none
Bhold attestation setup if FIM POrtal is already used for Group Membership RRS feed

  • Question

  • Background - We had a FIM 2010 deployment in production deployment. Few months ago, we upgraded it to FIM R2. There are already about 4000 Criteria based Groups and Request Based Groups at FIM portal. FIM portal is used as an authoritative source for group membership.

    Problem Statement -  The requirement is to attest the existing and ongoing Request Based group membership of users using BHold User Attestation module. We want to continue FIM portal (not Bhold UI) as the end user interface for requesting the group membership. Hence, for metaverse' group object's member attribute, FIM Portal should have higher precedence than Bhold MA.

    From available documentation of Bhold, I understand that BHold is more suitable in cases where FIM Portal is not already the Group Membership deciding system. However, in our already existing deployment, both group membership is given by FIM portal. In fact this should be the case with all the FIM deployments before Bhold’ s release.

    Please suggest on how to attest the group memberships.


    Mayank Vaish

    Wednesday, December 3, 2014 7:29 AM

All replies

  • I would not expect to have to attest group membership where that membership is controlled programmatically. The idea of Attestation is for a responsible person to attest and confirm that the membership of a given group/role/permission is correct (and remove users who don't need that permission). As long as someone responsible has attested that the rules that govern the automatic group membership are appropriate for the permission controlled by that group, then another round of attestation via BHOLD would seem like overkill.

    However, in the case where membership of FIM groups is managed via FIM's approval mechanism then there may well be a case for BHOLD attestation. It will depend on the business's audit requirements and how well the FIM logs are being maintained, and also the sensitivity/importance of the permission being managed by the group. If it is not possible to prove who approved membership of what group - and to confirm that that membership is still appropriate - then regular attestation may still be required, in which case BHOLD is an easier way of doing it than trying to build your own or do it manually.

    Cheers,

    Dave

    Thursday, December 4, 2014 10:17 AM