Thread: Experiences and/or Differences with FIM 2010 RC1 so far

  
  1. #1
    Real name: 1234

    Retired moderator
    Join date: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanks received: 2513
    Thanks given: 272

    Experiences and/or Differences with FIM 2010 RC1 so far

    Code:
    http://blogs.dirteam.com/blogs/jorge/archive/2009/12/11/experiences-and-or-differences-with-fim2010-rc1-so-far-part-1.aspx

    PART-1



    So FIM 2010 RC1 came out in the beginning of October. Here are my first impressions, or changes I found (either through my own testing/reading or through some other posts):
    OS Support
    FIM 2010 now supports both Windows Server 2008 (x64) and Windows Server 2008 R2 (x64). Be aware though: if you want to combine all kinds of technologies on one server (e.g. test/demo environment), check all requirements and prerequisites of all components. For example, Exchange Server 2007 is not supported on Windows Server 2008 R2 and FIM 2010 does not support Exchange Server 2010 yet. However, Microsoft changed their plans and has decided to support Exchange Server 2007 on Windows Server 2008 R2 in the (near) future!

    Additional Options During install + FIM Portal Access
    Read more about this here: Jorge's Quest For Knowledge! : Enabling FIM Portal Access for a Regular AD User Account

    FIM 2010 Portal itself
    The graphics department at Microsoft has been busy changing its looks and rebranding everything within the system from "Identity Lifecycle Manager "2"" to "Forefront Identity Manager 2010".
    [Screenshots: FIM Portal BEFORE and AFTER the rebranding]

    Other stuff within the product that was rebranded:

    | ILM "2" RC0 Naming | FIM 2010 RC1 Naming |
    |---|---|
    | Identity Lifecycle Manager "2" | Microsoft Forefront Identity Management |
    | ILM Service | FIM Service |
    | MIIS / Sync Engine | FIM Synchronization Service |
    | CLM | FIM Certificate Management |
    | Object Type | Resource Type |
    | Object Visualization Configuration (OVC) | Resource Control Display Configuration (RCDC) |
    | Service: Microsoft Identity Integration Server | Service: Forefront Identity Manager Synchronization Service |
    | Service: Microsoft Identity Lifecycle Manager Service | Service: Forefront Identity Manager Service |
    | Service: Microsoft ILM Password Service | Service: Forefront Identity Manager Password Reset Client Service |
    | Service: Certificate Lifecycle Manager | Service: Forefront Identity Manager CM Update Service |
    | Identity Manager | Synchronization Service Manager |


    FIM MA in Identity Manager
    Connection information for the FIM MA is different. You now need to specify the SQL Server, the SQL DB for the portal (to read from) and the address of the FIM Service you want to use for writes. (You can have more than one FIM Service and you can dedicate a FIM Service instance for the FIM Sync Engine if you need/want to.)


    Cheers,
    Jorge






  2. #2
    Code:
    http://blogs.dirteam.com/blogs/jorge/archive/2009/12/11/experiences-and-or-differences-with-fim2010-rc1-so-far-part-2.aspx

    PART-2



    MPRs
    New MPRs have been defined or existing MPRs have been redefined. In ILM "2" RC0 an MPR called "Administrators have Full Control" existed which gave administrators Full Control permissions over existing stuff and newly created stuff. In FIM 2010 RC1 I created a new object type called COMPUTER including the attributes I wanted on that. I then wanted to create a computer object and at the end when I clicked SUBMIT I got an access denied. Researching a bit more I found out that administrators only have Full Control over configuration stuff in the FIM Portal. They are not allowed to create users and in my case also computers. So, for those object types I had to create an MPR that gave the administrators Full Control over those objects. Now you can take two different approaches: (1) create a permissions-based MPR for each object type or, (2) create a permissions-based MPR that gives the administrators Full Control over ALL objects.
    In addition, it is possible to disable and re-enable MPRs. Now you do not have to delete them or change them in a way so that they were not used by the system. Remember that when you get an access denied two cases might apply: (1) no MPR is available, or (2) an MPR is available but it is disabled!




    After you have configured your FIM system with all kinds of MPRs, SETs, Workflows, etc., how are you going to find out or troubleshoot, after 6 months for example, how a particular system works? In ILM "2" RC0 that was a pain in the well-known behind! In FIM 2010 RC1 you will find a button called MPR Explorer (see below). It is "just" a button and because of that you might miss it.


    Clicking that button shows you the following screen which allows you to select what you want to check/do.

    After that, for what you want to do, you define criteria as shown below. In my case I wanted to know which "enabled" "permissions-based MPRs" apply when "ADM.ROOT" makes a request to "Create a resource", "Delete a resource", "Read resource", "Add a value to a multi-valued attribute", "Remove a value from a multi-valued attribute" OR "Modify the value of a single-valued attribute" against "All Objects".


    The results of the query I'm making are shown below.


    SCOM Management Pack
    A SCOM Management Pack will be made available for FIM 2010.

    | Component | # Monitors | # Events |
    |---|---|---|
    | FIM Service | 9 | 8 |
    | FIM Portal | 11 | 10 |
    | FIM Sync | 7 | 6 |
    | FIM CM | 6 | 6 |







    Cheers,
    Jorge





  3. #3
    Code:
    http://blogs.dirteam.com/blogs/jorge/archive/2009/12/11/experiences-and-or-differences-with-fim2010-rc1-so-far-part-3.aspx

    PART-3



    Export/Import Portal Configuration
    In ILM 2007 you were able to export the complete Sync Engine configuration and move that to some other instance instead of reconfiguring everything manually. That saved you a lot of work AND mistakes! Although it is possible to export/import individual MAs, you need to be careful, because the precedence configuration may not be configured the same as on the instance where you did the export. Sometimes it may be better to export the complete server configuration!
    In ILM "2" RC0 it was not possible to export ANYTHING from the portal. So, you basically had to reconfigure stuff over and over and over again, until you get annoyed and start dying to be able to use FIM 2010 RC1! Why? FIM 2010 RC1 does allow you to export and import the portal configuration through PowerShell CMDlets. YES ! YES ! YES!!!!!!!!!!!

    So, how do you do this? Follow the next steps:

    • Start PowerShell
    • Execute: Add-PSSnapin FIMautomation


    The following FIM CMDlets become available:

    • Export-FIMConfig

      • The Export-FIMConfig cmdlet extracts configuration objects from the FIM Service using the web service interface. The cmdlet recursively follows references contained in objects in order to extract a full representation of the service's configuration. If a reference points to an object which is not marked as a configuration object, the cmdlet downloads the entire representation but does not follow any references.
    • Import-FIMConfig

      • The Import-FIMConfig cmdlet takes in a list of ImportObject objects and executes the web service calls. Please be warned that all ImportObjects sent to Import will be executed. As objects are created, the references are automatically resolved in subsequent update and create operations.
    • Join-FIMConfig

      • The Join-FIMConfig cmdlet takes two lists of Export Objects and joins them into Match Objects. The cmdlet performs the join using criteria specified as arguments to the cmdlet. The join criteria is specific attributes to compare using case-sensitive matching. You may specify individual join criteria for each object type. For example, you may join on EmployeeID for Person and MailNickname for Groups. You may also use multiple attributes as join criteria. For example, you may join ConstantSpecifier objects on both the DisplayName and Value. No default join criteria is provided. The reason you must specify the join criteria is to ensure that this tool joins on attributes or collections of attributes that are unique in your organization.
    • Compare-FIMConfig

      • The Compare-FIMConfig cmdlet takes in a list of MatchObject and performs an attribute-level comparison on the source and target objects. The cmdlet returns a list of changes to make to the target system such that it looks like the source system. The list of changes is guaranteed to be in precedence order. For example, if a Workflow Definition references an Email Template, then the cmdlet guarantees that the EmailTemplate exists prior to creating the WorkflowDefinition. All objects are processed generically without regard to object type except for ManagementPolicyRule objects. These objects are processed in a special way: the cmdlet guarantees that all dependent sets are updated prior to workflow definitions.
    • ConvertFrom-FIMResource

      • The ConvertFrom-FIMResource serializes objects used elsewhere in the FIM Automation Snapin into xml. The motivation of this cmdlet is so you can save intermediate work and transfer it among computers. The cmdlet serializes the objects using XmlObjectSerializer in .NET. It is necessary to use this cmdlet over Export-Clixml because Export-Clixml does not preserve nested and complex types.
    • ConvertTo-FIMResource

      • The ConvertTo-FIMResource deserializes objects used elsewhere in the FIM Automation Snapin from xml. This is the complement cmdlet to ConvertFrom-FIMResource. The cmdlet deserializes the objects using XmlObjectSerializer in .NET.


    Using the GET-Help CMDlet you can get additional information on how to use each FIM CMDlet, including examples (e.g. Get-help Export-FIMConfig)
    Remark: Make sure to read this too!



    WorkFlow Activities designed for ILM "2" RC0 to be used in FIM 2010 RC1
    Short one. Check the following URL: Jorge's Quest For Knowledge! : Workflow Activities designed for ILM2 RC0 may not work for FIM 2010 RC1

    Enable/Disable codeless provisioning
    In RC0 you could only disable/enable scripted (through Rules Extensions) provisioning. As soon as an object mapping was defined in the ILM2 MA provisioning would occur, assuming other prerequisites were also met (initial flow only for anchor attributes and criteria). It was not possible to disable codeless provisioning. In RC1 you now can disable codeless provisioning through the Identity Manager GUI. If the setting is not checked, provisioning through Codeless Provisioning will not work. AND it is disabled by default!


    Cheers,
    Jorge
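
The export/join/compare/import sequence described in the post above, as an added example that is not part of the original post or of Microsoft's documentation; it saves the change list and shows it for review, because Import-FIMConfig executes every ImportObject it receives. The service URIs, file names and join attributes are assumptions, and the parameter names follow the released FIM 2010 snap-in, so confirm them with Get-Help on an RC1 install.

```powershell
# Added example: names, URIs and file paths are assumptions, not values from the post.
Add-PSSnapin FIMAutomation

$sourceUri = 'http://fim-test:5725/ResourceManagementService'   # hypothetical source instance
$targetUri = 'http://fim-prod:5725/ResourceManagementService'   # hypothetical target instance

# 1. Export policy and portal configuration from both FIM Service instances.
$source = Export-FIMConfig -Uri $sourceUri -PolicyConfig -PortalConfig
$target = Export-FIMConfig -Uri $targetUri -PolicyConfig -PortalConfig

# Keep the raw exports so the comparison can be repeated or audited later.
$source | ConvertFrom-FIMResource -File 'source_config.xml'
$target | ConvertFrom-FIMResource -File 'target_config.xml'

# 2. Join on attributes that are unique in this organization (the post's examples),
#    then compute the ordered change list that makes the target match the source.
$joinRules = @{ Person = 'EmployeeID'; Group = 'MailNickname' }
$matched = Join-FIMConfig -Source $source -Target $target -Join $joinRules -DefaultJoin DisplayName
$changes = $matched | Compare-FIMConfig
$changes | ConvertFrom-FIMResource -File 'changes.xml'

# 3. Review before importing: Import-FIMConfig executes every ImportObject it is given.
$changes | Group-Object ObjectType, State | Sort-Object Name |
    Format-Table Count, Name -AutoSize

# MPR changes alter who may do what, so list them attribute by attribute.
$changes | Where-Object { $_.ObjectType -eq 'ManagementPolicyRule' } | ForEach-Object {
    Write-Host ("{0} {1}" -f $_.State, $_.TargetObjectIdentifier)
    $_.Changes | Format-Table Operation, AttributeName, AttributeValue -AutoSize
}

# 4. Import only after explicit confirmation, from the reviewed file.
if ((Read-Host 'Apply changes.xml to the target? Type YES') -ceq 'YES') {
    $notApplied = ConvertTo-FIMResource -File 'changes.xml' | Import-FIMConfig -Uri $targetUri
    if ($notApplied) { Write-Warning ("{0} change(s) were not applied" -f @($notApplied).Count) }
}
```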





  4. #4
    Code:
    http://blogs.dirteam.com/blogs/jorge/archive/2009/12/12/experiences-and-or-differences-with-fim2010-rc1-so-far-part-4.aspx

    PART-4



    XPATH Filter changes
    Double negations are not supported/possible anymore. An example of a double negation is "/Person[not(MyAttribute != '_$$$_')]"
    Read more about it here: Jorge's Quest For Knowledge! : FIM 2010 - NOT NOT is Empty and NOT equal, I think?
    In addition:

    • "contains()" function now works like SQL Full Text Search
    • descendants(), betweenTime(), atTime(), allTime() removed
    • membersof() changed syntax


    Patches
    After RC1, patches will be made available through Windows Update. You can also download these manually through the Windows Update Catalog.
    At the time of writing, Update1 and Update2 have been released.
    For the release notes see: FIM 2010 RC1, Update1 and Update2.

    Management Agents (MA)
    Support for:

    • Active Directory in Windows Server 2008
    • SQL Server 2008
    • Novell eDirectory 8.8
    • Sun Java System DS 6.2
    • IBM DB2 9.1, 9.5

    To connect to RACF, ACF2, OS400, TopSecret, you will still need ILM 2007 FP1.

    FIM Service Partition
    Read more here: Darryl Russi's Blog : Service Partitions - Multiple Middle Tiers, Request & Workflow Processing

    Checking Uniqueness during object creation
    Read more here: Jorge's Quest For Knowledge! : Checking Uniqueness of an attribute in FIM 2010 during the CREATE process

    Sync Rules
    Sync rules are now bidirectional, meaning that both inbound and outbound within one sync rule is possible.
    New functions that are available for "External System Scoping":

    • NotContains, NotStartsWith, NotEndsWith

    New functions that are available for attribute flows:

    • IsPresent


    The GUI to create the Attribute Flows also changed. Previously you could create the attribute flows on one screen. Now you have one screen with two tabs for each attribute flow you need. One tab is for the source attribute and the other tab is for the destination attribute. I really do not like this change.
    This is the main screen with all the attribute flows. When you want to create a new flow you click "New Attribute Flow"


    This is what you will see when creating a new attribute flow.


    Cheers,
    Jorge





  5. #5
    Code:
    http://blogs.dirteam.com/blogs/jorge/archive/2009/12/14/experiences-and-or-differences-with-fim2010-rc1-so-far-part-5.aspx

    PART-5



    Reporting/Auditing
    With RC0, a web services client could reconstruct resources via Requests, or betweenTime, atTime and allTime functions.
    With RC1, a web service client will be able to reconstruct resources via Requests.

    • More attributes on Request, and new creator and target fields in RequestParameters values available
    • Configurable request trimming interval to auto-delete requests which have been archived

    Also see: http://theexpertscommunity.com/item/show/blog/1381

    Password Reset Feature
    Configuring the MPRs for Password reset was quite complicated. In RC1 these MPRs are pre-configured by default, but are disabled. If you want to use the Password Reset feature you need to enable the MPRs!
    Windows XP SP2 is now also supported.
    Expect a huge change in how you will be able to use this feature. Very promising! :) In time I will tell more about this.
    Also interesting to know: Password Reset - RC1

    FIM MA Run Profiles
    The FIM MA only supports Full Imports at the moment (see release notes)

    FIM Portal Schema
    Attributes of type "Unindexed String" are not yet supported by the FIM Portal and will not show up in the UI for queries/filters.

    It is possible to use a dash '-' in the systemName of an attribute, but you should not use it. Why? Well, other parts that may want to use that attribute may not accept that dash in the name. Look at the pictures below.
    One of those places where this was found is in a workflow activity. For example… let's say you have created a string type attribute with the systemName 'My-Test-ID' and displayName 'My Test ID'. When using the function evaluator activity you can select as the destination [//Target/My-Test-ID]. You can type this in manually or first select //Target as your workflow parameter and then select 'My Test ID' as your parameter attribute. Click Save and you will see the error in the picture.


    Cheers,
    Jorge





