This time we look at how the Management Policy Rules (MPRs) of the MIM Service differ from those of the current version, Forefront Identity Manager 2010 R2 SP1 (FIM).
Note: the comparison is between MIM 2015 CTP3 and FIM 2010 R2 SP1, so things may still change before release.
The following script lists the MPRs defined in the service, so let's use it to look at the differences.
```powershell
# Load the FIM Service snap-in that provides Export-FIMConfig
Add-PSSnapin FIMAutomation
# Export only the ManagementPolicyRule objects, without the resources they reference
$curObject = Export-FIMConfig -Uri http://localhost:5725/resourcemanagementservice -OnlyBaseResources -CustomConfig ("/ManagementPolicyRule")
foreach ($fimobject in $curObject)
{
    $attributes = $fimobject.ResourceManagementObject.ResourceManagementAttributes
    # Print the DisplayName of each MPR
    $displayName = $attributes | where {$_.AttributeName -eq 'DisplayName'}
    write-host $displayName.Value
}
```
The result is as follows.
Rows marked [New] are MPRs that have been newly added.
They are all in the PAM (Privileged Access Management) area.
| MPR list |
|---|
| Administration - Schema: Administrators can change selected attributes of non-system attribute type description resources |
| Administration - Schema: Administrators can change selected attributes of non-system binding description resources |
| Administration - Schema: Administrators can change selected attributes of non-system schema related resources |
| Administration - Schema: Administrators can change selected attributes of schema related resources |
| Administration - Schema: Administrators can create attribute type description resources |
| Administration - Schema: Administrators can create binding description resources |
| Administration - Schema: Administrators can create resource type description resources |
| Administration - Schema: Administrators can delete non-system schema related resources |
| Administration: Administrators can control requests |
| Administration: Administrators can control synchronization configuration resources |
| Administration: Administrators can delete non-administrator users |
| Administration: Administrators can read all resources |
| Administration: Administrators can read and update Users |
| Administration: Administrators can update synchronization filter resources |
| Administration: Administrators control configuration related resources |
| Administration: Administrators control management policy rule resources |
| Administration: Administrators control set resources |
| Administration: Administrators control synchronization rule resources |
| Administration: Administrators control workflow definition resources |
| Administrators have full control over filter scope resources |
| Anonymous users can reset their password |
| Button viewable management: Members could read all attributes of the sets in all button viewable sets |
| Distribution list management: Owners can read attributes of group resources |
| Distribution list management: Owners can update and delete groups they own |
| Distribution list Management: Users can add or remove any members of groups subject to owner approval |
| Distribution list management: Users can add or remove any members of groups that don't require owner approval |
| Distribution List management: Users can create Static Distribution Groups |
| Distribution list management: Users can read selected attributes of group resources |
| General workflow: Filter attribute validation for administrator |
| General workflow: Filter attribute validation for non-administrators |
| General workflow: Registration initiation for authentication activity |
| General: Users can read non-administrative configuration resources |
| General: Users can read schema related resources |
| Group management workflow: Group information validation for dynamic groups |
| Group management workflow: Group information validation for static groups |
| Group management workflow: Owner approval on add member |
| Group management workflow: Validate requestor on add member to open group |
| Group management workflow: Validate requestor on remove member |
| Group management: Group administrators can create and delete group resources |
| Group management: Group administrators can read attributes of group resources |
| Group management: Group administrators can update group resources |
| [New] PAM: Administrators control PAM Requests |
| [New] PAM: Administrators control PAM Roles |
| [New] PAM: User can read Pam Roles that he can request |
| [New] PAM: User can see PAM requests that he created |
| [New] PAM: Users can create a PAM Request |
| Password reset users can read password reset objects |
| Password Reset Users can update the lockout attributes of themselves |
| Reporting Administration: Administrators can control reporting binding resources. |
| Reporting Administration: Administrators can control reporting job resources. |
| Request management: Request approvers can read their approval resources |
| Request management: Request approvers can read their approval response resources |
| Request management: Request creators can cancel their requests |
| Request management: Request creators can read related approval response resources |
| Request management: Request creators can read their approval resources |
| Request management: Request creators can read their request resource |
| Request management: Request participants can read related approval resources |
| Request management: Request participants can read related approval response resources |
| Request management: Request participants can read their request resource |
| Security group management: Owners can read selected attributes of group resources |
| Security group management: Owners can update and delete groups they own |
| Security group management: Users can add or remove any member of groups subject to owner approval |
| Security Group management: Users can create Static Security Groups |
| Security group management: Users can read selected attributes of group resources |
| Security groups: Users can add and remove members to open groups |
| Synchronization: Synchronization account can delete and update expected rule entry resources |
| Synchronization: Synchronization account can read group resources it synchronizes |
| Synchronization: Synchronization account can read schema related resources |
| Synchronization: Synchronization account can read synchronization related resources |
| Synchronization: Synchronization account can read users it synchronizes |
| Synchronization: Synchronization account controls detected rule entry resources |
| Synchronization: Synchronization account controls group resources it synchronizes |
| Synchronization: Synchronization account controls synchronization configuration resources |
| Synchronization: Synchronization account controls users it synchronizes |
| Temporal policy workflow: Impending group resource expiry notification |
| User management: Users can read attributes of their own |
| User management: Users can read selected attributes of other users |
| Users can create registration objects for themselves |
| Users can modify registration objects for themselves |
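The comparison above was done by hand against two exported lists. The script below, an added example that is not part of the original post, automates it: it exports the MPRs from a FIM and a MIM instance, diffs them by DisplayName (as the post does, so a renamed rule shows up as one removal plus one addition), and for every rule that exists only on the MIM side prints the attributes that matter for an access review, namely whether it is disabled, whether it grants rights or only triggers workflows, which operations it covers, and which principal and resource sets it binds. The host names `fim2010` and `mim2015` are assumptions; the property names used (`AttributeName`, `IsMultiValue`, `Value`, `Values`) are those exposed by the FIMAutomation snap-in.

```powershell
# Added example, not from the original post: diff the MPR set of two FIM/MIM Service
# instances and dump the key attributes of the MPRs that exist only in the newer one.
# The host names fim2010 and mim2015 are assumptions for illustration.
Add-PSSnapin FIMAutomation

# Return a hashtable of DisplayName -> attribute collection for every MPR in one service
function Get-MprTable {
    param([Parameter(Mandatory)][string]$Uri)
    $table = @{}
    $objects = Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig ("/ManagementPolicyRule")
    foreach ($obj in $objects) {
        $attrs = $obj.ResourceManagementObject.ResourceManagementAttributes
        $name = ($attrs | Where-Object { $_.AttributeName -eq 'DisplayName' }).Value
        $table[$name] = $attrs
    }
    return $table
}

# Read one attribute as a string; multi-valued attributes (ActionType, ActionParameter)
# are joined, missing attributes come back as an empty string
function Get-MprAttribute {
    param($Attributes, [string]$Name)
    $a = $Attributes | Where-Object { $_.AttributeName -eq $Name }
    if ($null -eq $a) { return '' }
    if ($a.IsMultiValue) { return ($a.Values -join ', ') }
    return $a.Value
}

$fim = Get-MprTable -Uri 'http://fim2010:5725/resourcemanagementservice'
$mim = Get-MprTable -Uri 'http://mim2015:5725/resourcemanagementservice'

# Set difference in both directions, keyed on DisplayName
$added   = $mim.Keys | Where-Object { -not $fim.ContainsKey($_) } | Sort-Object
$removed = $fim.Keys | Where-Object { -not $mim.ContainsKey($_) } | Sort-Object

"MPRs present only in MIM:"
foreach ($name in $added) {
    $attrs = $mim[$name]
    # PrincipalSet / ResourceCurrentSet are reference attributes, so they print as
    # urn:uuid:... values; resolve them against /Set if you need the set names.
    [pscustomobject]@{
        DisplayName        = $name
        Disabled           = Get-MprAttribute $attrs 'Disabled'
        GrantRight         = Get-MprAttribute $attrs 'GrantRight'
        ActionType         = Get-MprAttribute $attrs 'ActionType'
        ActionParameter    = Get-MprAttribute $attrs 'ActionParameter'
        PrincipalSet       = Get-MprAttribute $attrs 'PrincipalSet'
        ResourceCurrentSet = Get-MprAttribute $attrs 'ResourceCurrentSet'
    }
}

"MPRs present only in FIM:"
$removed
```

Run it from a host that can reach both services as an account that is allowed to read MPRs (by default, members of the Administrators set). The `[pscustomobject]` cast needs PowerShell 3.0 or later; on an older FIM box replace it with `New-Object PSObject -Property @{ ... }`. Against the CTP3 build discussed here the "only in MIM" list should be the five PAM rules marked [New] in the table.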
