This was a great session from Carol Wapshere, MVP (@miss_miis), about the essential ingredients of a successful identity management project using FIM – Microsoft ForeFront Identity Manager.
The current latest and greatest is FIM 2010 R2 and it has the following technical components:
- Synchronisation Service – connects matched objects in directories and applications
- Password Synchronisation – updates passwords of joined user accounts following AD password changes.
- Portal and Service (added with 2010) – SharePoint based portal for user administration, self-service and workflow.
- Self-Service Password reset – greatly improved with 2010 R2.
- Reporting – new to 2010 R2. Audit and reporting using System Center Data Warehouse.
- Role Management – new component, acquired from a third party (BHOLD), an RBAC system: role modelling, role assignment, compliance.
- Certificate Manager – Request and renew certificates
A critical point about FIM to understand is that it is a state based system.
- What is the current state of the object
- What is the future state of the object
- It doesn’t care about how or who.
And the essential ingredients for a successful FIM project are surprisingly familiar.
Planning
- Who’s driving – why now?
- IT-led efficiency initiatives often don’t go anywhere unless there is a compelling reason.
Understand the environment
- Get account policies in writing
- Talk to the people who really know
- Data analysis. There can be a lot of B/A work required to ensure success.
Get the requirements
- Essential v desirable
- Focus on outcomes, not current processes
- Get specifics
- Don’t try to do everything at once.
- The usual project scope management issues apply just as much to identity management projects.
FIM is an extensible product, with the following components the extension points:
- The Sync service
- Custom workflow
- Web services
Like most COTS products, the same rules and common sense apply:
- Use out of the box before extending wherever possible
- Use only supported methods – see the MSDN documentation for guidance.
**Get a full production data set for Dev and Test**
- Rules must be able to deal with real, not idealised data
- Joins and data cleaning analysis
- Identify exceptions
- Understand scale
When FIM is running in Prod, it will impact real accounts – so it is worth the effort to get Prod data into Dev and encounter these issues early.
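To make the "state based" point and the "real, not idealised data" point concrete, here is an added example (not FIM code, and not from the session) of how a state-based sync engine plans changes: it joins source (HR) records to target (AD) accounts on a key, computes the desired state of each joined object, diffs it against the current state, and reports what it cannot safely join rather than guessing. The record layouts, attribute names (`employeeID`, `sAMAccountName`, `displayName`, `enabled`) and the sample rows are constructed assumptions for illustration; the messy data (padded keys, a duplicate HR row, a service account with no join key) is there on purpose, because those are exactly the exceptions a production data set surfaces.

```python
"""State-based sync planner (added illustration, not FIM's engine).

The engine never asks *who* changed something or *how*; it only asks
what the current state is and what the desired state should be, and
emits the minimal set of changes plus a list of exceptions for a human.
"""
from dataclasses import dataclass, field


@dataclass
class Plan:
    creates: dict = field(default_factory=dict)    # join key -> desired attributes
    updates: dict = field(default_factory=dict)    # join key -> attributes that differ
    disables: list = field(default_factory=list)   # target accounts with no source
    exceptions: list = field(default_factory=list) # things a human must resolve


def normalise(value):
    """Real data has padding and case differences; join on a cleaned key."""
    return (value or "").strip().lower()


def join_index(records, key):
    """Map cleaned key -> list of records; duplicates are kept so they can be reported."""
    index = {}
    for rec in records:
        k = normalise(rec.get(key))
        if k:
            index.setdefault(k, []).append(rec)
    return index


def desired_state(hr):
    """Desired target state derived purely from the source record (assumed attributes)."""
    return {
        "displayName": f"{hr['given'].strip()} {hr['sn'].strip()}",
        "enabled": hr["status"] == "active",
    }


def plan_sync(hr_records, ad_accounts):
    plan = Plan()
    hr_index = join_index(hr_records, "employeeID")
    ad_index = join_index(ad_accounts, "employeeID")

    for emp_id, hr_matches in hr_index.items():
        if len(hr_matches) > 1:  # ambiguous source: never pick one silently
            plan.exceptions.append(f"duplicate employeeID {emp_id} in HR ({len(hr_matches)} rows)")
            continue
        hr = hr_matches[0]
        want = desired_state(hr)
        ad_matches = ad_index.get(emp_id, [])
        if not ad_matches:
            plan.creates[emp_id] = want
            continue
        if len(ad_matches) > 1:  # ambiguous target: report, do not touch
            plan.exceptions.append(f"employeeID {emp_id} joins {len(ad_matches)} AD accounts")
            continue
        current = ad_matches[0]
        diff = {k: v for k, v in want.items() if current.get(k) != v}
        if diff:
            plan.updates[emp_id] = diff

    # Target objects whose join key no longer exists in the source are leavers.
    for emp_id, ad_matches in ad_index.items():
        if emp_id not in hr_index:
            plan.disables.extend(a["sAMAccountName"] for a in ad_matches if a.get("enabled"))

    # Target objects with no join key at all cannot be managed by this rule.
    for ad in ad_accounts:
        if not normalise(ad.get("employeeID")):
            plan.exceptions.append(f"{ad['sAMAccountName']} has no employeeID, cannot join")
    return plan


# Constructed sample data: deliberately untidy, as production extracts tend to be.
HR_RECORDS = [
    {"employeeID": "1001", "given": "Alice", "sn": "Smith", "status": "active"},
    {"employeeID": " 1002 ", "given": "Bob", "sn": "Jones", "status": "active"},
    {"employeeID": "1003", "given": "Carol", "sn": "Lee", "status": "terminated"},
    {"employeeID": "1004", "given": "Dan", "sn": "Wu", "status": "active"},
    {"employeeID": "1004", "given": "Dan", "sn": "Wu", "status": "active"},  # duplicate row
    {"employeeID": "1006", "given": "Frank", "sn": "Ng", "status": "active"},
]
AD_ACCOUNTS = [
    {"sAMAccountName": "asmith", "employeeID": "1001", "displayName": "Alice Smith", "enabled": True},
    {"sAMAccountName": "bjones", "employeeID": "1002", "displayName": "Robert Jones", "enabled": True},
    {"sAMAccountName": "clee", "employeeID": "1003", "displayName": "Carol Lee", "enabled": True},
    {"sAMAccountName": "ewhite", "employeeID": "1005", "displayName": "Eve White", "enabled": True},
    {"sAMAccountName": "svc_backup", "employeeID": "", "displayName": "Backup Service", "enabled": True},
]

if __name__ == "__main__":
    p = plan_sync(HR_RECORDS, AD_ACCOUNTS)
    for label in ("creates", "updates", "disables", "exceptions"):
        print(label, getattr(p, label))
```

Running it against the sample data plans one create (1006), two updates (a renamed 1002, a disable for the terminated 1003), one disable for the account with no source (`ewhite`), and two exceptions (the duplicate HR row and the service account with no join key). The point of the exceptions list is the "identify exceptions" step above: on a full production extract this is where most of the surprises show up, and they are far cheaper to find in Dev than after FIM starts disabling real accounts.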
Expect teething problems
- Production data and practices may bring surprises
- People suddenly remember vital requirements
- Confusion about what can be changed where
On-going Administration
- It’s not a “set and forget” system
- Data errors and duplicates will happen
- Business rules will change
Key takeaway points:
- Understand the environment
- Develop for automation
- Be realistic
As I said earlier, these principles apply to most IT products, but it is good to have them reinforced.