Forefront Identity Management – Certificate Management (FIM CM 2010) – Part 5

FIM Permission Model

As this is the most difficult part of a FIM CM deployment, I will try to make it easy and simple. Please refer to Microsoft TechNet for the basics, then read this section to fill in the missing points.

I will be referring to the following terms here:

  • FIM CM Subscribers: these are usually end users (certificate consumers).
  • FIM CM Managers: these are the users that are assigned a management role through the FIM CM portal. This can be the FIM CM full admin, or just a help desk team that is assigned the task of offline unblocking smart cards.

FIM Permissions: the new permissions introduced by the schema extension that the FIM CM installation applies (please refer to Microsoft TechNet for more information about the FIM CM extended permissions).

[Figure: FIM CM permission model overview]

The permissions and rights are assigned in five different places:

  • FIM CM Subscribers Group: Permissions are FIM extended permissions.
  • Service Connection Point: Permissions are FIM extended permissions.
  • CA Certificate Templates: Permissions are (Read) and/or (Enroll).
  • FIM CM Management Policy: what you see when you configure a profile template.
  • FIM CM Profile Templates:
    • Profile Template Container: Permissions are (Read) and/or (Write).
    • Profile Templates: Permissions are:
      • “Read” and “CLM Enroll”: for certificate consumers.
      • “Read” and “Write”: for FIM CM full admins.

Note that FIM CM managers need permissions in all five locations, while end users (FIM CM subscribers) need permissions only in these places:

  • Service Connection Point (required).
  • Profile Template container and Profile Templates (required).
  • CA certificate template: only if they will do the actual enrollment.
  • FIM CM Management Policy: only if they will do the actual enrollment.

1. Permissions at the Service Connection Point (SCP)

Rights at the service connection point (SCP) determine whether the user is a typical FIM CM subscriber (certificate consumer) or has a management role in the FIM CM portal:

  • FIM CM Subscribers Group: “Read”
  • FIM CM Managers: “Read” and the required “FIM Extended Permissions”

For example, in a help desk scenario where the help desk team only needs to offline unblock smart cards, they should have (CLM Request Unblock) and (CLM Enrollment Agent). Frankly speaking, this is confusing, but this is how things work.

[Figure: FIM CM permission model at the SCP]

2. Permissions at the FIM CM Subscribers Group

Once the FIM CM managers have the required permissions on the SCP, restrict their reach to a particular group of users by assigning the FIM CM extended permissions on the group of users that you choose:

  • FIM CM Full Admin: should have all the FIM CM extended permissions.
  • FIM CM Manager: this is a delegated admin; grant only the extended permissions that its role needs.

The same help desk example applies here: where the help desk team only needs to offline unblock smart cards, they should have (CLM Request Unblock) and (CLM Enrollment Agent) on the group. Again, this is confusing, but this is how things work.

[Figure: FIM CM permission model at the Subscribers group]


3. Permissions at the Certificate Templates

The golden rule is:

  • If the end user can enroll for a certificate from the FIM CM portal by himself, then he needs (Read + Enroll) permissions on the certificate template.
  • If the actual enrollment is done by a FIM CM manager, then only that manager needs the (Read + Enroll) permissions on the certificate template; the subscriber does not.

[Figure: FIM CM permission model at the CA certificate templates]

4. Permissions at the Profile Template

There are two places to assign permissions here:

  1. Profile Template Container:
    1. FIM CM Subscribers: Read
    2. FIM CM Full Admin only: Read + Write
    3. FIM CM Managers: Read
  2. Profile Templates:
    1. FIM CM Subscribers: should always have (Read + CLM Enroll).[1]
    2. FIM CM Manager: the FIM CM manager that will enroll on behalf of the user should also have (Read + CLM Enroll).

Note: FIM CM subscribers should ALWAYS have Read and CLM Enroll on the profile template, even if they do not perform the actual enrollment.

So in a centralized deployment, where the FIM CM manager initiates the request and enrolls on behalf of the user (and thus executes the enrollment), both the FIM CM manager AND the FIM CM subscribers need (Read + CLM Enroll) on the profile template.

[Figure: FIM CM permission model at the profile template]

5. Permissions at the FIM CM Management Policy

This is where you configure the profile template through the FIM CM admin portal. A new role is introduced here, (Approve Request), which could be the user's business manager. The (Approve Request) role should be granted the following:

  1. (CLM Audit) and (Read) at the service connection point.
  2. (CLM Audit) and (Read) at the FIM CM Subscribers group.
  3. (Approve Requests), assigned from within the FIM CM management policy.
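Because the same extended permissions are granted in several places (sections 1, 2 and 5), it is worth auditing who actually holds them. The following PowerShell script is an added example, not part of the original post or of FIM CM itself: it reads the ACLs of the SCP and the subscribers group, resolves each extended-right ACE to its schema display name, and reports every principal holding a CLM right. It assumes the RSAT ActiveDirectory module, and the two distinguished names and the help desk group name are placeholders you must replace.

```powershell
# Added audit example (not from the original post). Lists every principal that holds a
# FIM CM ("CLM ...") extended permission on the Service Connection Point and on the
# FIM CM Subscribers group. Requires the ActiveDirectory module (RSAT) and read access
# to the Configuration partition. The DNs and the help desk group name are assumed.
Import-Module ActiveDirectory

$scpDn   = 'CN=FIM CM Service Connection Point,CN=System,DC=example,DC=com'  # assumed
$groupDn = 'CN=FIM CM Subscribers,OU=Groups,DC=example,DC=com'               # assumed

# Map rightsGuid -> displayName for every controlAccessRight defined in the forest,
# so ACEs can be reported by name (e.g. "CLM Request Unblock") instead of by GUID.
$configNc     = (Get-ADRootDSE).ConfigurationNamingContext
$rightsByGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
    ForEach-Object { $rightsByGuid[[guid]$_.rightsGuid] = $_.displayName }

function Get-ClmExtendedRights {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        # Only ACEs that carry the ExtendedRight bit are of interest here.
        $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if (-not ($ace.ActiveDirectoryRights -band $extendedRight)) { continue }
        # An empty ObjectType means "all extended rights"; it resolves to $null and is skipped.
        $name = $rightsByGuid[$ace.ObjectType]
        if ($name -notlike 'CLM*') { continue }
        [pscustomobject]@{
            Object    = $DistinguishedName
            Identity  = $ace.IdentityReference.Value
            Right     = $name
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }
    }
}

$report = foreach ($dn in $scpDn, $groupDn) { Get-ClmExtendedRights -DistinguishedName $dn }
$report | Sort-Object Object, Identity, Right | Format-Table -AutoSize

# Consistency check for the post's help desk scenario: a team that should only offline
# unblock smart cards holds exactly "CLM Request Unblock" and "CLM Enrollment Agent"
# (plus Read, which is not an extended right) at both locations, and nothing more.
$helpdesk = 'EXAMPLE\FIM CM Helpdesk'   # assumed group name
$report | Where-Object Identity -eq $helpdesk |
    Where-Object Right -notin 'CLM Request Unblock', 'CLM Enrollment Agent' |
    ForEach-Object { Write-Warning "Unexpected right '$($_.Right)' for $helpdesk on $($_.Object)" }
```

Run it as a user with read access to both objects; a warning means the help desk group has drifted beyond the two rights the post prescribes.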

[Figure: FIM CM permission model at the management policy]

Summary

So here is a quick summary of the whole FIM CM permission model 🙂

[Figure: FIM CM permission model summary]
