Introduction to Security Group Management

Applies To: Forefront Identity Manager 2010

In a typical enterprise environment, managing Security Groups (SGs) is a common task that has an impact on operational costs and user productivity. Because this task is considered to be an administrative task, it involves, in many cases, interaction with a department that has appropriate rights to update SGs. Other considerations include the cost of the operational staff and the required interaction with another department, which has an impact on the productivity of the end users. To address these issues, a key goal of Microsoft® Forefront® Identity Manager (FIM) 2010 is to reduce help desk calls and improve productivity by automating administrative tasks.

One aspect of achieving this goal is the ability for an end user to fully manage groups themselves by using the FIM 2010 Portal. The following concepts play an important role in this group management task:

  • Manually managed and criteria-based membership

  • Owner approval

  • Displayed owner

Manually managed and criteria-based membership: Today, the most common way to specify the members of a group is to select them manually from a list. This is referred to as “manually managed membership.” FIM 2010 also lets you define membership based on object properties; this is known as criteria-based membership. With criteria-based membership, the members of a group are determined by a set of specified conditions. For example, you can specify that all users who have a specific title or who belong to a specific department are added to a group. Criteria-based membership is a convenient way to let the system add and remove the correct members of a group as the properties of users and other resources in FIM 2010 change.

Owner approval: In FIM 2010, a group with manually managed membership can be open for anyone to join, or it can require the owner’s approval. For a group that requires owner approval to join, others can submit a request for membership in a group, which has to be approved by one of the owners. This increases the usability of a group while maintaining the membership in a controlled manner.

Owner and displayed owner: In FIM 2010, the owners of a distribution list have the rights to make changes to the group, to delete the group, and, if the group requires owner approval for joining, to approve requests to join the group. You can load-balance the management of distribution lists by assigning multiple owners, and, more importantly, you can ensure continuity in the management of the group if one of the owners leaves the organization or otherwise happens to no longer be an owner. However, because some external systems support ownership of a group only as single-valued, each group must have one of the owners designated as the Displayed owner so that ownership can be indicated correctly in those connected data sources that require Owner to be single-valued.

What This Document Covers

This document demonstrates and highlights the new filter builder feature in FIM 2010 that you can use to define dynamic (criteria-based) membership for an SG.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Prerequisite Knowledge

This document assumes that you have a basic understanding of Active Directory® SGs.


This document is intended for information technology (IT) planners, systems administrators, architects, technology decision-makers, consultants, infrastructure planners, and IT personnel who plan to deploy and use the FIM 2010 feature to define dynamic SGs.

Time Requirements

The procedures in this document require 30 to 45 minutes to complete.

Scenario Description

Fabrikam, a fictitious corporation, is in the process of evaluating the new dynamic membership feature for SGs.

One requirement Fabrikam has is to create SGs that contain a manager and the direct reports. To evaluate this new feature, Fabrikam decided to set up a lab environment with a set of sample users. The following sections provide detailed instructions about the lab setup and the test steps.

Testing environment

To perform the procedures in this document, your environment should have the following characteristics:

  • A server computer (FabrikamDC1) that is a member of the Fabrikam forest and that hosts the FIM 2010 server components.

Implementing the Procedures in This Document

To implement the procedures in this document, you complete the following steps in order:

  1. Create sample users in the FIM Portal.

  2. Create an SG with calculated membership.

  3. Delete an SG.

Create sample users in the FIM Portal

The scenario in this document is based on five sample users. To create the sample users, you use the New Users Wizard in the FIM Portal.

The following table lists the required attributes for all users.

Display name      Department        Job title                     Manager
Melissa Meyers                      Finance Director
Terry Adams       Human Resources   Human Resources Specialist
Jossef Goldberg                     Accounts Payable Specialist   Jimmy Bischoff
Britta Simon                        Accounting Manager            Melissa Meyers
Jimmy Bischoff                      Tax Manager                   Melissa Meyers

To create sample users

  1. On your computer, log on as an administrator.

  2. Start Windows® Internet Explorer®.

  3. To go to the FIM Portal, in the address bar, type https://FabrikamDC1/Identitymanagement.

  4. To open the Users page, in the Quick Launch Bar, select Users.

  5. For each row in the previous table, complete the following steps:

    1. To open the Create User Wizard, on the toolbar, click the New button.

    2. Specify the attribute values shown for that row in the table.

    3. Click Finish.

    4. To submit the new request, click Submit.

Create an SG

To create a new SG, you use the Create Security Group Wizard.

To create a new SG

  1. On your computer, log on as an administrator.

  2. Start Internet Explorer.

  3. To go to the FIM Portal, in the address bar, type https://FabrikamDC1/Identitymanagement.

  4. To open the Security Groups page, on the Quick Launch Bar, click Security Groups.

  5. To open the Create Security Group Wizard, on the toolbar, click New.

  6. On the Basic Info page, provide the following information, and then click Next:

    • Display Name: Finance Department

    • Domain: Fabrikam

    • Account Name: fdept

    • Scope: Domain Local

    • Member Selection: Criteria-based

  7. On the Members page, provide the following information, and then click Next:

    1. In the filter statement, replace Resource ID is administrator with Department is Finance.

    2. To verify the group membership, click the View Members button.

    3. To display the summary information of your new group, click Finish.

  8. To submit your group creation request, click Submit.
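As an added illustration that is not part of this document or of FIM 2010 itself, the following Python model shows what the concepts described earlier and the group created above amount to: the membership of a criteria-based group such as Finance Department (Department is Finance) is recomputed from user attributes rather than edited by hand, so a change to a user's Department adds or removes that user automatically; the manager-plus-direct-reports group that Fabrikam wants can be expressed the same way; and a manually managed group keeps a set of owners, one of whom is the displayed owner, and routes join requests through owner approval when that is required. The user set and its Department values are constructed for this example (the page's table leaves some Department cells empty), and the ManualGroup class is a simplified model, not FIM's filter language or its approval workflow.

```python
from dataclasses import dataclass, field, replace
from typing import Iterable, List, Optional, Sequence, Set, Tuple


# Constructed sample data (not the page's table): five Fabrikam users with the
# attributes the FIM 2010 Create User Wizard asks for. Department values are assumed.
@dataclass(frozen=True)
class User:
    display_name: str
    department: str
    job_title: str
    manager: Optional[str] = None  # display_name of the manager, if any


SAMPLE_USERS: List[User] = [
    User("Melissa Meyers", "Finance", "Finance Director"),
    User("Terry Adams", "Human Resources", "Human Resources Specialist"),
    User("Jossef Goldberg", "Finance", "Accounts Payable Specialist", "Jimmy Bischoff"),
    User("Britta Simon", "Finance", "Accounting Manager", "Melissa Meyers"),
    User("Jimmy Bischoff", "Finance", "Tax Manager", "Melissa Meyers"),
]

# A filter is a list of (attribute, value) conditions; every condition must hold.
Filter = Sequence[Tuple[str, str]]


def matches(user: User, criteria: Filter) -> bool:
    return all(getattr(user, attr) == value for attr, value in criteria)


def criteria_members(users: Iterable[User], criteria: Filter) -> Set[str]:
    """Membership of a criteria-based group: derived from attributes, never edited by hand."""
    return {u.display_name for u in users if matches(u, criteria)}


def team_members(users: Iterable[User], manager: str) -> Set[str]:
    """Fabrikam's requirement: a manager together with that manager's direct reports."""
    return {u.display_name for u in users if u.display_name == manager or u.manager == manager}


def with_department(user: User, department: str) -> User:
    """Copy of a user with a changed Department (simulates an HR update flowing into FIM)."""
    return replace(user, department=department)


def membership_change(before: Iterable[User], after: Iterable[User],
                      criteria: Filter) -> Tuple[Set[str], Set[str]]:
    """(added, removed) members when attributes change between two snapshots."""
    old, new = criteria_members(before, criteria), criteria_members(after, criteria)
    return new - old, old - new


@dataclass
class ManualGroup:
    """Manually managed group: several owners, one displayed owner, optional owner approval."""
    name: str
    owners: Set[str]
    displayed_owner: str
    requires_owner_approval: bool = False
    members: Set[str] = field(default_factory=set)
    pending: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        # Connected systems may hold Owner as single-valued, so the displayed
        # owner must be one of the group's owners.
        if self.displayed_owner not in self.owners:
            raise ValueError("displayed owner must be one of the group's owners")

    def request_join(self, requester: str) -> str:
        if requester in self.members:
            return "already a member"
        if not self.requires_owner_approval:
            self.members.add(requester)
            return "joined"
        self.pending.add(requester)
        return "pending owner approval"

    def approve(self, approver: str, requester: str) -> bool:
        # Only an owner may approve, and only an outstanding request.
        if approver not in self.owners or requester not in self.pending:
            return False
        self.pending.discard(requester)
        self.members.add(requester)
        return True


def demo() -> None:
    finance = [("department", "Finance")]
    print("Finance Department members:", sorted(criteria_members(SAMPLE_USERS, finance)))
    print("Melissa's team:", sorted(team_members(SAMPLE_USERS, "Melissa Meyers")))
    moved = [with_department(u, "Finance") if u.display_name == "Terry Adams" else u
             for u in SAMPLE_USERS]
    print("after Terry moves to Finance:", membership_change(SAMPLE_USERS, moved, finance))


if __name__ == "__main__":
    demo()
```

The point of the model is the asymmetry between the two membership styles: nothing in the code ever adds a member to a criteria-based group directly, which is exactly why such groups stay correct as people change departments, whereas the manually managed group only changes through an owner's decision.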

Delete an SG

In this section, you delete the SG.

To delete the new SG

  1. On your computer, log on as an administrator.

  2. Start Internet Explorer.

  3. To go to the FIM Portal, in the address bar, type https://FabrikamDC1/Identitymanagement.

  4. To open the Security Groups page, on the Navigation Bar, select Security Groups (SGs).

  5. To display the available SGs, click the Search for button.

  6. To delete the SG, select the group called Finance Department, and then on the toolbar, click Delete.

  7. To submit the deletion, on the Delete Group(s) page, click Submit.