Introduction to Custom Resource and Attribute Management
Applies To: Forefront Identity Manager 2010
Microsoft® Forefront® Identity Manager (FIM) 2010 offers a way for users to view and update the FIM 2010 schema by using the FIM Portal. With access to the FIM 2010 schema, users can better manage the resources that are contained in the FIM 2010 database by manipulating their attributes.
What This Document Covers
This document describes how to view schema resource types, update schema resource types, create new resource types, delete a resource type, update schema attributes, and create new schema attributes by using the FIM Portal. It also demonstrates how to create resources that use the new schema elements.
For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.
Prerequisite Knowledge
This document assumes that you have a basic understanding of the FIM Portal and the basic schema structure. For more information, see Technical Concepts for Custom Resource and Attribute Management (https://go.microsoft.com/fwlink/?LinkId=186743) in the FIM documentation.
Audience
This document is intended for information technology (IT) planners, systems administrators, and infrastructure planners.
Time Requirements
The procedures in this document require 30 to 45 minutes to complete.
Scenario Description
A member of the schema administration group in the Fabrikam organization wants to use the FIM Portal to create a custom resource type and attributes, bind those attributes to the newly created custom resource type, and then manage the new custom resource type.
Testing Environment
To perform the procedures in this document, your environment must have a server computer that is a member of the Fabrikam forest and that hosts the FIM 2010 server components.
To implement the procedures for the localization example, you must have at least one language pack installed. For more information, see the FIM Installation Guide (https://go.microsoft.com/fwlink/?LinkID=165845) in the FIM documentation.
Before You Begin
To implement the procedures in the document, you must authenticate to the FIM Portal as a schema administrator. You can edit the schema pages only if you are authenticated to the FIM Portal as a schema administrator.
Important
Do not delete any attributes, bindings, or resource types that contain the usage keyword Microsoft.ResourceManagement.WebServices or Microsoft.ResourceManagement.PortalClient. Doing so may cause FIM Portal to fail. For more details about using Usage Keyword for schema elements, see Technical Concepts for Custom Resource and Attribute Management (https://go.microsoft.com/fwlink/?LinkId=186743) in the FIM documentation.
Viewing the FIM Schema Elements
Before you implement the procedures in this document, become familiar with the FIM schema elements and how to navigate to them in the FIM Portal.
The basic elements of the FIM schema are Resource Types, Attributes, and Bindings. Simply put, attributes are bound to a resource type to hold values that define an instance of that resource type. For example, a user resource type has multiple attributes bound to it, such as DisplayName, Address, Manager, and others. An instance of a user resource may be the following:
DisplayName = Mike Danseglio
Address = 123 Main St.
Manager = Neil Black
<other>
Note
For more detailed information about how these elements work together, see Technical Concepts for Custom Resource and Attribute Management (https://go.microsoft.com/fwlink/?LinkId=186743) in the FIM documentation.
To view the schema elements in the FIM Portal
Log on to the FIM Portal as the administrator.
On the FIM Portal home page, under Administration, click Schema Management.
On the Schema Management – All Resources page, select the check box next to Group, and then click Binding.
This list view displays all the attributes that are bound to the Group resource type. The Display Name column displays the name of the binding, which is typically the same name as the attribute in the binding, but it can be customized.
Note
The name of a binding does not have to be unique in the system, unlike a resource type name or attribute type name. For example, there are multiple bindings named "Description." However, each binding with that name describes a unique pairing of the description attribute with a different resource type.
The Resource Type column displays the resource type that the attribute is bound to. The Attribute column displays the attribute type that is bound to the resource type.
You can view the configuration and properties of each of the elements by clicking the name in its respective column. For example, clicking Account Name in the first column displays the properties of the Account Name binding. Clicking Account Name in the last column displays the properties of the Account Name attribute type.
To view the same relationships from the attribute perspective, click All Attributes, select the Account Name check box, and then click Binding.
This list view displays all the resource types that the Account Name attribute is bound to. The Display Name column displays the name of the binding, the Resource Type column displays the resource type that the attribute is bound to, and the Attribute column displays the attribute type that is bound to the resource type.
Click back in the browser to return to the previous page, Schema Management - All Attributes, and then click All Bindings.
On this page, you can also see both instances of the Account Name binding, which instance applies to the User resource type, and which instance applies to the Group resource type.
Implementing the Procedures in This Document
To implement the procedures for the scenario described in this document, you must complete the following steps in order:
Create a custom resource type
Create attributes
Bind attributes to a custom resource type
Setting permissions for a new resource type
Enable administrators to use the new attributes in filters
Add a new attribute to the User resource and allow users to view it
Creating a custom resource
Update the custom resource
Localizing schema elements
Delete the custom resource
Create a custom resource type
In this procedure, you create a new resource type named Computer. When you create the new resource type, an instance of this resource type is added to the FIM 2010 system.
To create a custom resource type
Log on to the FIM Portal as the administrator.
On the FIM Portal home page, under Administration, click Schema Management.
On the Schema Management – All Resource Types page, click New.
On the Create Resource Type page, type the following information in the following fields:
System name – Computer
Note
This name cannot be changed after the resource type has been created.
Display Name – Computer
Description – Enter a user-friendly description for the Computer resource that you are creating, such as Computers in the organization.
Click Next.
Click Finish to go directly to the Summary page.
On the Summary page, click Next.
Click Submit.
Create attributes
In this procedure, you create three new attributes for the Computer resource named Memory, AccessLevel, and Processor.
To create attributes
Log on to the FIM Portal as the administrator.
On the FIM Portal home page, under Administration, click Schema Management.
On the Schema Management – All Resource Types page, click All Attributes.
Click New.
On the Create Attribute page, under General, type the following information in the following fields:
System name – AccessLevel
Display name – Access Level
Data Type – In the menu, click Indexed String.
Multivalued – Ensure that the check box is cleared.
Description – Enter a user-friendly description of the attribute that you created.
Note
The System Name, Data Type, and Multivalued properties cannot be changed after the attribute has been created.
Click Finish to move directly to the Summary page.
On the Summary page, click Submit.
Repeat the steps in this procedure to create two additional attributes, both of data type Indexed String:
Memory
Processor
Bind attributes to a custom resource type
In this procedure, you bind the new attributes that you created (AccessLevel, Processor, and Memory) to the new custom resource type that you created (Computer).
To bind attributes to a custom resource type
Log on to the FIM Portal as the administrator.
On the FIM Portal home page, under Administration, click Schema Management.
On the Schema Management – All Resource Types page, select the check box next to the Computer resource type, and then click Binding. The list view displays all the attributes that are currently bound to the Computer resource by default. For more information about navigating the schema elements, see Viewing the FIM Schema Elements earlier in this document.
On the Schema Management – All Bindings page, click New.
On the General page, enter the following information in the following fields:
- Resource Type – To select the required bound resource type, do the following:
Click the Browse icon next to Resource Type.
On the Please Select A Resource Type page, in Search for, type Computer, and then press ENTER.
Under Display Name, select the Computer check box, and then click OK.
-or-
You can also type Computer in Resource Type and press Ctrl+K or click the Validate icon. Sometimes there is more than one matching result. You can select the desired item in the list that appears.
- Attribute Type – To select the required bound attribute type, do the following:
Click the Browse icon located next to the Attribute Type box.
In Search for, type Access Level, and then press ENTER or click the search icon.
Under Display Name, select the Access Level check box, and then click OK.
-or-
You can type Operation System and press Ctrl+K or click the Validate icon. Sometimes there is more than one matching result. You can select the desired item in the list that appears.
Note
The combination of Resource Type and Attribute Type must be unique in the system. FIM displays an error message if it detects a duplicate binding.
- Required – Leave this box empty.
Click Next, and then click Next again.
On the Validation tab, in String Pattern type the following regular expression:
^(None|Internet|All)?$
and then click Next.
On the Summary page, click Submit.
Repeat these steps, omitting step 7, to bind the remaining attributes to the Computer resource:
Processor
Memory
Important
Although it is not covered in this guide, you may have taken the optional step to bind the Domain attribute to the Computer resource as well. If this is the case, you must also bind the Domain Configuration attribute to the Computer resource or the Create request will fail.
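The String Pattern entered for the Access Level binding in this procedure, exercised offline as an added example that is not part of the original Microsoft document. It assumes FIM applies the pattern with .NET regular-expression semantics, which for this pattern match Python's re module; the sample records and function names are constructed for illustration.

```python
import re

# String Pattern entered on the Validation tab for the AccessLevel binding.
ACCESS_LEVEL_PATTERN = r"^(None|Internet|All)?$"

_loose = re.compile(ACCESS_LEVEL_PATTERN)
# Same alternation, anchored to the absolute start and end of the string.
_strict = re.compile(r"\A(None|Internet|All)?\Z")

# Constructed sample records (not from the page), shaped like the Computer
# resource built in this guide.
SAMPLE_COMPUTERS = [
    {"DisplayName": "MartinB's Laptop", "AccessLevel": "Internet"},
    {"DisplayName": "Lab PC 1", "AccessLevel": ""},
    {"DisplayName": "Lab PC 2", "AccessLevel": "internet"},
    {"DisplayName": "Lab PC 3", "AccessLevel": "All\n"},
    {"DisplayName": "Kiosk", "AccessLevel": "Windows 7"},
    {"DisplayName": "", "AccessLevel": "None"},
]


def classify_access_level(value):
    """Classify one candidate AccessLevel value against the page's pattern."""
    if value is None or value == "":
        # The trailing '?' makes the group optional and the binding is not
        # marked Required, so an empty value passes validation.
        return "accepted-empty"
    if _strict.match(value):
        return "accepted"
    if _loose.match(value):
        # '$' also matches just before a final newline, so "All\n" satisfies
        # the pattern as written although it is not one of the three literals.
        return "accepted-trailing-newline"
    # Wrong case, extra characters, or a value outside the allowed set.
    return "rejected"


def audit(records):
    """Return (DisplayName, verdict) pairs for a batch of candidate records."""
    results = []
    for rec in records:
        name = rec.get("DisplayName", "")
        if not name:
            # Display Name is the only attribute the guide says requires a value.
            results.append(("<missing>", "rejected-no-display-name"))
            continue
        results.append((name, classify_access_level(rec.get("AccessLevel"))))
    return results


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_COMPUTERS):
        print(f"{name!r}: {verdict}")
```

The pattern is case-sensitive, so only the exact strings None, Internet, and All pass; if an empty Access Level should not be allowed, drop the trailing ? or mark the binding Required.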
Setting permissions for a new resource type
After you create a custom resource type and after you bind attributes to the resource type, you set the necessary permissions to manage the custom resource type. By completing the following procedures, you create a Set, All Computers, and an MPR that will grant permissions to create, modify, and delete a Computer resource. For more information about these procedures, see this section and Modeling Business Policy Rules with FIM in the FIM 2010 documentation.
First, you create a Set that contains all the Computer resources in the organization.
To create the All Computers Set
Log on to the FIM Portal as the administrator.
On the FIM Portal home page, in the navigation pane on the left side of the screen, under Management Policy Rules, click Sets.
On the Sets page, click New.
On the General page, type the following information in the following fields:
Display name – All Computers
Description – Enter a user-friendly description for the Set that you are creating, such as All Computers.
Click Next.
On the Criteria-based Members page, ensure that Enable criteria-based membership in current set is selected, and then click all resources. On the menu, click computer.
Click Finish.
Click Submit.
Next, we create an MPR so that administrators have the necessary permissions to create, modify, or delete a computer resource. In your system, you will probably need to create one or more MPRs that give certain users delegated rights to manage a computer.
To create the “Administrators can create, modify, or delete a computer resource” MPR
Log on to the FIM Portal as the administrator.
On the FIM Portal home page, click Management Policy Rules.
On the Create Management Policy Rule page, click New.
In Display name, type Administrators can create, modify, or delete a computer resource.
In Type, select Request.
Click Next.
In Requestors, select Specific Set of Requestors, enter Administrators, and then click the validate icon.
In Operation, select Create resource, Delete resource, and Modify a single-valued attribute.
In Permissions, select Grants Permission.
Click Next.
In Target Resource Definition Before Request, enter All Computers, and then click the validate icon.
In Target Resource Definition After Request, enter All Computers, and then click the validate icon.
In Resource Attributes, select All Attributes, and then click Finish.
Click Submit.
Enable administrators to use the new attributes in filters
To enable users to use the new attributes in any filters, a user must add the new attributes to one of the two Filter Permissions or create a new Filter Permission and grant appropriate permission to that Filter Permission.
To allow Administrators to use the new attributes Operation System in filters
Log on to the FIM Portal as the administrator.
In the navigation pane, click Administration.
On the Administration page, click Filter Permission.
On the Filter Permission page, click Administrator Filter Permission.
On the Permitted Filter Attributes tab, add Access Level, Processor, and Memory to Allowed Attributes. Separate each attribute with a semicolon (;).
Click OK.
On the Summary page, click Submit.
Note
If you want to allow end users to create dynamic groups based on these new attributes, add the attributes to the Allowed Attributes of the Non-Administrator Filter Permission.
Add a new attribute to the User resource and allow users to view it
You can also add a new attribute to an existing resource. In this procedure, you create a new attribute, computer, bind it to the User resource, and grant permissions to nonadministrators to view it.
To create the computer attribute
Log on to the FIM Portal as the administrator.
On the FIM Portal home page, under Administration, click Schema Management.
On the Schema Management – All Resource Types page, click All Attributes.
Click New.
On the Create Attribute page, under General, type the following information in the following fields:
System name – Computer
Display name – Computer
Data Type – On the menu, select Reference.
Multivalued – Ensure that the check box is selected.
Description – Enter a user-friendly description of the attribute you created.
Note
The System Name, Data Type, and Multivalued properties cannot be changed after the attribute has been created.
Click Finish to move directly to the Summary page.
On the Summary page, click Submit.
To bind the computer attributes to the user resource type
Log on to the FIM Portal as the administrator.
On the FIM Portal home page, under Administration, click Schema Management.
On the Schema Management – All Resource Types page, select the check box next to the User resource type, and then click Binding. The list view displays all the attributes that are currently bound to the User resource.
On the Schema Management – All Bindings page, click New.
On the General page, in Resource Type, type User, and then press Ctrl+K or click the validate icon.
In Attribute Type, type Computer, and then press Ctrl+K or click the validate icon.
Note
The combination of Resource Type and Attribute Type must be unique in the system. FIM displays an error message if it detects a duplicate binding.
Click Finish, and on the Summary page, click Submit.
To allow non-administrators to view the computer attribute
Log on to the FIM Portal as the administrator.
On the FIM Portal home page, click Management Policy Rules.
Search for User management: Users can read selected attributes of other users and then click the display name.
Add Computer to Allowed Attribute of this MPR.
On the FIM home page, under Administration, click Resource Control Display Configurations.
Click Configuration for User Editing.
Modify the Configuration Data field to expose this new field with UOCIdentityPicker. For more information, see Introduction to Configuring and Customizing the FIM Portal in the FIM documentation.
Run iisreset.
You should be able to edit the new Computer field when you edit a user.
To enable the User page to display the new computer attribute, see Introduction to Configuring and Customizing the FIM Portal in the FIM documentation.
Creating a custom resource
After creating a Set and granting permissions to the Computer resource type, you can now manage the Computer resource type. By using the FIM 2010 UI, you assign values to the attributes of the custom resource type, Computer. We recommend that you run iisreset after all schema operations to ensure that the schema that is cached in the FIM Portal is correct.
To create a custom resource
Log on to the FIM Portal as the administrator.
On the home page, under Administration, click All Resources.
Navigate through the page until you find the Computer resource type. Under Display Name, click Computer.
On the Computer page, click New.
Under Common Attributes, there are several attributes to which you can assign a value. The only attribute that requires a value is Display Name. For this example, in the box next to Display Name, enter a user-defined friendly name for the computer resource that you are creating, such as MartinB's Laptop.
Click Next.
On the Extended Attributes page, enter values for the attributes Memory, Access Level, and Processor. These are the attributes that you previously bound to the custom resource type Computer.
Click Next.
On the Summary page, click Submit.
Note
You can customize the look of a computer detail by editing its RCDC. For more information, see Introduction to Configuring and Customizing the FIM Portal in the FIM documentation.
Update the custom resource
After you create the instance of the custom resource type, you may have to update the computer instance that you created in the “Create a custom resource type” section of this document; for example, when the computer instance that you created has its memory increased.
To update the custom resource
Log on to the FIM Portal as the administrator.
On the home page, under Administration, click All Resources.
On the upper-right side of the page, in the Search for list-view Search Scope, type Computer, and then click the search icon.
In the Display Name column, click Computer.
On the Computer page, click the name of the computer resource that you created.
Click the Extended Attributes tab.
In Memory, update the memory attribute. For example, if you created a computer resource with 2 gigabytes (GB) of memory, update this attribute to 4 GB.
In Access Level, update the Access Level attribute. For example, if you created a computer with Microsoft Vista, update this attribute to Windows 7, and then click OK.
The following page displays a summary of your changes:
Single-Value Attributes – This column designates the attributes that you modified.
Old Value – This column designates the old value that is assigned to the attribute.
New Value – This column designates the new value that you assigned to the attribute.
Click Submit.
Localizing schema elements
In an environment in which FIM may be supporting multiple languages, you can specify how your custom resource type, attribute, and binding will appear in different languages.
Note
To complete the following procedure, you should have at least one FIM language pack installed. For more information, see Testing Environment earlier in this document.
To localize the custom resource name
Log on to the FIM Portal as the administrator.
On the home page, under Administration, click All Resources.
Click Computer.
On the Localization tab, in Supported Languages, select a language other than your default language.
In Localized Display Name, type the display name of the custom resource as it should appear in the selected language.
In Localized Description, type the description of the custom resource as it should appear in the selected language.
As an option, repeat steps 4 through 6 for any additional languages that you have installed.
Click OK, and then click Submit.
Delete the custom resource
After you create an instance of a computer resource, your enterprise environment may change so that you no longer need the instance of the computer resource that you created.
To delete the custom resource
Log on to the FIM Portal as the administrator.
On the FIM Portal home page, under Administration, click All Resources.
Under the column Display Name, click Computer.
On the Computer page, under Display Name, select the check box next to the computer that you created.
Click Delete.
On the Delete Objects page, you are given a summary of the deletion operation that you just requested to perform. Click Submit.
Summary
After completing the procedures in this guide, you have used the schema UI in the FIM Portal to create a custom resource type in the FIM 2010 database. As a next step, use the schema UI to create some resource types and attributes that further reflect the needs of your organization. In addition, see Introduction to Configuring and Customizing the FIM Portal in the FIM 2010 documentation to configure the FIM Portal to display your custom resource on the FIM 2010 navigation bar, home page, or Search Scope.