Portrait of a MIM project

I recently deployed a MIM 2016 solution into Production that took about 10 months to build, test and deploy. I decided to take a look at the percentage of overall time spent on broad work categories in the whole project, and that’s what this post is about. First I had to get the data on…

Role Mining, and why it’s a fantasy

Over the years I’ve had a play with a few role mining tools, and while I can’t claim that as any type of industry review, it did leave me with a general feeling that the whole concept is a fantasy. The main problem I have is that role mining assumes there is a logical structure out…

Unable to get preview XML from server

Just had an odd issue with a small number of synchronised objects in a MIM 2016 Dev environment. The connector space objects in the HR MA had an “unexpected-error” reported in the Sync Service. When I try to preview sync one of the objects I get the following error: Unable to get preview XML from…

Link to the SSPR Unlock page from the Edit User RCDC

The “Unlock User” page in the FIM/MIM Portal is entirely seperate from the main User management page – which is not especially user-friendly. This post shows a way you can add a personalised link to the User Edit page which, when clicked, takes the operator straight to the correct User Unlock page.

IAM Design Principle: Good design is simple to explain

Let’s start with a statement that can be made about any design: good design makes sense, it is coherent, it is self-evident and doesn’t need a lot of explanation. While a simple IAM solution would be a fine thing, the reality is that we must deal with complexity in technical connectivity, data, business rules and processes, and…

SQL MA Failed to retrieve the schema

This week I battled with an error from the OOB SQL MA for MIM 2016 (which I don’t think has changed at all from FIM 2010, and probably not earlier versions as well). The MA was working with a SQL database table on a server in another, non-trusting AD forest, and using Windows authentication. The…

Test non-trusting cross-domain Windows authentication to SQL using PowerShell

Sometimes I want to simulate connectivity from an application another way, usually for troubleshooting or verifying networks and accounts have been set up correctly. One thing that’s always been difficult is testing I can connect to a SQL database in a non-trusting domain, using an AD account in the other domain. I can’t hardcode credentials in…

IAM Design Principle: Handle Non-Standard in a Standard Way

The “ideal” IAM solution would have a reliable flow of pre-checked data and a list of sound, proven business rules from which to provision all the accounts and access each person needs to do their job. This is a fantasy. The types of work people do, and the IT landscape they do it in, are…

IAM Design Principle: Plan for data errors

Automation isn’t just about replicating an existing manual processes. Yes we want the same end results, but the process will have to be different because it’s a dumb computer doing it and not a human. Humans are really good at spotting patterns, including ones we’ve never seen before. A human operator will be able to…