Tuesday, June 25, 2013

Using Compare-Object to Find the Missing Permission in FIM

It might be obvious that I’m a huge PowerShell fan, but I just can’t help showing how cool it is and how much easier it makes my job. In this example I want to show a tricky FIM problem: finding out why a FIM Request matches an MPR but still fails to grant the permission. The way to figure this out is to compare the list of attributes in the Request Parameters to the MPR’s list of included attributes. Scanning this visually is just a pain (not to mention a waste of time). Here’s how to do it with PowerShell:

 

###
### Get the list of attributes from the MPR
###
$ActionParameterList = Export-FimConfig -Only -Custom "/ManagementPolicyRule[DisplayName='FOO: Users can Create Contractors']" |
    Convert-FimExportToPSObject |
    Select-Object -ExpandProperty ActionParameter

###
### Get the list of attributes from the Request
###
$RequestParameterList = Export-FimConfig -Only -Custom "/Request[ObjectID='b92fee8a-e8db-4b45-9da1-c0603af21c94']" |
    Convert-FimExportToPSObject |
    Get-FimRequestParameter |
    Select-Object -ExpandProperty PropertyName

###
### Compare the two lists (Request is the reference side, MPR the difference side)
###
Compare-Object $RequestParameterList $ActionParameterList

 

Here is the output from Compare-Object:

 

InputObject SideIndicator
----------- -------------
NamePrefix  =>
NameSuffix  =>
PostalCode  <=
ObjectID    <=
Creator     <=

 

Compare-Object is a general-purpose diff tool (most PowerShell cmdlets are general-purpose, BTW). Feeding two lists to Compare-Object produces diff output showing which attributes appear on only one side: <= marks a value found only in the first list (here, the Request) and => marks a value found only in the second list (the MPR). Armed with this, I can now change the MPR to include more attributes (without specifying ALL attributes), or change the code that is submitting the Request so it submits fewer attributes.
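The same comparison wrapped as a reusable check, as an added example that is not code from the original post or from FIM: it returns only the Request attributes the MPR does not grant, so the MPR can be widened by exactly those names. The function name Get-MprAttributeGap, the sample attribute lists, and the treatment of '*' as "all attributes" are assumptions made for illustration.

```powershell
# Added example. Function name and sample lists are constructed for illustration.
Set-StrictMode -Version Latest   # a misspelled variable name now throws instead of passing $null

function Get-MprAttributeGap {
    param(
        [string[]]$RequestAttribute = @(),   # attribute names from the Request Parameters
        [string[]]$MprAttribute     = @()    # attribute names from the MPR's ActionParameter
    )

    # Assumption: an MPR that grants every attribute lists the single value '*'.
    if ($MprAttribute -contains '*') { return @() }

    # Normalize both lists: drop blanks, trim, de-duplicate (case-insensitive by default).
    $request = @($RequestAttribute |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |
        ForEach-Object { $_.Trim() } | Sort-Object -Unique)
    $mpr = @($MprAttribute |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |
        ForEach-Object { $_.Trim() } | Sort-Object -Unique)

    # Compare-Object refuses null input, so handle empty lists before calling it.
    if ($request.Count -eq 0) { return @() }
    if ($mpr.Count -eq 0)     { return $request }

    # '<=' marks values present only in the reference list (the Request):
    # these are the attributes the Request asks for that the MPR does not cover.
    Compare-Object -ReferenceObject $request -DifferenceObject $mpr |
        Where-Object { $_.SideIndicator -eq '<=' } |
        Select-Object -ExpandProperty InputObject
}

# Constructed sample input modelled on the output shown above.
$sampleRequest = 'DisplayName', 'FirstName', 'LastName', 'PostalCode', 'ObjectID', 'Creator'
$sampleMpr     = 'displayname', 'FirstName', 'LastName', 'NamePrefix', 'NameSuffix'

$gap = @(Get-MprAttributeGap -RequestAttribute $sampleRequest -MprAttribute $sampleMpr)
if ($gap.Count -gt 0) {
    "Request attributes not granted by the MPR: $($gap -join ', ')"
} else {
    'The MPR covers every attribute in the Request.'
}
```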

Love me some PowerShell!

1 comment:

Carol Wapshere said...

Hmm interesting. I'm still using fc! Might see if I can get some better output trying this. Been working on a Sync Service config comparer.