Design decisions using FIM portal and MS's intent of the product

  • Question

  • We are using FIM to provision users to downstream directory stores, and while we are still in design mode there could be 6 or 7 directories to provision to when all is said and done: an assortment of Oracle DB, SQL, AD and LDAP.

    As expected, not all users created within FIM need accounts in all downstream directories and it may be the case where some users already exist in one and not the other when we go live.

    I'm trying to envision what would be ideal for a FIM admin with respect to what he or she sees when opening a new user form.  I suppose it would be ideal for the admin to search for a user and see that the user has accounts in systems A and B, but not in C, D, and E.  Then, if desired, the admin could check a box for systems C, D, and E, and upon a sync, presto! the user has accounts in those systems too.

    Is this a plausible solution? Could you share thoughts on how hard this would be? LOE guesstimate?

    In another scenario, a new user comes on board.  I can imagine opening a FIM Portal new user form, filling out the necessary fields, then checking boxes A, B, C, E and upon sync, presto! again.  The admin could perhaps have seen, while checking those boxes, that the user did not have an account in any of those systems, as he would have expected.  Just by entering the user's name and perhaps a special unique ID, the form would prepopulate to show where he has or hasn't been provisioned.  This seems beyond the current dynamic nature of the FIM portal user form, but is it plausible to create something like this? LOE guesstimate?

    I seem to be driving the conversation here from the perspective of the FIM portal being the center of the universe, and I'm really not sure if that is the intent of the FIM portal.  Is it more accurate to cast it in the light of a maintenance tool, rather than a central admin interface to all that is identity management within an environment?  Perhaps it is easier to create all the functionality I mention above in a .NET app that integrates with FIM and let the FIM portal be used for maintenance only?

    The customer really wants a one-stop shop for managing identities and provisioning.  I just don't know if that is what the FIM portal is actually designed for, or the intent of it.  Would really like to hear how some of you have addressed such requirements!


    • Edited by Osho27 Wednesday, February 6, 2013 5:21 PM
    Wednesday, February 6, 2013 5:20 PM

Answers

  • To expand on Brian's comments:

    Scenario 1:

    - Have a checkbox for each system, tied to boolean attributes

    - Have a set for each system ("All System A Users"), where that boolean value is true.

    - Create a SR that provisions the users to each system

    - Create an MPR that adds users to that SR when they "transition in" to your set.

    Scenario 2:

    As per Scenario 1; however, as Brian says, you can't really do it the way you've described. Options are:

    - Have a custom workflow activity that detects the user creation, queries the external system to see if the user exists, then unsets the boolean attribute if they do. You might also configure it to send a notification to the creator that this occurred. 

    - Bring all users from System X into the MV. Have an attribute called SystemXID, with a uniqueness constraint (see Jorge's blog). When creating a user, an error will notify the user that SystemXID is not unique, and hence already exists in System X. This solution has some drawbacks, though - mainly the overhead of bringing all System X users into the portal (impacts your CALs, as well as performance), and you'd probably end up with two identities within FIM for your user, which is just bad practice.

    Long story short... FIM is definitely your center of the universe tool. You just have to understand that it does have some limitations - so to achieve what you want, you need to be a bit creative at times.

    - Ross Currie


    FIMSpecialist.com | MCTS: FIM 2010

    • Proposed as answer by Ross Currie Friday, February 8, 2013 8:00 AM
    • Marked as answer by Osho27 Friday, February 8, 2013 3:50 PM
    Friday, February 8, 2013 8:00 AM
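The Scenario 1 building blocks above (one boolean attribute per target system, one Set per system filtered on that boolean, a transition-in MPR that applies the outbound SR) can be created with the FIMAutomation snap-in rather than by hand. The script below is an added example and is not code from the thread or from Microsoft; it creates the per-system Sets only, and checks for an existing Set first so it can be re-run safely. It assumes the boolean attributes (illustratively named ProvisionToSystemA, ProvisionToSystemB, ProvisionToSystemC) already exist and are bound to Person, and that it runs on the FIM Service host as a FIM administrator.

```powershell
# Added example (not from the thread): create one "All System X Users" Set per
# target system, filtered on the boolean Person attribute behind its checkbox.
# Assumes the attributes below exist and are bound to Person, that this runs on
# the FIM Service host as a FIM administrator, and that the FIMAutomation
# snap-in is installed. Attribute and Set names are illustrative.

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

# Target system -> boolean attribute that the portal checkbox is bound to (assumed names)
$targets = @{
    "SystemA" = "ProvisionToSystemA"
    "SystemB" = "ProvisionToSystemB"
    "SystemC" = "ProvisionToSystemC"
}

function Test-FimSetExists {
    param([string]$DisplayName)
    # Export only the Set resources whose DisplayName matches; no result means no such Set
    $existing = Export-FIMConfig -OnlyBaseResources -CustomConfig "/Set[DisplayName='$DisplayName']"
    return ($null -ne $existing)
}

function New-FimSet {
    param([string]$DisplayName, [string]$XPath)

    # A Set's Filter attribute is the XPath expression wrapped in this XML envelope
    $filter = '<Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ' +
              'xmlns:xsd="http://www.w3.org/2001/XMLSchema" ' +
              'Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" ' +
              'xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement">' +
              $XPath + '</Filter>'

    $set = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $set.ObjectType = "Set"
    $set.SourceObjectIdentifier = [guid]::NewGuid().ToString()
    $set.State = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Create

    $attributes = @{ "DisplayName" = $DisplayName; "Filter" = $filter }
    foreach ($attr in $attributes.GetEnumerator()) {
        $change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
        $change.Operation = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Replace
        $change.AttributeName = $attr.Key
        $change.AttributeValue = $attr.Value
        $change.FullyResolved = 1
        $change.Locale = "Invariant"
        if ($null -eq $set.Changes) { $set.Changes = (,$change) } else { $set.Changes += $change }
    }

    # Submit the new Set to the FIM Service
    $set | Import-FIMConfig
}

foreach ($entry in $targets.GetEnumerator()) {
    $name  = "All $($entry.Key) Users"
    $xpath = "/Person[$($entry.Value) = true]"
    if (Test-FimSetExists -DisplayName $name) {
        Write-Host "Set '$name' already exists, skipping"
    } else {
        New-FimSet -DisplayName $name -XPath $xpath
        Write-Host "Created Set '$name' with filter $xpath"
    }
}
```

Once the Sets exist, each one becomes the Final Set of a Transition In MPR whose action workflow applies the outbound SR for that system, as the answer describes. One point worth checking in such a design: because ticking a box is now equivalent to authorizing an account in a downstream directory, the request MPRs that grant Modify on these boolean attributes should be scoped to the intended administrator set (and, if self-service is ever enabled on Person, explicitly exclude these attributes from what users may change about themselves), otherwise anyone who can write the attribute can provision themselves into every connected system.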

All replies

  • I think Scenario 1 is very doable. Add some Boolean attributes for each directory and trigger off of them to do the provisioning.

    Scenario 2 is just a derivative of Scenario 1 - so quite doable. Your dynamic pre-fill scenario isn't something you can do in the portal, though.


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    • Proposed as answer by Ross Currie Friday, February 8, 2013 7:32 AM
    Wednesday, February 6, 2013 7:44 PM
    Moderator