Before we start to use our MIM implementation to manage identities, we need to decide where the information about the identities will come from, and where that information will go. It is best that we start off with the essential connections, and add more as we verify that the basics are working.
A very typical scenario is the one we have—The Financial Company has an HR (human resource) system that will, for the most part, work as the source of identity information. Then it has Active Directory, which is the primary system to receive the identity information.
The basic flow will be: HR -> MIM -> AD.
But that is only the basic flow. As you will see later in this book, there will be other sources of information and additional targets.
Most MIM implementations have at least one Management Agent connected to Active Directory.
There are a few things to consider before creating this Management Agent. First, you should have already sat down with business partners and technology teams, and determined which systems you will be connecting to, which objects, which attributes, and how an attribute should flow through MIM to other systems. These identity discovery and processing mapping discussions are extremely useful, because you will effectively be configuring MIM to coincide with those business processes. Secondly, keep things as simple as possible, and don't try to do everything at once.
If, for example, your plan is to have MIM manage both users and groups in AD, start off by implementing the management of users, and then add groups when the user part is working.
Are we interested in the whole AD or only its parts?
Some businesses specifically exclude parts of Active Directory from MIM. There's nothing wrong with excluding parts, but keep in mind that this decision may impact other requirements. For example, if a collection of users is excluded from MIM, those people will then also be excluded in MIM group management. If Active Directory has group nesting, excluding a collection of groups could have serious repercussions.
Do I need a test environment?
Yes! You should always develop and verify your MIM configuration in a testing environment before applying the configuration to your production environment. What is the worst that can happen? A lot! Depending on what you've configured in MIM and the permissions your service accounts have, you could overwrite or clear data, mistakenly create new accounts, or inadvertently delete accounts. The authors have worked in support long enough to tell you that this is one lesson you do not want to learn the hard way.
The Management Agent (MA) will use a service account to talk to Active Directory. The Financial Company is using the approach to have as few MA accounts as possible rather than having one account for each connected system.
In the case of The Financial Company, the SVC-ADMA
account will be the account that we will use to connect to Active Directory. What we need to do is to give this account the permissions needed to manage relevant objects in AD.
You should always apply a least-privileged approach to all your accounts, especially service accounts such as the ones we will be using with our MIM Management Agents.
To keep things simple, our environment has user accounts in an OU named TFC Users. We then need to give MIM the required permissions to manage the objects. Right-click on the OU, and run the delegate control wizard. Give the AD MA account, SVC-ADMA
, and management permissions on user (and maybe group) objects. In some cases, the aforementioned wizard might give the AD MA account more permissions than needed. If, for example, MIM should only be able to create and manage the objects but not delete them, we need to adjust the permissions in order to use the least-privilege approach.
When importing (reading) information from AD, it is possible to use what is called delta. Delta means we only get the changes since the last time we checked. In order for the MIM Active Directory Management Agent to read only the changes (the delta information in AD), it needs a special permission called Replicating Directory Changes at the domain level. If you do not perform this step, you will receive the error "Replication access was denied" when you attempt to read the AD object data. You can read more about this at http://support.microsoft.com/kb/303972.
ad.company.com
for example).SVC-ADMA
account(s). You need to check the Allow option for the Replicating Directory Changes permission, as shown in the following screenshot:Alternatively, the least-privilege way is to go into the registry, create a DWORD value named ADMAUseACLSecurity
, and set it to 1
. This will tell the AD Management Agent to use the AD ACL permissions rather than requiring the DIRSYNC permissions. You will need to create the value in SYSTEMCurrentControlSetServicesFIMSynchronizationServiceParameters
.
If you are implementing password synchronization and/or the Self-service Password Reset feature, you will need to assign permissions for that; details about this are given in Chapter 9, Password Management.
In this segment, we will walk you through the steps for creating the Active Directory Management Agent. We will slowly work through some of the new terms, but trying to discuss every term is a sure way for beginners to get lost in the product. Some of these terms will be explained later on in this book as we start to use more advanced features.
