今年夏にリリースされる予定のMicrosoft Identity Manager 2015(MIM)では特権アカウント管理に関する各種の機能拡張が行われています。
今回はMIM Serviceの管理ポリシールール(Management Policy Rule/MPR)が現行バージョンであるForefront Identity Manager 2010R2 SP1(FIM)とどのように変わったのかを見てみます。
※MIM 2015 CTP3とFIM 2010R2 SP1を比較していますので、リリースまでに変わる可能性があります。
以下のスクリプトで定義されているMPR一覧が取得できるので、変化点を見てみましょう。
結果、以下の通りとなりました。
色を付けた部分のセルが新規追加になっているMPRです。
PAM(Privilege Access Management/特権アカウント管理)部分だけですね。
今回はMIM Serviceの管理ポリシールール(Management Policy Rule/MPR)が現行バージョンであるForefront Identity Manager 2010R2 SP1(FIM)とどのように変わったのかを見てみます。
※MIM 2015 CTP3とFIM 2010R2 SP1を比較していますので、リリースまでに変わる可能性があります。
以下のスクリプトで定義されているMPR一覧が取得できるので、変化点を見てみましょう。
Add-PSSnapin FIMAutomaion
$curObject = Export-FIMConfig -Uri http://localhost:5725/resourcemanagementservice -OnlyBaseResources -CustomConfig ("/ManagementPolicyRule")
foreach ($fimobject in $curObject)
{
$attributes = $fimobject.ResourceManagementObject.ResourceManagementAttributes
$displayName = $attributes | where {$_.AttributeName -eq 'DisplayName'}
write-host $displayName.Value
}
結果、以下の通りとなりました。
色を付けた部分のセルが新規追加になっているMPRです。
PAM(Privilege Access Management/特権アカウント管理)部分だけですね。
| MPR一覧 |
|---|
| Administration - Schema: Administrators can change selected attributes of non-system attribute type descriptionresources |
| Administration - Schema: Administrators can change selected attributes of non-system binding description resources |
| Administration - Schema: Administrators can change selected attributes of non-system schema related resources |
| Administration - Schema: Administrators can change selected attributes of schema related resources |
| Administration - Schema: Administrators can create attribute type description resources |
| Administration - Schema: Administrators can create binding description resources |
| Administration - Schema: Administrators can create resource type description resources |
| Administration - Schema: Administrators can delete non-system schema related resources |
| Administration: Administrators can control requests |
| Administration: Administrators can control synchronization configuration resources |
| Administration: Administrators can delete non-administrator users |
| Administration: Administrators can read all resources |
| Administration: Administrators can read and update Users |
| Administration: Administrators can update synchronization filter resources |
| Administration: Administrators control configuration related resources |
| Administration: Administrators control management policy rule resources |
| Administration: Administrators control set resources |
| Administration: Administrators control synchronization rule resources |
| Administration: Administrators control workflow definition resources |
| Administrators have full control over filter scope resources |
| Anonymous users can reset their password |
| Button viewable management: Members could read all attributes of the sets in all button viewable sets |
| Distribution list management: Owners can read attributes of group resources |
| Distribution list management: Owners can update and delete groups they own |
| Distribution list Management: Users can add or remove any members of groups subject to owner approval |
| Distribution list management: Users can add or remove any members of groups that don't require owner approval |
| Distribution List management: Users can create Static Distribution Groups |
| Distribution list management: Users can read selected attributes of group resources |
| General workflow: Filter attribute validation for administrator |
| General workflow: Filter attribute validation for non-administrators |
| General workflow: Registration initiation for authentication activity |
| General: Users can read non-administrative configuration resources |
| General: Users can read schema related resources |
| Group management workflow: Group information validation for dynamic groups |
| Group management workflow: Group information validation for static groups |
| Group management workflow: Owner approval on add member |
| Group management workflow: Validate requestor on add member to open group |
| Group management workflow: Validate requestor on remove member |
| Group management: Group administrators can create and delete group resources |
| Group management: Group administrators can read attributes of group resources |
| Group management: Group administrators can update group resources |
| [新規]PAM: Administrators control PAM Requests |
| [新規]PAM: Administrators control PAM Roles |
| [新規]PAM: User can read Pam Roles that he can request |
| [新規]PAM: User can see PAM requests that he created |
| [新規]PAM: Users can create a PAM Request |
| Password reset users can read password reset objects |
| Password Reset Users can update the lockout attributes of themselves |
| Reporting Administration: Administrators can control reporting binding resources. |
| Reporting Administration: Administrators can control reporting job resources. |
| Request management: Request approvers can read their approval resources |
| Request management: Request approvers can read their approval response resources |
| Request management: Request creators can cancel their requests |
| Request management: Request creators can read related approval response resources |
| Request management: Request creators can read their approval resources |
| Request management: Request creators can read their request resource |
| Request management: Request participants can read related approval resources |
| Request management: Request participants can read related approval response resources |
| Request management: Request participants can read their request resource |
| Security group management: Owners can read selected attributes of group resources |
| Security group management: Owners can update and delete groups they own |
| Security group management: Users can add or remove any member of groups subject to owner approval |
| Security Group management: Users can create Static Security Groups |
| Security group management: Users can read selected attributes of group resources |
| Security groups: Users can add and remove members to open groups |
| Synchronization: Synchronization account can delete and update expected rule entry resources |
| Synchronization: Synchronization account can read group resources it synchronizes |
| Synchronization: Synchronization account can read schema related resources |
| Synchronization: Synchronization account can read synchronization related resources |
| Synchronization: Synchronization account can read users it synchronizes |
| Synchronization: Synchronization account controls detected rule entry resources |
| Synchronization: Synchronization account controls group resources it synchronizes |
| Synchronization: Synchronization account controls synchronization configuration resources |
| Synchronization: Synchronization account controls users it synchronizes |
| Temporal policy workflow: Impending group resource expiry notification |
| User management: Users can read attributes of their own |
| User management: Users can read selected attributes of other users |
| Users can create registration objects for themselves |
| Users can modify registration objects for themselves |