missmiis : Adventures in identity management

IAM Design Principle: Lifecycle Events

I’ve really been trying to improve my skills at capturing and writing up requirements and one thing that helps is to list all the typical identity “lifecycle events”, along with:

How to detect the event, and
What to do when the event is detected.

So for each target system I will have a table like the following. The “Lifecycle Events” I’ve listed I think are fairly universal. How you detect them (the “Trigger”), and what actions the IAM solution takes will of course be solution-specific. In some cases the IAM Solution’s action will be “none”, but that should still be documented.
Continue reading ›

2016 11 18 Carol Best Practice Comments (2) Permalink

IAM Design Principle: User Status Values

A field indicating a person’s “status” with respect to the organisation is a standard feature of all IAM implementations. Over many solutions I’ve boiled it down to four status values that satisfy all the lifecycle use cases I’ve come across:

Pending – We know about this person but their hire (or re-hire) date is in the future,
Active – Active employment or other relationship,
Suspended – A temporary state where all accounts are disabled but otherwise unchanged, perhaps due to long leave or temporary suspension of duties,
Inactive – Relationship with the organisation has ceased.

The designer of the IAM solution shouldn’t have to be concerned with why a person is in any one of these states – all we need to know is:

how to identify the status, and
what to do when the status changes.

Obviously the staus is sometimes combined with other attribute values to determine actions, but these are the four status values I have found to be generally applicable across a range of solutions and organisation types.

2016 11 16 Carol Best Practice Comments (0) Permalink

IAM Design Principle: Don’t make decisions on an absense of data

I’ve been going on about this one for a long time, but in case anyone still isn’t on-board with this principal I’ll state it another way: data disappearing from a feed is not a suitable trigger for action.

When we treat disappearance of data as a “trigger” we are interpreting a root cause from a received effect. We are saying “there can only ever be one possible reason why this piece of data has gone missing from our feed” – but is that really the case? Continue reading ›

2016 11 14 Carol Best Practice Comments (0) Permalink

IAM Design Principle: The Source of Truth is the place where people care about the data being right

I’ve recently started a new project and we’re in the requirements gathering phase, so lots of meetings and discussions, and also (thankfully) enthusiasm for the project.

There’s also been lots of me repeating stuff I always say when trying to explain Good IAM Design, so I’ve decided to start a new series of short blog posts on the subject. There will be some overlap with an earlier series I did on FIM Best Practises, but I’ll be keeping this one product independant. Continue reading ›

2016 11 12 Carol Best Practice Comments (0) Permalink

Breaking the AADConnect link – an Alumni example

I presented this at the MIM Team User Group meeting last week, but was having some computer issues and apparently people couldn’t hear me. There did seem to be quite a bit of interest from the comments window, so I figured I’d write it up as a blog post.

This solution allows an Office 365 account to automatically transition from “Synchronized” to “Cloud managed”. It was designed for a university where:

Student accounts are synchronised to Office 365, including the password hash, using AADConnect, and
Alumni accounts should remain active in Office 365 but disabled on-prem – therefore we want to stop syncing them with AADConnect following graduation.

Following are some pictures I put together to present the solution. A licensing process is mentioned but not covered – this just focuses on the change in management source.

It should also be noted that this solution has been in production for over a year.

2016 10 31 Carol Cloud
FIM Sync Service
powershell Comments (0) Permalink

It always comes back to Requirements

I’m just going to say it – many people in IT don’t give enough thought to requirements. They might think they do, there may even be a document with the word “Requirements” in the title, but are they good enough for the job?

2016 10 21 Carol Philosophising Comments (0) Permalink

Using the MIMWAL to create Policy objects

I worked with the FIMWAL in the past on a couple of MCS engagments, but hadn’t yet had the opportunity to use the open-sourced MIMWAL on an engagment. I have, however, just been converting something I’ve done before to all-MIMWAL workflows, in preparation for re-using the concepts on a new project.

This is a pretty complex “pack” of stuff, including schema, policy and UI. Part of the solution is that new, customised policy objects are generated in response to certain changes made in the Portal. Converting this solution to the MIMWAL has been a lot of fun, and really quite intuitive, with everything I wanted to do covered – and in some cases simplified compared to what I had before. A lot of the workflows I was replacing were PowerShell scripts – I now have only a very small amount of in-Workflow PowerShell left and no external scripts at all.

2016 10 18 Carol MIMWAL
Workflow Comments (0) Permalink

PowerShell: Split a large CSV and process in multiple Jobs

I had a large CSV of data to be loaded in through the FIM Service. Single threading this operation could have taken (literally) days, so I decided to have a go at multi-threading it, and here’s the skeleton script. Continue reading ›

2016 04 23 Carol powershell
Scripting Comments (0) Permalink

Script: Compare-ADGroups.ps1

I recently wanted to do some analysis of existing groups in a well established AD that has a lot of groups (more groups than users in fact). I was hoping to find groups that looked like good candidates for conversion to role-based (aka criteria-based) groups. Continue reading ›

2016 01 30 Carol AD
Groups
powershell Comments (0) Permalink

Pre-wired access control

Here’s a picture I once used in a presentation (credited to wallwin.ca) to illustrate the mess access control in directories and applications often looks like when you try and do any kind of review and analysis.

These days I don’t go into server and patch rooms all that often, but even so it’s been a long time since I’ve seen anything this messy. Patch cabinets are now more likely to be neatly wired like this (picture from clever-idea.co.uk):

The question is – is there any way we can get our access management looking more like the second picture than the first? Continue reading ›

2016 01 04 Carol Best Practice
Philosophising Comments (0) Permalink

missmiis

IAM Design Principle: Lifecycle Events

IAM Design Principle: User Status Values

IAM Design Principle: Don’t make decisions on an absense of data

IAM Design Principle: The Source of Truth is the place where people care about the data being right

Breaking the AADConnect link – an Alumni example

It always comes back to Requirements

Using the MIMWAL to create Policy objects

PowerShell: Split a large CSV and process in multiple Jobs

Script: Compare-ADGroups.ps1

Pre-wired access control

About this blog

Copyright Notice

My social media policy

RSS

Twitter

Popular Posts

Pages

Archives

Blogroll