What's New in Forefront Identity Manager 2010 R2

What’s new in Forefront Identity Manager 2010 R2

Forefront Identity Manager 2010 R2 introduces several new features and improvements to Forefront Identity Manager 2010. These include the following:

Increased Global Reach

  • The FIM Service and Portal are available in 19 languages

  • SSPR Registration and Reset portals are available in 33 languages

  • Add-ins and Extensions are available in 33 languages.

Improved Performance

  • Improved performance for initial load (or other bulk load) from connected system to FIM Service.

  • Clearer FIM Service database tuning guidance and enhancements

  • FIM Management Agent supports batching and more configuration options

New Extensible Connectivity MA framework

  • Batched call-based import and export

  • Programmatic schema, partition, and hierarchy discovery

  • Password change API similar to export

  • Custom anchors and additional DN styles

  • Custom parameters in the Identity Manager UI

  • Full Export run step

  • .NET 4 development

Improved Troubleshooting and Diagnostics

  • Full Support for Event Tracing for Windows - Both the FIM MA and FIM Service now support ETW technology, allowing administrators to use advanced Windows logging tools to drill down more deeply into errors through a rich user interface.

  • Easier Tracing of Errors in the FIM Portal - Now when an end user sees an error, we provide a unique ID which he or she can give to helpdesk so that they can more easily track down and troubleshoot the user’s problem. Users can employ a one-click-to-copy command directly from the error page in the FIM Portal so that they can more easily craft an email message to their administrators in case of an error.

  • Improved FIM Service Exceptions - When FIM encounters an error, the names and descriptions of exceptions that occur have been re-engineered to be easier to understand and decipher. Furthermore, FIM administrators can now choose to see an advanced stack trace along with the existing exception information that appears when the FIM Service encounters an issue.

  • New Logging Capability for UpgradeDB - The DB Upgrade tool that is run as part of FIM Service and Portal setup will now generate a log file as it runs to aid in troubleshooting upgrade problems with the FIMService Database.

  • Default FIM Event Log Trace Level now Includes WarningsWhen enabling tracing on a FIM Service instance, the default trace log level will now be set to “Warning” to aid administrators in troubleshooting subtle issues.

  • Dozens of New Health Events Added - Existing features such as SSPR and the Workload monitor include improvements to their existing health events, as well as new health events to aid in troubleshooting these features. The new feature in R2, Reporting, also includes a full set of health events which cover a broad array of scenarios, including installation of the feature, synchronization of data to the Data Warehouse, and extension of the default schema and reports.

Updated Connectors

  • Lotus Notes

  • Oracle Business Apps

  • SAP

Self-Service Password Reset capabilities improved

  • New Self-Service Password Reset Gates:

    • One-time Password E-mail Gate

    • One-time Password SMS Gate

  • Programmatic Registration

  • QA Gate Enhancements

  • Extranet-capable self-service password registration & reset portals. Key features:

    • Cross-browser support

    • Mobile device support

    • Customizable User Interface

For more information see Deployment Guide for Forefront Identity Manager 2010 R2 - Self-Service Password Reset

Reporting Platform

  • Extensible Reporting Platform

  • In-depth Auditing

  • Built on System Center Service Manager

FIM Service

  • A new DateTime Attribute "Completed Time" was added to the FIM Schema. The Request Resource has a binding to it. All new Requests created in R2 will have this attribute stamped on them. All Requests already in the system will not. An R2 Request now has 4 DateTime properties:

    1. CreatedTime -- DateTime when the Request is created.

    2. CommittedTime -- DateTime when the changes requested are committed.

    3. CompletedTime - DateTime when all the policies have been applied as a result of this Request.

    4. ExpirationTime - DateTime that is used to define when the Request can be deleted.

  • System Event Requests (commonly known as collateral requests) are created by the FIM Service to allow the execution of action workflows where the target of the action workflow does not match the target of the request. To control the impact of this load on overall system performance, R2 introduces workload management. The FIM Service monitors the FIM Service server CPU utilization and the FIM Service database server CPU utilization (SQL Server Enterprise Edition only) and uses a new "System Throttle Level" setting to determine how fast it can process collateral requests and their associated workflows.

