Introduction to Set Management

Applies To: Forefront Identity Manager 2010

Microsoft® Forefront Identity Manager 2010 uses Sets to group together FIM resources for management rules and workflow purposes. Membership in Sets can be criteria-based or manually-managed. Set memberships exist only in the FIM Portal, and are independent of Active Directory groups. Some examples of Sets could be:

  • All Sales Groups

  • All Users in Chicago

  • All Distribution Lists owned by a specific user

What This Document Covers

This document discusses how to create Sets and add members using the FIM Portal.

Prerequisite Knowledge

This document assumes that you have a basic understanding of how to create Users using the FIM Portal.

Audience

This document is intended for IT planners, systems administrators, architects, technology decision-makers, consultants, infrastructure planners, and IT personnel.

Time Requirements

The procedures in this document require less than 30 minutes to complete.

Best Practices

Creating Large Groups or Sets May Timeout at Higher Scales

Depending on the size of your FIM Service database, creating a Set or Group with thousands of members will sometimes cause a timeout in the FIM Portal. This has been observed in Sets or Groups that have a direct membership of over 10,000 objects. Editing a Set or Group so that thousands of members are added to it results in the same behavior. Avoid creating Sets or Groups with large memberships; if it is absolutely necessary, raise the timeout values in the FIM resource management service configuration file above the default 58 seconds, as needed, so that creation of the Set or Group can complete.

Filters At Scale Should Avoid the NOT and Contains Operator

In a large-scale environment, that is, 10,000 users or more, the effect of running queries or creating Sets or Groups with particular filter types becomes more pronounced. In general, a filter whose single clause uses a NOT condition results in extremely poor query performance. If the NOT operator must be used, combine it with other clauses that use non-negation operators. Additionally, avoid the Contains operator when running queries or creating Sets or Groups. When possible, use exact equality matching (is) or starts with, because Contains is known to degrade server query performance. Again, if the Contains operator must be used, combine it with additional equality-based clauses that narrow the result set over which the Contains operator is evaluated.

Do not Delete Default Users or Sets

Do not, under any circumstances, remove the following Users and Sets.

  1. Administrator (or the user who installed FIM 2010.)

  2. Built-in Synchronization Account

  3. Administrators Set

  4. All Button Viewable Set

  5. User Administrators Set

  6. Approvals Approve Reject Viewable Set

Deleting these will cause irreversible changes to FIM 2010 and may result in loss of data.

Scenario Description

Fabrikam, a fictitious corporation, wants to create Sets to identify All Managers, Selected Computers, and All Contractors whose expiration date is within 30 days. In addition, they want to create a Set that contains all employees who report directly to a specified manager.

Testing Environment

To perform the procedures in this document, your environment should have the following characteristics:

  • A server computer that is a member of the Fabrikam forest and hosts the FIM 2010 server components.

  • A custom resource in the FIM 2010 data store named “Computer”, and several Computer resources named Comp_1, Comp_2, etc. For more information, see the Introduction to Schema Management document in the FIM 2010 documentation set.

  • The following users:

    User name / Attributes

    User_TopLevel

    • DisplayName/Account Name – User_TopLevel

    • Job Title - Manager

    User_MiddleLevel

    • DisplayName/Account Name – User_MiddleLevel

    • Job Title - Manager

    • Manager – User_TopLevel

    User_BottomLevel

    • DisplayName/Account Name – User_BottomLevel

    • Job Title - Consultant

    • Manager – User_MiddleLevel

    IsManager

    • DisplayName/Account Name – IsManager

    • Job Title - Manager

    • Manager – User_MiddleLevel

    NotManager

    • DisplayName/Account Name – NotManager

    • Job Title - Consultant

    • Manager – IsManager

    ShortTermContractor

    • DisplayName/Account Name – ShortTermContractor

    • Employee End Date – 2 weeks from the current date

    • Employee Type - Contractor

    LongTermContractor

    • DisplayName/Account Name – LongTermContractor

    • Employee End Date – 2 months from the current date

    • Employee Type - Contractor

Implementing the Procedures in This Document

In this section, you will create four Sets:

  • All Managers

  • Selected Computers

  • All Contractors whose expiration date is within the next 30 days

  • All users who report directly to User_MiddleLevel

Warning

Do not, under any circumstances, remove the following Users and Sets.

  1. Administrator (or the user who installed FIM 2010.)

  2. Built-in Synchronization Account

  3. Administrators Set

  4. All Button Viewable Set

  5. User Administrators Set

  6. Approvals Approve Reject Viewable Set

Deleting these will cause irreversible changes to FIM 2010 and may result in loss of data.

Create the “All Managers” Set

In this procedure you will create a new Set called All Managers that uses a criteria-based membership filter.

To create the “All Managers” Set

  1. Log on to the FIM Portal as Administrator.

  2. On the FIM Portal home page, under Management Policy Rules, click Sets.

  3. On the Sets page, click New.

  4. On the General page, input the following information in the fields listed below:

    • Display name – All Managers

    • Description – Enter a user-friendly description for the Set that you are creating, for example, All users with job title of Manager.

  5. Click Next.

  6. On the Criteria-based Members page, make sure that Enable criteria-based membership in current set is selected, and click all resources. From the drop-down menu select user.

  7. Make sure the is operator is selected. Click Add Statement, then click Click to select attribute. From the drop-down menu, select Job Title.

  8. Click click to select value, enter Manager, and then click View Members.

  9. You should see the following users in the preview list:

    • IsManager

    • User_MiddleLevel

    • User_TopLevel

  10. Click Finish.

  11. The Summary page provides an overall view of the Set you created.

  12. Click Submit.

Create the “Selected Computers” Set

In this procedure you will create a new Set named Selected Computers and manually manage its members.

To Create the “Selected Computers” Set

  1. On the FIM Portal home page, in the left hand side Navigation Bar area, under Management Policy Rules, click Sets.

  2. On the Sets page, click New.

  3. On the General page, input the following information in the fields listed below:

    • Display name – Selected Computers

    • Description – Enter a user friendly description for the Set that you are creating, for example, Selected Computers in the organization.

  4. Click Next.

  5. Deselect Enable criteria-based membership in current set, and click Next.

  6. In Members to add, click the Browse icon.

  7. In Search within:, select All Resources. In Search for: type comp, then click the Search icon.

  8. Select the boxes next to Comp_1 and Comp_2, then click OK.

  9. Click Next.

  10. The Summary page provides an overall view of the Set you created.

  11. Click Submit.

Note

For information on how to include custom resources, such as Computer, in a criteria-based membership filter, see the Introduction To Portal Configuration in the FIM 2010 documentation set.

Create the “All Contractors whose expiration date is within the next 30 days” Set

In this section you will create a Set that contains all Contractors whose EmployeeEndDate is within the next 30 days.

To create the “All Contractors whose expiration date is within the next 30 days” Set

  1. On the FIM Portal home page, under Management Policy Rules, click Sets.

  2. On the Sets page, click New.

  3. On the General page, input the following information in the fields listed below:

    • Display name – All Contractors who expire in 30 days

    • Description – Enter a user-friendly description for the Set that you are creating, for example, All Contractors whose expiration date is within the next 30 days.

  4. Click Next.

  5. On the Criteria-based Members page, make sure that Enable criteria-based membership in current set is selected, and click all resources. From the drop-down menu select user.

  6. Click Add Statement, then click Click to select attribute. From the drop-down menu, select Employee Type.

  7. Make sure the is operator is selected. Click click to select value, enter Contractor, and press Enter.

  8. Click Add Statement, then click Click to select attribute. From the drop-down menu, select Employee End Date.

  9. Click after, then click prior to.

  10. Click click to select value and select X days hence.

  11. Click 1, enter 30 and click View Members.

  12. You should see the following user in the preview list:

    • ShortTermContractor

    Important

    When viewing the membership of any sets whose membership conditions are time-based (such as the above example), you may see members that are not in the set yet, and you should expect the membership to be corrected based on the configured schedule of the SQL agent.

  13. Click Finish.

  14. The Summary page provides an overall view of the Set you created.

  15. Click Submit.

Create the “Reports to User_MiddleLevel” Set

In this procedure you will create a new Set called Reports to User_MiddleLevel that contains all users that report directly to User_MiddleLevel.

To create the “Reports to User_MiddleLevel” Set

  1. Log on to the FIM Portal as Administrator.

  2. On the FIM Portal home page, under Management Policy, click Sets.

  3. On the Sets page, click New.

  4. On the General page, input the following information in the fields listed below:

    • Display name – Reports to User_MiddleLevel

    • Description – Enter a user-friendly description for the Set that you are creating, for example, All users that report directly to User_MiddleLevel.

  5. Click Next.

  6. On the Criteria-based Members page, make sure that Enable criteria-based membership in current set is selected, and click all resources. From the drop-down menu select user.

  7. Click Add Statement, then click Click to select attribute. From the drop-down menu, select Manager.

  8. Make sure the is operator is selected. Click click to select value. In Select Resource, in Search for:, enter User_ and then click the search icon.

  9. Select the box next to User_MiddleLevel, click OK, then click View Members.

  10. You should see the following users in the preview list:

    • IsManager

    • User_BottomLevel

  11. Click Finish.

  12. The Summary page provides an overall view of the Set you created.

  13. Click Submit.

Create “Workgroup for LongTermContractor”

In this procedure you will create a new Set with manually-managed members. The members are selected by hand because there is no clean filter that can express this relationship.

To create the “Workgroup for LongTermContractor” Set

  1. Log on to the FIM Portal as Administrator.

  2. On the FIM Portal home page, under Management Policy, click Sets.

  3. On the Sets page, click New.

  4. On the General page, input the following information in the fields listed below:

    • Display name – Workgroup for LongTermContractor

    • Description – Enter a user-friendly description for the Set that you are creating, for example, All users that work with LongTermContractor.

  5. Click Next.

  6. On the Criteria-based Members page, deselect the check box beside Enable criteria-based membership in current set and click Next.

  7. On the Manually-managed Members page, add the members in the Members to Add box by performing the following steps:

    1. Click the Browse icon located next to the input box.

    2. In the search box, enter ShortTermContractor, and then press Enter or click the search icon. Make sure that the Search within box has All Users selected.

    3. Under Search Result, check the box beside ShortTermContractor. Click OK.

      -or-

      You can also type ShortTermContractor and press Ctrl+K or click the validate icon. If there is more than one matching result, select the desired item in the list that is shown.

    Repeat this step to add User_BottomLevel.

  8. Click Finish.

  9. The Summary page provides an overall view of the Set you created.

  10. Click Submit.

Enable Criteria-based Members in an Existing Set

When you delete a Set, all references to it in MPRs, Workflows and other resources are cleared, which may cause those resources to stop functioning as expected. Before deleting a Set, always search thoroughly for where it is referenced and fix those links first. If instead you need to preserve the Set but enable its criteria-based membership, you can do so by following the instructions below.

To change the “Workgroup for LongTermContractor” set to a set that includes criteria-based members

  1. Log on to the FIM Portal as Administrator.

  2. On the FIM Portal home page, under Management Policy, click Sets.

  3. On the Sets page, enter Workgroup for LongTermContractor in the search box above and click the search icon.

  4. In the results page generated from above search, click Workgroup for LongTermContractor.

  5. Click Advanced View on the bottom of the page that displays the detail of the set.

  6. On the Extended Attributes page, in the Filter attribute, paste in the following text:

    <Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">/Person[JobTitle = 'Manager']</Filter>

    The Filter attribute takes an XML-wrapped XPath expression. The XML wrapper always has the following format, and the namespace and Dialect URIs must match exactly, including the http scheme:

    <Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">XPath Expression</Filter>

    The XPath expression /Person[JobTitle = 'Manager'] selects all people whose job title is Manager.

  7. Click OK.

  8. The Summary page provides an overall view of the Set you modified.

  9. Click Submit.
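The following Python script is an added example, not code from the FIM 2010 documentation. It builds and parses the XML-wrapped XPath that step 6 pastes into the Filter attribute (escaping characters such as < that are not legal in XML text, and rejecting a wrapper whose namespace or Dialect differs from the expected literal http URIs) and applies a simple heuristic, my own, for the two filter shapes the Best Practices section warns against at scale: a single NOT clause and the Contains operator. The date-bounded expression in the script is a constructed sample.

```python
"""Build, parse and sanity-check a FIM Set Filter attribute value.
Added example; assumes FIM compares the namespace and Dialect URIs literally."""
import re
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

NS_XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS_XSD = "http://www.w3.org/2001/XMLSchema"
NS_ENUM = "http://schemas.xmlsoap.org/ws/2004/09/enumeration"
DIALECT = "http://schemas.microsoft.com/2006/11/XPathFilterDialect"


def wrap_filter(xpath):
    """Return the Filter attribute value for an XPath expression.
    The XPath is XML text content, so '<', '>' and '&' must be escaped."""
    return ('<Filter xmlns:xsi="%s" xmlns:xsd="%s" Dialect="%s" xmlns="%s">%s</Filter>'
            % (NS_XSI, NS_XSD, DIALECT, NS_ENUM, escape(xpath)))


def unwrap_filter(value):
    """Parse a Filter attribute value and return the XPath inside it.
    Raises ValueError if the element, its namespace or its Dialect is not FIM's."""
    root = ET.fromstring(value)
    if root.tag != "{%s}Filter" % NS_ENUM:
        raise ValueError("unexpected root element: %s" % root.tag)
    if root.get("Dialect") != DIALECT:
        raise ValueError("unexpected Dialect: %s" % root.get("Dialect"))
    return (root.text or "").strip()


def scale_warnings(xpath):
    """Heuristic check for the two shapes the Best Practices section warns about:
    a predicate that is only a NOT clause, and any use of contains()."""
    warnings = []
    if re.search(r"\bcontains\(", xpath):
        warnings.append("contains(): prefer = or starts-with(), or add equality clauses")
    m = re.search(r"\[(.*)\]", xpath)  # outermost predicate; greedy on purpose
    predicate = m.group(1).strip() if m else ""
    if predicate.startswith("not(") and " and " not in predicate:
        warnings.append("single-clause NOT: combine with a non-negated clause")
    return warnings


if __name__ == "__main__":
    # The filter from the procedure above, plus a constructed date-bounded one
    for xp in ("/Person[JobTitle = 'Manager']",
               "/Person[EmployeeEndDate <= '2010-12-31T00:00:00']"):
        wrapped = wrap_filter(xp)
        assert unwrap_filter(wrapped) == xp  # round trip survives escaping
        print(wrapped)
    print(scale_warnings("/Person[not(JobTitle = 'Manager')]"))
```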

Summary

After completing the procedures in this guide, you have used the FIM Portal to create both criteria-based and manually-managed Sets in the FIM database. As a next step, see the Introduction to Management Policy Rules document in the FIM 2010 documentation set to learn how to use these Sets to define permissions and workflows.