Identity Management

Transforming a client's legacy IT infrastructure is one of the greatest challenges both the client and a technology organisation face. The objective is normally to consolidate multiple domains, systems and business groups into one unified resource infrastructure, delivered through the implementation of large SANs, clusters and robust Active Directory domain(s) in central data centres. During that process Exchange servers, SQL servers, application servers and file servers are consolidated into central infrastructure or P2V'd into the data centre. The client's staff can log into any PC in any part of their business and get all their email etc. In pre-consolidation times, the large amounts of project management needed for PC moves, and the IT time spent reimaging PCs with the image for that domain, made the business less adaptive to market or regulatory changes.

IT processes should be self-serving

The problem which exists after the consolidation of all this infrastructure is that there have probably been some IT organisation changes to go with it: that guy you handed a form to in order to get your NT account created no longer has that privilege, and wait times for logon creation expand as requests may have to go through a service desk. The same is true of group, PDL or share creation. Businesses in the times we are in need to be agile.

This creates several problems, the biggest being the user aspect. When a user starts with a company they should be able to start their job that day, not wait several days for IDs, email etc. to be set up; when they need a PDL they should be using it within the hour.

What happens if the business takes over another business and needs to provision 1k+ NT accounts, web portal accounts etc.? That's a lot of IT resources and overtime.

The other problem that is created is standards compliance by IT staff: if a group is to be created in a certain format, how do you ensure that you have 100% compliance with this rule? (Answer: you can't without management tools.) This can be seen clearly in user accounts where details are missing, so when you look that person up in the GAL, what are you searching for? Is it Lastname, Firstname? Firstname Lastname? Or Lastname Firstname?

In large organisations you have the problem of people with the same names; users need to be able to input details that reflect who they are in the organisation, e.g. O'Brien, Michael (IT). This can be done, however it is a task for the service desk, which means tickets and more time.

The bottom line is that IT services in which the user cannot be self-sufficient put more pressure on what is probably already an overworked IT staff to provide services faster and for more and more users as businesses change. This makes the business's IT horribly inefficient and opens it to human error.

Empower the User

The way to get around these problems is to use an Identity Management solution. Several companies provide IDM solutions (Oracle, CA, Microsoft and HP), but as an all-round product Microsoft Forefront Identity Manager 2010 is the one I would highly recommend: for bang for buck it's the easiest to implement and gives you the least end-user hassle.

So let's have a look!

That's a pretty slick interface. My account in this case is a standard user with the FIM Admin group added on, which is why there is an administration widget over on the right.

FIM takes all the good things from ILM 2007, which has been the backbone of synchronisation between many different types of systems, adds Windows SharePoint Services 3.0 and gives the user a simple web portal for group and PDL creation.

It also gives administrators or managers a clear interface for approving and configuring workflows for certain types of actions. Most businesses will run the Microsoft best-practice approach of a Domain Local and a Global group: users go in the Global group, and the Domain Local group is placed on the resource. In FIM 2010 it is simple to do this by editing the New Group workflow and adding rules to create a new group type; you can even do tasks like adding prefixes to groups to tie in with legacy groups that were created in your AD console.

There are of course certain benefits to running a FIM infrastructure as opposed to one from another vendor. The first is that the environment in which you will be controlling your identities will normally be a Microsoft-based environment and system; in times of trouble this could make a notable difference when seeking support. Multi-vendor support cases can get tricky to maintain during an incident and could also bring about a finger-pointing scenario between two or more vendors.
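The naming-standard and Domain Local / Global group points above are the kind of thing a management tool enforces at creation time; the script below is an added example (not from the original post or from FIM) that audits an existing set of groups against an assumed prefix convention (DL_ for Domain Local, GG_ for Global) and the rule that a Domain Local group should only contain Global groups. The prefixes, the function name and the sample groups are constructed for illustration.

```powershell
# Added example: audit groups for an assumed naming convention and for
# Domain Local groups that hold users directly instead of Global groups.
function Test-GroupStandards {
    param(
        [Parameter(Mandatory)] [object[]] $Groups,   # objects with Name, GroupScope, Members
        [string] $DomainLocalPrefix = 'DL_',          # assumed convention
        [string] $GlobalPrefix      = 'GG_'           # assumed convention
    )
    $byName = @{}
    foreach ($g in $Groups) { $byName[$g.Name] = $g }

    foreach ($g in $Groups) {
        $issues = @()
        $expected = switch ($g.GroupScope) {
            'DomainLocal' { $DomainLocalPrefix }
            'Global'      { $GlobalPrefix }
            default       { $null }
        }
        if ($expected -and -not $g.Name.StartsWith($expected)) {
            $issues += "name lacks prefix '$expected'"
        }
        if ($g.GroupScope -eq 'DomainLocal') {
            # AGDLP: every member of a Domain Local group should be a Global group
            foreach ($m in $g.Members) {
                $member = $byName[$m]
                if (-not $member -or $member.GroupScope -ne 'Global') {
                    $issues += "member '$m' is not a Global group"
                }
            }
        }
        [pscustomobject]@{
            Name      = $g.Name
            Scope     = $g.GroupScope
            Compliant = ($issues.Count -eq 0)
            Issues    = ($issues -join '; ')
        }
    }
}

# Constructed sample: one compliant pair and two violations.
$sample = @(
    [pscustomobject]@{ Name = 'GG_Finance_Users';   GroupScope = 'Global';      Members = @('mobrien') },
    [pscustomobject]@{ Name = 'DL_FinanceShare_RW'; GroupScope = 'DomainLocal'; Members = @('GG_Finance_Users') },
    [pscustomobject]@{ Name = 'Finance Legacy';     GroupScope = 'Global';      Members = @() },        # missing prefix
    [pscustomobject]@{ Name = 'DL_HRShare_RO';      GroupScope = 'DomainLocal'; Members = @('jsmith') } # user nested directly
)
Test-GroupStandards -Groups $sample | Format-Table -AutoSize
```

Against a live domain the same function can be fed the output of `Get-ADGroup -Filter * -Properties Members` from the ActiveDirectory module; note that `Members` there holds distinguished names, so the lookup table would need to be keyed on DN rather than Name.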

While the likes of Oracle, Novell and CA provide portals for end users to do their activities, they can be hard to customise to the point where they are user-friendly.

Configuring FIM is relatively straightforward, and there are many sources and destinations that can be used.

Cost from Microsoft can be cheaper depending on your OA or EA with Microsoft.

While FIM is easy to configure for direct Source – Metaverse – FIM type scenarios, technical documentation at this stage can be limited at times, especially if doing syncs other than AD to FIM and/or SQL to FIM and the reverse.

FIM's capability for edge infrastructure is not as good as that of Oracle, Novell or Sun in this respect; it can be done, but relies on other Microsoft technologies.