TechEd - FIM Best Practices

This was a great session from Carol WapshereMVP (@miss_miis) about the essential ingredients of a successful identity management project using FIM – Microsoft ForeFront Identity Manager.



The current latest and greatest is FIM 2010 R2 and it has the following technical components:

• Synchronisation Service – connects matched objects in directories and applications
• Password Synchronisation – updates passwords of joined use accounts following AD password changed.
• Portal and Service (added with 2010) – SharePoint based portal for user administration, self-service and workflow.
• Self-Service Password reset – greatly improved with 2010 R2.
• Reporting – new to 2010 R2. Audit and reporting using System Center Data Warehouse.
• Role Management – new component, acquisition of a third party component. BHOLD and RBAC System Role modelling, role assignment, compliance.
• Certificate Manager – Request and renew certificates



A critical point about FIM to understand is that it is a state based system.

• What is the current state of the object
• What is the future state of the object
• It doesn’t care about how or who.



And the essential ingredients for a successful FIM project are suprisingly familiar.

Planning

• Who’s driving – why now?
• Often IT led efficiency initiatives don’t go anywhere unless there is a compelling reason.



Understand the environment

• Get account policies in writing
• Talk to the people who really know
• Data analysis. There can be a lot of B/A work required to ensure success.



Get the requirements

• Essential v desirable
• Focus on outcomes, not current processes
• Get specifics
• Don’t try to do everything at once.
• Typical project scope management issues are typical in identity management projects.



FIM is an extensible product, with the following components the extension points:

• The Sync service
• Custom workflow
• Web services



Like most COTS products, the same rules and common sense apply:

• Use out of the box before extending wherever possible
• Use only support methods – see MSDN documentation for guidance.

**Get a full production data set for Dev and Test**

• Rules must be able to deal with real, not idealised data
• Joins and data cleaning analysis
• Identify exceptions
• Understand scale

When FIM is running in Prod, it will impact real accounts – so it is worth the effort to get Prod data into Dev and encounter these issues early.



Expect teething problems

• Production data and practices may bring surprises
• People suddenly remember vital requirements
• Confusing about what can be changed where



On-going Administration

• It’s not a “set and forget” system
• Data errors and duplicates will happen
• Business rules will change



Key takeaway points:

• Understand the environment
• Develop for automation
• Be realistic



As I said earlier, these principles apply to most IT products but good to get them reinforced.