When integrating an existing directory or application into an IAM system a period of data cleanup should be expected, assumed, embraced! There’s no getting away from it – the Sync Service runs best when everything is properly joined, and when expected attributes are consistently filled in.
Joins
Without joins there are no updates: an unjoined connector has no metaverse object to flow attributes to or from, and provisioning decisions made on that incomplete picture may be wrong. If bad joins exist the side effects can be anything from odd to downright destructive, because attribute flows (and potentially deprovisioning) land on the wrong person’s account. With FIM it is imperative to get the joins right!
While compromises must sometimes be made to get a project moving, the best practices to aim for are:
- All in-scope objects joined to an authoritative object source,
- No disconnectors – if objects are not to be managed by FIM then move them out of the management agent’s scope (by container selection or connector filter) rather than leaving them sitting unjoined in the connector space.
For any existing environment that has been primarily managed by hand, a period of account matching will be required. I’ve written before about various techniques you can use here. In one really complex, messy environment I had to run a separate “joins” server doing pattern matching and join reporting, until we could get everything properly identified.
You will need to allow sufficient time for this joins phase and get the right people involved. Account joining is not always a straightforward exercise, and personal knowledge of the actual account owners may be needed to resolve the ambiguous cases. For some “finger in the air” estimates see here.
Data Formatting
Another point to consider is data formatting. Free-text data is useless for anything other than syncing straight through. If we want to do interesting things with the data (groups and RBAC, provisioning and placement decisions) then we need it to be in a predictable format, ideally a controlled vocabulary for attributes like department and a canonical form for attributes like telephone numbers.
For best results, data formatting should be cleaned up on existing identities as well. People often assume that the new rules will only apply to new accounts, but FIM doesn’t care which accounts are “new” – they’re all just connectors and FIM should be able to apply its rules equally to all, with the same expectation of data quality.
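To make both points concrete, here is an added example (mine, not from the original post or from any FIM component) of the kind of reporting script the “joins” phase and the data-formatting cleanup both need. It reads an authoritative HR feed and a hand-managed directory export, both constructed sample data, and classifies every account as joined, ambiguous, in conflict or a disconnector, then applies the same formatting rules to every account regardless of age. The join rules (exact employeeID first, normalized name only when no ID is present, never a name join when the ID is present but unknown), the controlled department vocabulary and the North American phone format are assumptions chosen for illustration, not rules FIM imposes.

```python
"""Join-candidate and data-quality report for an IAM onboarding (hypothetical example)."""
import re
import unicodedata
from collections import defaultdict

# Assumed controlled vocabulary for the department attribute.
CANONICAL_DEPARTMENTS = {"sales", "engineering", "finance"}

# Constructed sample data: an authoritative HR feed and a hand-managed directory export.
HR_RECORDS = [
    {"employeeID": "1001", "givenName": "Jane", "sn": "Smith", "department": "Sales"},
    {"employeeID": "1002", "givenName": "John", "sn": "Smith", "department": "Sales"},
    {"employeeID": "1003", "givenName": "Ana", "sn": "García", "department": "Engineering"},
    {"employeeID": "1004", "givenName": "Wei", "sn": "Chen", "department": "Finance"},
    {"employeeID": "1005", "givenName": "Jane", "sn": "Smith", "department": "Engineering"},
]
DIR_ACCOUNTS = [
    {"sAMAccountName": "jsmith", "employeeID": "1001", "displayName": "Jane Smith",
     "department": " sales ", "telephoneNumber": "(555) 010-1234"},
    {"sAMAccountName": "jsmith2", "employeeID": "", "displayName": "Smith, John",
     "department": "Sales Dept", "telephoneNumber": "555.010.5678"},
    {"sAMAccountName": "jsmith3", "employeeID": "", "displayName": "Jane Smith",
     "department": "Eng", "telephoneNumber": "555-010-2468"},
    {"sAMAccountName": "agarcia", "employeeID": "", "displayName": "Ana Garcia",
     "department": "engineering", "telephoneNumber": "x4321"},
    {"sAMAccountName": "svc_backup", "employeeID": "", "displayName": "Backup Service",
     "department": "", "telephoneNumber": ""},
    {"sAMAccountName": "wchen", "employeeID": "9999", "displayName": "Wei Chen",
     "department": "Finance", "telephoneNumber": "+1 555 010 9999"},
]


def normalize_name(value):
    """Lowercase, fold accents and drop punctuation so 'García' and 'Garcia' compare equal."""
    decomposed = unicodedata.normalize("NFKD", value)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z]", "", ascii_only.lower())


def split_display_name(display_name):
    """Return normalized (given, surname) from either 'First Last' or 'Last, First'."""
    if "," in display_name:
        sn, given = [p.strip() for p in display_name.split(",", 1)]
    else:
        parts = display_name.split()
        if not parts:
            return "", ""
        given, sn = parts[0], parts[-1]
    return normalize_name(given), normalize_name(sn)


def normalize_department(value):
    """Map free-text department to the controlled vocabulary; None if it cannot be mapped."""
    key = re.sub(r"\b(dept|department)\b", "", value.lower()).strip()
    return key if key in CANONICAL_DEPARTMENTS else None


def normalize_phone(value):
    """Return +1NNNNNNNNNN (assumes North American numbers); None if unparseable."""
    digits = re.sub(r"\D", "", value)
    if len(digits) == 10:
        return "+1" + digits
    if len(digits) == 11 and digits.startswith("1"):
        return "+" + digits
    return None


def join_report(hr_records, dir_accounts):
    """Classify each directory account as joined, ambiguous, conflict or disconnector."""
    by_id = {r["employeeID"]: r for r in hr_records}
    by_name = defaultdict(list)
    for r in hr_records:
        by_name[(normalize_name(r["givenName"]), normalize_name(r["sn"]))].append(r)
    report = {"joined": {}, "ambiguous": {}, "conflict": {}, "disconnector": []}
    for acct in dir_accounts:
        sam = acct["sAMAccountName"]
        emp_id = acct.get("employeeID", "").strip()
        if emp_id:
            if emp_id in by_id:
                report["joined"][sam] = emp_id
            else:
                # An ID that matches nothing is a data error: never fall back to a name join.
                report["conflict"][sam] = emp_id
            continue
        candidates = by_name.get(split_display_name(acct["displayName"]), [])
        if len(candidates) == 1:
            report["joined"][sam] = candidates[0]["employeeID"]
        elif candidates:
            report["ambiguous"][sam] = [c["employeeID"] for c in candidates]
        else:
            report["disconnector"].append(sam)
    return report


def data_quality_report(dir_accounts):
    """Apply the formatting rules to every account, new or old, and list values that fail."""
    issues = []
    for acct in dir_accounts:
        sam = acct["sAMAccountName"]
        if normalize_department(acct.get("department", "")) is None:
            issues.append((sam, "department", acct.get("department", "")))
        if normalize_phone(acct.get("telephoneNumber", "")) is None:
            issues.append((sam, "telephoneNumber", acct.get("telephoneNumber", "")))
    return issues


if __name__ == "__main__":
    for bucket, members in join_report(HR_RECORDS, DIR_ACCOUNTS).items():
        print(f"{bucket}: {members}")
    for sam, attribute, value in data_quality_report(DIR_ACCOUNTS):
        print(f"fix {attribute} on {sam}: {value!r}")
```

The “ambiguous” and “conflict” buckets are the ones that need a human with knowledge of the account owners; the “disconnector” bucket is the list of objects to either match by hand or move out of the management agent’s scope. Note that the formatting report runs over every account, including ones that were “already there”, which is exactly the expectation FIM will have once the rules are live.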