View a PAM User's Roles with Advanced Search Scope Configuration

First published on MSDN on Dec 05, 2018
During a recent MIM PAM deployment, I was asked if it would be possible to create a page in the portal to display a user's roles in PAM. Out of the box, MIM does not provide such a view for an administrator. The only view that comes close is the “My PAM Roles” page and it is only viewable by the specific user.
Additionally, the PAM cmdlets don't provide an efficient means of calculating the mappings of a user to the assigned roles. It would require a nifty PowerShell function utilizing the Get-PAMRole and Get-PAMUser functions, which is not in the scope of this post.
To successfully implement the ask, I added a new search scope utilizing the Advanced Filter attribute. The Advanced Filter attribute becomes available to modify once a search scope object has been created. The attribute allows you to define the XPath query that the search scope runs. For more information about the Advanced Filter and how you can design your own, head over to the Microsoft Docs post.

Create New Search Scope

Let's go ahead and create a new search scope. As a warning, implement this in a LAB environment and verify that all functionality works as expected while not breaking any existing configuration. Do your due diligence ensuring your FIMService database is backed up prior to making changes in your environments.
First, navigate to Administration -> Search Scopes.
Next, fill in the required values on the General tab. The usage keywords define where the scope will be present. Change the Order value to what you prefer. If you leave the value as 1, then this search scope will be shown first ahead of the default PAM Roles scope. The MIM version in my lab is and the default All PAM Roles search scope has order value 400. To keep this scope first, set your value to a number greater than 400.
Set the Attribute Searched value to msidmPamCandidates which represents all candidates of a role.
Set the Search Scope Filter to msidmPamRole because our desired results will be the PAM roles.
Lastly, set the Resource Type as msidmPamRole because that object type will represent our search results.
Finish creating the object by submitting the changes.

Configure the Advanced Filter

Now that the search scope has been created, let's go back into the Extended Attributes tab of the object. A relevant snippet from the Advanced Filter document linked earlier outlines how we can use the value typed into and submitted from the search box:
Although not listed in the document, I extrapolated the formatting of the token to cover string values.
The Advanced Filter added is the following:
/msidmPamRole[msidmPamCandidates= /Person[AccountName='%SEARCH_TERM_STRING%']/ObjectID]
This filter requires the searched value be the user's account name. For the most appropriate results, you want to search an attribute that would hold a unique value to that user. That is why this filter uses the account name and specifically checks that the search value is equal to the account name and not starts-with or contains.
After submitting the updates to the Search Scope object, restart IIS.

Verify New Search Functionality

The search scope will appear in the Search within: drop-down on the PAM Roles page. Submitting a search with an account name yields all the PAM roles for which that user is a candidate.
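To make the filter's behaviour concrete, here is an added example (not code from the original post or from MIM) that models the search scope in plain Python: it substitutes the %SEARCH_TERM_STRING% token into the filter shown above, resolves the Person by AccountName, and returns every msidmPamRole whose msidmPamCandidates contains that Person's ObjectID. The Person and PamRole classes, the sample data and the quote check are constructed assumptions; it also evaluates a starts-with variant to show why the post insists on an equality match.

```python
from dataclasses import dataclass

# The Advanced Filter from the post, with the token MIM replaces at search time.
FILTER_TEMPLATE = (
    "/msidmPamRole[msidmPamCandidates= "
    "/Person[AccountName='%SEARCH_TERM_STRING%']/ObjectID]"
)


@dataclass
class Person:           # constructed stand-in for a MIM Person object
    object_id: str
    account_name: str


@dataclass
class PamRole:          # constructed stand-in for an msidmPamRole object
    display_name: str
    candidates: list    # ObjectIDs held in msidmPamCandidates


def is_literal_safe(term: str) -> bool:
    """The token sits inside a single-quoted XPath literal, so a term containing
    a quote would change the filter's meaning; refuse it (defensive assumption)."""
    return "'" not in term


def render_filter(term: str) -> str:
    """Substitute the search-box value into the template the way MIM does."""
    if not is_literal_safe(term):
        raise ValueError("search term cannot contain a single quote")
    return FILTER_TEMPLATE.replace("%SEARCH_TERM_STRING%", term)


def roles_for_account(term, persons, roles, match="equals"):
    """Evaluate the filter: Person lookup first, then roles listing its ObjectID.
    match='starts-with' reproduces the over-matching the post warns about."""
    if match == "equals":
        hits = [p for p in persons if p.account_name == term]
    else:
        hits = [p for p in persons if p.account_name.startswith(term)]
    ids = {p.object_id for p in hits}
    return sorted(r.display_name for r in roles if ids & set(r.candidates))


# Constructed sample directory: note jdoe and jdoe2 share a prefix.
PERSONS = [Person("11", "jdoe"), Person("22", "jdoe2"), Person("33", "asmith")]
ROLES = [
    PamRole("SQL Admins", ["11", "33"]),
    PamRole("Domain Admins", ["22"]),
    PamRole("Backup Operators", ["11"]),
]
```

Running roles_for_account("jdoe", PERSONS, ROLES) returns only jdoe's roles, while the starts-with variant also pulls in jdoe2's Domain Admins membership.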


This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.