Adventures in identity management
It is almost always a bad idea to create extra objects types for the same basic “thing”. An object type should encompass all the possible states an identity can transition to. A person can never become a group, but they can definitely be staff, contractor or student (sometimes all at the same time) so a…
When integrating an existing directory or application into an IAM system a period of data cleanup should be expected, assumed, embraced! There’s no getting away from it – the Sync Service runs best when everything is properly joined, and when expected attributes are consistently filled in.
FIM is all about data. It’s identity data, sure – but it’s still just data. And it needs to come from somewhere. Typically we will have multiple sources of data coming into FIM, but as with everything, there are good and bad ways to manage this.
It should be fairly obvious, but an automated system won’t perform a task the same way a person can. The automated system will be fast and consistent, but the person will be able to use their judgement and provide flexibility where needed. So automation means compromise and change, and it’s best when everyone can accept…
The single most important concept about FIM to understand, and to make sure that others involved in the project also understand, is that it is state-based. What this means is that we only care about the current state of the data, and the future state of the data, after we’ve applied our rules. Most importantly,…
You can’t buy a fully functional IAM system off the shelf, install it into your environment with minimal configuration, and expect it to do something. IAM is intricately bound with your specific systems, business rules and priorities. The best IAM solution is “grown” within the organisation, and growing takes time.
With IAM projects you need great site knowledge and you need great product knowledge. As the consultant I bring the product knowledge, but I’m completely dependent on the customer to supply the site knowledge. This doesn’t always go as easily as it sounds. The customer’s assumptions and misunderstandings about FIM may lead them to leaving…
In any IT project we start with a requirements list. With IAM it can be hard to define just what a single “requirement” is – when a person creates an account, or adds a member to a group they think of that as “one action”. However when automating you need to break the action down…
In organisations with no established practise of IAM, introducing it can be an uphill battle. Attempts to introduce IAM for its own sake are often not successful – you need something else driving the project, something high profile with fixed deadlines and high-level sponsorship within the organisation.
I upgraded a Dev server to R2 today. It seems to have gone ok though I have yet to test all the components. Here’s some quick observations: