Monday, July 27, 2009

Auditing with the FIM Query Tool

Brad Turner recently received a question from a blog reader:

"I am interested in knowing how can we track/audit which user did a certain change on a user/group account through the ILM portal. Have you written a previous post about this issue? Do you have any information that might help me?"

There are a few ways you could approach this challenge. First, you could find all requests on an object. Here's how you can do that with the FIM Query Tool:

  1. Run the FIM Query Tool and filter for "Request" object types.


  2. Select the following attributes to capture in your audit:
    • Created Time
    • Creator
    • Display Name
    • Operation
    • Request Parameters
    • Target

  3. Change the Reference Format to DisplayName, so that you're not just looking at GUIDs.


  4. Finally, use the following XPath filter:

    /Request[Target = /Person[DisplayName = 'Joe Zamora']]

    To translate this XPath loosely: we're looking for Request objects whose Target matches the following condition: a Person whose display name is "Joe Zamora". In a production scenario, you'd probably want to use the object's GUID to do the search (ObjectId = '12345678-ABCD-1234-ABCD-1234567890AB'), since display names are neither unique nor stable, but I use the display name here to make it more readable.



One nice feature of the FIM Query Tool is that, because the results are displayed in a data grid view, you can sort results without re-running the query. Just click on a column header to sort by that column.



One additional note on the results set: to see the details of the request, you'll want to pay attention to the RequestParameters attribute. This is where you'll find which attributes were updated and their new values. This is also where the FIM Query Tool falls a bit short. The attribute is stored in XML, and isn't formatted neatly for quick review. There's a good enhancement request!

Now, this query is pretty handy, but if the object has been updated many times, you may find yourself waiting longer than you'd bargained for to see the results of the audit. Brad suggested that we use the XPath historical query functions to narrow the results set down to a certain time window.

So, the second approach is to use the "betweenTime" XPath function to plug in the time window of interest. Try this in the FIM Query Tool with the rest of the settings remaining the same as above:

betweenTime(/Request[Target = /Person[DisplayName = 'Joe Zamora']], '2008-10-31', '2008-12-31')

Voila! Now you see all the users who made updates to the object during your desired time period. Brad also mentioned a few other XPath functions that he and David Lundell presented at TEC 2009:

  • allTime(filter) - Show me the objects that ever satisfied this filter

  • betweenTime(filter, begin datetime, end datetime) - Show me the objects that ever satisfied this filter during the time range specified

  • atTime(filter, datetime) - Show me the object that satisfied the filter at the specified date and time

David builds some good examples here:

Who were payroll admins at the precise moment of the theft?
atTime(/Person[ObjectID = /Group[DisplayName = 'Payroll Admins']/ComputedMember], '2009-02-01T00:00')

Who were the payroll admins in the merry merry month of May?
betweenTime(/Person[ObjectID = /Group[DisplayName = 'Payroll Admins']/ComputedMember], '2008-05-01T00:00', '2008-05-31T23:59:59')
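Pulling the pieces above together (the Request audit columns, the RequestParameters XML, and a betweenTime-style time window) as an added Python example; this is not code from the post or from the FIM Query Tool. The RequestParameter element names (PropertyName, Operation, Value) are assumed from FIM's UpdateRequestParameter format, and the Request rows are constructed.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

# Constructed sample rows shaped like the FIM Query Tool's Request output with the
# DisplayName reference format (Creator and Target already resolved to names).
XSI = 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
REQUESTS = [
    {"CreatedTime": "2008-11-03T14:02:11", "Creator": "Brad Turner", "Target": "Joe Zamora",
     "RequestParameters": [
         f'<RequestParameter {XSI} xsi:type="UpdateRequestParameter">'
         '<PropertyName>JobTitle</PropertyName><Value xsi:type="xsd:string">Consultant'
         '</Value><Operation>Replace</Operation><Mode>Modify</Mode></RequestParameter>']},
    {"CreatedTime": "2008-12-15T09:30:00", "Creator": "David Lundell", "Target": "Joe Zamora",
     "RequestParameters": [
         f'<RequestParameter {XSI} xsi:type="UpdateRequestParameter">'
         '<PropertyName>ProxyAddressCollection</PropertyName>'
         '<Value xsi:type="xsd:string">jzamora@example.com</Value>'
         '<Operation>Add</Operation><Mode>Modify</Mode></RequestParameter>']},
    {"CreatedTime": "2009-01-15T16:45:00", "Creator": "Brad Turner", "Target": "Joe Zamora",
     "RequestParameters": [
         f'<RequestParameter {XSI} xsi:type="UpdateRequestParameter">'
         '<PropertyName>JobTitle</PropertyName><Value xsi:type="xsd:string">Architect'
         '</Value><Operation>Replace</Operation><Mode>Modify</Mode></RequestParameter>']},
]

def parse_parameters(values):
    """Flatten each RequestParameters XML value into (attribute, operation, value).
    Element names (PropertyName, Operation, Value) are assumed from FIM's format."""
    changes = []
    for xml_text in values:
        node = ET.fromstring(xml_text)
        changes.append((node.findtext("PropertyName"), node.findtext("Operation"),
                        node.findtext("Value")))
    return changes

def audit_lines(requests, begin, end):
    """Like betweenTime(): keep requests created in [begin, end], one line per change."""
    low, high = datetime.fromisoformat(begin), datetime.fromisoformat(end)
    lines = []
    for req in sorted(requests, key=lambda r: r["CreatedTime"]):
        if not low <= datetime.fromisoformat(req["CreatedTime"]) <= high:
            continue
        for attribute, operation, value in parse_parameters(req["RequestParameters"]):
            lines.append(f"{req['CreatedTime']} {req['Creator']} {operation} "
                         f"{req['Target']}.{attribute} = {value!r}")
    return lines

print("\n".join(audit_lines(REQUESTS, "2008-10-31", "2008-12-31")))
```

Note that a date-only end such as '2008-12-31' means midnight at the start of that day, so a change made later on the 31st falls outside the window.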

Wednesday, July 22, 2009

Webinar: Geneva (aka WIF)

Ensynch will be co-presenting a webinar with Quest next week on the Geneva framework (now called Windows Identity Foundation).


When:
Wednesday, July 29, 2009

10:30 to 11:30 (PST)
12:30 to 1:30 (CST)
1:30 to 2:30 (EST)

Where:
Web/Online
Live Meeting Information
will be sent to attendees

Presenters:
David Lundell,
Identity Management
Practice Leader, Ensynch

Jonathan Sander
IAM and Security Analyst
Quest Software


Webinar: How Microsoft Geneva Streamlines Business

- Learn How to Reap the Benefits of True Web Single-Sign-On and Federation


Has your organization been forced to deploy one-off solutions to solve login or compliance problems with a newly deployed technology?

Are your employees tired of using multiple logins for all kinds of access needs?

Having trouble managing shared resources for users both inside and outside of your organization?

Using open platform identity management solution Microsoft Geneva, you can save money and make your business more efficient today, and also make it more easily scalable for the future.

I would like to invite you to our latest exclusive "no frills" webinar: "How Microsoft Geneva Streamlines Business," the 1st in a 4-part Identity Management Webinar Series from Ensynch's Identity Management Practice Leader and Microsoft Identity Management MVP, David Lundell, and Quest Software IAM and Security Analyst, Jonathan Sander.

This webinar is designed for business leaders, and will present business value propositions for the Microsoft Geneva framework. Whether identity management is a major concern for your organization or if you are simply curious about using Microsoft Geneva as an asset to help your business, this webinar is for you.

Webinar Agenda:
- Yikes! The business pain points of managing lots of identities

- High level discussion of Microsoft Geneva

- Business value of Geneva

- Gaps of the Geneva framework

- Possible solutions to the gaps

- ROI of Geneva versus other Single-Sign-On solutions

- Geneva and the Cloud

- Q & A

Stay Tuned for the other three parts of this webinar series:


A Technical Overview of the Microsoft Geneva Infrastructure
Thursday, August 20, 2009

Using the Microsoft Geneva Framework to Solve Your Federation Needs
Thursday, September 10, 2009

Accelerate Your Businesses for the Future with Microsoft Geneva and the Cloud
Thursday, October 1, 2009


Tuesday, June 30, 2009

What is SRS?

SRS is the (misused) abbreviation of SSRS ([Microsoft] SQL Server Reporting Services). Yes, that's right; an abbreviation of an acronym. Good grief, folks.

The reason for this short & sweet post is that I see SRS used all the time in certain circles. But if you Google it (or Bing it, whatever your preference), you'll find many other definitions before you come across this one (if you ever do, that is).

Another reason for this post is, of course, that I admittedly once went on a wild goose chase to figure out what someone was asking of me. :)

Sunday, June 7, 2009

Introducing the FIM Query Tool

I've had a bit of downtime recently, so I decided to make good on a statement that I made to my colleagues at lunch one day, "I should create an interface for querying the ILM2 web service." Well, I just polished off a first draft and published it to CodePlex. Please take it for a test drive, kick the tires, and leave me some feedback!

FIM Query Tool

As I mention on the CodePlex site, this tool is a Windows Forms front end to the ILM2 enumeration client. It's intended to be a one-stop shop for testing XPath filters on the ILM2 web service. And although it's called 'FIM Query Tool', it's currently written for the only available version of FIM, which is ILM2 RC0. Obviously, I'm expecting this tool to evolve with the technology.

Here's a first glance at the tool.



There are a few bells & whistles on this first draft. First, it populates the object & attribute lists when you first run it, but then it caches those lists so that subsequent sessions are faster. If you create a new object or attribute, you can always refresh the schema with the corresponding buttons.

Next, it uses the extensions formerly known as TEIMO (now called MS-WSTIM) to filter the attributes returned from the web service, so that you can cut down on the SOAP message size and save a bit of time on each query.

The tool displays the results in a table, and although it's not obvious in this first draft, you can use Ctrl-A, Ctrl-C to copy all the cells so that you can paste them into Excel. The tool also gives you the raw XML for your perusing pleasure, as well as some verbose messages on separate tabs.

Finally, you can choose to dereference GUIDs when displaying the output. This means that it will resolve GUIDs to their display names, but if you choose this option, you'll get a warning that performance may be poor.

Now let me mention the biggest limitation of the first draft: there's no filter builder to help you with the XPath syntax. Thus, you're sort of on your own when typing up the XPath filter that you'd like to test. I do give you the underlying attribute name when you skate your mouse over the attributes in the list. I hope this helps you out for now.

One quick note on the application settings. You can find all of the settings in the FIMQueryTool.exe.config file. For example, the enumeration endpoint is set to http://localhost:526/... If you have a different URL for your server/port, you'll have to update this in the config file. Note that I set the SOAP message size to the max (maxReceivedMessageSize="0x7fffffff"), but you may want to tweak other settings like WsEnumerationDefaultPull (batch size).

Oh! I forgot to mention that since this project is on CodePlex, you have access to the source code. Enjoy! Try not to blow anything up. :)

As I mentioned, please download it, try it out, and leave me feedback either through the Discussions section of the CodePlex project or on this blog.

Thursday, June 4, 2009

Create a set with all objects having a non-empty attribute (i.e. XPath filter for 'child exists')

Today I answered a question on the FIM forums, and I thought I'd publish it for reference.

Objective
How can we create a Set of objects for which a certain attribute is not blank (meaning that the attribute exists)? For example, how do we create a Set of all people who have a JobTitle assigned? The FilterBuilder won't let you build a condition like "Job Title is not" with a blank value.

Solution
The answer is that we have to edit the Set's XPath filter manually.

But first, a quick note on semantics. :) In FIM we talk about objects and their attributes, but 'attribute' is something different in XML (which is what XPath is operating on). So, the objective for our XPath query is to find all nodes whose child node (of a certain name) is not blank.

  1. We can begin by using the filter builder as a crutch. Create the following filter with the filter builder:

    Select people that match all of the following conditions:
    Job Title is not junk

    If you view membership, it will give you all people who don't have a job title; and the filter will be:

    /Person[not(JobTitle = 'junk')]

  2. Finish & submit the Set creation.

  3. Go back and edit the Set; Click on Advanced View, and change the filter manually to:

    /Person[JobTitle != 'junk']

  4. Finish and submit the changes.

Now, if you do an XPath query for /Set[DisplayName = 'Those with job title']/ComputedMember, you'll see all people who do have a job title (provided you don't actually have a job title named 'junk').

Monday, May 4, 2009

Webinar recording & slides posted

We've posted the video recording of my April webinar, and you can also download the presentation in PDF format.

Ensynch IDA Resources

Note that I've corrected myself since the webinar. The Enumerate Resources activity does indeed work; there's just a trick to making it work. Please find that trick in my previous post.

Thursday, April 30, 2009

Henrik Nilsson's RegexReplaceActivity

Henrik just made a great post about his RegexReplaceActivity. In it, he shows you how to capture the power of regular expressions (pun intended :).

While you're developing and tuning your regular expressions, it's handy to have a quick way to test them. I'd like to point you to a phenomenal online resource for testing regex patterns:

http://gskinner.com/RegExr/

If you paste Henrik's sample regex pattern into the site, and then type a date into the text box, it'll highlight the pattern that's matched. Then, if you hold your mouse over the highlighted pattern, it'll show you the groups that are captured. Instant gratification!