do a lot of stuff to display the groups on the home page of the Groups Website.)

3. What do I need to change or add to enable a user to provide a reason for joining a particular group?

Thanks

Johan Marais


JkM6228

Installation of hotfix rollup package (build 4.0.3644.2) fails


I'm trying to upgrade the FIM Synchronization Service from 4.0.3606.2 to 4.0.3644.2 but the installation fails. The msiexec log contains the following error message:

MSI (s) (88:04) [19:04:27:421]: Executing op: ActionStart(Name=ProcessMachineDcomPermission,,)
Action 19:04:27: ProcessMachineDcomPermission. 
MSI (s) (88:04) [19:04:27:423]: Executing op: CustomActionSchedule(Action=ProcessMachineDcomPermission,ActionType=1025,Source=BinaryData,Target=ProcessMachineDcomPermission,CustomActionData=ADMINS=ROOTFIM01\FIMSyncAdmins OPERATORS=ROOTFIM01\FIMSyncOperators BROWSE=ROOTFIM01\FIMSyncBrowse PASSWORDSET=ROOTFIM01\FIMSyncPasswordSet)
MSI (s) (88:5C) [19:04:27:484]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIAE24.tmp, Entrypoint: ProcessMachineDcomPermission
CustomAction ProcessMachineDcomPermission returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 19:04:27: InstallFinalize. Return value 3.

It seems like something is wrong with the DCOM permissions. Has anybody seen this before?

Regards,

Steve

Exporting a copy of the metaverse to an AD LDS


Hello Everyone,

I hope you can help out with this small question I have.

I'd like to have an AD LDS be an exact copy of my metaverse. So I've created a schema on my AD LDS server that is similar to my MV, but I'm not sure if I can just export the whole metaverse to AD LDS.

Is that in any way possible?

Thanks!


Hitch Bardawil

Using Object SID / Resource SID in a FIM Portal Set / Filter


Hello,

I am trying to configure a Set that shows which users have been provisioned to Active Directory but are missing another attribute. I was intending to confirm they are in AD by filtering objects based on their Resource ID (ObjectSID).

Unfortunately Resource ID (ObjectSID) does not appear in the list of filters.

I have checked the 'filter permissions' and it is in the approved list for Administrators.

I have checked the attribute and binding details but couldn't see anything I know of that would omit it from the filters.

Thanks
mtwelve

Cannot get two items to become a single one


Hi there,

I have two DataSources (AD and HR DB). I've imported data from both of them and have duplicated items for each employee. Now I have added a field to the MV "person" object so these duplicated items could merge. But that doesn't happen!

What I do:

1. Add a field to the "person" object, fill it from the HR DB

2. Change the Relationship Criteria for the AD SyncRule so it uses this new field

3. Run FIM MA import, then sync

4. Run both datasources' MA import and sync (HR first, then AD)

...

I still have two "person" items for each employee.

What am I doing wrong?


ApplicationHost.config file modification on FIM


I am installing FIM 2010. On the server on which I am installing the FIM Server/Portal, I am modifying the ApplicationHost.config file as per the TechNet document. Now, as per the document, it says that we will see windowsAuthentication enabled="true" just three times.

But in my case I saw it 6 times and did the modification on these 6 instances as mentioned in the TechNet document. I saved the file and tried to start IIS. The service did not start and it seems my IIS crashed and I started getting a bunch of errors. I was not even able to uninstall IIS. At last I had to copy the ApplicationHost.config from another server into the same location and restart the server, and eventually all services were started; it looks like my IIS is working OK.

My question is: where did I go wrong? Should I see just 3 instances in ApplicationHost.config rather than 6? Or even if there are 6, where did I go wrong? Please suggest.

FIM Rule Extension debug - breakpoint will not currently be hit


Hi there,

I am trying to debug an RE and am getting the following error: The breakpoint will not currently be hit. No symbols have been loaded for this document.

Any ideas?

Powershell script runs from command line but not from within FIM Workflow


Following is a sample of a PowerShell script that runs fine from the PowerShell command line but not from within a FIM PowerShell Workflow Activity. Note that the "solaris" session specified in the snippet below is defined in PuTTY with the applicable IP address. During execution of the workflow, the script does run up until the last line (it does some log file writing and some other processing not reflected in the snippet below). The last line is an attempt to log on to a remote machine and execute MyScript.sh. MyScript.sh never gets executed.

