uniquely identify mv objects

  • Question

  • In ILM 2007 implementation with only a one way synchronization of users and contacts from AD to ADAM, we uniquely identified MV objects based on anchor (cn and dn attributes for that record in AD) along with another custom attribute.

    Now in ILM "2" RC evaluation I am exploring provisioning of new users and contacts from multiple authoritative data sources, and re-thinking ways to uniquely identify MV objects for searches, joins etc. I was thinking of using objectGUID and/or objectSID in conjunction with cn and a custom attribute. Any thoughts?

    Thanks.


    Anu
    Wednesday, September 2, 2009 4:22 PM

Answers

  • You are right on the money!

    You might want to take a look at the Design Concepts for Correlating Digital Identities.
    This document should answer your questions.

    To answer your current question - the ideal Correlation ID doesn't change and does not contain any kind of encoded information.
    This pretty much eliminates SIDs as CID.

    In general, GUIDs are a good thing to use for this purpose.

    Cheers,
    Markus

    Markus Vilcinskas, Technical Content Developer, Microsoft Corporation
    • Marked as answer by Anu Melkote Wednesday, September 2, 2009 9:54 PM
    Wednesday, September 2, 2009 5:31 PM
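
The point in the answer above about encoded information, as an added example that is not part of the original thread: a binary `objectSid` decodes into a domain identifier plus a RID, so it changes when an account moves to another domain of the same forest, while `objectGUID` is an opaque value that stays with the object. The helper names and all sample values are constructed for illustration.

```python
import struct
import uuid

def parse_sid(raw: bytes) -> dict:
    """Decode a binary objectSid: revision, count, 6-byte authority, LE sub-authorities."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    text = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    # S-1-5-21-<three domain values>-<RID> is the layout of a domain account SID
    is_domain = authority == 5 and count >= 5 and subs[0] == 21
    return {
        "sid": text,
        "domain": text.rsplit("-", 1)[0] if is_domain else None,
        "rid": subs[-1] if is_domain else None,
    }

def parse_guid(raw: bytes) -> str:
    """objectGUID is stored in mixed-endian byte order (uuid's bytes_le)."""
    return str(uuid.UUID(bytes_le=raw))

def build_sid(domain_subs, rid) -> bytes:
    """Hypothetical helper: build a constructed domain SID for the sample data."""
    subs = (21, *domain_subs, rid)
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def same_object(a: dict, b: dict, attr: str) -> bool:
    """Would a join on this attribute treat the two entries as one identity?"""
    decode = parse_guid if attr == "objectGUID" else (lambda raw: parse_sid(raw)["sid"])
    return decode(a[attr]) == decode(b[attr])

# Constructed sample: one user before and after a move between two domains
# of the same forest (assumption: the GUID is kept, a new SID is issued).
GUID_RAW = uuid.UUID("3f2b8c1e-9d4a-4c6b-8e2f-0a1b2c3d4e5f").bytes_le
BEFORE = {"objectGUID": GUID_RAW,
          "objectSid": build_sid((1004336348, 1177238915, 682003330), 1105)}
AFTER = {"objectGUID": GUID_RAW,
         "objectSid": build_sid((2127521184, 1604012920, 1887927527), 2608)}

if __name__ == "__main__":
    for label, entry in (("before", BEFORE), ("after", AFTER)):
        print(label, parse_guid(entry["objectGUID"]), parse_sid(entry["objectSid"]))
    print("join on objectGUID:", same_object(BEFORE, AFTER, "objectGUID"))
    print("join on objectSid: ", same_object(BEFORE, AFTER, "objectSid"))
```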

All replies

  • Thanks Markus - great to share an "ah-ha" moment.

    Cheers.


    Anu
    Wednesday, September 2, 2009 9:56 PM
  • Hi Markus,

    Very useful article and one which may solve an auditing dilemma we have. We've created a custom event log to capture all changes in the portal so that our audit team have a log that they can capture with an audit trail. However, correlation of changes in FIM to the resulting changes in AD is difficult as AD reports on things like accountName whereas FIM uses displayName (reference user) in its requests. I'm thinking whether we should go along the lines of generating a 'correlationID' attribute in FIM as part of all create, modify etc. requests and then passing that to a multi-valued attribute in AD for storage and look up. Our audit team are whingeing that otherwise it's virtually impossible to correlate changes in FIM to changes in AD. Any thoughts?

    Rob

    Monday, March 18, 2013 9:39 AM