Identity Lifecycle Management - a newbie question

  • Question

  • Hi, I am a total newbie to FIM as a product and in general, but I do have some questions about FIM.

    In an enterprise where I had a project, I noticed that they are struggling with keeping user access and identity at a manageable level. The problem is this:

    1. The company is delivering IT operations in several countries. Each operator (usually an MCSE or similar) only has access to the AD domains the operator is serving, and the user normally accesses the customers' servers and domains through RDP (or sometimes the VMware console).

    2. If a new operator starts working for the company, someone who has domain admin rights in the customer's domain has to manually create a domain admin account for the operator.

    3. If the operator is serving maybe up to 20 different customers (and many more AD domains; some customers have more than one domain), the process of getting access and having a domain admin account created is very... uhm... error-prone and not a streamlined workflow (manual emails like "Please create a new domain admin account for my new sysadmin", etc.).

    4. If the operator leaves the company, it almost never happens that the domain admin accounts at the customers get deleted in a timely manner, usually only through regular audits. But of course that is not a good and secure way.

    I wonder if FIM 2010 (or 2012) could help me solve this problem. Most specifically, can a user account created within a FIM environment automatically be assigned a domain admin account in selected AD domains (think external customers)? And when that user leaves the company, will removing the user account also delete all the operator's domain admin accounts in the customers' ADs? I guess that FS or domain trusts are necessary as a requirement, but can FIM do all this? I am thinking of Identity Lifecycle Management, meaning controlling the identity of a specific user during the lifetime of the user.

    Thanks for all help. 

    Sunday, January 13, 2013 8:47 PM

Answers

  • The short answer is that FIM is capable of doing this.

    The longer answer is: you need to create a central identity store which contains information about the user and the domains which that user will administer. That could be done by creating a central AD with workflows to assign the different domains/customers. To be able to work with the workflows, someone must be made responsible for assigning the users to a domain. When a user is removed from the central AD, all the other accounts will be removed from the different domains.

    To be able to create, change and delete the users, connections must be made from FIM to the different domains.

    Monday, January 14, 2013 9:59 AM
  • That's right, but I would recommend using the FIM portal as the central identity store; it is meant to be used that way.

    Creating a user in FIM would then create users in the requested identity applications (Active Directories). Removing it from FIM should remove the user from all the applications (Active Directories).

    Monday, January 14, 2013 11:56 AM

All replies

  • Sounds great, just what I need. Now I just need to convince the upper management of a 10.000+ company to start testing it... :) The company itself has a similar solution regarding network access (IP access) to each customer for the operator, but that is an entirely different application and it's made in-house.

    Thanks for your quick answers.

    Monday, January 14, 2013 4:22 PM