I recently deployed a MIM 2016 solution into Production that took about 10 months to build, test and deploy. I decided to take a look at the percentage of overall time spent on broad work categories in the whole project, and that’s what this post is about. First I had to get the data on…
Role Mining, and why it’s a fantasy
Over the years I’ve had a play with a few role mining tools, and while I can’t claim that as any type of industry review, it did leave me with a general feeling that the whole concept is a fantasy. The main problem I have is that role mining assumes there is a logical structure out…
Unable to get preview XML from server
Just had an odd issue with a small number of synchronised objects in a MIM 2016 Dev environment. The connector space objects in the HR MA had an “unexpected-error” reported in the Sync Service. When I try to preview sync one of the objects I get the following error: Unable to get preview XML from…
Error 0x8023060c when trying to delete a MA
I was trying to delete a CSV MA from a MIM sync service. The connector space was empty but all I got was the error “Unable to delete the management agent” and the code 0x8023060c. Nothing in the event logs at all. I was convinced it was something to do with the database and rolled…
Link to the SSPR Unlock page from the Edit User RCDC
The “Unlock User” page in the FIM/MIM Portal is entirely separate from the main User management page – which is not especially user-friendly. This post shows a way you can add a personalised link to the User Edit page which, when clicked, takes the operator straight to the correct User Unlock page.
IAM Design Principle: Good design is simple to explain
Let’s start with a statement that can be made about any design: good design makes sense, it is coherent, it is self-evident and doesn’t need a lot of explanation. While a simple IAM solution would be a fine thing, the reality is that we must deal with complexity in technical connectivity, data, business rules and…
SQL MA Failed to retrieve the schema
This week I battled with an error from the OOB SQL MA for MIM 2016 (which I don’t think has changed at all from FIM 2010, and probably not earlier versions as well). The MA was working with a SQL database table on a server in another, non-trusting AD forest, and using Windows authentication. The…
Test non-trusting cross-domain Windows authentication to SQL using PowerShell
Sometimes I want to simulate connectivity from an application another way, usually for troubleshooting or verifying networks and accounts have been set up correctly. One thing that’s always been difficult is testing I can connect to a SQL database in a non-trusting domain, using an AD account in the other domain. I can’t hardcode credentials in…
IAM Design Principle: Handle Non-Standard in a Standard Way
The “ideal” IAM solution would have a reliable flow of pre-checked data and a list of sound, proven business rules from which to provision all the accounts and access each person needs to do their job. This is a fantasy. The types of work people do, and the IT landscape they do it in, are…
IAM Design Principle: Plan for data errors
Automation isn’t just about replicating an existing manual process. Yes, we want the same end results, but the process will have to be different because it’s a dumb computer doing it and not a human. Humans are really good at spotting patterns, including ones we’ve never seen before. A human operator will be able to…