IAM Design Principle: Separate form from function

When collecting requirements for an IAM solution we associate actions with various ways of categorising users – in other words, we are mapping “form” to “function”. When designing the IAM Solution, however, we need to provide a layer of separation between the two. The best way to illustrate why is with a real-life example.

IAM Design Principle: Lifecycle Events

I’ve really been trying to improve my skills at capturing and writing up requirements and one thing that helps is to list all the typical identity “lifecycle events”, along with: How to detect the event, and What to do when the event is detected. So for each target system I will have a table like…

IAM Design Principle: User Status Values

A field indicating a person’s “status” with respect to the organisation is a standard feature of all IAM implementations. Over many solutions I’ve boiled it down to four status values that satisfy all the lifecycle use cases I’ve come across: Pending – We know about this person but their hire (or re-hire) date is in…

IAM Design Principle: Don’t make decisions on an absence of data

I’ve been going on about this one for a long time, but in case anyone still isn’t on-board with this principle I’ll state it another way: data disappearing from a feed is not a suitable trigger for action. When we treat disappearance of data as a “trigger” we are interpreting a root cause from a…

IAM Design Principle: The Source of Truth is the place where people care about the data being right

I’ve recently started a new project and we’re in the requirements gathering phase, so lots of meetings and discussions, and also (thankfully) enthusiasm for the project. There’s also been lots of me repeating stuff I always say when trying to explain Good IAM Design, so I’ve decided to start a new series of short blog…

Pre-wired access control

Here’s a picture I once used in a presentation (credited to wallwin.ca) to illustrate the mess access control in directories and applications often looks like when you try to do any kind of review and analysis. These days I don’t go into server and patch rooms all that often, but even so it’s been a…

Why I care so much about identity data quality

I feel like I’m always trying to convince people that the quality and maintenance of identity data is important and worth putting effort into, while they nod and say “sure, sure”, while thinking “this crazy lady knows nothing about reality”. But you know what? I’m not crazy – and here are some reasons why.

Transitional TransitionIn Sets

I’ve been struggling lately with poor SQL performance in a Test environment and I’m pretty sure that has been causing an intermittent problem with objects not transitioning in to Sets and Groups straight away. They all get sorted out when the FIMTemporalEvents job runs overnight – but that’s not very comforting to the testers who…

FIM Best Practice: Use PowerShell

I’ve had this post sitting in draft for a long time and for some reason hadn’t posted it yet – but then today my colleague Matt sent me a link to the Scripting Guy’s PowerShell Holiday Gift Guide. Yes I do love my PowerShell (and I’m hoping that Santa will bring me a copy of…

FIM Best Practice: Create single function Workflows

As much as possible I like to keep my Workflows simple with a minimum number of steps. When updating attributes I prefer, wherever possible, to only update a single attribute per Workflow Definition. So for example I’ll have separate Workflows for “Set DisplayName” and “Set AccountName” rather than rolling the two together in a single…