FIM Permission Model
As this is the most difficult part of a FIM CM deployment, I will try to make it easy and simple. Please refer to Microsoft TechNet for the basics, then read this section to fill in the missing points.
I will be referring to the following terms here:
- FIM CM Subscribers: these are usually the end users (certificate consumers).
- FIM CM Managers: the users that are assigned a management role through the FIM CM portal. This can be the FIM CM full admin, or just a help desk team that is assigned the task of offline unblocking smart cards.
- FIM CM Extended Permissions: the new permissions introduced by the FIM CM installation schema extension (please refer to Microsoft TechNet for more information about the FIM CM extended permissions).
The permissions and rights are assigned in five different places:
- FIM CM Subscribers group: permissions are FIM CM extended permissions.
- Service Connection Point (SCP): permissions are FIM CM extended permissions.
- CA certificate templates: permissions are (Read) and/or (Enroll).
- FIM CM management policy: what you see when you configure a profile template in the portal.
- FIM CM profile templates:
  - Profile Template container: permissions are (Read) and/or (Write).
  - Profile templates: permissions are:
    - "Read" and "CLM Enroll" for certificate consumers.
    - "Read" and "Write" for FIM CM full admins.
Note that FIM CM managers will need permissions in all five locations, while end users (FIM CM subscribers) should have permissions only in these places:
- Service Connection Point (required).
- Profile Template container and profile templates (required).
- CA certificate template: only if they will do the actual enrollment themselves.
- FIM CM management policy: only if they will do the actual enrollment themselves.
1. Permissions at the Service Connection Point (SCP)
Rights at the SCP determine whether the user is a typical FIM CM subscriber (certificate consumer) or has a management role in the FIM CM portal:
- FIM CM Subscribers group: "Read".
- FIM CM Managers: "Read" plus the FIM CM extended permissions that their role needs.
For example, in a help desk scenario where the help desk team only needs to offline unblock smart cards, they should have (CLM Request Unblock) and (CLM Enrollment Agent) at the SCP. Frankly speaking this is confusing, but this is how things work.
2. Permissions at the FIM CM Subscribers Group
Once a FIM CM manager has the required permissions on the SCP, you scope those management rights to a particular set of users by assigning the same FIM CM extended permissions on the group of users that you choose (the FIM CM Subscribers group):
- FIM CM full admin: should have all the FIM CM extended permissions on the group.
- FIM CM manager with a delegated role: only the extended permissions that role needs.
For example, the help desk team from the previous scenario also needs (CLM Request Unblock) and (CLM Enrollment Agent) on the FIM CM Subscribers group; the rights on the SCP alone only say that they are managers, the rights on the group say whom they may manage.
3. Permissions at the Certificate Templates
The golden rule is:
- If the end user enrolls the certificate from the FIM CM portal by himself, then he needs (Read + Enroll) permissions on the certificate template.
- If the actual enrollment is done by a FIM CM manager (enroll on behalf of the user), then only that manager needs (Read + Enroll) on the certificate template; the end user does not.
4. Permissions at the Profile Template
There are two places to assign permissions here:
- Profile Template container:
  - FIM CM subscribers: Read.
  - FIM CM full admin only: Read + Write.
  - FIM CM managers: Read.
- Profile templates:
  - FIM CM subscribers: should always have (Read + CLM Enroll).[1]
  - FIM CM managers: the manager that will enroll on behalf of the user should also have (Read + CLM Enroll).
Note: FIM CM subscribers should ALWAYS have Read and CLM Enroll on the profile template, even if they do not do the actual enrollment.
So in the case of a centralized deployment, where the FIM CM manager initiates the request and enrolls on behalf of the user (and thus executes the enrollment), both the FIM CM manager AND the FIM CM subscribers should have (Read + CLM Enroll) on the profile template.
5. Permissions at the FIM CM Management Policy
This is where you configure the profile template by accessing the FIM CM admin portal. A new role is introduced here, (Approve Requests), which could be the user's business manager. The (Approve Requests) role should be granted the following:
- (CLM Audit) and (Read) at the service connection point.
- (CLM Audit) and (Read) at the FIM CM Subscribers group.
- The (Approve Requests) permission from within the FIM CM management policy of the profile template.
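To show the five locations together, here is an added PowerShell example (mine, not from the original post and not Microsoft's code) that scripts the help desk, approver and self-service subscriber cases above with the ActiveDirectory module, then lists the CLM ACEs that actually landed on each object. Everything named in it is an assumption to be replaced: the contoso DNs, the group names, the SCP DN (take it from the FIM CM configuration wizard), the profile template container location, and the extended-right display names. The post abbreviates the unblock right as (CLM Request Unblock); the script uses the full display names as I know them from CN=Extended-Rights and resolves each one there at run time, so a wrong name throws instead of silently granting nothing. The (Approve Requests) role of step 5 is not in AD at all and stays a portal task.

```powershell
# Added example (not from the original post, not Microsoft's code): scripting the five-location
# FIM CM permission model with the ActiveDirectory module. All DNs, group names, the profile
# template container and the extended-right display names are assumptions; fix them for your forest.
# Run as a user that is allowed to edit these ACLs.
Import-Module ActiveDirectory

$cfgNC = (Get-ADRootDSE).configurationNamingContext

# ---- Assumed objects (replace with your own) ----
$scpDN      = "CN=FIM CM Service Connection Point,CN=FIMCM01,CN=Computers,DC=contoso,DC=com"  # assumption: DN from the FIM CM configuration wizard
$subsGroup  = "CN=FIM CM Subscribers,OU=Groups,DC=contoso,DC=com"                             # assumption
$helpDesk   = "CN=FIM CM HelpDesk,OU=Groups,DC=contoso,DC=com"                                # assumption
$approvers  = "CN=FIM CM Approvers,OU=Groups,DC=contoso,DC=com"                               # assumption
$certTmplDN = "CN=FIMCMSmartCardLogon,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"  # assumption
$profTmplContainer = "CN=Profile Templates,CN=Public Key Services,CN=Services,$cfgNC"         # assumption
$profTmplDN = "CN=FIM CM Smart Card Logon,$profTmplContainer"                                 # assumption

function Get-ExtendedRightGuid {
    # Resolve an extended right (control access right) to its GUID by display name.
    param([Parameter(Mandatory)][string]$DisplayName)
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$cfgNC" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $right) { throw "Extended right '$DisplayName' not found under CN=Extended-Rights" }
    [guid]$right.rightsGuid
}

function Grant-AdAccess {
    # Add Allow ACEs for a group on one AD object: either a generic right (Read/Write)
    # or a list of extended rights (CLM ..., Enroll), each as its own object-specific ACE.
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][string]$GroupDN,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights = 'ExtendedRight',
        [string[]]$ExtendedRights = @()
    )
    $sid   = (Get-ADGroup -Identity $GroupDN).SID
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $path  = "AD:\$ObjectDN"
    $acl   = Get-Acl -Path $path
    if ($ExtendedRights.Count -eq 0) {
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights, $allow)))
    } else {
        foreach ($name in $ExtendedRights) {
            $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, (Get-ExtendedRightGuid $name))))
        }
    }
    Set-Acl -Path $path -AclObject $acl
}

function Show-ClmAccess {
    # The check: list every CLM/Enroll extended-right ACE on an object with the right's name
    # instead of its GUID, so the result can be compared against the tables in the post.
    param([Parameter(Mandatory)][string]$ObjectDN)
    $names = @{}
    Get-ADObject -SearchBase "CN=Extended-Rights,$cfgNC" -Properties displayName, rightsGuid `
        -LDAPFilter "(|(displayName=CLM*)(displayName=Enroll))" |
        ForEach-Object { $names[[guid]$_.rightsGuid] = $_.displayName }
    (Get-Acl -Path "AD:\$ObjectDN").Access |
        Where-Object { $names.ContainsKey($_.ObjectType) } |
        Select-Object IdentityReference, AccessControlType, @{ n = 'Right'; e = { $names[$_.ObjectType] } }
}

# 1 + 2. Help desk that may only offline-unblock smart cards: Read plus the two extended rights,
#        on the SCP (makes them managers) AND on the subscribers group (scopes whom they manage).
$helpDeskRights = @('CLM Request Unblock Smart Card', 'CLM Enrollment Agent')   # assumption: verify names in CN=Extended-Rights
foreach ($target in @($scpDN, $subsGroup)) {
    Grant-AdAccess -ObjectDN $target -GroupDN $helpDesk -Rights GenericRead
    Grant-AdAccess -ObjectDN $target -GroupDN $helpDesk -ExtendedRights $helpDeskRights
}

# 5. Approvers: Read + CLM Audit on the SCP and on the subscribers group. The Approve Requests
#    role itself is set in the profile template's management policy in the portal, not in AD.
foreach ($target in @($scpDN, $subsGroup)) {
    Grant-AdAccess -ObjectDN $target -GroupDN $approvers -Rights GenericRead
    Grant-AdAccess -ObjectDN $target -GroupDN $approvers -ExtendedRights @('CLM Audit')
}

# 3. Certificate template: Read + Enroll only for whoever performs the actual enrollment.
#    Here the subscribers enroll themselves (self-service scenario).
Grant-AdAccess -ObjectDN $certTmplDN -GroupDN $subsGroup -Rights GenericRead
Grant-AdAccess -ObjectDN $certTmplDN -GroupDN $subsGroup -ExtendedRights @('Enroll')

# 4. Profile Template container: Read for subscribers. Profile template: Read + CLM Enroll,
#    which subscribers need even when a manager enrolls on their behalf.
Grant-AdAccess -ObjectDN $profTmplContainer -GroupDN $subsGroup -Rights GenericRead
Grant-AdAccess -ObjectDN $profTmplDN        -GroupDN $subsGroup -Rights GenericRead
Grant-AdAccess -ObjectDN $profTmplDN        -GroupDN $subsGroup -ExtendedRights @('CLM Enroll')

# Verify what landed on the objects.
Show-ClmAccess -ObjectDN $scpDN
Show-ClmAccess -ObjectDN $subsGroup
Show-ClmAccess -ObjectDN $profTmplDN
```

In the enroll-on-behalf (centralized) variant, move the certificate template grants from the subscribers group to the manager group and leave the profile template grants for the subscribers untouched, exactly as the rule in section 4 requires. Show-ClmAccess is also the quickest way to find a missing ACE when the portal shows a user "no permission" on a profile template: run it against the SCP, the subscribers group and the profile template and compare the three outputs with the tables above.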
Summary