Expertise in Identity & Access Management www.oxfordcomputergroup.co m AD, AuthZ and FIM (Oh my!) Laura E. Hunter Identity Architect

Post on 04-Jan-2016


TRANSCRIPT

Page 1:

Expertise in Identity & Access Management

www.oxfordcomputergroup.com

AD, AuthZ and FIM (Oh my!)

Laura E. Hunter

Identity Architect

Page 2:

Active Directory

• Authentication, Authorization and Auditing
  – LDAP-based
  – Low barrier to entry
    • No separate licensing – you own a Windows server license, you can deploy AD
  – High levels of penetration in corporate and EDU environments

Page 3:

AD for Role Management?

• Which of the following is my phone number?
  – +1 (215) 380-4476
  – 215.380.4476
  – (215) 380-4476
  – 215-380-4476

• Now…which of those will AD allow me to enter?
  – Good at replication and publication
  – Bad at enforcing business rules

Page 4:

So What Else Is There?

• Identity Lifecycle Manager
  – Specifically ILM “2”, a.k.a. FIM 2010
    • (It’ll ship someday, I swear)
  – Enforces business rules before writing data to a connected directory
    • “All of Joe Smith’s direct reports will be in a security group called ‘JSDR’”
  – SQL store provides a single location for “role mining” and historical queries

• Additional cost/CAL considerations!

Page 5:

Is There a Middle Ground?

• Sure. It’s a “build vs. buy” decision
• Anything that can write to LDAP can write to AD
  – Constrained proxy apps (usually web-based) or scripts
• …but the native tools still won’t enforce logic!
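As an added example (not part of the deck), the kind of constrained write-proxy logic slides 3 through 5 describe: the four phone-number spellings from slide 3 are normalized to one canonical form before anything reaches the directory, and the “Joe Smith’s direct reports in JSDR” rule from slide 4 is reconciled as a set difference. The in-memory DIRECTORY and GROUPS dictionaries, the account names and the 555 numbers are constructed stand-ins for LDAP reads and writes.

```python
import re
from typing import Dict, Set

# Constructed stand-in for the directory: account -> attributes. A real proxy
# would read and write these over LDAP; the enforcement logic is identical.
DIRECTORY: Dict[str, Dict] = {
    "jsmith":  {"manager": None,      "telephoneNumber": None},
    "agarcia": {"manager": "jsmith",  "telephoneNumber": None},
    "bchen":   {"manager": "jsmith",  "telephoneNumber": None},
    "dlee":    {"manager": "agarcia", "telephoneNumber": None},
}
# Deliberately stale membership: dlee is not a direct report, agarcia is missing.
GROUPS: Dict[str, Set[str]] = {"JSDR": {"bchen", "dlee"}}


def normalize_us_phone(raw: str) -> str:
    """Accept any of the slide-3 spellings and emit one canonical E.164 string.

    AD stores whatever string it is handed; this is the rule AD itself lacks.
    """
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]                   # strip the +1 country code
    if len(digits) != 10:
        raise ValueError(f"not a 10-digit US number: {raw!r}")
    return f"+1{digits}"


def set_phone(account: str, raw: str) -> str:
    """Constrained write: validate and normalize first, then touch the directory."""
    canonical = normalize_us_phone(raw)      # raises before any write happens
    DIRECTORY[account]["telephoneNumber"] = canonical
    return canonical


def reconcile_direct_reports(manager: str, group: str) -> Dict[str, Set[str]]:
    """Slide-4 rule: group membership equals the manager's direct reports.

    Returns the applied changes so the caller can log them (FIM keeps this
    history in SQL; here the return value is the audit record).
    """
    desired = {acct for acct, a in DIRECTORY.items() if a["manager"] == manager}
    current = GROUPS.setdefault(group, set())
    changes = {"added": desired - current, "removed": current - desired}
    GROUPS[group] = desired
    return changes
```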

Page 6:

Thank You!