If you would like to read the next part of this article series please go to Introduction to Identity Management and Forefront Identity Manager 2010 R2 SP1 (Part 2).
Even in 2013, many organizations continue to struggle with ongoing identity management needs. If you’re unfamiliar with the term, identity management in the world of IT refers to the “management of individual identities, their authentication, authorization, roles, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime, and repetitive tasks.” In layman’s terms, identity management is the overarching process by which organizations answer the following questions:
- Who? Who is allowed to access particularly systems or services in the organization?
- What? What level of access is allowed to individual systems and services?
- How? By what methods is a user allowed to access these systems and services?
For many, identity management simply boils down to user account creation and password management. While this is one element of identity management, these are important aspects of the service. However, a comprehensive identity management solution should be able to do much more, including:
- Automatic creation of a user’s Active Directory account based on information gleaned from a database considered an authoritative source. In many cases, this is the human resources or payroll database.
- Automatic creation of a user’s Exchange or Office 365 mailbox.
- Automatic creation of a user’s home directory on a file server.
- Automatic inclusion of a user’s account in any security groups that are appropriate for his job. Again, whether or not access to a particular group is appropriate would be dictated by information in the authoritative source database.
- Self-service management of a user’s password. A user should be able to reset his password on demand and be provided with a mechanism by which to reset his password in the event that it is forgotten.
Note that everything in the list above implies that IT takes a mostly hands off stance with regard to ongoing identity management. Since this activity can fully consume people, particularly in organizations that see a lot of turnover, automation and self-services shifts the burden of the process away from personnel and turns it in just another IT service. Personally, I see identity management in many organizations as “low hanging fruit” that can save IT a lot of time and help the department focus more on bottom line-driven needs.
Moreover, robust identity management provides organizations with an additional layer of security. For example, IT may not be informed right away that a high level person has been fired, but you can bet that payroll has been notified. A rule could be created to deactivate an account when payroll performs a termination action in their system. This can help the organization ensure that only those that are authorized have access to the system.
Identity management can also become a compliance issue, particularly if it’s done poorly.
There are many, many ways to attack the identity management gorilla, but I’ll be focused in this series on Microsoft Forefront Identity Manager 2010 R2 SP1. With this product, administrators overseeing Microsoft-centric environments can automate and distribute significant identity and rights-related tasks. With FIM, for example, an administrator can automate the provisioning of an Active Directory account and distribute to an administrative assistant the ability to manage the permissions in distribution and security groups in that person’s division.
That’s another way by which IT can return to the users some carefully controlled keys to the kingdom, thus further reducing IT’s need to be involved in every account-related activity in the organization. With a fully realized identity management solution, IT’s involvement moves to one of oversight and exception handling only. IT still retains responsibility for the automated systems, but is able to easily delegate some of the operational tasks.
Before I jump into Forefront, it’s important that you understand some prerequisites that must be in place before you jump into identity management in your organization:
- You must have a rock solid understanding of the workflow that is involved in creating accounts in your organization, right down to the field level. You can’t automate what you don’t understand.
- You must understand what triggers various activities in the identity lifecycle. For example, what action initiates the creation of a new credential in a particular system? What actions deactivate a particular access level or credential?
- You must have a complete systems inventory and an understanding of the authentication mechanisms for each.
- Your “authoritative systems” must be clean. For example, if you intend to use the Human Resources system as the source repository for employee identity, you must ensure that the data in the system is valid and complete. For example, are you capturing the name of a new employee’s manager? If not, you’re eliminating FIM’s ability to automatically email new user credentials to an new hire’s supervisor.
Once you understand your organization’s existing landscape, you can start doing some terraforming with Forefront Identity Manager.
Feature set
Forefront Identity Manager 2010 R2 brings to IT a host of features that can ease the identity management burden. I won’t say that getting to a fully realized identity management system is an easy undertaking; it isn’t. However, once an organization commits to and see it through, the product feature show a clear benefit.
Self-service portal
An identity management system isn’t complete unless a user can perform some self-service functions on his own. Again, this helps IT focus on what’s important rather than on the mundane. FIM 2010 R2 brings such a portal, which is based on SharePoint. Included in the portal is the ability to:
- Manage personal information.
- Manage group memberships.
- Manage password, including self-service password reset.
FIM’s self-service password reset capability is quite good. It works by requiring that a user first register with the password reset service. Just like you do with your bank, you’re asked a series of personal questions and your answers are stored in a database. If you happen to forget your password, you can browse to a web site to reset it or, if you’re not able to log in to your machine, you can take advantage of FIM’s ability to integrate with the Windows login screen, as shown below. When you click the Reset Password link, you’re provided just enough of a computing environment to reset your password after which you can log in as normal.
Figure 1: FIM integrates with the Windows login screen
Some help desks spend more than ½ of their time managing user password issues. What if that particular class of call went away or, at the very least, was reduced to a trickle? That can mean vast savings for the IT department and the ability to redirect staff resources at higher priority projects.
With FIM, you can grant users as many or as few of the rights that I’ve described above using FIM’s built in capability to granularly manage roles and role assignments.
Codeless user management
For relatively straightforward deployments, FIM 2010 includes the ability to prevision and deprovision users without having to write a bunch of code. Of course, this isn’t supported in every scenario, but is supported for such items as Active Directory and can make the product a bit easier to deploy.
Ongoing data synchronization
Organizations are not static creations. They change every day. People change, departments change and even whole companies change. With FIM, if you make a change to authoritative data, you can configure the product to automatically reflect that change across all systems. For example, if you change the name of a department, any users in that department can have their Active Directory accounts updated to reflect the change.
Workflow
While automation is wonderful, sometimes a human has to be involved for approvals. For example, if a user makes an attempt to use the self-service portal to change their nickname, HR can create a policy that forbids that change without HR’s approval.
Summary
This article provided you with a foundation on which to understand the importance of identity management and began to introduce you to FIM 2010 R2 SP1. In the next part of this series, we will continue exploring the product.
If you would like to read the next part of this article series please go to Introduction to Identity Management and Forefront Identity Manager 2010 R2 SP1 (Part 2).
