Adventures in identity management
I’ve been helping a customer along the path towards a proper IAM solution, which has involved a lot of data clean-up, as it so often does. Criteria groups in MIM can encourage data quality as users don’t get the groups they need if their attributes aren’t correct – so I thought, how about getting them…
I recently wanted to do some analysis of existing groups in a well established AD that has a lot of groups (more groups than users in fact). I was hoping to find groups that looked like good candidates for conversion to role-based (aka criteria-based) groups.
My general negativity about FIM codeless sync aka “declarative provisioning” aka “Synchronization Rule Provisioning” is, I think, reasonably well-known by now. While Markus wrote an excellent document about importing AD groups into the FIM Portal using the codeless rules, I think there are still plenty of reasons to go old skool, and here’s how you’d…
I’ve been having a bit of a play with the powershell interface to the FIM Portal. I wanted to pre-populate a demo environment with an interesting set of criteria-based Securoity and Distribution groups, but they get a bit tedious to create by hand, and I wanted to see if powershell was the answer. I’m pretty…
Following on from my last post about the overlaps between FIM and Exchange 2010 I wanted to clarify for myself the group management capabilities in FIM, Exchange 2010 and ILM. Warning: I will have to revisit this post – as I haven’t yet installed Exchange 2010 in a production environment the Exchange comments are based…
I’d like to be able to manage groups through the Portal but, unlike in the one published walkthrough on group management with ILM2, I don’t want to start from scratch. I want to start by importing all the existing groups from AD, and then, well we’ll see how we go. Getting information about my AD…
In some implementations, it makes sense (usually by improving performance) to separate your user and group provisioning into seperate MAs. One downside of this approach, however, is that you can run into export errors when trying to update a group with a member who doesn’t exist in the external directory – and this includes delete…
Thanks to Joe Stepongzi for pointing this one out to me: you can flow a metaverse string attribute direct to a connector space relational DN attribute, as long as the metaverse string holds a valid DN.
This is a repost of an article which was originally about multivalue attributes in general, but with a focus on group members. I realised I had made some generalisations about multivalue attributes which actually specifically apply only to attributes like member, which contain reference DN values. So I am now re-releasing the post, with a…
Getting members into groups seems to be an early hurdle for many people. Microsoft provide the Group Populator – an obtusely round-about method involving SQL tables, Select queries, input text files and code that must be run outside of MIIS. Once I got the hang of the multivalue aspect of the SQL MA, I couldn’t…