Time Based Application Access via Active Directory Groups using FIM 2010 R2

  • Question

  • Hello,

    In FIM 2010 R2, is there any way of achieving time-based application access?

    Scenario: A user is to be allowed to access an application for a certain duration only, let's say 1 month. The application is linked to an Active Directory group which has to be managed via FIM, and the user is to be kept as a member for the fixed duration only. If the user needs to have access for more time, the user can request an extension.

    Approach 1: Create one attribute ("ValidUpto", DateTime type) and bind it to the user object. Store the expiry date as a future date for the users who need to have access to the application. Then create one criteria-based / RBAC group with the desired criteria based on the "ValidUpto" attribute. As soon as the criteria no longer match for a user, that user is thrown out of the group, while the ones whose dates have been extended remain part of the group.

    The above approach is challenged by the client, who asks: if they need to do this for 100 applications, there would be a need to create 100 new attributes, which will increase the data load on the FIM server, as the present user count is approx. 50k (inactive) and 30k (active).

    Is there any other standard way of achieving this in FIM 2010 R2, i.e. can an attribute be created and bound to the request object rather than the user object, so that it can be used commonly for all applications? Or is the approach mentioned above standard in terms of industry best practice, such that it won't hamper the database or any other feature of FIM 2010 R2?


    Manuj Khurana

    Wednesday, January 4, 2017 6:39 AM

All replies

  • There are various ways to handle this, especially if you consider custom consulting solutions.  It seems to me what you're trying to build is already created in the form of the PAM component of MIM 2016, except you would want to deploy PAM within the same domain/forest.  Tracy Yu talks about deploying within the same domain/forest here.  All you would need to do is upgrade to MIM 2016, install the PAM component, and determine a way to pre-set new users with the initial month of time on your default groups -- this could be done via a PowerShell MA.  If upgrading to MIM is not an option, I'd suggest you follow the same model the PAM component uses.  There's not much to it: basically, instead of setting value(s) on the user, it places an expiration on the request.  When that request expires, say after 30 days, the PAM Component Service removes the user from the group.

    Hope that helps.


    Jeff Ingalls

    Wednesday, January 4, 2017 4:40 PM
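An added example, not code from this thread, from MIM or from its PAM component, that sketches the model described in the reply above in plain PowerShell: the expiry lives on a request record rather than on the user object, one record shape serves every application group (so no per-application attribute is needed), an extension rewrites the expiry without first removing the member, and a scheduled sweep plays the role the PAM Component Service plays by removing members whose request has expired. The store path, the record fields and the sample records are assumptions; the script needs the ActiveDirectory module and, without -Commit, only reports what it would change.

```powershell
# Added example (not from the thread, MIM or PAM): time-bound group membership
# modelled as request records with an expiry, plus an expiry sweep.
# Assumptions: store path, record schema and sample data below are hypothetical.
param(
    [string]$RequestStore = 'C:\FIM\TimeBoundAccess\requests.json',   # hypothetical path
    [int]$DefaultDays = 30,
    [switch]$Commit   # without -Commit, AD changes run with -WhatIf only
)

Import-Module ActiveDirectory -ErrorAction Stop

# Constructed sample records, used when the store file is absent. One record per
# approved request; the same shape serves every application group.
$sampleRequests = @(
    [pscustomobject]@{ RequestId='r-1001'; User='jdoe';   Group='APP-Finance-Users'; ExpiresUtc='2017-01-20T00:00:00Z' }
    [pscustomobject]@{ RequestId='r-1002'; User='asmith'; Group='APP-Finance-Users'; ExpiresUtc='2017-03-01T00:00:00Z' }
    [pscustomobject]@{ RequestId='r-1003'; User='jdoe';   Group='APP-HR-Portal';     ExpiresUtc='2017-02-15T00:00:00Z' }
)

function ConvertTo-UtcDateTime ([string]$Iso8601) {
    [datetime]::Parse($Iso8601, [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::AdjustToUniversal)
}

function Get-Requests {
    if (Test-Path $RequestStore) { return @(Get-Content -Raw $RequestStore | ConvertFrom-Json) }
    return $sampleRequests
}

function Save-Requests ([object[]]$Requests) {
    $dir = Split-Path $RequestStore -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $Requests | ConvertTo-Json -Depth 3 | Set-Content -Path $RequestStore -Encoding UTF8
}

# Grant access for $Days. If a record for this user/group already exists, the
# call is an extension: ExpiresUtc moves forward and the member is never removed
# first, so a user can request more time while still in the group.
function Grant-TimeBoundAccess ([string]$User, [string]$Group, [int]$Days = $DefaultDays) {
    $requests = @(Get-Requests)
    $now      = [datetime]::UtcNow
    $existing = @($requests | Where-Object { $_.User -eq $User -and $_.Group -eq $Group })
    if ($existing.Count -gt 0) {
        # Extend from the later of "now" and the current expiry, so an early
        # extension request never shortens the access already granted.
        $base = ConvertTo-UtcDateTime $existing[0].ExpiresUtc
        if ($base -lt $now) { $base = $now }
        $existing[0].ExpiresUtc = $base.AddDays($Days).ToString('o')
    } else {
        $requests += [pscustomobject]@{
            RequestId  = 'r-' + [guid]::NewGuid().ToString('N').Substring(0, 8)
            User       = $User
            Group      = $Group
            ExpiresUtc = $now.AddDays($Days).ToString('o')
        }
        Add-ADGroupMember -Identity $Group -Members $User -WhatIf:(-not $Commit)
    }
    Save-Requests $requests
}

# Records whose expiry has passed at $NowUtc (the clock is a parameter so the
# sweep can be tested against a fixed time).
function Get-ExpiredRequests ([object[]]$Requests, [datetime]$NowUtc) {
    $Requests | Where-Object { (ConvertTo-UtcDateTime $_.ExpiresUtc) -le $NowUtc }
}

# The sweep: remove expired members from their groups and drop the records.
# Run it from a scheduled task; it is idempotent, so re-running is safe.
function Invoke-ExpirySweep ([datetime]$NowUtc = [datetime]::UtcNow) {
    $requests = @(Get-Requests)
    $expired  = @(Get-ExpiredRequests $requests $NowUtc)
    foreach ($r in $expired) {
        Write-Host ("Expired {0}: removing {1} from {2}" -f $r.RequestId, $r.User, $r.Group)
        Remove-ADGroupMember -Identity $r.Group -Members $r.User -Confirm:$false -WhatIf:(-not $Commit)
    }
    if ($Commit -and $expired.Count -gt 0) {
        $expiredIds = @($expired | ForEach-Object { $_.RequestId })
        Save-Requests @($requests | Where-Object { $expiredIds -notcontains $_.RequestId })
    }
    return $expired
}

# Sample run against the constructed records with a fixed clock: only r-1001
# has expired, so jdoe is removed from APP-Finance-Users; the other two remain.
Invoke-ExpirySweep -NowUtc (ConvertTo-UtcDateTime '2017-02-01T00:00:00Z')
```

Because the expiry is keyed on the request, the same script serves one application or a hundred without touching the user schema; a FIM integration (for example a PowerShell MA that creates the records from approved requests) sits outside this sketch.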
  • Hey Jeff,

    Thanks for the information, but it still isn't clear from the response how to use the PAM component in FIM 2010 R2, as the client doesn't want to upgrade to MIM as of now. Is the request attribute method the industry-wide best solution, and can you elaborate more on the request attribute you're referring to? I did a dry run by making an attribute on the request, but it has various challenges like:

    1. The user wants to extend the duration of access.

    2. The user won't be able to raise a request until they have been thrown out of the group, as they are still a member of the group.

    Or is there any industry-wide standard solution available apart from upgrading to MIM?

    Manuj Khurana

    Thursday, January 5, 2017 6:47 AM
  • The industry-wide solution for time-based group management, from a Microsoft perspective, is PAM, available in MIM.  If your customer does not want to upgrade to MIM, then I would model the solution on how MIM PAM works, since that is exactly what it does: time-based group management.  It can handle a user extending access.  There is a sample PAM Web Portal that you can download and set up to see how an end-user could go to a web page and make such a request.


    Jeff Ingalls

    Thursday, January 5, 2017 5:26 PM
  • Thanks again Jeff,

    Which means we have to use the PAM solution. Is it also usable with FIM 2010 R2? If yes, can you share some useful links?

    Manuj Khurana

    Friday, January 6, 2017 6:14 AM
  • You don't have to use PAM.  You have the power of the .NET Framework when working with FIM and MIM, so it's a matter of time/money.  In my opinion, you ask the customer whether they are willing to invest time and money into a custom solution to solve the problem, or whether to invest the time and money into upgrading to a product (which provides future support, hotfixes and feature upgrades) that already has time-based group management.  If they are fully against an upgrade, then you can build your own custom solution that fits their needs, and I would model such a thing around what PAM does.

    Here's the MSFT document on PAM and the PAM FAQ that I try to keep up to date.  Note that PAM's goal is around reducing permanent membership of elevated groups via time-based end-user requests, which sounds exactly like what you are trying to accomplish.

    Hope that helps a little.


    Jeff Ingalls

    Friday, January 6, 2017 9:09 PM