The Forefront Identity Manager Certificate Management (FIM CM) Provision API has several methods that give the caller access to sensitive data. These methods are collectively referred to as the Sensitive API group.
The topics in this section discuss the security configuration for the methods in the Sensitive API group.
Sensitive API Group
The Sensitive API group includes the methods of the Microsoft.Clm.Provision.ExecuteOperations class. These methods have access to the administrator personal identification number (PIN), the user PIN, the administrator authentication key for the Microsoft® Smart Card Base Cryptographic Service Provider (Base CSP), or the Base CSP challenge response information. The following methods are included in this group:
For a call to a method in this group to succeed, the caller of the method must be authorized to call the methods in the Sensitive API group.
To authorize a user or group of users to call the methods in the Sensitive API group, you must follow these steps to configure FIM CM:
- Open the Web.config file that is associated with the CLM 2007
virtual Web folder.
The default location for this file is %Programfiles%\Microsoft Certificate Lifecycle Manager\Web\Web.config.
- Locate the configuration section for the Sensitive API group,
which resembles the following:
<add key="Clm.ProvisionApi.SensitiveApiGroup" value="" />
- Set the value to the name of a security group that contains the
users to authorize to call the methods in the Sensitive API
You must specify the security group in the domainname\groupname format, as shown in the following example:
<add key="Clm.ProvisionApi.SensitiveApiGroup" value="Contoso\SensitiveApiUserGroup" />
- Save the Web.config file.