Working with Profile Templates
At the core of all Forefront Identity Manager Certificate Management (FIM CM) management activity is the profile template. A profile template provides a single administrative unit that includes all the information that is required to manage all the certificates that a user might require throughout a certificate’s life cycle. In addition, a profile template includes information about the certificate's final location, which can be software-based (stored on the local computer) or hardware-based (stored on a smart card). When certificates are stored on a smart card, the FIM CM profile template is also configured with the information necessary to manage the smart card, providing a single administration point.
FIM CM requests, software profiles, and smart card profiles all include the identifier of the underlying profile template. Profile templates are identified by a GUID.
A client application may need to retrieve a profile template for any of a number of reasons, including:
To determine how many approvals are required for a particular operation.
To determine what certificate requests the application must create in order to execute a FIM CM Enroll request.
To determine the data collection items for a particular operation.
To examine any of the other policy settings for a particular operation.
To determine smart card specific settings such as whether Base CSP admin key diversification is enabled in the smart card configuration.
To examine any of the other policy configuration settings governing the management of certificates and smart cards that are issued under the profile template.
Getting Profile Templates
A profile template is stored in Active Directory as a serialized XML representation of the policy management information. Reading a profile template is subject to standard Active Directory access control, based on the permissions of the calling user. The Provision API provides a number of methods for accessing these profile templates. The profile templates are represented by objects of the ProfileTemplate class.
A ProfileTemplate class object is an immutable object that provides a read-only view of the configuration information that is stored in the profile template definition in Active Directory. A client application does not create a profile template object directly, but instead uses the FIM CM Provision API methods to obtain an instance of the object.
Getting the Profile Template for a Profile
A client application can call the GetProfileTemplate method to get the profile template for a software profile or a smart card profile. For example:
ProfileTemplate profileTemplate = FindOperations.GetProfileTemplate(profile.ProfileTemplateUuid);
The caller must have Read permissions on the specified profile template object in Active Directory for the call to the GetProfileTemplate method to be successful.
Getting the Profile Template for a FIM Certificate Management Request
A client application can call the GetProfileTemplate method to get the profile template for a FIM CM request. For example:
ProfileTemplate profileTemplate = FindOperations.GetProfileTemplate(request.ProfileTemplateUuid);
The caller must have Read permissions on the specified profile template object in Active Directory for the call to the GetProfileTemplate method to be successful.
Getting all of the Profile Templates
A client application can call the FindAllProfileTemplates method to get a collection of all of the profile template objects for which the user has Read permissions in Active Directory.
var profileTemplateCollection = FindOperations.FindAllProfileTemplates();
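As an added example (not code from the FIM CM SDK or its documentation), the following helper resolves the profile template for a batch of FIM CM requests, reading each distinct template from Active Directory only once and recording the GUIDs the caller is not permitted to read. The Microsoft.Clm.Provision namespace, the Request class name, and the exception type caught are assumptions; only FindOperations.GetProfileTemplate, ProfileTemplate and ProfileTemplateUuid come from the text above.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Clm.Provision;   // assumed namespace for FindOperations, ProfileTemplate and Request

// Added example (not FIM CM SDK code): resolve the profile template for a batch of
// FIM CM requests, reading each distinct template from Active Directory only once.
public static class ProfileTemplateResolver
{
    // Returns the templates the caller could read, keyed by profile template GUID,
    // and reports the GUIDs that could not be resolved through 'unreadable'.
    public static IDictionary<Guid, ProfileTemplate> ResolveForRequests(
        IEnumerable<Request> requests, out IList<Guid> unreadable)
    {
        // ProfileTemplate instances are immutable, read-only views of the template
        // stored in Active Directory, so caching one per GUID is safe.
        var byUuid = new Dictionary<Guid, ProfileTemplate>();
        unreadable = new List<Guid>();

        foreach (Request request in requests)
        {
            Guid uuid = request.ProfileTemplateUuid;
            if (byUuid.ContainsKey(uuid) || unreadable.Contains(uuid))
            {
                continue;   // already resolved, or already known to be unreadable
            }

            try
            {
                // Succeeds only if the caller has Read permission on the
                // profile template object in Active Directory.
                byUuid[uuid] = FindOperations.GetProfileTemplate(uuid);
            }
            catch (Exception ex)
            {
                // The exception type is not documented here, so the catch is broad
                // (assumption). Fail closed: a request whose template cannot be read
                // must not be processed on the basis of guessed policy settings.
                unreadable.Add(uuid);
                Console.Error.WriteLine("Cannot read profile template {0}: {1}", uuid, ex.Message);
            }
        }

        return byUuid;
    }
}
```

The caller decides how to handle entries in the unreadable list; processing such a request anyway would mean acting on approval counts and data collection items it cannot verify.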
Remarks
Using the FIM CM Provision API, a client application can only read the data contained within a profile template. The FIM CM Provision API does not support modifying the profile template to change the profile template's policy settings or other configuration settings. Changes to the profile template must be performed through the FIM CM management web interface.
Client applications cannot instantiate profile template objects.