Adventures in identity management
It should be fairly obvious, but an automated system won’t perform a task the same way a person can. The automated system will be fast and consistent, but the person will be able to use their judgement and provide flexibility where needed. So automation means compromise and change, and it’s best when everyone can accept…
The single most important concept about FIM to understand, and to make sure that others involved in the project also understand, is that it is state-based. What this means is that we only care about the current state of the data, and the future state of the data, after we’ve applied our rules. Most importantly,…
You can’t buy a fully functional IAM system off the shelf, install it into your environment with minimal configuration, and expect it to do something. IAM is intricately bound with your specific systems, business rules and priorities. The best IAM solution is “grown” within the organisation, and growing takes time.
With IAM projects you need great site knowledge and you need great product knowledge. As the consultant I bring the product knowledge, but I’m completely dependent on the customer to supply the site knowledge. This doesn’t always go as easily as it sounds. The customer’s assumptions and misunderstandings about FIM may lead them to leaving…
In any IT project we start with a requirements list. With IAM it can be hard to define just what a single “requirement” is – when a person creates an account, or adds a member to a group they think of that as “one action”. However when automating you need to break the action down…
In organisations with no established practise of IAM, introducing it can be an uphill battle. Attempts to introduce IAM for its own sake are often not successful – you need something else driving the project, something high profile with fixed deadlines and high-level sponsorship within the organisation.
I upgraded a Dev server to R2 today. It seems to have gone ok though I have yet to test all the components. Here’s some quick observations:
A long time ago now I posted a basic SQL method of archiving the Requests history to another database. I’m still using this with FIM 2010 and have updated the method now to also grab info about Approvals. Note I haven’t tested this with R2.
I’ve publish a new script that will duplicate any object in the FIM Portal, naming it “Copy of ” plus the Display Name of the copied object. I’ve tested it on MPRs, Workflow Definitions, Sets, Search Scopes, Navigation Bar Resources, AIC’s … You can get it here.
I was trying to update a script so it could resolve references to various resource types. I’d seen in the help that you can do this: Export-FIMConfig -customConfig (“/ConstosoCustomResource”, “/Group”) So in my script I spent ages trying to construct a string like “(“/ConstosoCustomResource”, “/Group”)” and then wondering why it wouldn’t work.