FIM Best Practice: Understand the Environment

With IAM projects you need great site knowledge and you need great product knowledge. As the consultant I bring the product knowledge, but I’m completely dependent on the customer to supply the site knowledge. This doesn’t always go as easily as it sounds. The customer’s assumptions and misunderstandings about FIM may lead them to leaving out (or not bothering to find out) vital information. And without information, I can’t design an appropriate solution.

Here are some of the things that need to be well understood:

What are the official policies for dealing with all aspects of user account lifecycle?

These should include written policies for:

  • Exactly who gets an account in the target system?
  • How are access permissions and application roles assigned?
  • What can/can’t be changed on existing accounts?
  • When should access be revoked?
  • How is deprovisioning handled?

Where is the data coming from?

FIM is data-driven. While it can manipulate data it can’t conjure it out of thin air – it has to come from somewhere. So we need to understand:

  • What is the authoritative source for each individual object type and each individual attribute to be managed in the target system?
  • Is the source data in a format we can use?
  • Does the source data link to identities in a way we can import? Eg., a list of locations is all very well, but I need to know who is at each location. And I have to be able to join on the who.

How much effort will be needed for data clean-up?

This is a difficult question to answer. FIM works best with a fully identified and fully joined connector space, where its rules are allowed to apply equally to new and pre-existing identities. Joining and clean-up of identity data has to be done.

While the only way you can really work out how long it will take to do the joins is to do the joins, I do offer this general rule of thumb:

  • Up to 80% of accounts will join pretty easily,
  • Another 10-15% will join on weaker rules with a manual verification,
  • the last 5-10% will be very difficult and various people will have to be involved.

Depending on the number of identities you have to deal with this can be anything from a couple of days to a couple of months work!

Got something to add? Disagree? Comments are open!

About: Carol

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.


One thought on “FIM Best Practice: Understand the Environment”

  1. Great write-up, Carol.

    Especially some good points on the rule of thumb for the percentages of users, that are joined.

    I am very interested in how other people handle that process of identifying which accounts will cause problems, have discrepancies etc.

    At my current gig, we have create a concept of “discrepancy reports”, where we simulate what would happen, if we switched ILM on for a company/location/department, that is currently not under FIM/ILM control. We match naming/email rules/start and end-dates up against what is manually created in AD already, and that is a great dynamic report for use during the cleanup-process – and eventually HR has to sign off on that report, before we switch on ILM/FIM for that company/location/department, so everybody knows exactly, what will happen.

Leave a Reply

Your email address will not be published. Required fields are marked *


*