The FIM data access activities can be used in Visual Studio to build custom activities and workflows for use in the FIM Portal. The execution context of an activity at runtime determines which operations that activity is permitted to perform. Each activity has an ActorId property that sets this execution context.

Regardless of the execution context of an activity or the Management Policy Rules that are configured, operations performed by workflow activities will not trigger Authentication or Authorization workflows (see Request Processing).

This topic explains the use of the ActorId property and describes the use of the FIM service account.

Use of the ActorId Property

Activities are able to perform only the operations for which the “actor” of the activity (stored in an ActorId property) has been granted rights. This includes create, read, update (modify, insert, remove) and enumerate operations.

ActorId is a Guid holding the ObjectID of the actor resource. It is used to determine which management policy rules apply to any Request objects created by the activity. ActorId defaults to the Creator attribute of the parent Request resource.

ActorId can reference any resource, not just Person resources. For example, the WorkflowDefinition that the activity is part of can be used as the ActorId. This setup may be desirable when the goal is to manage resources dynamically through workflow: the management policy rules are then written to grant rights to the WorkflowDefinition resource rather than to Person resources, so the workflow's data access does not depend on the rights of whichever user submitted the request.

The execution context of out-of-the-box FIM activities cannot be modified. The ActorId property of data access activities used in custom activities and workflows can be configured in Visual Studio.
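The following is an added example, not code from the original page or from the FIM product: a custom activity, written in code rather than with the Visual Studio workflow designer, that reads the parent Request's target resource with the owning WorkflowDefinition as the actor, as described above. It assumes the Microsoft.ResourceManagement.Workflow.Activities types (SequentialWorkflow, ReadResourceActivity) as shipped with the FIM SDK; the class name ReadTargetAsWorkflowActivity and the selected attribute names are hypothetical.

```csharp
using System;
using System.Workflow.Activities;
using System.Workflow.ComponentModel;
using Microsoft.ResourceManagement.WebServices.WSResourceManagement;
using Microsoft.ResourceManagement.Workflow.Activities;

// Added example (hypothetical activity, not part of the FIM SDK samples).
// Reads the Request's target using the WorkflowDefinition as the actor, so the
// MPR that grants the read can be scoped to this workflow instead of to the
// requestor. Operations issued by this activity do not trigger Authentication
// or Authorization workflows, so keep that MPR as narrow as possible.
public class ReadTargetAsWorkflowActivity : SequenceActivity
{
    private readonly CodeActivity prepareRead;
    private readonly ReadResourceActivity readTarget;

    public ReadTargetAsWorkflowActivity()
    {
        Name = "ReadTargetAsWorkflowActivity";

        // Step 1: a CodeActivity that sets ResourceId and ActorId at runtime,
        // because both are only known once the workflow instance exists.
        prepareRead = new CodeActivity { Name = "prepareRead" };
        prepareRead.ExecuteCode += PrepareRead_ExecuteCode;

        // Step 2: the FIM data access activity that performs the read.
        // Request only the attributes actually needed; the actor must be
        // granted Read on each of them by a management policy rule.
        readTarget = new ReadResourceActivity
        {
            Name = "readTarget",
            SelectionProperties = new[] { "ObjectID", "DisplayName", "AccountName" }
        };

        Activities.Add(prepareRead);
        Activities.Add(readTarget);
    }

    // The resource returned by the read (null if nothing was readable in the
    // actor's context), exposed for later activities in the same workflow.
    public ResourceType Target
    {
        get { return readTarget.Resource; }
    }

    private void PrepareRead_ExecuteCode(object sender, EventArgs e)
    {
        SequentialWorkflow parent;
        if (!SequentialWorkflow.TryGetContainingWorkflow(this, out parent))
        {
            throw new InvalidOperationException(
                "This activity must be hosted in a FIM SequentialWorkflow.");
        }

        // Read the Request's target resource.
        readTarget.ResourceId = parent.TargetId;

        // Default actor would be parent.ActorId (the Request's Creator).
        // Use the WorkflowDefinition so rights are granted to the workflow.
        readTarget.ActorId = parent.WorkflowDefinitionId;
    }
}
```

The corresponding management policy rule would have the WorkflowDefinition resource as its requestor (the set containing that one resource), Read as the operation, and the target set and attribute list limited to what the activity selects. Because workflow-issued operations bypass Authentication and Authorization workflows, a broadly scoped rule for a WorkflowDefinition actor effectively grants those rights to every request that triggers the workflow.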

FIM Service Account

The FIM Service Account is an instance of a resource that is created by setup and cannot be deleted, regardless of policies that grant users permission to delete resources.

The out-of-box activities that execute in the context of the FIM Service Account are exempt from rights checks and always have permission to perform the operations they require, regardless of the policies defined in the system.

The FIM Service Account has the default attribute values shown in the following table. If an attribute is not included here, its default is null.

Attribute      Value
Creator        Reference to the default administrator created out of the box. This is the value set as the creator for all out-of-the-box resources.
CreatedTime    Determined by setup
DisplayName    Forefront Identity Manager Service Account
Description    The Forefront Identity Manager Service Account has rights to create, read, delete and update all resources and attributes.

A deletion request for the FIM Service Account results in an InvalidOperation exception. Attribute values of the FIM Service Account can be modified if a management policy rule grants permission to modify the resource.

The following activities operate under the context of the FIM Service Account.

See Also