Forefront Identity Management FIM CM Permission Model Examples

Sometimes it is very tricky to assign permission on your FIM CM model. Here is couple of practical examples :

Example 1 – Self Service Registration Model

 Requirements:

  • The certificate subscriber initiates the request for the smart card.
  • The request is left pending until a certificate manager approval.
  • One approved, the certificate subscriber execute the smart card request.

Permissions:

  • SCP and Subscriber Group: Assign the approval manager both Read and CLM Audit.
  • Profile Template: Assign the subscriber Read and CLM Enroll on the profile template.
  • Certificate Template: Assign the subscriber Read and Enroll on the profile template.
  • Management Policy: Ensure that Self Service is enabled on the General Settings, and assign the manager: Approve requests.

Note: Although the user is going to initiate and execute the enrollment, you don’t need to give him any FIM Extended Permissions. Instead, enabling the Self Service in the management policy is sufficient.

Example 2 – Manager Initiated Registration Model

 Requirements:

  • The certificate manager initiates the request.
  • If further approvals are required, then another manager should approve it.
  • One approved, OTP is sent to the subscriber.
  • The subscriber inputs the OTP and completes the request.

Permissions:

  • SCP and Subscriber Group: Assign the approval manager both Read and CLM Request Enroll.
  • Profile Template: Assign the subscriber Read and CLM Enroll on the profile template. Assign the manager Read permission.
  • Certificate Template: Assign the subscriber Read and Enroll on the profile template.
  • Management Policy: Assign the first manager initiate privilege .Assign the manager: Approve requests.

Example 3 – Centralized Management

Requirements:

  • There are four parties here :
    • FIM Full admins: Has Full Permissions.
    • FIM Security Officer: Enroll smart card for users.
    • FIM Help Desk: Unblock Smart Cards.
    • FIM Subscribers.
  • FIM Security Officer Initiates the smart card request and executes the enrollment for smart cards (Smart Card PIN is randomized).
  • FIM Subscribers receive their smart card, log to the FIM portal to perform the initial online unblock.
  • FIM Help Desk will perform offline unblock operations if needed.

Permissions:

  • SCP and Subscriber Group:
    • FIM Full Admin: Full Permissions.
    • FIM Security Officer: Read and all FIM Extended Permissions.
    • FIM Help Desk:  Read + CLM Request Offline Unblock + CLM Enrollment Agent.
  • Profile Template: all four parties will have Read and CLM Enroll.
  • Certificate Template: FIM Full Admin and FIM Security Officer will have Read and Enroll.
  • Management Policy:
    • Enroll Policy: “Initiate Enroll Request” and “Enroll Agent For Enroll Requests”: FIM Full Admins and FIM Security Officer.
    • General Settings: Self Service Disabled.
    • Offline Unblock policy: “Initiate Offline Unblock Requests” and “Unblock Agent for Offline Unblock Requests”: FIM Full Admin, FIM Security Officer and FIM Help Desk. 

 

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s