Our Metaverse should be the defining store of digital identities along with the best quality data we can gather about them. And ideally each person in our environment should only be represented once in the Metaverse.
Author: Carol
Having a play with Craig Martin’s FIM PowerShell Activity
I’ve been wanting to explore the possibilities of Craig Martin’s FIM PowerShell Workflow Activity for a while, and now my lab is out of its TechEd bubble-wrap I can get back to play. In this post are a couple of extra steps I had to take to get it working on R2. I’ll post sample scripts…
FIM Best Practice: Don’t create new object types for the same basic ‘thing’
It is almost always a bad idea to create extra object types for the same basic “thing”. An object type should encompass all the possible states an identity can transition to. A person can never become a group, but they can definitely be staff, contractor or student (sometimes all at the same time) so a…
FIM Best Practice: Do Data Cleanup
When integrating an existing directory or application into an IAM system, a period of data cleanup should be expected, assumed, embraced! There’s no getting away from it – the Sync Service runs best when everything is properly joined, and when expected attributes are consistently filled in.
FIM Best Practice: Use the best Data Sources
FIM is all about data. It’s identity data, sure – but it’s still just data. And it needs to come from somewhere. Typically we will have multiple sources of data coming into FIM, but as with everything, there are good and bad ways to manage this.
FIM Best Practice: Develop new processes that support automation
It should be fairly obvious, but an automated system won’t perform a task the same way a person can. The automated system will be fast and consistent, but the person will be able to use their judgement and provide flexibility where needed. So automation means compromise and change, and it’s best when everyone can accept…
FIM Best Practice: Understand FIM’s state-based nature
The single most important concept about FIM to understand, and to make sure that others involved in the project also understand, is that it is state-based. What this means is that we only care about the current state of the data, and the future state of the data, after we’ve applied our rules. Most importantly,…
FIM Best Practice: Phase It
You can’t buy a fully functional IAM system off the shelf, install it into your environment with minimal configuration, and expect it to do something. IAM is intricately bound with your specific systems, business rules and priorities. The best IAM solution is “grown” within the organisation, and growing takes time.
FIM Best Practice: Understand the Environment
With IAM projects you need great site knowledge and you need great product knowledge. As the consultant I bring the product knowledge, but I’m completely dependent on the customer to supply the site knowledge. This doesn’t always go as easily as it sounds. The customer’s assumptions and misunderstandings about FIM may lead them to leaving…
FIM Best Practice: Get Detailed Requirements
In any IT project we start with a requirements list. With IAM it can be hard to define just what a single “requirement” is – when a person creates an account, or adds a member to a group they think of that as “one action”. However when automating you need to break the action down…