FIM 2010 & MIM 2016: Planning security setup for accounts, groups and services - Appendix B (Compact Check List)

Return to Table of Contents of the article series 

Appendix B: Documentation - Compact Check list

Pre-installation: Backend configuration

SPN

| Done | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|------|------------|-----|--------------|-------------------|----------------|
| [ ] | HIGH | D | SPN | SQL Database Account | <domain>\<account> |
| [ ] | HIGH | D | SPN | FIM Service Account | <domain>\<account> |
| [ ] | HIGH | D | SPN | SharePoint Service Account | <domain>\<account> |
| [ ] | HIGH | D | SPN | Password Registration Server Account | <domain>\<account> |
| [ ] | HIGH | D | SPN | Password Reset Server Account | <domain>\<account> |
| [ ] | HIGH | D | SPN | FIM CM Web Pool Agent Account | |

Kerberos Constrained delegation

| Done | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|------|------------|-----|--------------|-------------------|----------------|
| [ ] | HIGH | D | msDS-AllowedToDelegateTo FIMService/<FIM Service Server> | FIM Service Account | <domain>\<account> |
| [ ] | HIGH | D | msDS-AllowedToDelegateTo FIMService/<FIM Service Server> | SharePoint Service Account | <domain>\<account> |
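As an added verification step that is not part of the original checklist, the PowerShell below reads back the SPN and msDS-AllowedToDelegateTo settings for the accounts in the two tables above and reports anything missing or in excess. The account names, the FIM Service server name and the SPN strings other than FIMService/<server> are placeholders to replace with your own values.

```powershell
# Added check, not from the original article. Requires the ActiveDirectory module
# (RSAT) and read access to the service accounts. All names are placeholders.
Import-Module ActiveDirectory

$fimServiceServer = 'fimsvc01.corp.example'          # placeholder: FIM Service server FQDN
$fimServiceSpn    = "FIMService/$fimServiceServer"

# Expected per-account state taken from the SPN and constrained delegation tables:
# every account needs its SPN; only the FIM Service and SharePoint service accounts
# may hold msDS-AllowedToDelegateTo, and it must point at FIMService/<server> only.
$expected = @(
    @{ Sam = 'svc-fimservice'; Spn = @($fimServiceSpn);                    DelegateTo = @($fimServiceSpn) }
    @{ Sam = 'svc-sharepoint'; Spn = @('HTTP/fimportal.corp.example');      DelegateTo = @($fimServiceSpn) }
    @{ Sam = 'svc-sql';        Spn = @('MSSQLSvc/sql01.corp.example:1433'); DelegateTo = @() }
    @{ Sam = 'svc-sspr-reg';   Spn = @('HTTP/register.corp.example');       DelegateTo = @() }
    @{ Sam = 'svc-sspr-reset'; Spn = @('HTTP/reset.corp.example');          DelegateTo = @() }
)

function Test-FimKerberosSetup {
    param([hashtable]$Item)
    $acct  = Get-ADUser -Identity $Item.Sam -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation
    $spns  = @($acct.servicePrincipalName)
    $deleg = @($acct.'msDS-AllowedToDelegateTo')
    [pscustomobject]@{
        Account        = $Item.Sam
        MissingSpn     = @($Item.Spn        | Where-Object { $spns  -notcontains $_ }) -join ';'
        MissingDelegTo = @($Item.DelegateTo | Where-Object { $deleg -notcontains $_ }) -join ';'
        ExtraDelegTo   = @($deleg | Where-Object { $Item.DelegateTo -notcontains $_ }) -join ';'
        # Unconstrained delegation must stay off: the checklist calls for constrained delegation only.
        Unconstrained  = [bool]$acct.TrustedForDelegation
    }
}

# A duplicate SPN silently breaks Kerberos for both owners, so also search the whole domain.
function Find-DuplicateSpn {
    param([string[]]$Spn)
    foreach ($s in $Spn) {
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$s)")
        if ($owners.Count -gt 1) { [pscustomobject]@{ Spn = $s; Owners = ($owners.Name -join ', ') } }
    }
}

$expected | ForEach-Object { Test-FimKerberosSetup -Item $_ } | Format-Table -AutoSize
Find-DuplicateSpn -Spn ($expected | ForEach-Object { $_.Spn }) | Format-Table -AutoSize
```

Every row should show empty MissingSpn, MissingDelegTo and ExtraDelegTo columns and Unconstrained set to False before the installation proceeds.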

Pre-installation: Account creation

Back End

SQL
| Done | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|------|------------|-----|--------------|-------------------|----------------|
| [ ] | HIGH | D | Service | SQL Server Database Engine account | <domain>\<account> |
| [ ] | HIGH | D | Service | SQL Server Agent service* account | <domain>\<account> |
| [ ] | HIGH | D | Service | SQL Server Analysis Services account | <domain>\<account> |
| [ ] | HIGH | D | Service | SQL Server Reporting Services account | <domain>\<account> |
| [ ] | HIGH | D | Service | SQL Server Browser account | <domain>\<account> |


SharePoint
| Done | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|------|------------|-----|--------------|-------------------|----------------|
| [ ] | HIGH | D | Functional | SharePoint Setup administrator account* | <domain>\<account> |
| [ ] | HIGH | D | Functional | Farm service account | <domain>\<account> |
| [ ] | LOW | D | Functional | Search service account | <domain>\<account> |
| [ ] | LOW | D | Functional | Search content access account | <domain>\<account> |
| [ ] | LOW | D | Functional | SharePoint Application pool account | <domain>\<account> |

All FIM Platforms

| Done | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|------|------------|-----|--------------|-------------------|----------------|
| [ ] | HIGH | D | Functional | FIM setup administrator account* | <domain>\<account> |

FIM Synchronization

| Done | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|------|------------|-----|--------------|-------------------|----------------|
| [ ] | HIGH | D | Service | FIM Sync service | <domain>\<account> |
| [ ] | HIGH | D | Security Group | FIMSyncAdmins | <domain>\<account> |
| [ ] | HIGH | D | Security Group | FIMSyncOperators | <domain>\<account> |
| [ ] | HIGH | D | Security Group | FIMSyncJoiners | <domain>\<account> |
| [ ] | HIGH | D | Security Group | FIMSyncBrowse | <domain>\<account> |
| [ ] | HIGH | D | Security Group | FIMSyncPasswordSet | <domain>\<account> |
| [ ] | HIGH | D | Technical | FIM Task Scheduler | <domain>\<account> |

FIM Sync MAs

| Done | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|------|------------|-----|--------------|-------------------|----------------|
| [ ] | HIGH | D | Technical | ADMA Account | <domain>\<account> |
| | See below | D | Technical | FIMMA Account | |
| [ ] | HIGH | D | Technical | SQL MA Account | <domain>\<account> |
| [ ] | HIGH | D | Technical | Other MAs: 1 account per type of MA and, by preference, 1 account per MA | <domain>\<account> |

FIM Service

| Done | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|------|------------|-----|--------------|-------------------|----------------|
| [ ] | HIGH | D | Service | FIM Service | <domain>\<account> |
| [ ] | HIGH | D | Technical | FIMMA Account | <domain>\<account> |
| [ ] | HIGH | D | Functional | Backup Portal Administrator | <domain>\<account> |

FIM Portal

| Done | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|------|------------|-----|--------------|-------------------|----------------|
| [ ] | MEDIUM | D | Functional | Backup Portal Administrator | <domain>\<account> |
| [ ] | HIGH | D | Functional | FIM Portal - Application Pool Account | <domain>\<account> |

FIM SSPR Registration Portal

| Done | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|------|------------|-----|--------------|-------------------|----------------|
| [ ] | HIGH | D | Functional | FIM SSPR Registration Portal - Application Pool Account | <domain>\<account> |

FIM SSPR Reset Portal

| Done | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|------|------------|-----|--------------|-------------------|----------------|
| [ ] | HIGH | D | Functional | FIM SSPR Reset Portal - Application Pool Account | <domain>\<account> |

FIM CM

| Done | Importance | LOC | Account Type | Account Reference | Name (to fill) |
|------|------------|-----|--------------|-------------------|----------------|
| [ ] | HIGH | D | Functional | FIM CM Agent | <domain>\<account> |
| [ ] | HIGH | D | Functional | FIM CM Authorization Agent | |
| [ ] | HIGH | D | Functional | FIM CM CA Manager Agent | |
| [ ] | HIGH | D | Functional | FIM CM Enrollment Agent | |
| [ ] | HIGH | D | Functional | FIM CM Key Recovery Agent | |
| [ ] | HIGH | D | Functional | FIM CM Web Pool Agent | |

Pre-installation: Account lock down

General

| Done | Importance | LOC | Account Type | Account Reference | Procedure |
|------|------------|-----|--------------|-------------------|-----------|
| [ ] | HIGH | D | Functional | FIM Installer account | Just before installation[1]: grant local admin rights |

FIM Sync

| Done | Action |
|------|--------|
| [ ] | Account creation |
| [ ] | Account configuration |

| Done | Importance | LOC | Account Type | Account Reference | Procedure |
|------|------------|-----|--------------|-------------------|-----------|
| [ ] | HIGH | D | Functional | FIM ADMA | Grant the Replicating Directory Changes permission |
| [ ] | HIGH | D | Functional | FIM ADMA | Lock down the account to the minimum required permissions on the minimum required containers |
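As an added check that is not part of the original checklist, the PowerShell below reads the ACL of the domain naming context and reports whether the FIM ADMA account holds the Replicating Directory Changes extended right and nothing beyond it. The account name is a placeholder, and rights inherited through group membership are not resolved.

```powershell
# Added check, not from the original article. Requires the ActiveDirectory module.
# Reads the ACL of the domain naming context and lists which replication rights the
# ADMA account holds directly (rights granted via group membership are not resolved).
Import-Module ActiveDirectory

$admaSam   = 'svc-fimadma'                       # placeholder: FIM ADMA account
$domain    = Get-ADDomain
$ntAccount = "$($domain.NetBIOSName)\$admaSam"

# Well-known extended-right GUIDs on the domain object.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'      # what the ADMA needs
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'  # not needed: covers secret attributes
}

function Get-AdmaReplicationRights {
    param([string]$Identity, [string]$DomainDn)
    $acl = Get-Acl -Path "AD:\$DomainDn"
    $acl.Access |
        Where-Object {
            $_.IdentityReference.Value -eq $Identity -and
            $_.AccessControlType -eq 'Allow' -and
            $replRights.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object { $replRights[$_.ObjectType.ToString()] }
}

$held    = @(Get-AdmaReplicationRights -Identity $ntAccount -DomainDn $domain.DistinguishedName)
$missing = @('Replicating Directory Changes') | Where-Object { $held -notcontains $_ }
$excess  = $held | Where-Object { $_ -ne 'Replicating Directory Changes' }

"Held rights   : $($held -join '; ')"
"Missing       : $($missing -join '; ')"
"Beyond minimum: $($excess -join '; ')"    # should be empty for a locked-down ADMA account
```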

Post-Installation

Account Assignment

FIM Service & FIM Portal

| Done | Account Type | Account Reference | Name (to fill) |
|------|--------------|-------------------|----------------|
| [ ] | Functional account | Add Backup Portal Administrator account to Administrators set | |

FIM Sync

| Done | Account Type | Account Reference | Name (to fill) |
|------|--------------|-------------------|----------------|
| [ ] | Personal account | Add FIM Administrator account to FIMSyncAdmins group | |

Hotfix installation

Account Assignment

All FIM platforms

| Done | Account Type | Account Reference | Name (to fill) |
|------|--------------|-------------------|----------------|
| [ ] | Functional account | Add FIM Setup account to: SQL SA; local server admin (via AD) | |


FIM Service & FIM Portal

| Done | Account Type | Account Reference | Name (to fill) |
|------|--------------|-------------------|----------------|
| [ ] | Functional account | Add Backup Portal Administrator account to Administrators set | |

FIM Sync

| Done | Account Type | Account Reference | Name (to fill) |
|------|--------------|-------------------|----------------|
| [ ] | Personal account | Add FIM Administrator account to FIMSyncAdmins group | |


[1] This applies both to a fresh installation of a FIM component and to the implementation of a hotfix or service pack. Only during the implementation of a service pack does the account that runs the installation need the elevated rights: only DURING installation, not before and not after.
