FIM 2010 R2: Requesting Bulk Changes in the FIM Portal

I recently created a tool in the FIM Portal for requesting bulk changes. Most of it was built using native Portal configuration items. In this post I will describe it from an architectural view; the coding and deployment will take a series of posts due to the length. I did a video presentation of this tool to the Unify Solutions FIM Usergroup. For this post, I assume you have a medium to expert level of familiarity with the FIM Portal.

The Environment

I have the FIM Portal set up with the management of users, groups and workstations. For user management the FIM Portal has virtually replaced Active Directory Users and Computers (ADUC); almost all the ADUC tasks are available on an Admin tab page for a user object. So you can request the FIM Portal to:

  • Disable an Account in AD and the Portal
  • Enable an Account in AD and the Portal
  • Delete an Account in AD and the Portal
  • Reset Password for an Account in AD and the Portal
  • Unlock an Account in AD and the Portal
  • Change Email Address
  • Set password to never expire
  • Move an AD account from one OU to another

I am using the PowerShell workflow engine to execute the updates in the Portal and in AD. All of these tasks have business rules tied to them. For instance, disabling an account requires checking AD for a secondary administrative account belonging to that person and disabling that account as well. It also requires that the person be filtered out of the cloud sync. The FIM Portal has all these extra steps built in and saves IT support staff from having to remember these additional tasks. The workflow engine is of course triggered by submitting a request in the Portal. For instance, there is a user attribute I created called “RequestDisableUser”; when it is set to “Yes”, it triggers the PowerShell workflow that disables that user in AD and the Portal. Take a look at this post for a foundation on how to make changes in AD via the Portal.

The Requirements

So we do not just want bulk changes in AD; we want bulk changes in the Portal via the workflow engine. Take a batch file of, say, 20 users and run a bulk change (for example, disabling these accounts) by submitting requests in the Portal, i.e. setting the attribute “RequestDisableUser” to “Yes” for each user in the file. We also want to do the following:

  • User: Bulk disable/Enable users
  • User: Bulk Move user
  • User: Bulk create User
  • User: Bulk Update specific User attributes
  • User: Bulk Delete User
  • User: Bulk Password reset/Unlock Account
  • Group: Bulk Delete SGs
  • Group: Bulk Add/Remove Users to SGs
  • Group: Bulk create SGs
  • Group: Bulk update SG Owner.
  • Workstation: Bulk Move Workstation
  • Workstation: Bulk Delete Workstation

The Solution: Create a Resource object

Create a Resource object in the Portal; call it “FIM Bulk Admin”, system name “FIMBulkAdmin”. I used the FIM TechNet instructions for creating a Computer object. I added the following fields to the object:

  • FIMBulkAdminRequest: the request date and time
  • FIMBulkAdminRequestDispN: the object type the service is being requested for (User/Group/Computer), a drop-down
  • FIMBulkAdminRequestType: the exact service for that object, e.g. disable, create, etc. A drop-down filtered by the RequestDispN drop-down. I will use jQuery for that; see my posts on jQuery.
  • FIMBulkAdminRequestorDispN: the requestor display name. This will be derived from the request owner.
  • FIMBulkAdminRequestorID: the requestor account name. This will be derived from the request owner.
  • FIMBulkAdminRequestOwner: the owner of the request, an Identity control in the RCDC
  • FIMBulkAdminFileName: the name of the batch file

Create an All FIMBulkAdmin set

Create an MPR for Admins to manage the resource

Create a Usage Keyword called FIMBulkAdmin, give the necessary permissions

Create a NavBar item for the FIMBulkAdmin

Create a Search scope for the FIMBulkAdmin

Create an RCDC Page. Arrange controls as needed.

Create a File Share for users to copy the batch file to.

The Solution: The workflow Engine

File Format: One key question is how the user will be identified. There are three possible identifiers: SAM, EmployeeID and Email. Let's take the example of the user object; the file for disabling an account will be:

Identifier;user
SAM;Tbrown
SAM;JDoe

SAM tells PowerShell which identifier is being used; in your script the XPath search then uses “AccountName”. Here is some sample code:

$file = Get-Content $GetFilename   # $GetFilename holds the path to the batch file
# Start at index 1 to skip the "Identifier;user" header line
for ($i = 1; $i -lt $file.Count; $i++) {
    $csvobj = ($file[$i] -split ";")
    # Get the identifier
    $userIden = $csvobj[0]
    If ($userIden -eq "Email") { $SearchID = "Email" }
    If ($userIden -eq "SAM")   { $SearchID = "AccountName" }
    If ($userIden -eq "EID")   { $SearchID = "EmployeeID" }
    # Get the ObjectID of the user
    $SearchVal = $csvobj[1]
    GetFIMObjects -filter "/Person[$SearchID='$SearchVal']" |
        Where-Object { $_.ResourceManagementObject.ResourceManagementAttributes } |
        ForEach-Object {
            $UserTargetID = ($_.ResourceManagementObject.ResourceManagementAttributes |
                Where-Object { $_.AttributeName -eq "ObjectID" }).Value
            # Strip the "urn:uuid:" prefix (9 characters) to leave the bare GUID
            $UserTargetID = $UserTargetID.Substring(9)
        }
}

For a separator I used “;”. I also used .txt files, although you can use .csv.

PowerShell Script: Create a PowerShell script that reads the FIMBulkAdmin request, gets the details of the service being requested by reading the RequestDispN field (say “Disable users”), and also gets the name of the file. Then read the file and get the SAM, use an XPath filter to get the ObjectID, and submit the request. Build functions in your script to submit the various requests.

Create one script for User requests, one for Group, one for Computer.

Create a Workflow to run the PowerShell script.

Create sets for User/Group/Computer requests

Create Transition-in MPRs
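The steps above, as an added example that is not the post's own code. It assumes the FIMAutomation snap-in is loaded (Export-FIMConfig / Import-FIMConfig), and the function names, the $IdentifierMap table and the value pattern are my own. Because the batch file is dropped on a file share by users, each line is validated before its value is interpolated into the XPath filter, and a request is only built when the filter resolves to exactly one Person:

```powershell
# Added example, not the post's code. Assumes the FIMAutomation snap-in is loaded.
# Only these identifier tokens are accepted; an unknown token is rejected rather than
# silently producing an empty $SearchID and a malformed XPath filter.
$IdentifierMap = @{ "SAM" = "AccountName"; "EID" = "EmployeeID"; "Email" = "Email" }

# Resolve one batch-file line ("SAM;Tbrown") to exactly one Portal ObjectID (bare GUID).
function Resolve-BulkAdminUser {
    param([string]$Line)
    $parts = $Line.Trim() -split ";"
    if ($parts.Count -ne 2) { throw "Malformed line: '$Line'" }
    $iden = $parts[0]; $val = $parts[1]
    if (-not $IdentifierMap.ContainsKey($iden)) { throw "Unknown identifier '$iden' in '$Line'" }
    # The value lands inside a quoted XPath literal, so only allow characters that cannot
    # close the quote or change the predicate (no quotes, brackets, whitespace).
    if ($val -notmatch '^[A-Za-z0-9._@-]+$') { throw "Rejected value '$val' in '$Line'" }
    $filter = "/Person[$($IdentifierMap[$iden])='$val']"
    $hits = @(Export-FIMConfig -CustomConfig $filter -OnlyBaseResources)
    # A bulk request must target exactly one person; 0 or 2+ matches is an error, not a guess.
    if ($hits.Count -ne 1) { throw "Expected 1 match for '$filter', got $($hits.Count)" }
    $oid = ($hits[0].ResourceManagementObject.ResourceManagementAttributes |
            Where-Object { $_.AttributeName -eq "ObjectID" }).Value
    return $oid.Substring(9)   # drop the "urn:uuid:" prefix
}

# Build a Put request that sets one attribute (e.g. RequestDisableUser = Yes) on a Person;
# that attribute change is what fires the Portal's own workflow for the task.
function New-BulkAdminPut {
    param([string]$ObjectId, [string]$AttributeName, [string]$Value)
    $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $change.Operation      = 1            # 1 = Replace
    $change.AttributeName  = $AttributeName
    $change.AttributeValue = $Value
    $change.FullyResolved  = 1
    $change.Locale         = "Invariant"
    $obj = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $obj.ObjectType             = "Person"
    $obj.TargetObjectIdentifier = $ObjectId
    $obj.SourceObjectIdentifier = $ObjectId
    $obj.State                  = "Put"
    $obj.Changes                = (,$change)
    return $obj
}

# Process a batch file: header on line 1, then one "<Identifier>;<value>" per line.
function Invoke-BulkAdminDisable {
    param([string]$BatchFile)
    $lines = Get-Content $BatchFile | Select-Object -Skip 1 | Where-Object { $_.Trim() }
    foreach ($line in $lines) {
        $oid = Resolve-BulkAdminUser -Line $line
        New-BulkAdminPut -ObjectId $oid -AttributeName "RequestDisableUser" -Value "Yes" | Import-FIMConfig
    }
}
```

Each Put is submitted as its own request, so the Portal's audit trail records one request per user and the existing disable workflow, with its business rules, runs for each of them.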

Example of using this tool

See my post on using this tool to do bulk changes to the Manager attribute.


2 thoughts on “FIM 2010 R2: Requesting Bulk Changes in the FIM Portal”

  1. Pingback: FIM 2010 R2 : Perform AD tasks directly via the FIM Portal | tlktechidentitythoughts

  2. Pingback: FIM 2010 Portal: Bulk Clearing and Updating of the Manager field | tlktechidentitythoughts
