Tuesday, June 25, 2013

Using Compare-Object to Find the Missing Permission in FIM

It might be obvious that I’m a huge PowerShell fan, but I just can’t help showing how cool it is, and how it makes my job so much easier.  In this example I want to show a tricky FIM problem: finding out why a FIM Request matches an MPR but still fails to grant the permission.  The way to figure this out is to compare the list of attributes in the Request Parameters to the MPR’s list of included attributes.  Scanning this visually is just a pain (not to mention a waste of time).  Here’s how to do it with PowerShell:



### Get the list of attributes from the MPR


$ActionParameterList = Export-FimConfig -Only -Custom "/ManagementPolicyRule[DisplayName='FOO: Users can Create Contractors']" |
    Convert-FimExportToPSObject |
    Select-Object -ExpandProperty ActionParameter



### Get the list of attributes from the Request


$RequestParameterList = Export-FimConfig -Only -Custom "/Request[ObjectID='b92fee8a-e8db-4b45-9da1-c0603af21c94']" |
    Convert-FimExportToPSObject |
    Get-FimRequestParameter |
    Select-Object -ExpandProperty PropertyName



### Compare the two lists


Compare-Object $RequestParameterList $ActionParameterList


Here is the output from Compare-Object:


InputObject SideIndicator
----------- -------------
NamePrefix  =>
NameSuffix  =>
PostalCode  <=
ObjectID    <=
Creator     <=


Compare-Object is a general-purpose diff tool (most PowerShell cmdlets are general-purpose BTW).  So feeding in two lists to Compare-Object results in the diff output showing me which attributes are different on each side: <= marks attributes that appear only in the first list (the Request), and => marks attributes that appear only in the second list (the MPR).  Armed with this, I can now change the MPR to include more attributes (without specifying ALL attributes), or change the code that is submitting the Request so it submits fewer attributes.

Love me some PowerShell!
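
The comparison above can be wrapped so that it returns only the attributes the Request asks for and the MPR does not include. This is an added example, not code from the original post: the function name Get-UncoveredAttribute and the sample lists are hypothetical and constructed, and treating '*' as "all attributes" is an assumption about how the MPR lists them.

```powershell
# Added example. Get-UncoveredAttribute and the sample lists are hypothetical.
function Get-UncoveredAttribute {
    [CmdletBinding()]
    param(
        # Attribute names taken from the Request (PropertyName values)
        [string[]] $RequestAttribute,
        # Attribute names taken from the MPR (ActionParameter values)
        [string[]] $MprAttribute
    )

    # Compare-Object rejects a $null list, which is also what a mistyped
    # variable name produces, so handle empty inputs before calling it.
    if (-not $RequestAttribute) { return }
    if (-not $MprAttribute) { return ($RequestAttribute | Sort-Object -Unique) }

    # Assumption: an MPR that lists '*' includes every attribute.
    if ($MprAttribute -contains '*') { return }

    # '<=' marks values present only in -ReferenceObject, i.e. attributes the
    # Request submits that the MPR does not include.
    Compare-Object -ReferenceObject $RequestAttribute -DifferenceObject $MprAttribute |
        Where-Object { $_.SideIndicator -eq '<=' } |
        Select-Object -ExpandProperty InputObject
}

# Constructed sample data shaped like the output shown in the post
$requestAttributes = 'DisplayName', 'AccountName', 'PostalCode', 'ObjectID', 'Creator'
$mprAttributes     = 'DisplayName', 'AccountName', 'NamePrefix', 'NameSuffix'

# Attributes to add to the MPR, or to stop submitting in the Request
Get-UncoveredAttribute -RequestAttribute $requestAttributes -MprAttribute $mprAttributes

# An MPR list that failed to load gives every requested attribute back
Get-UncoveredAttribute -RequestAttribute $requestAttributes -MprAttribute $null
```

Compare-Object compares strings case-insensitively unless -CaseSensitive is given, so attribute names that differ only in case are treated as matching here.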

Tuesday, June 04, 2013

Microsoft announces PowerShell v4, DSC

From the PowerShell.org site:

Microsoft announces PowerShell v4, DSC


More PowerShell v4 and DSC Details

This is exciting for a couple of reasons:

1. If you are a FIM Sync nut, then you already live and breathe DSC

The sync engine enforces the state of objects according to its rules.  So it is already doing DSC for identities.  Blam!  You just became an Identity-DSC person!  However, do you manage your FIM deployment with DSC in mind?  FIM doesn’t exactly make this easy today, but it IS possible.

2. If you ever deploy FIM, you should care about DSC

Lately I’ve been on an automation kick to improve the quality of FIM deployments through deployment automation (see http://fimpowershellmodule.codeplex.com).  Once the system is deployed there is always the challenge of patching, and ensuring our configuration isn’t drifting from what we have in source control.  I’m really excited to see what PowerShell V4 brings to the table to make this challenge easier.