none
User Management with IDM RRS feed

  • Question

  • I am implementing an IDM solution from another vendor. The consultant is telling me that all user group management must now be accomplished with the IDM solution. And if group membership is changed with another method (ADUC or PowerShell), it will be overwritten by IDM upon the next change within IDM. the app wants to lead now that it is in place.

    I find real issue with this. I am loath to give up powershell and ADUC. Is this true? Do all IDM solutions require you to use them for all ongoing user management? Note: I am talking about group management mostly, not every possible aspect of user management.

    Is this how FIM works?

    Thanks,

    Paul

    Monday, June 30, 2014 5:04 PM

All replies

  • The basic concept in FIM  is the same. If a group is managed by FIM it should only be managed by FIM.

    But please note that this can be implemented on a per group basis. Meaning that one group can be managed by FIM and another can still be managed by other ways. It is typical that some groups are managed by HR system (organisational groups), others are managed manually in AD and yet other groups are managed by FIM to take advantage of the dynamic groups and self-service aspects in FIM.

    The problem is called precedence in FIM, for each attribute on each object there is only one "winner". If FIM has higher precedence than AD for the member attribute for a specific group then FIM will overwrite any changes made in AD on the member attribute.

    Monday, June 30, 2014 7:13 PM
  • Thank you for the reply Kent. So, I don't have to give up PowerShell for user/group management after implementing IdM. But, on a per group basis we can set precedence which defines who owns the group, FIM or AD. Hmm, I like that.

    Thanks,

    Paul

    Monday, June 30, 2014 7:55 PM
  • If you think about it, this is desired behaviour. If you put an IDM solution in charge of managing group memberships based on rules, you don't want another person or script then subverting those rules and manually changing the membership. The easy way around this with FIM (for all objects, not just groups) is to put the objects FIM manages in one OU and leave manually-managed objects in another OU. Then point the FIM AD MA (or whichever MA) at the FIM OU so it doesn't know about the other objects. Having two methods of updating a group list will result in flip-flopping of data and subverting of business rules.

    Dave

    Tuesday, July 1, 2014 8:59 AM