Microsoft® Forefront Identity Manager 2010 (FIM) provides a Resource Management Service (RMS) that enables client applications to execute queries and retrieve the results to use in reporting solutions.
The RMS provides the following extensions to the operations defined by the WS-Enumeration specification:
- The Enumeration Endpoint can inform the client of the total number of objects in the collection of objects that match the client's specified search
- The client can traverse the objects in the collection both forward and backward.
- The client can go to a subset of the collection based on a specified object index.
- The client can indicate the specific elements of the objects to retrieve.
- The client can specify the sort order for the
You can use the Enumeration Endpoint to query FIM data. A query consists of the following steps:
- Define your search criteria.
- Initiate your query.
- Retrieve the results.
Define Your Search Criteria
Example Search Criteria
The following query will return the security groups that are expiring in the next week:
/Group[Type= 'Security' and ExpirationTime<=op:add-dayTimeDuration-to-dateTime(fn:current-dateTime(), xs:dayTimeDuration("P7D"))]
The following query returns groups of which members of the "Executive Team" group are members or owners:
/Group[Owner = /Group[DisplayName = 'Executive Team']/ComputedMember or ComputedMember = /Group[DisplayName = 'Executive Team']/ComputedMember]
The following query returns members who are members of both the "Executive Team" and "Financial Approvers" groups:
/Group[DisplayName = 'Executive Team']/ComputedMember[ObjectID = /Group[DisplayName = 'Financial Approvers']/ComputedMember]
The following query returns interns or contract employees in the "Full Time Employees" group:
/Person[(EmployeeType = 'Contractor' or EmployeeType = 'Intern') and ObjectID=/Group[DisplayName = 'Full Time Employees']/ComputedMember]
The following query returns requests that are completed and were submitted by members of the "Elevated Access Security Group" to update groups:
/Request[Creator=/Group[DisplayName='Elevated Access Security Group']/ComputedMember and Operation='Put' and Status='Completed']
The following query returns all requests made during the last 10 days that consisted of updates to mail-enabled security groups:
/Request[Target=/Group[Type='MailEnabledSecurity'] and Operation='Put' and CreatedTime >= op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P10D'))]
Initiate Your Query
To identify the XPath Filter Dialect as the filter dialect of a WS-Enumeration Enumerate message, set the value of the WS-Enumeration Dialect attribute to
If the Enumerate operation succeeds, you will receive three things in response:
- An XML representation of an enumeration context. An enumeration context lets you refer back to the query that you sent in the previous Enumerate invocation. With this you can retrieve its results by making subsequent requests to the Enumeration
- The expiration time for the enumeration context.
- A count of the number of objects that match the query. This is an extension to the WS-Enumeration specification.
Retrieve the Results
To retrieve the results of a query, invoke the Pull operation of the Enumeration Endpoint, passing the enumeration context as input. You will receive a batch of objects that match your query. If there are additional objects that match your query, invoke the Pull operation again to retrieve the next batch, until you have retrieved all objects that match your query. You can also specify the maximum number of objects to be included in each batch.
You can also specify the index number of a particular object in the collection of objects that match your query. With this, you can specify the starting number from which to retrieve objects in the next batch. You can also specify the direction in which to add objects to the batch: forward or backward. These are extensions to the WS-Enumeration specification.
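The Enumerate and Pull exchange described above, modelled in memory as an added example (not code from the original page or from FIM). The class and function names, the in-memory endpoint and the backward-traversal semantics are assumptions; the client checks what it pulled against the count returned by Enumerate, so a report never silently covers fewer objects than the query matched.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

class ContextExpired(Exception): pass  # a Pull arrived after the expiration time

@dataclass
class Context:  # hypothetical stand-in for the XML enumeration context
    matches: list
    expires: datetime
    index: int = 0  # position of the next object to return

class FakeEndpoint:
    """In-memory model of the Enumeration Endpoint (constructed, not FIM code)."""
    def __init__(self, objects, lifetime=timedelta(minutes=5)):
        self.objects, self.lifetime = objects, lifetime

    def enumerate(self, predicate, now):
        matches = [o for o in self.objects if predicate(o)]
        ctx = Context(matches, now + self.lifetime)
        return ctx, ctx.expires, len(matches)  # context, expiration, count

    def pull(self, ctx, now, max_elements, start_index=None, forward=True):
        if now >= ctx.expires:
            raise ContextExpired("context expired; send Enumerate again")
        if start_index is not None:
            ctx.index = start_index  # jump to a subset by object index
        if forward:
            batch = ctx.matches[ctx.index:ctx.index + max_elements]
            ctx.index += len(batch)
        else:  # assumed semantics: walk back from the current index
            low = max(0, ctx.index - max_elements)
            batch = ctx.matches[low:ctx.index][::-1]
            ctx.index = low
        return batch

def fetch_all(endpoint, predicate, now, max_elements=2):
    """Pull batches until one comes back empty; fail if the count disagrees."""
    ctx, _expires, total = endpoint.enumerate(predicate, now)
    results = []
    while batch := endpoint.pull(ctx, now, max_elements):
        results.extend(batch)
    if len(results) != total:
        raise RuntimeError(f"incomplete report: {len(results)} of {total}")
    return results

# Constructed sample data: five groups, three of them security groups.
GROUPS = [{"DisplayName": f"G{i}", "Type": t} for i, t in enumerate(
    ["Security", "Distribution", "Security", "Security", "Distribution"])]
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
```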