Managing BHOLD Roles in the Forefront Identity Management 2010 R2 Portal


Applies To: Forefront Identity Manager

Your organization uses the Microsoft BHOLD Suite to add role-based access control (RBAC) to Microsoft Forefront Identity Manager 2010 R2 SP1 (FIM). By using RBAC, your organization can assign roles to users that reflect the users’ place in the organization, the jobs that they perform, and the projects that they work on. A role simply represents the permissions and other access controls that determine the applications and information that a user can access in order to fulfill that role in the organization. For example, if a user is assigned a role as an accountant, the role can permit access to the organization’s accounting application as well as the financial data that the user must be able to use to serve as an accountant. Users who are not assigned the accountant role are not permitted to access the accounting application and data. Similarly, users who are part of a regional sales division can be assigned roles that give them access to the sales data for their region only. If a user moves from one division to another, the user can be assigned a role that is appropriate for the new division and removed from the role for the previous division. This greatly simplifies the effort required to ensure that, as the organization’s needs change, users are given access to all of (but no more than) the applications and information that they need.

Most roles are automatically assigned to users, but some roles must be activated by a manager or by some other authority. To make this possible, BHOLD adds features to the FIM Portal that you might already be familiar with. With these features, you can request activation for a role that is assigned to you, or you can request activation for other users for whom you are responsible (if you are a team manager, for instance). Depending on how the approval process is configured in your organization, one or more of the following might be required to approve the request:

  • Line managers, who are responsible for approving role-activation requests by members of a particular organizational unit, such as the users in a project team.

  • Role managers, who are responsible for approving requests for the role itself.

  • Security officers, who have general responsibility for approving requests for the organization.

When a request to activate a role for a user is submitted in the FIM Portal, an email message is sent to all users who are required to approve the request. The email message contains the information they need to approve or deny the request. After a period of time, if a line manager or role manager fails to approve the request, the request might be forwarded to an escalation approver instead. If all required managers and officers approve the request, the role is activated for the user. Otherwise, the request is denied and the user is not assigned the permissions that are associated with the role.
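The approval flow just described (every required approver must approve, any denial rejects the request, and an unanswered line or role manager is replaced by an escalation approver after a period of time) can be made concrete with a small model. The following Python is an added illustration, not BHOLD or FIM code; the approver names, the 48-hour escalation period and the per-approver escalation target are constructed assumptions, and real BHOLD configuration sets these differently.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Decision(Enum):
    APPROVED = "approved"
    DENIED = "denied"
    PENDING = "pending"


@dataclass
class Approver:
    name: str
    kind: str                            # line_manager, role_manager or security_officer
    escalation_to: Optional[str] = None  # assumed: escalation approver used if this one never answers


@dataclass
class ActivationRequest:
    user: str
    role: str
    approvers: list[Approver]
    submitted_at: int                    # hours since an arbitrary epoch (constructed clock)
    timeout_hours: int = 48              # assumed escalation period, not a BHOLD setting
    decisions: dict[str, Decision] = field(default_factory=dict)

    def pending_approvers(self) -> list[str]:
        """Approvers who still owe a decision; these are the people the notification goes to."""
        return [a.name for a in self.approvers if a.name not in self.decisions]

    def record(self, approver: str, decision: Decision) -> None:
        """Accept a decision only from someone who is currently a required approver."""
        if approver not in {a.name for a in self.approvers}:
            raise ValueError(f"{approver} is not a required approver for this request")
        self.decisions[approver] = decision

    def escalate_overdue(self, now: int) -> list[str]:
        """After the timeout, hand an unanswered manager's slot to that manager's escalation approver.

        Security officers carry no escalation target in this model, so they are never replaced.
        Returns the names of the escalation approvers that were brought in."""
        if now - self.submitted_at < self.timeout_hours:
            return []
        escalated = []
        for i, a in enumerate(self.approvers):
            if a.name not in self.decisions and a.escalation_to:
                self.approvers[i] = Approver(a.escalation_to, a.kind)
                escalated.append(a.escalation_to)
        return escalated

    def evaluate(self) -> Decision:
        """Any denial denies; the role activates only when every required approver has approved."""
        outcomes = [self.decisions.get(a.name, Decision.PENDING) for a in self.approvers]
        if Decision.DENIED in outcomes:
            return Decision.DENIED
        if all(o is Decision.APPROVED for o in outcomes):
            return Decision.APPROVED
        return Decision.PENDING


def sample_request() -> ActivationRequest:
    """Constructed request with one approver of each kind; the managers have escalation approvers."""
    return ActivationRequest(
        user="jsmith", role="Accountant", submitted_at=0,
        approvers=[
            Approver("alice", "line_manager", escalation_to="dave"),
            Approver("bob", "role_manager", escalation_to="erin"),
            Approver("carol", "security_officer"),
        ],
    )


if __name__ == "__main__":
    req = sample_request()
    req.record("alice", Decision.APPROVED)
    print("escalated to:", req.escalate_overdue(now=72))  # bob never answered, so erin takes his slot
    req.record("erin", Decision.APPROVED)
    req.record("carol", Decision.APPROVED)
    print("outcome:", req.evaluate().value)
```

The point the model makes explicit is that approval is a conjunction: a single denial is final, silence never counts as approval, and escalation only changes who is asked, not how many approvals are needed.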

In order to request a role activation for yourself or another user, you must be logged on with an account that is authorized to use the FIM Portal. To access the FIM Portal, open a web browser and type the following in the address bar:

http://<server_name>/identitymanagement

where <server_name> is the name of the server that hosts the FIM Portal. Your network administrator will provide you with this information.


If your network uses Secure Sockets Layer (SSL) to protect the FIM Portal, begin the address with https:// instead. Your network administrator will tell you whether this is required.

This guide helps you perform the following tasks: