Microsoft® Forefront Identity Manager 2010 (FIM) provides a Resource Management Service (RMS) that enables client applications to execute queries and retrieve the results to use in reporting solutions.

The RMS provides the following extensions to the operations defined by the WS-Enumeration specification:

You can use the Enumeration Endpoint to query FIM data. A query consists of the following steps:

  1. Define your search criteria.

  2. Initiate your query.

  3. Retrieve the results.

Define Your Search Criteria

The RMS supports the FIM XPath Filter Dialect as its query language. The FIM XPath Filter Dialect topic shows how to define search criteria.

Example Search Criteria

The following query will return the security groups that are expiring in the next week:

/Group[Type = 'Security' and ExpirationTime <= op:add-dayTimeDuration-to-dateTime(fn:current-dateTime(), xs:dayTimeDuration("P7D"))]

The following query returns groups of which members of the "Executive Team" group are members or owners:

/Group[Owner = /Group[DisplayName = 'Executive Team']/ComputedMember or ComputedMember = /Group[DisplayName = 'Executive Team']/ComputedMember]

The following query returns members who are members of both the "Executive Team" and "Financial Approvers" groups:

/Group[DisplayName = 'Executive Team']/ComputedMember[ObjectID = /Group[DisplayName = 'Financial Approvers']/ComputedMember]

The following query returns interns or contract employees in the "Full Time Employees" group:

/Person[(EmployeeType = 'Contractor' or EmployeeType = 'Intern') and ObjectID = /Group[DisplayName = 'Full Time Employees']/ComputedMember]

The following query returns requests that are completed and were submitted by members of the "Elevated Access Security Group" to update groups:

/Request[Creator=/Group[DisplayName='Elevated Access Security Group']/ComputedMember and Operation='Put' and Status='Completed']

The following query returns all requests made during the last 10 days that consisted of updates to mail-enabled security groups:

/Request[Target=/Group[Type='MailEnabledSecurity'] and Operation='Put' and CreatedTime >= op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P10D'))]

Initiate Your Query

You initiate your query by invoking the Enumerate operation of the Enumeration Endpoint and passing in a query expression in the form of the XPath Filter Dialect.

To identify the XPath Filter Dialect as the filter dialect of a WS-Enumeration Enumerate message, set the value of the WS-Enumeration Dialect attribute to http://schemas.microsoft.com/2006/11/XPathFilterDialect.

If the Enumerate operation succeeds, you will receive three things in response:

  1. An XML representation of an enumeration context. An enumeration context lets you refer back to the query that you sent in the previous Enumerate invocation. With this you can retrieve its results by making subsequent requests to the Enumeration endpoint.

  2. The expiration time for the enumeration context.

  3. A count of the number of objects that match the query. This is an extension to the WS-Enumeration specification.

Retrieve the Results

To retrieve the results of a query, invoke the Pull operation of the Enumeration Endpoint, passing the enumeration context as input. You will receive a batch of objects that match your query. If there are additional objects that match your query, invoke the Pull operation again to retrieve the next batch, until you have retrieved all objects that match your query. You can also specify the maximum number of objects to be included in each batch.

You can also specify the index number of a particular object in the collection of objects that match your query. With this, you can specify the starting number from which to retrieve objects in the next batch. You can also specify the direction in which to add objects to the batch: forward or backward. These are extensions to the WS-Enumeration specification.
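The Enumerate and Pull sequence described above, as an added Python example (not Microsoft's code and not part of the original page). It builds and parses only the WS-Enumeration body elements: `send` is a hypothetical callable that wraps a body in the SOAP envelope, posts it to the Enumeration Endpoint and returns the response body, and `constructed_service` is a constructed offline stand-in for it. The FIM extensions (count, index, direction) are not modelled.

```python
import xml.etree.ElementTree as ET

WSEN = "{http://schemas.xmlsoap.org/ws/2004/09/enumeration}"  # WS-Enumeration namespace
FIM_DIALECT = "http://schemas.microsoft.com/2006/11/XPathFilterDialect"  # from the page
ET.register_namespace("wsen", WSEN[1:-1])

def build_enumerate(xpath_filter):  # Enumerate body: filter text plus Dialect attribute
    root = ET.Element(WSEN + "Enumerate")
    flt = ET.SubElement(root, WSEN + "Filter", {"Dialect": FIM_DIALECT})
    flt.text = xpath_filter  # the serializer escapes '<' and '&' (e.g. ExpirationTime <= ...)
    return ET.tostring(root, encoding="unicode")

def build_pull(context, max_elements):  # Pull body: echo the context, cap the batch size
    root = ET.Element(WSEN + "Pull")
    root.append(context)
    ET.SubElement(root, WSEN + "MaxElements").text = str(max_elements)
    return ET.tostring(root, encoding="unicode")

def enumerate_all(send, xpath_filter, batch_size=2, max_pulls=1000):
    """Enumerate once, then Pull until EndOfSequence; returns the matched elements."""
    context = ET.fromstring(send(build_enumerate(xpath_filter))).find(WSEN + "EnumerationContext")
    if context is None:
        raise ValueError("EnumerateResponse carried no enumeration context")
    items = []
    for _ in range(max_pulls):  # bounded in case EndOfSequence never arrives
        reply = ET.fromstring(send(build_pull(context, batch_size)))
        items.extend(reply.findall(WSEN + "Items/*"))
        if reply.find(WSEN + "EndOfSequence") is not None:
            return items
        newer = reply.find(WSEN + "EnumerationContext")  # a reply may replace the context
        context = newer if newer is not None else context
    raise RuntimeError("pull limit reached before EndOfSequence")

def constructed_service(names):  # constructed stand-in for the endpoint (not FIM output)
    def send(body):
        req = ET.fromstring(body)
        pull = req.tag == WSEN + "Pull"
        reply = ET.Element(WSEN + ("PullResponse" if pull else "EnumerateResponse"))
        start = int(req.find(WSEN + "EnumerationContext").text) if pull else 0
        chunk = names[start:start + int(req.find(WSEN + "MaxElements").text)] if pull else []
        ET.SubElement(reply, WSEN + "EnumerationContext").text = str(start + len(chunk))
        if pull:
            batch = ET.SubElement(reply, WSEN + "Items")
            for name in chunk:
                ET.SubElement(batch, "Group").text = name
            if start + len(chunk) >= len(names):
                ET.SubElement(reply, WSEN + "EndOfSequence")
        return ET.tostring(reply, encoding="unicode")
    return send
```
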
