{"id":2094,"date":"2012-09-18T21:38:48","date_gmt":"2012-09-18T21:38:48","guid":{"rendered":"https:\/\/www.wapshere.com\/missmiis\/?p=2094"},"modified":"2022-08-21T16:25:55","modified_gmt":"2022-08-21T16:25:55","slug":"fim-best-practice-understand-the-environment","status":"publish","type":"post","link":"https:\/\/www.wapshere.com\/missmiis\/fim-best-practice-understand-the-environment","title":{"rendered":"FIM Best Practice: Understand the Environment"},"content":{"rendered":"<p>With IAM projects you need great site knowledge <em>and<\/em> you need great product knowledge. As the consultant, I bring the product knowledge, but I&#8217;m completely dependent on the customer to supply the site knowledge. This doesn&#8217;t always go as easily as it sounds. The customer&#8217;s assumptions and misunderstandings about FIM may lead them to leave out (or not bother to find out) vital information. And without information, I can&#8217;t design an appropriate solution.<\/p>\n<p>Here are some of the things that need to be well understood:<\/p>\n<p><strong>What are the <em>official<\/em> policies for dealing with all aspects of user account lifecycle?<\/strong><\/p>\n<p>These should include <span style=\"text-decoration: underline;\">written<\/span> policies for:<\/p>\n<ul>\n<li>Exactly who gets an account in the target system?<\/li>\n<li>How are access permissions and application roles assigned?<\/li>\n<li>What can\/can&#8217;t be changed on existing accounts?<\/li>\n<li>When should access be revoked?<\/li>\n<li>How is deprovisioning handled?<\/li>\n<\/ul>\n<p><strong>Where is the data coming from?<\/strong><\/p>\n<p>FIM is data-driven. While it can manipulate data, it can&#8217;t conjure it out of thin air; it has to come from somewhere. 
So we need to understand:<\/p>\n<ul>\n<li>What is the authoritative source for each individual object type <em>and<\/em> each individual attribute to be managed in the target system?<\/li>\n<li>Is the source data in a format we can use?<\/li>\n<li>Does the source data link to identities in a way we can import? E.g., a list of locations is all very well, but I need to know <em>who<\/em> is at each location. And I have to be able to join on the <em>who<\/em>.<\/li>\n<\/ul>\n<p><strong>How much effort will be needed for data clean-up?<\/strong><\/p>\n<p>This is a difficult question to answer. FIM works best with a fully identified and fully joined connector space, where its rules are allowed to apply equally to new and pre-existing identities. Joining and clean-up of identity data has to be done.<\/p>\n<p>While the only way you can really work out how long it will take to do the joins is to do the joins, I do offer this general rule of thumb:<\/p>\n<ul>\n<li>Up to 80% of accounts will join pretty easily,<\/li>\n<li>Another 10-15% will join on weaker rules with a manual verification,<\/li>\n<li>The last 5-10% will be very difficult and various people will have to be involved.<\/li>\n<\/ul>\n<p>Depending on the number of identities you have to deal with, this can be anything from a couple of days&#8217; to a couple of months&#8217; work!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>With IAM projects you need great site knowledge and you need great product knowledge. As the consultant I bring the product knowledge, but I&#8217;m completely dependent on the customer to supply the site knowledge. This doesn&#8217;t always go as easily as it sounds. 
The customer&#8217;s assumptions and misunderstandings about FIM may lead them to leaving&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":[]},"categories":[55,42],"tags":[],"class_list":["post-2094","post","type-post","status-publish","format-standard","hentry","category-best-practice","category-fim-2010"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pkp1o-xM","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/2094","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/comments?post=2094"}],"version-history":[{"count":9,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/2094\/revisions"}],"predecessor-version":[{"id":3289,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/2094\/revisions\/3289"}],"wp:attachment":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/media?parent=2094"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/categories?post=2094"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/tags?post=2094"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated"
:true}]}}