Microsoft® Forefront Identity Manager (FIM) 2010 creates three groups during installation that control which tasks in Synchronization Service Manager that users can perform. The following groups are created by FIM:
- FIMSyncAdmins—Members of this group
have full access to everything in Synchronization Service
Manager.
- FIMSyncOperators—Members of this group
have access to Operations in the Synchronization Service Manager
only. FIMSyncOperators can run management agents, view
synchronization statistics for each run, and save the run histories
to a file. Members of the FIMSyncOperators group must also be
members of the FIMSyncBrowse group to open links in synchronization
statistics.
- FIMSyncJoiners—Members of this group
have access to Joiner and Metaverse Search in Synchronization
Service Manager. FIMSyncJoiners can join or project disconnectors
by using Joiner, and they can use Metaverse Search to view object
properties and disconnect objects from the metaverse.
|
Note |
|
During installation and setup, FIM adds the user account that is running the installation to the FIMSyncAdmins group, but only if the FIMSyncAdmins group is also created during setup. If you specify a preexisting group during setup, the user account that is running the installation will not be added to the preexisting group. |
FIM also creates two security groups during installation that do not have access to Synchronization Service Manager but are used for authentication during password management operations:
- FIMSyncBrowse—Members of this group
have permission to gather information about a user's lineage when
resetting passwords by using Windows Management Instrumentation
(WMI) queries.
- FIMSyncPasswordSet—Members of this
group have permission to perform all operations by using the
password management interfaces with WMI. Members in this group
inherit all FIMSyncBrowse permissions. For more information about
setting passwords by using WMI, see the FIM Developer Reference.
The following table lists the permissions granted during the default FIM installation.
|
|
Notes |
|
|
|
Note |
|
The default location of INSTALLDIR is Program Files\Microsoft Forefront Identity Server\2010\Synchronization Service |
| Folder | Assigned Permissions |
|---|---|
|
INSTALLDIR (Inherited from Program Files) |
Administrators – Full Control SYSTEM – Full Control Creator Owner – Special TrustedInstaller – Special Users – Read & Execute |
|
INSTALLDIR \bin \SourceCode \UIShell \Data |
Inherit from parent. |
|
INSTALLDIR \Extensions \ExtensionsCache \MaData |
Does not inherit from parent. Permissions removed:
Permissions assigned:
|
|
INSTALLDIRX86 |
Inherit from parent. |
|
Program Files\Common Files\Microsoft Shared\Forefront Identity Manager |
Inherit from parent. |
|
Windows\Temp |
Does not inherit from parent. Permissions assigned:
|
|
Important |
|
The local computer administrator account also has full rights to all FIM folders. |
Local computer groups and domain local groups
By default, FIM setup creates these groups as local computer groups, rather than domain local groups. Local computer groups are known only to that server, whereas domain local groups can be recognized throughout the domain. There might be cases where you need to use domain local groups for these roles. For example, the following situations demonstrate why you might need to use domain local groups:
- If you plan to have two servers running FIM
share a database for the purposes of redundancy, it is recommended
that the same users be members of the security groups that you
create, and that they be recognized as such by FIM. You can
accomplish this by using domain local groups.
- If FIM management is distributed across the
organization, using domain local groups enables you to grant access
to the appropriate people within your organization.
- If the FIM configuration needs to be moved
from one server to another, using domain local groups enables you
manage access from a single location.
- If your log files from other systems are
located on other servers or in folders that are not accessible to
FIM, you can use domain local groups to control access to these
folders and remote servers.
- If you are enabling password synchronization
on FIM, you must use a domain account for the FIM Synchronization
Service service account.
|
|
Important |
|
If you plan to use domain local groups, create the groups before installing FIM. For more information about creating domain local groups in Active Directory, see Windows Server® 2008 operating system Help. |