For anything above the simplest GALSync deployment, and particularly if you have the FIM Portal, you must have development and test environments. There are always a number of different ways you can approach each problem, and you need a suitably representative Dev environment to try them all out. Meanwhile Test should be as close to…
Category: ILM
FIM Best Practice: Present data to the Sync Service in a sync-ready format
The Sync Service is good at maintaining connections between objects, and synchronising data between them. What it has never been so good at is constructing data from complex rules and lookups, so as much as possible, do the complex processing outside the Sync Service and present the data in a way that it can use…
FIM Best Practice: Recall attributes on disconnection
There’s a box you can tick on the Deprovisioning Options page in your MA configurations – it says “Do not recall attributes on disconnection”. My advice: don’t tick this box.
FIM Best Practice: Always have Join rules, and simple ones at that
When creating an MA that is a projection source or a provisioning target it is easy to overlook the join rules, as the objects are effectively already joined. But you should still have them. The other part to this is about complex join rules. While joining a new directory for the first time you may…
Rewriting my GenerateUnique activity as a PowerShell script
The first custom workflow activity I wrote was one to select a unique value from a list of possible values placed in WorkflowData variables. I’ve now re-written this as a PowerShell script to use with the open source FIM PowerShell activity. The script here just checks against the Portal, but it would be a simple…
FIM Best Practice: Represent each person ONCE in the Metaverse
Our Metaverse should be the defining store of digital identities along with the best quality data we can gather about them. And ideally each person in our environment should only be represented once in the Metaverse.
Having a play with Craig Martin’s FIM PowerShell Activity
I’ve been wanting to explore the possibilities of Craig Martin’s FIM PowerShell Workflow Activity for a while, and now my lab is out of its TechEd bubble-wrap I can get back to play. This post covers a couple of extra steps I had to take to get it working on R2. I’ll post sample scripts…
FIM Best Practice: Don’t create new object types for the same basic ‘thing’
It is almost always a bad idea to create extra object types for the same basic “thing”. An object type should encompass all the possible states an identity can transition to. A person can never become a group, but they can definitely be staff, contractor or student (sometimes all at the same time) so a…
FIM Best Practice: Do Data Cleanup
When integrating an existing directory or application into an IAM system a period of data cleanup should be expected, assumed, embraced! There’s no getting away from it – the Sync Service runs best when everything is properly joined, and when expected attributes are consistently filled in.
FIM Best Practice: Use the best Data Sources
FIM is all about data. It’s identity data, sure – but it’s still just data. And it needs to come from somewhere. Typically we will have multiple sources of data coming into FIM, but as with everything, there are good and bad ways to manage this.