FTE Owner Requirement Activity is custom workflow activity designed for use with Microsoft Forefront Identity Manager 2010.
The goal is the activity is to prevent any non-Full-Time-Employee user (Contractor, Vendor, etc. ) from creating a group that he or she solely owns. By asking non-FTEs to add a Full Time Employee co-worker as a co-owner to the group he or she create/modifies we are decreasing odds of a group becoming an "orphan" (without an owner) and therefore maintaining tighter Lifecycle Management of group objects created by end-users. The assumption is that FTE works are less "transient" than non-FTEs and more likely to remain within an organization and therefore remain an owner of the new-created or updated group.


In Download section of this site you can choose to download the MSI package that will install on an FIM 2010 Web-Portal system.
Installer will ensure that appropriate libraries are placed in the portal directory and registered in Global Assembly Cash of Web Portal host. It will also restart your FIM service


After successful installation of the FTE Owner Requirement Activity you will need to configure your Forefront Identity Manager 2010 Web-Portal to consume this activity.

Creating Activity Information Configuration

Note By default Administrators do not have rights to manipulate 'Activity Information Configuration' object. Ensure that you have created an MPR within FIM to provide an installer such right(s)
  • On the front page of the FIM portal click "Administration" link
  • Click "All Resource" link
  • Click "Activity Information Configuration" link
  • Click "New" button/icon
    • Description: Insures that an object of specified type have at least one "owner" listed as a "Full Time Employee"
    • Display Name: MSIT: FTE Owner Requirement Validation
  • Click "Next" button
    • Activity Name: Microsoft.Msit.ActivityLibrary.FteOwnerRequirement
    • Assembly Name: Microsoft.Msit.ActivityLibrary.FteOwnerRequirement, Version=, Culture=neutral, PublicKeyToken=a8b1a8493861fc95, Custom=null
    • Is Authorization Activity: True
    • Type Name: Microsoft.Msit.ActivityLibrary.FteOwnerRequirementUI
  • Click "Finish" button
  • Click "Submit' button
  • Perform IISRESET operation on the portal's IIs server to ensure that newly created object is visible and accessible in UI
Properly installed Activity Information Configuration object will be displayed as one of the available activities in FIM Portal UI during Workflow setup described below. If UI is not reflecting Alias Management Activity, above described installation failed

Creating Authorization Workflow

  • Under "Management Policy Rules" click "Workflows" link
  • Click "New" icon/button
  • In "Create Workflow" window:
    • Workflow Name: MSIT: FTE Owner Requirement
    • Description: Verifies whether group owner list contains at least one FTE
    • Workflow Type: Authorization
  • Click "Next" button
    • In "Add Activity" block select: "MSIT: FTE Owner Requirement Validation"
    • Click "Select" button
  • Click "Save" button
  • Click "Finish" button
  • Click "Submit" button

Creating Management Policy Rules

  • Click "Management Policy Rules" link
  • Click "New" button/icon
    • Display Name: MSIT: FTE Owner Requirement
    • Description: Captures creation and modification of group's owner set and insures that at least one FTE is listed in the list of group owners
  • Type: Request
  • Click "Next" button
    • Specific Set of Requestors: All People Except Build-in Sync Engine
    • Click "Validate and Resolve" button of "Requestors" box
    • Operations:
  • Create Resource
  • Add a value to a multivalued attribute
  • Remove a value from a multivalued attribute
  • Click "Next" button
    • Target Resource Definition Before Request: All Groups
    • Click "Validate and Resolve" button of " Target Resource … before" box
    • Target Resource Definition After Request: All Groups
    • Click "Validate and Resolve" button of " Target Resource … after" box
    • Select Specific Attributes: Owner
    • Click "Validate and Resolve" button of " Select Specific Attributes " box
  • Click "Next"
    • Under "Authorization Workflows" select "MSIT: FTE Owner Requirement"
  • Click "Finish"
  • Click "Submit"


FTE Owner Requirement Activity contains build-in tracing capabilities. Tracing is designed for troubleshooting purposes and should not be enabled by default, since overtime it will create large log file which could consume considerable amount of disk space.
Tracing can be enabled by modifying Microsoft.ResourceManagement.Service.exe.config file located in "Service" folder of the FIM portal


Modify <sources> node of the document by adding following node as it's child node:
<source name="FteOwnerRequirementSource" switchName="sourceSwitch" switchType="System.Diagnostics.SourceSwitch">
<add type="System.Diagnostics.ConsoleTraceListener" name="FteOwnerRequirement" >
<filter type="System.Diagnostics.EventTypeFilter" initializeData="Verbose"/>
<add name="ExceptionEventFteOwnerRequirementLogListener"/>


Modify <switches> node by adding follwing node as a child node
<add name="sourceSwitch" value="Verbose"/>

Shared Switches

Modify <sharedListeners> node by adding following node as a child node:
<add name="ExceptionEventFteOwnerRequirementLogListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="C:\Temp\ExceptionEventFteOwnerRequirementLogListener.log">
<filter type="System.Diagnostics.EventTypeFilter" initializeData="Verbose"/>
Attention: Insure that initializeData attribute is pointing to an existing directory of the file system
  • Restart FIMPortal service for this change to take effect

Last edited Apr 20, 2010 at 12:06 AM by kdmitry, version 2


No comments yet.