2015年4月13日月曜日

[FIM/MIM]ビルトインの管理ポリシールールの拡張

今年夏にリリースされる予定のMicrosoft Identity Manager 2015(MIM)では特権アカウント管理に関する各種の機能拡張が行われています。

今回はMIM Serviceの管理ポリシールール(Management Policy Rule/MPR)が現行バージョンであるForefront Identity Manager 2010R2 SP1(FIM)とどのように変わったのかを見てみます。
※MIM 2015 CTP3とFIM 2010R2 SP1を比較していますので、リリースまでに変わる可能性があります。

以下のスクリプトで定義されているMPR一覧が取得できるので、変化点を見てみましょう。

Add-PSSnapin FIMAutomaion
$curObject = Export-FIMConfig -Uri http://localhost:5725/resourcemanagementservice -OnlyBaseResources -CustomConfig ("/ManagementPolicyRule")
foreach ($fimobject in $curObject)
{
   $attributes = $fimobject.ResourceManagementObject.ResourceManagementAttributes
   $displayName = $attributes | where {$_.AttributeName -eq 'DisplayName'}
   write-host $displayName.Value
}

結果、以下の通りとなりました。
色を付けた部分のセルが新規追加になっているMPRです。
PAM(Privilege Access Management/特権アカウント管理)部分だけですね。
MPR一覧
Administration - Schema: Administrators can change selected attributes of non-system attribute type descriptionresources
Administration - Schema: Administrators can change selected attributes of non-system binding description resources
Administration - Schema: Administrators can change selected attributes of non-system schema related resources
Administration - Schema: Administrators can change selected attributes of schema related resources
Administration - Schema: Administrators can create attribute type description resources
Administration - Schema: Administrators can create binding description resources
Administration - Schema: Administrators can create resource type description resources
Administration - Schema: Administrators can delete non-system schema related resources
Administration: Administrators can control requests
Administration: Administrators can control synchronization configuration resources
Administration: Administrators can delete non-administrator users
Administration: Administrators can read all resources
Administration: Administrators can read and update Users
Administration: Administrators can update synchronization filter resources
Administration: Administrators control configuration related resources
Administration: Administrators control management policy rule resources
Administration: Administrators control set resources
Administration: Administrators control synchronization rule resources
Administration: Administrators control workflow definition resources
Administrators have full control over filter scope resources
Anonymous users can reset their password
Button viewable management: Members could read all attributes of the sets in all button viewable sets
Distribution list management: Owners can read attributes of group resources
Distribution list management: Owners can update and delete groups they own
Distribution list Management: Users can add or remove any members of groups subject to owner approval
Distribution list management: Users can add or remove any members of groups that don't require owner approval
Distribution List management: Users can create Static Distribution Groups
Distribution list management: Users can read selected attributes of group resources
General workflow: Filter attribute validation for administrator
General workflow: Filter attribute validation for non-administrators
General workflow: Registration initiation for authentication activity
General: Users can read non-administrative configuration resources
General: Users can read schema related resources
Group management workflow: Group information validation for dynamic groups
Group management workflow: Group information validation for static groups
Group management workflow: Owner approval on add member
Group management workflow: Validate requestor on add member to open group
Group management workflow: Validate requestor on remove member
Group management: Group administrators can create and delete group resources
Group management: Group administrators can read attributes of group resources
Group management: Group administrators can update group resources
[新規]PAM: Administrators control PAM Requests
[新規]PAM: Administrators control PAM Roles
[新規]PAM: User can read Pam Roles that he can request
[新規]PAM: User can see PAM requests that he created
[新規]PAM: Users can create a PAM Request
Password reset users can read password reset objects
Password Reset Users can update the lockout attributes of themselves
Reporting Administration: Administrators can control reporting binding resources.
Reporting Administration: Administrators can control reporting job resources.
Request management: Request approvers can read their approval resources
Request management: Request approvers can read their approval response resources
Request management: Request creators can cancel their requests
Request management: Request creators can read related approval response resources
Request management: Request creators can read their approval resources
Request management: Request creators can read their request resource
Request management: Request participants can read related approval resources
Request management: Request participants can read related approval response resources
Request management: Request participants can read their request resource
Security group management: Owners can read selected attributes of group resources
Security group management: Owners can update and delete groups they own
Security group management: Users can add or remove any member of groups subject to owner approval
Security Group management: Users can create Static Security Groups
Security group management: Users can read selected attributes of group resources
Security groups: Users can add and remove members to open groups
Synchronization: Synchronization account can delete and update expected rule entry resources
Synchronization: Synchronization account can read group resources it synchronizes
Synchronization: Synchronization account can read schema related resources
Synchronization: Synchronization account can read synchronization related resources
Synchronization: Synchronization account can read users it synchronizes
Synchronization: Synchronization account controls detected rule entry resources
Synchronization: Synchronization account controls group resources it synchronizes
Synchronization: Synchronization account controls synchronization configuration resources
Synchronization: Synchronization account controls users it synchronizes
Temporal policy workflow: Impending group resource expiry notification
User management: Users can read attributes of their own
User management: Users can read selected attributes of other users
Users can create registration objects for themselves
Users can modify registration objects for themselves

0 件のコメント:

コメントを投稿