Forefront Identity Manager Schema

Microsoft Forefront Identity Manager 2010 (FIM) provides an extensible schema with a predefined set of resource types and associated attributes. This document discusses the components and structure of the FIM schema: resource types, attributes, and bindings.

This topic is based on the TechNet topic Technical Concepts for Custom Resource and Attribute Management, which provides information about making schema changes using the FIM Portal.

Understanding the FIM 2010 Schema

The FIM schema consists of three components:

  • Resource Type - Each instance of a resource type definition (ObjectTypeDescription) defines the basic properties of a resource type. A resource type can be mapped to multiple attributes.

  • Attributes - Each instance of an attribute definition (AttributeTypeDescription) defines the basic properties of an attribute. An attribute can be mapped to multiple resource types.

  • Bindings - Each instance of a binding definition (BindingDescription) maps an attribute to a resource type. It also provides user options to customize the property of the attribute when used under the bound resource type context.

Figure 1 shows the relationship between these three elements.

Figure 1. FIM Schema Elements (diagram not reproduced)

Basic Bindings

Each resource type, including all schema-related resource types, binds to a list of basic attributes such as Creator, Description, DisplayName, ExpectedRulesList, and Locale. These are all attributes of the Resource resource. All of the resource types in FIM have the same bindings as the Resource type by default. The relationship (Required property) between the bound attributes and the bound resource types is defined by default and cannot be changed.

For more information about creating and modifying these bindings in the FIM Portal, see Technical Concepts for Custom Resource and Attribute Management.

Resource Type

The Resource Type schema is defined by ObjectTypeDescription resources. You can create new resource type definitions or edit existing resource type definitions via the Schema Management – All Resource Types page in the FIM Portal. For more information about creating and modifying these types in the FIM Portal, see Technical Concepts for Custom Resource and Attribute Management. You need to run iisreset to refresh the schema after creating a new resource type.

Create Resource Type Resources

To create a new resource type in FIM, you must create a new ObjectTypeDescription resource.

For more information about creating and modifying resource types in the FIM Portal, see Technical Concepts for Custom Resource and Attribute Management. You need to run iisreset to refresh the schema after creating a new resource type.

Delete Resource Type Resources

To delete a resource type in FIM, you must delete the corresponding ObjectTypeDescription resource.

You cannot delete a resource type after an instance of that resource has been created, even if that instance has been deleted.

You can delete a resource type if no instances of it have been created, however, you must remove all bindings that are attached to the resource before deleting it.

When a resource is deleted, the resources that depend on the deleted resource may become broken. Before deleting a resource, it is important to check for other resources that depend on that resource. For more information about creating and modifying these types in the FIM Portal, see Technical Concepts for Custom Resource and Attribute Management. You need to run iisreset to refresh the schema after creating a new resource type.

Grant Rights to Resource Type Resources

Once a new resource type is created, members of the Administrators set must define new Management Policy Rule(s) to grant users (including themselves) rights to manage it.

Localize Resource Type Resources

When a new resource type is created, it will not be localized automatically into different languages by default. Administrators need to provide localization information for it manually. To modify localization information for a resource through Windows PowerShell or web services, you need to modify the Locale value of the resource (see Resource). For information about setting localization information for a resource type using the Localization tab of the FIM Portal, see Introduction to Custom Resource and Attribute Management.

Customize UsageKeyword

The UsageKeyword is used to indicate which resource types are mandatory for which component(s) of FIM. It is a multi-valued string attribute. It can be used by third-party ISV developers to mark resource types that are mandatory for their application. In FIM, the key resource types are protected by the system as well as by selected Management Policy Rules. For more information, see UsageKeyword.

For information about creating and modifying these types in the FIM Portal, see Technical Concepts for Custom Resource and Attribute Management. You need to run iisreset to refresh the schema after creating a new resource type.

Attributes

FIM also contains a default collection of system attributes, and in addition, you can create custom attributes. Attributes may be bound to multiple resource types, and must be one of the supported FIM data types. For more information about data types, see Schema Data Types.

Creating an Attribute

To create a new attribute type in FIM, you must create a new AttributeTypeDescription resource.

For more information about creating and modifying attributes of a resource in the FIM Portal, see Technical Concepts for Custom Resource and Attribute Management. You need to run iisreset to refresh the schema after creating a new attribute.

Deleting an Attribute

If you add a new attribute to a resource type, the attribute can only be removed from the resource type if it has never been used in any instance of that resource type. If you created a resource type with a valid attribute value, you cannot remove the attribute for that resource type even after you delete the resource type.

An attribute can only be deleted when it meets all the following conditions:

  1. The attribute is not currently bound to any resource type.

  2. The attribute is not currently used in any instances of a resource type.

  3. The attribute is not currently used in the ActionParameter property of any ManagementPolicyRule resource.
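The page states when an ObjectTypeDescription (above, under Delete Resource Type Resources) and an AttributeTypeDescription (the three conditions just listed) may be deleted, and advises checking dependencies first. The following is an added example, not code from the FIM documentation or its API: a pre-deletion check that applies those rules to a constructed snapshot of schema resources. The field names BoundObjectType, BoundAttributeType and ActionParameter are FIM attribute names; the snapshot contents, the SchemaSnapshot type and the helper functions are assumptions made for illustration.

```python
from dataclasses import dataclass

# Added example, not part of the FIM documentation or its API. The snapshot
# below is constructed by hand, not exported from a real FIM Service.

@dataclass
class SchemaSnapshot:
    resource_types: set        # ObjectTypeDescription names
    attributes: set            # AttributeTypeDescription names
    bindings: set              # {(BoundObjectType, BoundAttributeType)} of BindingDescriptions
    ever_created: set          # resource types that have ever had an instance (even if deleted)
    attribute_usage: dict      # attribute -> set of resource types whose instances use it
    mpr_action_params: dict    # ManagementPolicyRule DisplayName -> attributes in ActionParameter

def resource_type_blockers(snap, rtype):
    """Reasons an ObjectTypeDescription cannot be deleted (empty list = deletable)."""
    reasons = []
    if rtype in snap.ever_created:
        reasons.append("instances of this type were created (even if since deleted)")
    bound = sorted(a for (o, a) in snap.bindings if o == rtype)
    if bound:
        reasons.append(f"bindings still attached, remove them first: {bound}")
    return reasons

def attribute_blockers(snap, attr):
    """Reasons an AttributeTypeDescription cannot be deleted (the three conditions)."""
    reasons = []
    bound_to = sorted(o for (o, a) in snap.bindings if a == attr)
    if bound_to:
        reasons.append(f"still bound to resource types: {bound_to}")
    used_in = sorted(snap.attribute_usage.get(attr, ()))
    if used_in:
        reasons.append(f"used in instances of: {used_in}")
    mprs = sorted(m for m, params in snap.mpr_action_params.items() if attr in params)
    if mprs:
        reasons.append(f"referenced by ActionParameter of MPRs: {mprs}")
    return reasons

# Constructed snapshot: Person and Project have been instantiated, Vendor never has.
SNAPSHOT = SchemaSnapshot(
    resource_types={"Person", "Project", "Vendor"},
    attributes={"DisplayName", "ProjectCode", "VendorTier"},
    bindings={("Person", "DisplayName"), ("Project", "DisplayName"), ("Project", "ProjectCode")},
    ever_created={"Person", "Project"},
    attribute_usage={"DisplayName": {"Person", "Project"}, "ProjectCode": {"Project"}},
    mpr_action_params={"Project admins can set code": {"ProjectCode"}},
)

if __name__ == "__main__":
    for rt in sorted(SNAPSHOT.resource_types):
        print(rt, resource_type_blockers(SNAPSHOT, rt) or "deletable")
    for at in sorted(SNAPSHOT.attributes):
        print(at, attribute_blockers(SNAPSHOT, at) or "deletable")
```

Only Vendor and VendorTier come back deletable; every other schema resource reports at least one of the page's blocking conditions.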

Grant Rights to Attribute Resources

Once a new attribute is created, members of the Administrators set must define new Management Policy Rule(s) to grant users (including themselves) rights to manage it.

Localize Attribute Resources

When a new attribute is created, it will not be localized automatically into different languages by default. Administrators need to provide localization information for it manually. To modify localization information for a resource through Windows PowerShell or web services, you need to modify the Locale value of the resource (see Resource). For information about setting localization information for a resource type using the Localization tab of the FIM Portal, see Introduction to Custom Resource and Attribute Management.

Customize UsageKeyword

The UsageKeyword property is used to indicate which attributes are mandatory for which component(s) of FIM. It is a multi-valued string attribute. It can be used by third-party ISV developers to mark attributes that are mandatory for their application. In FIM, the key attributes are protected by the system as well as by selected Management Policy Rules. For more information, see UsageKeyword.

For information about creating and modifying attributes in the FIM Portal, see Technical Concepts for Custom Resource and Attribute Management. You need to run iisreset to refresh the schema after creating a new attribute.

Bindings

A binding maps an attribute and a resource type. A resource type can be bound to multiple attributes, and attributes can be bound to multiple resources, but each binding’s bound attribute and bound resource type combination must be unique. In FIM, bindings are defined by BindingDescription resources.

For information about creating and modifying bindings in the FIM Portal, see Introduction to Custom Resource and Attribute Management. For custom resource types, bound attributes will appear automatically in the default detail view of the resource. For system resources, you must modify the RCDC for that resource type in order for them to appear in the UI. For more information, see the Resource Control Display Configuration XML Reference in the FIM TechNet documentation.

Uniqueness Rules

FIM has default uniqueness rules for schema. For more information, see Object Uniqueness Rules.

Recommendations and Known Issues

Custom resources with ":", "(", or ")" in the name will render the FIM Portal inoperable

In this release, do not use a colon (:) or parentheses [()] in the system name of a custom resource. Creation of custom resources with these characters in the system name will cause the FIM Portal to become inoperable, and a reinstallation of the FIM Portal will be necessary.

Dependency on auditing requirements

It is recommended that you do not delete your schema resources while you still have auditing requirements for these resources.

Making regular expressions case insensitive

In FIM, it can be helpful to make some regular expressions case insensitive. You can ignore case within a group by opening the group with the inline option (?i: instead of a plain parenthesis. For example, for Employee Type, use

^(?i:contractor|full time employee)$
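The following is an added example, not from the FIM documentation, that checks the Employee Type pattern against sample values. It compares the intended case-insensitive form ^(?i:contractor|full time employee)$ with the variant ^(?!:contractor|full time employee)%, which some copies of this guidance show and which is a negative lookahead followed by a literal percent sign rather than a case-insensitivity option. FIM evaluates .NET regular expressions; the (?i:...) group syntax is shared with Python's re module (assumed Python 3.6 or later), so the behaviour shown carries over.

```python
import re

# Added example, not from the FIM documentation. Both patterns are taken from
# the discussion above; the sample values are constructed.
INTENDED = r"^(?i:contractor|full time employee)$"   # case-insensitive group, end-anchored
VARIANT  = r"^(?!:contractor|full time employee)%"   # negative lookahead, then a literal '%'

def accepts(pattern: str, value: str) -> bool:
    """True if the validation pattern accepts the candidate attribute value."""
    return re.search(pattern, value) is not None

def classify(value: str) -> dict:
    """Report what each pattern does with one candidate Employee Type value."""
    return {"intended": accepts(INTENDED, value), "variant": accepts(VARIANT, value)}

if __name__ == "__main__":
    # The variant rejects every real employee type and accepts only strings
    # beginning with '%', because (?!...) asserts rather than matches text.
    for v in ["contractor", "Full Time Employee", "CONTRACTOR", "intern", "%"]:
        print(f"{v!r:22} -> {classify(v)}")
```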

Calculation of the member attribute

The Member attribute exposed to the synchronization engine is actually mapped to ComputedMembers. It is a combination of criteria-based members and manually selected members. Even if you add all three attributes, (Filter, ExplicitMembers and ComputedMembers), the dynamic calculation of the member attribute does not occur for resource types other than Group and Set.

To achieve similar functionality when you synchronize a custom resource, you must create a custom reference-valued attribute—for example, ExplicitMember2—and bind it to your custom resource.

Strings with leading and trailing spaces

In FIM, you can enter strings with leading and trailing spaces, but the FIM system ignores those spaces. If you submit a string with leading or trailing spaces, both the synchronization engine and the Web services ignore those spaces.

Empty strings

Empty strings are not equal to null in this release of FIM. Empty string input is regarded as a valid value. Not present is regarded as a null.

Making certain unsupported attributes required

The following attribute types are not supported:

  1. Multivalued binary

  2. Multivalued text

If you create these attributes, designate them as required, and then bind a resource to them, you will not be able to create that resource or update any existing instance of that resource in the FIM Portal UI. You will receive an error message when you attempt to submit the change.

To work around this issue, either mark the attribute as not required, or, if it must be required, do not expose it in the FIM Portal.

Modifying Schema

For guidance on extending and modifying the schema by using the FIM Portal, see Introduction to Custom Resource and Attribute Management. The schema can also be modified programmatically by performing Create, Read, Update, and Delete requests via the Web Services API (for more information, see Forefront Identity Manager Schema). You can also perform Create, Read, Update, and Delete requests via PowerShell cmdlets (for more information, see FIM PowerShell cmdlet Reference). For the default FIM Service schema reference, see Forefront Identity Manager Schema.

See Also

Concepts

Schema Data Types
Schema Naming Conventions
Object Uniqueness Rules

Other Resources

Schema Resources
Technical Concepts for Custom Resource and Attribute Management