The FIM Team User Group
Proudly sponsored by
November 2014
Housekeeping
• I am speaking now – check your audio settings if you can’t hear
• Keep your mic muted unless speaking
• If you speak, identify yourself first
• Make sure you can see the chat window and feel free to use it
The NEWS
• MIM CTP preview available - see http://blogs.technet.com/b/ad/archive/2014/11/18/microsoft-identity-manager-preview-release-1-is-now-available.aspx
If you have news for next month drop an email to [email protected] with the subject “News”.
It’s all about the data
Agenda
• Data analysis
• Joins
• Solution implementation
• Maintaining data quality
Typical Data questions
• Estimating join effort
• Estimating data correctness
• What will change when we switch this on?
• Generating group criteria, roles etc
• Can I have an updated copy of that report.
Join Effort
[Chart: "Join Effort for manually managed accounts", plotting Percent and Effort (axis 0 to 120) for the categories Easy, Hard and Very Hard. Labels in slide order: 5-10%, 10-15%, 80-85%; Very Hard (ask-around identification), Hard (spellings, accented characters, nicknames), Easy.]
Join Rules
http://www.wapshere.com/missmiis/phase-one-joins-and-data-matching
• Complex join rules are a means to an end – not the end itself.
• Breadcrumbing is essential for automation.
• When matching on weak rules (e.g. surname only), verify the match another way.
• You can’t do it all in ILM. CSV, Excel and fuzzy lookup algorithms will also help, but an element of by-hand matching is inevitable.
• Get the matching and breadcrumbing sorted out before you start flowing and provisioning. This will make for a happier project, stakeholders, users and YOU!
Really, really difficult joining
• Use the ResolveJoinSearch method of a classic MAExtension to dump all possible matches to a CSV file for manual matching.
• Add a probability score:
  - +1 for details the same, e.g. location, department
  - +1 for name similar:
    - Remove all punctuation characters
    - Remove diacritics
    - One name contained in the other – e.g. Liz, Elizabeth
    - Levenshtein distance, Soundex
• Matching done by hand.
• Import identifiers from CSV, either to source or through a CSV MA.
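An added example, not from the slides or the linked scripts: the scoring pass described above, applied in Python to candidate pairs once they have been dumped to CSV. The column names, the Levenshtein threshold of 2, scoring each name part separately and the sample records are assumptions.

```python
import unicodedata

DETAILS = ("location", "department")   # assumed CSV column names
NAMES = ("givenName", "sn")            # assumed CSV column names
CODES = {c: d for d, grp in enumerate(("bfpv", "cgjkqsxz", "dt", "l", "mn", "r"), 1) for c in grp}

def normalise(s):
    """Lower-case, strip diacritics, then drop punctuation and spaces."""
    return "".join(c for c in unicodedata.normalize("NFKD", s.lower()) if c.isalnum())

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def soundex(s):                        # s: normalised, non-empty
    out, last = s[0].upper(), CODES.get(s[0])
    for c in s[1:]:
        code = CODES.get(c)
        if code and code != last:
            out += str(code)
        if c not in "hw":              # h and w do not separate equal codes
            last = code
    return (out + "000")[:4]

def name_similar(a, b):
    a, b = normalise(a), normalise(b)
    return bool(a and b) and (a in b or b in a or levenshtein(a, b) <= 2
                              or soundex(a) == soundex(b))

def score(hr, ad):                     # +1 per identical detail, +1 per similar name part
    same = sum(1 for f in DETAILS if hr.get(f) and normalise(hr[f]) == normalise(ad.get(f, "")))
    return same + sum(1 for f in NAMES if name_similar(hr.get(f, ""), ad.get(f, "")))

def rank(hr, candidates):              # best first; zero scores dropped
    scored = [(score(hr, ad), ad["accountName"]) for ad in candidates]
    return sorted((s for s in scored if s[0]), key=lambda s: -s[0])

# Constructed sample records, not real data.
HR = {"givenName": "Elizabeth", "sn": "Núñez-Pérez", "location": "Geneva", "department": "Finance"}
AD = [
    {"accountName": "lnunez", "givenName": "Liz", "sn": "Nunez Perez", "location": "Geneva", "department": "Finance"},
    {"accountName": "enunes", "givenName": "Elisabet", "sn": "Nunes", "location": "Zurich", "department": "Finance"},
    {"accountName": "jsmith", "givenName": "John", "sn": "Smith", "location": "London", "department": "IT"},
]
```

The score only orders candidates for the by-hand review; a high score is not itself a join decision.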
Data Analysis – how clean is my data?
• Useful SQL to know:
  - bulk insert
  - having count
  - inner and outer joins
  - isnull(column, '')
• Side-by-side import to Metaverse:
  - HR:department → department
  - AD:department → department_AD
• IdFix?
Data Analysis - Groups
Groups are a good candidate for management if:
• All members are FIM-managed
• Are not nested and contain no member groups
• Can be replaced by criteria
Script: Analyse-ADGroups.ps1 https://unifysolutions.jira.com/wiki/display/FIMTEAMCOM/Groups
Implementation
• AD Backup and restore – see Søren’s scripts at: http://blog.goverco.com/2014/11/securing-your-active-directory-data.html
• Export all attributes as there may be unexpected knock-on changes from a first export.
Data Load
• Don’t reverse flows – use a script to insert data directly in the FIM Portal. See ConvertTo-FIMManagedGroup.ps1 https://unifysolutions.jira.com/wiki/display/FIMTEAMCOM/Groups
• Disable all WF MPRs during bulk load
• Selectively run WF using Transition-In MPRs
• OR – update data with scripts. Slower but can be stopped.
Maintaining Data Quality
Sync Service enforces data state – FIM Service does not.
Workflows can fail for unexpected reasons – data left in inconsistent state.
Bob’s Housekeeping Policy designed to re-run certain workflows: https://unifysolutions.jira.com/wiki/display/FIMTEAMCOM/Designing+and+scheduling+Housekeeping+policy+entirely+within+the+FIM+Portal
Maintaining Data Quality - Scripted
• Lighter – can run more frequently
• Add new data checks easily
• Find and fix problems
• Use XPath to find anomalous objects
Example check: Department string value matches DisplayName of linked Unit object.
XPath can’t do this: Objects where Department != Unit/DisplayName
It can do this: Objects where Unit = GUID and Department != “Health and Safety”
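An added example, not the Data Quality Script itself: since the filter cannot follow the Unit reference, one filter is generated per Unit object, and the same comparison is shown client-side over exported objects. The Person object type, the AccountName attribute, the exact filter syntax and the sample GUIDs are assumptions.

```python
import re

GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

def build_checks(units, object_type="Person"):
    """Return ({unit_guid: filter}, skipped_guids) for a {guid: DisplayName} map.

    Values are concatenated into the filter text, so only well-formed GUIDs and
    names without quote characters are accepted; the rest go to manual review.
    """
    checks, skipped = {}, []
    for guid, name in units.items():
        if not GUID.fullmatch(guid) or "'" in name or '"' in name:
            skipped.append(guid)
            continue
        checks[guid] = f"/{object_type}[(Unit = '{guid}') and (Department != '{name}')]"
    return checks, skipped

def mismatches(people, units):
    """Client-side form of the check: Department differs from the linked Unit's name."""
    return sorted(p["AccountName"] for p in people
                  if p.get("Unit") in units and p.get("Department") != units[p["Unit"]])

# Constructed sample objects, not real data.
HS = "11111111-2222-3333-4444-555555555555"
FIN = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
QUOTED = "99999999-8888-7777-6666-555555555555"
UNITS = {HS: "Health and Safety", FIN: "Finance", QUOTED: "People's Services"}
PEOPLE = [
    {"AccountName": "asmith", "Unit": HS, "Department": "Health and Safety"},
    {"AccountName": "bjones", "Unit": HS, "Department": "Health & Safety"},
    {"AccountName": "cwong", "Unit": FIN, "Department": "Finance"},
    {"AccountName": "dpatel", "Unit": None, "Department": "Finance"},
]
```

Objects with no Unit set, such as dpatel here, are not returned by any per-Unit filter and need their own check.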
Data Quality Script
Download from https://unifysolutions.jira.com/wiki/display/FIMTEAMCOM/Data+Quality+Script
Documenting Data Rules
| Attribute | Source | Scope | Validation / Limitations | Impact if Incorrect | Remediation |
|---|---|---|---|---|---|
| First Name | HR | Employees | | Medium: Name attributes wrong in AD. Also affects Account Name and Email address generation. | Fix source data |
| | Student Register | Students | | | |
| | FIM Portal | Contractors, Externals | | | |
| Account Name | FIM Provisioning rule | All AD users | Unique in AD | Low: Will always match value in AD. | May be changed in AD after provisioning. |
| Status | FIM Workflow sets based on Employee Status, Start Date, End Date. | All People | Active \| Inactive | High: Affects enabling/disabling of linked user accounts. | Data Quality process checks the Status is correct based on the contributing attribute values. |
Next year…
• No December meeting
• Bob will present a session on FIM Event Broker in January
• Please get in touch if you want to present, or have an idea for a discussion topic