If you are curious to know about some terms right away, you can click on the Help button available on all the pages in the wizard.
To begin, you need to log in to your MIM Synchronization server using an account that is a member of the MIMSyncAdmins
group:
SVC-ADMA
account. The Options… button allows you to change the default LDAP connection options. It is recommended that you leave the default Sign and Encrypt LDAP Traffic option as it is:Provision Hierarchy means MIM can automatically create a missing OU if needed during provisioning. In our example, if we had configured MIM to provision Active Directory accounts to an OU named TFC User Accounts, which does not exist, it would throw an error. Enabling Provision Hierarchy would mean MIM would create the missing OU. Note that MIM will only create an OU if one is needed for provisioning, and it does not delete OUs.
Please read Carol Wapshere's article explaining deprovisioning options at http://aka.ms/FIMDeprovisioning before you start using the options.
If you are doing a non-declarative (classic) synchronization using only Synchronization Engine, and if you are using code to solve some problems, this is where you will configure which DLL contains your code. This is also where you will select the version of Exchange that you will use if MIM is to provision users for Exchange. For now, we will leave this as No provisioning.
The most popular MIM connection is Active Directory, and the second most common connector is SQL Server. For those organizations that do not have identity data in SQL, there are occasions when creating a few SQL tables will assist in your identity management solution.
At The Financial Company, the HR system uses SQL Server as a database, and we will interact with HR using a typical SQL MA. As with Active Directory, we should implement the least-privilege approach when assigning permissions to the account that MIM is using to connect to SQL.
As the HR database (at present) is not supposed to receive any data, just send the data to MIM; we can assign the db_datareader
permissions to the SVC-HRMA
account:
At The Financial Company, the HR data is in a database named HR.
If you want to filter what information is made available to MIM in SQL, you can easily do that by creating an SQL view and configuring MIM to read from that view. Just remember that when MIM uses an SQL view to talk to SQL, updates become a little trickier. If you create a complex view for MIM to read, and later on realize that MIM should also be able to update a column in a table, it may not be possible without redesigning the view.
Before we can configure our MA, we need to understand the data source we are connecting to. So, let's take a quick look at how the HR database is built up.
In the HR table (named HRData), there is information about our users and organizational units. In the table that follows, note the relation that we have between the column manager, which references the object ID column.
If the SQL data has this kind of reference information, we will be able to use this to synchronize these to attributes in other CDSs, which also use reference attributes. For example, as the manager column in our HR data is a reference value, MIM can easily populate the manager attribute in AD, and also reference an attribute pointing to another object in the AD:
In this section, we will walk you through the process of creating the SQL MA for the HR system:
Select the SQL Server option in the Management agent for: drop-down menu, and give the MA a descriptive name such as HR, as seen in the following screenshot:
SVC-HRMA
account.In our example, the anchor attribute consists of a single column in the database that contains an unchanging unique value of each object. By definition, an anchor can be a unique combination of one or more attributes that do not change. Which attribute is to be used as an anchor attribute in each of the CDSs is an important decision to make. The anchor attribute value should never change for a specific object; the value should remain the same for the entire life cycle of the object. If the anchor attribute changes, it will be detected as a delete of the old object and an addition of a new object by MIM when importing information from the CDS.
This is a good time to talk about attribute names. Often, people new to identity management will get caught up on connector space attribute names not matching with the same attribute names in the Metaverse. For example, the attribute HRType does not exist in the Metaverse. Should you change your HR system, or create a new Metaverse attribute? Ultimately, it is your decision, but there is no reason to re-architect your source and target systems simply because attribute names do not match. In this case, something like employeeType effectively has the same function; therefore, it can be used. Non-matching attributes are expected in the identity world, because the systems are disparate. Our advice? Get over it.
HRExtension.DLL
. You could change the name if you want, but we will keep the default for the purpose of this example. This DLL that we will create will contain the coded displayName and accountName that we want to generate. Click on the Finish button to complete the creation of the HR Management Agent. You should now see two Management Agents in the Service Manager console: AD and HR, as shown in the following screenshot:18.118.171.20