Adventures in identity management
I’ve had this post sitting in draft for a long time and for some reason hadn’t posted it yet – but then today my colleague Matt sent me a link to the Scripting Guy’s PowerShell Holiday Gift Guide. Yes I do love my PowerShell (and I’m hoping that Santa will bring me a copy of…
As much as possible I like to keep my Workflows simple with a minimum number of steps. When updating attributes I prefer, wherever possible, to only update a single attribute per Workflow Definition. So for example I’ll have separate Workflows for “Set DisplayName” and “Set AccountName” rather than rolling the two together in a single…
MPRs should either have “Grants Permission” ticked, or they should trigger Workflows, but preferably not both.
Run History should be regularly cleared to keep your database file sizes under control. There’s also not a lot of point keeping weeks (let alone months or years) worth of run history in the Sync Service. It shows when profiles ran and whether there were any errors, but click on a CS object and you…
Both in the Sync Service and the Portal there may be regular error messages that we just live with. We’ve figured out they’re “low priority” or perhaps they’re false alerts, where FIM thinks there’s an error but the end result is fine. However, as much as possible, we should aim for a system that runs…
I have two personal rules I always follow when implementing disabling and deprovisioning: Never make decisions on an absence of data, and Never make destructive changes straight away.
The extensibility of FIM has always been one of its great features – allowing us to tailor it to suit the specific needs of the environment. But don’t get carried away!
I am not aware that anyone has has yet found a way to automate full testing of a FIM solution. I know some people unit test their extension code but that doesn’t tell you anything beyond the inputs and outputs of the code. Full testing may need to encompass data entry in the Portal or…
For anything above the simplest GALSync deployment, and particularly if you have the FIM Portal, you must have development and test environments. There are always a number of different ways you can approach each problem, and you need a suitably representative Dev environment to try them all out. Meanwhile Test should be as close to…
The Sync Service is good at maintaining connections between objects, and synchronising data between them. What it has never been so good at is constructing data from complex rules and lookups, so as much as possible, do the complex processing outside the Sync Service and present the data in a way that it can use…