Permission Operations
The Forefront Identity Manager Certificate Management (FIM CM) Provision API includes methods that perform an access check to test if the current user has permissions on another user or on a FIM CM request. The caller of the method specifies the particular permissions that are to be checked.
Access Checks
Access Check on a User
The AccessCheck method tests if the current user has the specified permissions on a specified user. The UserPermission enumeration describes the different permissions that can be checked.
Access Check on a Request
The AccessCheck method tests if the current user has the specified permissions on a specified FIM CM request. The RequestPermission enumeration describes the different permissions that can be checked.
Security Configuration
There is a FIM CM configuration setting that impacts the results of these permission operations. This setting only applies to the evaluation of permissions for a FIM CM manager user on a target user to determine if the FIM CM manager can initiate a request for the target user. The possible values for the setting are UseUser, UseGroups, and UseUser,UseGroups, which are described in the following sections.
UseUser
For this setting, FIM CM will evaluate the target user's Active Directory entry to determine what permissions FIM CM managers have on the user. The access check will return true only if the FIM CM manager has the specified permissions on the target user's entry itself.
UseGroups
For this setting, FIM CM will enumerate all of the Active Directory groups (including nested groups) to which the target user belongs. Then FIM CM will determine what permissions FIM CM managers have on each of those groups. The access check will return true only if the FIM CM manager has the specified permissions on at least one of the groups and the FIM CM manager does not have an explicit DENY on any of the other groups.
UseUser,UseGroups
For this setting, FIM CM will evaluate both the target user's Active Directory entry and the Active Directory groups to which the target user belongs to determine what permissions FIM CM managers have on each of them. The access check will return true only if the FIM CM manager has the specified permissions on either the target user's entry or on at least one of the groups, and the FIM CM manager does not have an explicit DENY on the target user's entry or on any of the groups. This is the default setting.
If UseGroups or UseUser,UseGroups is specified, the set of Active Directory groups that are evaluated to determine the permissions can be limited to a specified list of groups rather than every group to which the target user belongs. This can improve performance if there are many nested Active Directory groups.
To change these configuration settings, FIM CM can be configured as follows:
1. Open the web.config file that is associated with the FIM CM Web Virtual Directory (the default location of this file is %programfiles%\Microsoft Certificate Lifecycle Manager\web\web.config).
2. Locate the configuration section for the request security flags, which looks like the following:
<add key="Clm.RequestSecurity.Flags" value="UseUser,UseGroups" />
3. Set the value to "UseUser", "UseGroups", or "UseUser,UseGroups".
4. Locate the configuration section for the request security groups, which looks like the following:
<add key="Clm.RequestSecurity.Groups" value="" />
5. Set the value to a comma-separated list of Active Directory groups (Global or Universal) that will be used to determine FIM CM manager access for users that are members of these groups. If this list is empty, FIM CM will use all of the groups to which a user belongs to determine if FIM CM managers have permissions on that user.
These groups must be specified in the "domainname\groupname" format. For example:
<add key="Clm.RequestSecurity.Groups" value="Contoso\Group1,Contoso\Group2" />
This value is ignored if the request security flags value is set to "UseUser".
6. Save the web.config file.
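As an added example that is not part of this documentation or of the FIM CM product, the following Python models how the three Clm.RequestSecurity.Flags values and the Clm.RequestSecurity.Groups list combine in the manager-on-user access check described above. The Ace class, the permission names, and the web.config fragment are constructed assumptions; real FIM CM evaluates Active Directory security descriptors, which this model reduces to allow/deny sets.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Constructed web.config fragment with only the two keys discussed (not a real FIM CM file).
SAMPLE_WEB_CONFIG = """<configuration><appSettings>
<add key="Clm.RequestSecurity.Flags" value="UseUser,UseGroups" />
<add key="Clm.RequestSecurity.Groups" value="Contoso\\Group1,Contoso\\Group2" />
</appSettings></configuration>"""


def read_request_security(xml_text: str) -> Tuple[Set[str], List[str]]:
    """Return (flags, restricted group list) from the appSettings <add> elements."""
    root = ET.fromstring(xml_text)
    settings = {e.get("key"): e.get("value", "") for e in root.iter("add")}
    flags = {f.strip() for f in settings.get("Clm.RequestSecurity.Flags", "").split(",") if f.strip()}
    groups = [g.strip() for g in settings.get("Clm.RequestSecurity.Groups", "").split(",") if g.strip()]
    return flags, groups


@dataclass
class Ace:
    """Hypothetical simplified ACE: permissions FIM CM managers are allowed / explicitly denied."""
    allow: Set[str] = field(default_factory=set)
    deny: Set[str] = field(default_factory=set)


def access_check(required: Iterable[str], user_ace: Ace, group_aces: Dict[str, Ace],
                 flags: Set[str], restrict_groups: Iterable[str] = ()) -> bool:
    """Model of the manager-on-user check.
    group_aces maps every group the target user belongs to (nesting already flattened) to its ACE;
    restrict_groups is the Clm.RequestSecurity.Groups list and is ignored when only UseUser is set."""
    required = set(required)
    restrict = set(restrict_groups)
    candidates: List[Ace] = []
    if "UseUser" in flags:
        candidates.append(user_ace)          # the target user's own AD entry
    if "UseGroups" in flags:
        names = [g for g in group_aces if g in restrict] if restrict else list(group_aces)
        candidates.extend(group_aces[g] for g in names)
    # An explicit DENY of a required permission on any evaluated entry overrides every allow.
    if any(ace.deny & required for ace in candidates):
        return False
    # Otherwise at least one evaluated entry must grant all required permissions.
    return any(required <= ace.allow for ace in candidates)
```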
Remarks
The permission model is described in the CLMStart.chm help file that is included with the FIM CM software distribution.
These methods check only the user permissions or request permissions. They do not check service connection point permissions.
These methods also do not check certificate template permissions. A client application should use the standard Active Directory access check APIs to check certificate template permissions.
In addition to the AccessCheck methods in the FIM CM Provision API, a client application will also need to verify, using the standard Active Directory access check APIs, that the user has permission to read and enroll for a certificate template, the user has permission to read and enroll for a profile template, and the user is a FIM CM manager.
For more information, see the FIM CM Access Control topic in the Installing and Configuring FIM CM guide.
See Also
Reference
AccessCheck
RequestPermission
UserPermission