How to implement SoD?
Hi all,
I need to implement Segregation of Duties on FIM 2010.
The segregation would be carried by the RBAC model: so for each user's role, there would be a set of roles that could not be given to the concerned user, and others that could be.
Do you have any idea how to implement this?
Many thanks!
July 20th, 2011 5:22am
There's nothing available out-of-the-box for complex RBAC scenarios, but you can refer to this for a simple implementation:
http://social.technet.microsoft.com/wiki/contents/articles/enterprise-roles-in-microsoft-forefront-identity-manager-2010-fim.aspx
For the RBAC system, I'm using Sets as roles and extending the Set schema object with a "permissions" attribute; in permissions I store group references.
Then I have a custom workflow activity that runs on that Set/role to add the user to the attached permissions/groups.
It's never too late in life ... to start living
July 20th, 2011 5:54am
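Added example, not from the thread and not FIM code: a plain-Python model of the approach sketched above, with roles modelled like Sets carrying a "permissions" attribute of group references, plus the mutual-exclusion rule the question asks for. The role names, group DNs and conflict pairs are constructed for illustration. It goes slightly beyond the post in two ways: the grant check is preventive (refuse a role that would clash with one already held), and a separate audit pass is the detective control you also need for assignments that pre-date the rule.

```python
"""Segregation-of-duties checks over a Set-as-role model.

Added example, not code from the thread or from FIM. Roles map to the group
references a workflow would add the user to; SOD_CONFLICTS lists unordered
pairs of roles that must not be held together. All data is constructed.
"""
from itertools import combinations

# Constructed role model: role -> group references (the "permissions" attribute).
ROLES = {
    "AP-Clerk":     {"CN=AP-Invoice-Entry,OU=Groups,DC=example,DC=com"},
    "AP-Approver":  {"CN=AP-Invoice-Approve,OU=Groups,DC=example,DC=com"},
    "Vendor-Admin": {"CN=Vendor-Master-Edit,OU=Groups,DC=example,DC=com"},
    "Helpdesk":     {"CN=Helpdesk-Tier1,OU=Groups,DC=example,DC=com"},
}

# Constructed SoD matrix: frozensets make each rule symmetric by construction.
SOD_CONFLICTS = {
    frozenset({"AP-Clerk", "AP-Approver"}),      # enter and approve the same invoice
    frozenset({"Vendor-Admin", "AP-Approver"}),  # create a vendor and approve payment to it
}


def validate_model(roles, conflicts):
    """Reject conflict entries that are not pairs or that reference unknown roles."""
    for pair in conflicts:
        if len(pair) != 2:
            raise ValueError(f"conflict entry must be a pair: {set(pair)}")
        unknown = pair - set(roles)
        if unknown:
            raise ValueError(f"conflict references unknown role(s): {unknown}")
    return True


def conflicting_roles(held, candidate, conflicts):
    """Return the roles in `held` that may not be combined with `candidate`."""
    return sorted(r for r in held if frozenset({r, candidate}) in conflicts)


def grant_role(assignments, user, role, roles, conflicts):
    """Preventive control: refuse a grant that would create a toxic combination.

    On success the role is recorded and the group references the workflow
    would add the user to are returned.
    """
    if role not in roles:
        raise KeyError(f"unknown role {role}")
    held = assignments.get(user, set())
    clash = conflicting_roles(held, role, conflicts)
    if clash:
        raise PermissionError(f"{user}: {role} conflicts with {clash}")
    assignments.setdefault(user, set()).add(role)
    return set(roles[role])


def effective_groups(assignments, user, roles):
    """Union of the group references of every role the user holds."""
    return set().union(*(roles[r] for r in assignments.get(user, set())))


def audit_violations(assignments, conflicts):
    """Detective control: list (user, role_a, role_b) for existing toxic combinations."""
    violations = []
    for user, held in sorted(assignments.items()):
        for a, b in combinations(sorted(held), 2):
            if frozenset({a, b}) in conflicts:
                violations.append((user, a, b))
    return violations


if __name__ == "__main__":
    validate_model(ROLES, SOD_CONFLICTS)
    # bob's assignment pre-dates the rule, so only the audit will catch it.
    assignments = {"alice": set(), "bob": {"AP-Clerk", "AP-Approver"}}
    print(grant_role(assignments, "alice", "AP-Clerk", ROLES, SOD_CONFLICTS))
    try:
        grant_role(assignments, "alice", "AP-Approver", ROLES, SOD_CONFLICTS)
    except PermissionError as err:
        print("refused:", err)
    print(grant_role(assignments, "alice", "Helpdesk", ROLES, SOD_CONFLICTS))
    print(effective_groups(assignments, "alice", ROLES))
    print(audit_violations(assignments, SOD_CONFLICTS))
```

The same split applies however the rules are stored in FIM: the grant-time check belongs in whatever adds a user to the role (the custom workflow activity in the post above), and the audit pass has to run over existing membership as well, because a rule added later does not retroactively remove anyone.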
The Omada Role Manager for FIM 2010 supports advanced RBAC functionality, including Segregation of Duties.
Have a look at http://www.omada.net/.
Regards, Thomas Boel Sigurdsson - Omada - http://omada.net
July 27th, 2011 12:57pm
Jan Macherzyski from Microsoft did a presentation on this (at TechEd 2009, I think) showing how you could do this with a few custom workflows; can't seem to find the presentation anywhere though, but as I remember it, it was a fairly simple approach.
Regards, Soren Granfeldt
http://granfeldt.blogspot.com
August 20th, 2011 9:02am