Additionally, the rest of the workflow that follows this PowerShell Workflow Activity ALSO never executes. Thus it appears that the script below hangs on the last line. I thought adding the -batch would alleviate this, but not so. Again, the script runs fine from the PowerShell command line.

……………………………………………………………………………………………………………………………………………

Param
(
    [String]$USERID,
    [String]$USERNAME
)

# Path to the PuTTY command-line SSH client
$myApp = "D:\plink.exe"

# Credentials for the remote host (passwords redacted in the post)
[Array] $Creds = ("root", "<root-password>"), ("sysadmin", "<sysadmin-password>")

# Run MyScript.sh on the saved "solaris" PuTTY session as root;
# -batch disables interactive prompts so plink does not wait for input
$sshcommand = & $myApp -load solaris -batch -l $Creds[0][0] -pw $Creds[0][1] /root/SOFTWARE/MyScript.sh $USERID $USERNAME

Return ""

……………………………………………………………………………………………………………………………………………

I replaced the last line with the following and got the same results:

D:\plink.exe -batch -load solaris -l $Creds[0][0] -pw $Creds[0][1] /root/SOFTWARE/MyScript.sh $USERID $USERNAME

I tested initiating this script from the FIM workflow activity using both the "Read from File" option and the "Include in Workflow Definition" option. I get the same results either way.

I noted that the command line was running PowerShell Version 3.0, while FIM was running Version 2.0. I tested running this script from the command line as both Version 2.0 and Version 3.0, and it works successfully in both cases. Thus the issue does not appear to be related to the version of PowerShell that FIM is running per se. I understand that PowerShell 3.0 requires .NET Framework 4.0 and that the FIM Service runs on the 3.5 Framework, so perhaps the issue is related to these differences?

Any thoughts on what may be causing this issue and how to resolve it? Does FIM perhaps not support Plink? I appreciate that the issue might not have anything to do with FIM and may just be PowerShell-specific, so I am posting on a PowerShell forum as well. But I am also posting here in case anyone has seen this with FIM and been able to resolve it. Thanks for any ideas!


Ramona Balke

What's the correct process for adding a file based filter rule?


Hi,

I have a FIM sync process which works as follows:

1. File MA - imports CSV information from a file
2. FIM MA - imports CS information from File MA into MV
3. AD MA - then exports the FIM MV info into AD

My file MA, has the following filter rule:

If CSV field "DN" contains "OU=WinVista" then import row

The above works great and I'm only importing the WinVista users. What I want to do now is import Windows 7 and I was thinking of changing my File MA filter rule to the following:

If CSV field "DN" contains "OU=WinVista" then import row
OR
If CSV field "DN" contains "OU=Win7" then import row

Can I simply amend the filter rule on my file based MA and then run the import run profile?
Do I need to run the FIM MA run profiles to update the sync rules? (For example, I know I have to run the FIM sync profiles if I update sync rules in the FIM portal.)

I'm looking at doing this in the least intrusive manner, as I already have accounts in production and would hate it if, for example, my Windows Vista users were wiped out while I gained Windows 7 users.

Thanks

Can you teach us anything about FIM? Win love and recognition! Become a TechNet Guru for August 2013


UPDATE...
August submissions are now closed.
September submissions are now open! :D


TechNet Wiki is looking for great new content, from YOU!

Show us your forum solutions or nifty knowledge nuggets and become MICROSOFT TECHNOLOGY GURU OF THE MONTH!

This is an official Microsoft TechNet recognition, where people such as yourselves can shine.

If you spend any amount of time crafting an awesome answer to a forum question, or have just learnt something new, then why not get the most back for your efforts by posting it to TechNet Wiki?

1) Please copy over any solutions and revelations to TechNet Wiki.

2) Add a link to it on THIS WIKI PAGE, so we know you've contributed.

3) Every month, we will highlight your contributions and select a "Guru of the Month" in each technology.

If you win, we will sing your praises, similar to the weekly contributor awards, however once "on our radar" and making your mark, you will probably be interviewed for your greatness, and eventually even invited into other TechNet/MSDN circles!

Either way, winning this award in your favoured technology can only be good for your career! ;)

Feel free to ask any questions below.

Thanks in advance!
Pete Laker


UPDATE... July's winners have been announced here!


#PEJL Got a good solution? If you invest your time in coding an elegant/novel or large answer on these MSDN forums, why not copy it over to our beloved TechNet Wiki, for future generations to benefit from!