    The new setting has a default value of 75, and an operational range of 1-100. Setting the value to -1 disables the feature and allows the FIM Service to process the collateral request queue as quickly as possible without monitoring its effect on the overall system performance. You can change this setting in the FIM Portal at: Administration / All Resources / System Configuration Settings / Extended Attributes / System Throttle Level. The setting is dynamic so changes will be picked up automatically without restarting the FIM Service.

    A large number of collateral requests may be generated by the following events:

    • FIM MA Export

    • Policy Updates (Run On Policy Update)

    • Temporal Policies

    If as a result of these, or other events, you experience degraded performance in your system due to a large number of collateral requests being created, consider lowering the "System Throttle Level".

  • Requests and workflows that do not complete their execution within a default 60 day time period are automatically canceled and if necessary terminated. This ensures that the system does not build up stale and potentially invalid requests and workflow instances over time which is known to impact overall system health. A request that has not completed within the “Request Maximum Active Duration”, default 60 days, will be cancelled by the system. Any request that has been in a “Cancelling” state for the “Request Maximum Canceling Duration”, default 2 days will be terminated.

    The “Request Maximum Active Duration” and “Request Maximum Canceling Duration” are configurable within the FIM Portal and a reboot is not required in order for changes to these settings to be applied. These settings are stored on the new “System Configuration Settings” resource. This resource is found:

    FIM Portal / Administration / All Resources / System Configuration Settings

    To view/edit the system configuration settings, open the resource and select Extended Attributes.

  • In earlier versions, the delete-add command was used enable you to both de-provision an existing object and add the object again with the same dn as the old one. Starting with Microsoft® Forefront Identity Manager 2010 R2 the delete-add process is no longer available and must be accomplished by running first the delete process followed by a separate add process.

  • The CreateResource, UpdateResource, and DeleteResource workflow activities have been extended with a new property: public bool ApplyAuthorizationPolicy

    By default the value is false which is compatible with FIM 2010 behavior.

    When this property is set to true, on one of the above activities, the corresponding request issued by the activity will be subject to applicable authorization policies, The applicable authorization policies (RMPRS) will be dependent on the details of the request and the identity of the requestor.

    The ability to apply authorization policy to requests originating within workflows allows you to support scenarios where you need to take actions (create subsequent requests) based on the content of the originating request to which you wish authorization to apply.

  • Two new optional public properties Bcc and CC have been added to the EmailNotificationActivity. Modifying these properties is not currently supported in the FIM workflow designer. As a result you will need to set them using custom code or by editing the workflow XOML directly.

    Example XOML:

                    <ns0:EmailNotificationActivity x:Name="emailNotificationActivity1" Bcc="[//Target/Owner]" CC=" bf7b286a-c4eb-4685-9995-78890acd1017;"SuppressException="False" To="bf7b286a-c4eb-4685-9995-78890acd1017;" EmailTemplate="727756dc-92b3-4861-8cab-4ab81ca28a3d" /> </ns0:SequentialWorkflow>
  • Email Templates in FIM can be customized to include data from within Workflows. The Approval activity now writes 4 "properties" into the WorkflowData collection that provide important details about the Approval.




    • If Approved, this will provide the list of names involved in approving the Request.

    • If Rejected, this will provide the name who rejected the Request.


    Approved, Rejected, TimedOut


    • if the Approval Expires:

      <data name="ApprovalActivityTimeoutExpiredReason" xml:space="preserve">
          <value>Approval has expired. See the approval details for this request for more information.</value>
    • if Approver Rejects the Approval

      <data name="ApprovalActivityDefaultRejectedReason" xml:space="preserve">
          <value>Approval was rejected. See the approval details for this request for more information.</value>
    • Approval does not have enough approvers to meet required threshold

      <data name="ApprovalActivityNoLongerValid" xml:space="preserve">
          <value>Approval was rejected. One of the approvers is not valid.</value>
    • Approver is no longer valid

      <data name="ApprovalActivityApproverNoLongerValidReason" xml:space="preserve">
          <value>Approver does not have the authority to approve anymore.</value>


    DEPRECATED in future versions. Use ApprovalFinalStatus.

    To leverage this functionality in your email templates associated with Approval workflows, add the following string where appropriate. For example if you want to use the value of ApprovalFinalStatus then add this: [//WorkflowData/ApprovalFinalStatus].

Additional What’s New Sections

In addition to the sections above, the 3 sections below contain additional information on the new changes and features. These are: