FIM Portal Resource Requests And Approvals

  • All,

    Lately I’ve been involved in a project where I’m being asked to implement more and more advanced Identity Management related tasks.

    So I think I might be reaching the boundaries of the FIM Portal, or of the solutions my mind can build ;)

    E.g. Suppose you want a manager to be able to choose whether or not a user should receive an account for an SAP system. How would you implement this? I’m aware of the Set/MPR/WF/SR thingy. But would you add a Boolean attribute on the user for this like “RequireSAPAccount”? What if you have more and more of these items. Add them all on the user? Wouldn’t a user object end up like a garbage object?

    Other examples could be "user should have limited/standard/full internet", "user should receive a laptop/desktop", "user should be able to work from home (smartcard)", "user requires access to file share X and Y"....

    As I see it, ideally each of these "rights/entitlements" would be translated to a group membership. That way you can use the existing objects/GUI/approval capabilities and present a more or less user-friendly way of working.

    Second, regarding approvals. Suppose you don’t configure an escalation approver, and an approval goes into the escalation timeframe, is it lost inevitably? Because an “administrator” can see the approval, but even he can’t approve as he’s not part of the “approvers” list for this WF. So what’s the typical approach here? Add a Windows group to the escalation approvers list? Add an “emergency service account”?

    I'm aware that an exact answer is probably not possible, but I'm just wondering how you guys are tackling these challenges.

    Kind regards,

    Tuesday, December 18, 2012 12:21 PM
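The "each entitlement becomes a group membership" approach the question sketches, as an added example that is not part of the thread or of any poster's configuration. It uses the FIMAutomation snap-in that ships with FIM 2010 (Export-FIMConfig / Import-FIMConfig and the ImportObject/ImportChange classes); the entitlement names, the manager and requester account names, the AD domain and the service URI are placeholders. Each entitlement is one security group with "Owner Approval" membership, owned by the approving manager, so the manager's yes/no is the ordinary group-join approval and nothing is added to the Person schema; a sixth entitlement is one more entry in the list, not a new Boolean attribute.

```powershell
# Added example, not from the thread: one FIM Portal group per entitlement,
# owner approval on join. Assumes the FIMAutomation snap-in (FIM 2010).
# All names and the URI below are placeholders.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$Uri = 'http://localhost:5725/ResourceManagementService'   # assumed FIM Service address

# Build one ImportChange (Replace for single-valued, Add for multi-valued attributes).
function New-FimChange {
    param([string]$Attribute, [string]$Value, [string]$Operation = 'Replace')
    $c = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $c.Operation      = [Enum]::Parse([Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation], $Operation)
    $c.AttributeName  = $Attribute
    $c.AttributeValue = $Value
    $c.FullyResolved  = $true
    $c.Locale         = 'Invariant'
    return $c
}

# Resolve an XPath filter to the bare ObjectID GUID (ObjectIdentifier is "urn:uuid:<guid>").
function Get-FimObjectId {
    param([string]$XPath)
    $hit = Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $XPath
    if (-not $hit) { throw "No FIM resource matches $XPath" }
    $first = $hit | Select-Object -First 1
    return ($first.ResourceManagementObject.ObjectIdentifier -replace '^urn:uuid:', '')
}

# Create one entitlement group owned by the approving manager.
function New-EntitlementGroup {
    param([string]$Name, [string]$OwnerId, [string]$Domain)
    $g = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $g.ObjectType             = 'Group'
    $g.SourceObjectIdentifier = [guid]::NewGuid().ToString()
    $g.TargetObjectIdentifier = $g.SourceObjectIdentifier
    $g.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Create
    $g.Changes = @(
        (New-FimChange 'DisplayName'           $Name),
        (New-FimChange 'AccountName'           $Name),
        (New-FimChange 'Domain'                $Domain),
        (New-FimChange 'Type'                  'Security'),
        (New-FimChange 'Scope'                 'Global'),
        (New-FimChange 'MembershipLocked'      'False'),
        (New-FimChange 'MembershipAddWorkflow' 'Owner Approval'),   # join requests go to the owner
        (New-FimChange 'Owner'                 $OwnerId 'Add'),
        (New-FimChange 'DisplayedOwner'        $OwnerId)
    )
    $g | Import-FIMConfig -Uri $Uri
}

$managerId = Get-FimObjectId "/Person[AccountName='jdoe']"     # placeholder approving manager

# Constructed entitlement catalogue mirroring the question's examples.
$entitlements = 'ENT-SAP-Account', 'ENT-Internet-Full', 'ENT-Laptop',
                'ENT-RemoteAccess-Smartcard', 'ENT-Share-X'
foreach ($e in $entitlements) {
    New-EntitlementGroup -Name $e -OwnerId $managerId -Domain 'CONTOSO'   # placeholder domain
}

# Requesting the SAP entitlement for a user is a Put on the group that adds ExplicitMember.
$userId  = Get-FimObjectId "/Person[AccountName='asmith']"     # placeholder requester
$groupId = Get-FimObjectId "/Group[AccountName='ENT-SAP-Account']"
$join = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$join.ObjectType             = 'Group'
$join.SourceObjectIdentifier = $groupId
$join.TargetObjectIdentifier = $groupId
$join.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
$join.Changes = @((New-FimChange 'ExplicitMember' $userId 'Add'))
$join | Import-FIMConfig -Uri $Uri
```

Whether the final Put waits on an owner approval depends on which MPRs match the identity running the script, so check the Requests list in the portal afterwards; the group is only the entitlement's container, and the downstream system (SAP, the file share, the VPN) still needs a sync rule or connector that consumes the membership.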

All replies

  • I don't have any answers for you, but I think Markus should sticky this convo.  I would love to see this conversation evolve.

    I would also suggest some customer training and expectations mitigation.  It sounds like some folks, including my customer, really see the benefit of FIM and need to turn from an AD provisioning environment to a role-based provisioning scenario which would require something more robust like BHOLD.  ??

    Tuesday, December 18, 2012 2:40 PM
  • I have more and more customers that are turning to building their own front-end for the FIM Service. Mostly, because they want to present a much more intuitive interface to the end-users and the FIM Portal has some short-comings in that regard.

    Also, I see a lot of implementations where the additional information that you are talking about is modelled in the HR systems (or other already in-place workflow system) and NOT in FIM - effectively sending only final decisions to FIM for ordinary sync processing. A few other examples have been customers building workflows in SharePoint (with Nintex underneath) and again presenting the "approved" states to FIM - I've been involved in a few of such projects.

    All in all, I'm seeing a lot of these workflows moving out of the FIM Service. And don't get me started on Orchestrator :-) But on the good side, a lot of customers are very interested in role management / BHOLD and would like to see that go even further...

    Regards, Soren Granfeldt
    twitter: @MrGranfeldt

    Tuesday, December 18, 2012 7:29 PM
  • I agree with Soren. We here have also decided to use the much more robust workflow framework within SharePoint 2010 to do all the approvals and requests for provisioning and simply send the final status to a SQL backend which FIM will pull from and set attributes. It is becoming more and more like just a group gateway.
    Tuesday, December 18, 2012 7:43 PM
  • I am looking at FIM 2010 R2 (includes BHOLD suite now) to support an enterprise IAM/IAG solution.  A potential first step may need to be replacement of a custom system access request UI with the FIM portal.  I am interested to know more about the shortcomings of the FIM portal as you, Søren, and gdtilghman clearly have knowledge of this.

    Can you share?  Thanks in advance.

    Phil Ross [energy utility, Sydney Australia]

    Tuesday, April 2, 2013 5:43 AM