FIM 2010 Release 2 (and SP 1)
Agenda • What business problems are we trying to solve? • How does FIM 2010 Release 2 help? • Demonstration
What business problems are we trying to solve? Data held in and/or required by many directories, databases and services • Personal attributes: names, telephone numbers, job title • Authentication: logons, passwords • Authorization: key attributes, role and group memberships Often not well co-ordinated • Unnecessary administration overhead • Security is compromised • Difficult to roll out new applications and services • Poor user experience can lead to low productivity • Proper governance can’t be shown (because it isn’t there) And also… • Password reset: helpdesk overload • Reporting requirements: who has/had access to what? • White pages • Etc.
It’s a really great synchronization engine • Uses a metadirectory • State-based, so that it is persistent • Resilient against connectivity outages and other failures • Minimum changes to target systems • Extensible • Can connect to (almost) any system • Rules can leverage the entire .NET capability [Diagram: the Metadirectory aggregates Carol Troup’s attributes (logon name, full name, DN, display name, e-mail alias, phone number, title, cost center, employee number, manager, salary) from the Directory Service, E-mail Directory, ERP Database and HR Database]
It’s a really great synchronization engine • Flows identity information (objects and attributes) between directories • Implements established rules that determine the authoritative sources for identity information • Any source can be authoritative for any attribute • Extends to password management (but not in quite the same way) [Diagram: Carol Troup’s Title comes from the HR Database, her E-mail alias from the E-mail Directory and her Logon name from the Directory Service, each flowing through the Metadirectory to the other systems]
It’s a really great synchronization engine • Detects changes made to identity information • Changes can be allowed, blocked or reversed • Propagates changes to other directories according to the rules already established [Diagram: Carol Troup’s Title changes from Consultant to Sr. Consultant in the HR Database and is propagated through the Metadirectory to the E-mail Directory and the Directory Service]
It’s a really great synchronization engine • Provisions directories and databases • Resulting from changes in an authoritative directory (like a joiner or someone changing roles) • Conforming to business rules • Timely access to systems [Diagram: Tomas Koska is added manually to the HR Database, a new object is created in the Metadirectory, and accounts/objects are created in the E-mail Directory and the Directory]
It’s a really great synchronization engine • Deprovisions directories and databases • Resulting from changes in an authoritative directory (like a leaver, or someone changing roles) • Conforming to business rules • Access stopped • No loose ends [Diagram: Tomas Koska is modified manually in the HR Database; his object in the Metadirectory, his accounts in the E-mail Directory and NOS Directory, and his AD user account are removed]
It’s a really great synchronization engine, plus… • Evolution of ILM policy: from next to nothing (manual or a set of scripts)… to rule-based but diffuse… to an integrated set of statements that relate back to defined business requirements [Diagram: FIM platform architecture. Solutions: User Mgmt, Credential Mgmt, Group Mgmt, Policy Mgmt, Custom, Reporting. FIM Clients: Custom, Windows CM, SSRS, Portals, Outlook. FIM Platform: Metadirectory (FIM Sync, MAs), FIM Service (Action Workflow, Request Processor, Delegation & Permissions, AuthN Workflow, AuthZ Workflow), Data Warehouse, App DB, CM DB, Cert Mgmt, SCSM. Identity Stores: Directories, Applications, Databases, E-Mail Systems]
What’s new in R2? • R2 Improvements • Performance improvements • Self-service password reset enhancements (demo) • New synchronization rule type (demo) • Reporting (demo) • Extensible Connectivity Management Agent 2 • BHOLD • R2 SP1 Improvements • More performance improvements • Version support for FIM itself (e.g. Windows Server 2012, SQL Server 2012) • Visual Studio 2010 for extensions • Other version support for WS2012 (AD MA), Office 2013 for client components, Windows 8 client support (e.g. SSPR) • SCSM 2012 reporting support
Demonstration • Synchronization of sources • Provisioning and deprovisioning (including the new sync rule type) • Users and groups • Self service (including password reset)
Reporting System Components • SQL Server Reporting Services • Provides Report platform • System Center Service Manager 2010 • Provides Data Warehouse • New FIM Resource Types • Configuration of reporting process
Data Flows in Reporting • FIM reporting PowerShell scripts push data into the System Center Service Manager database • Initial: used the first time data is extracted • Initial Partial: used after a configuration change (e.g. schema extension) • Incremental: used in regular operation to extract the changes since the last incremental extraction • Reporting Job objects specify the type of job to be executed; a new Reporting Job object is created for each extraction • The Extract, Transform and Load (ETL) process controls the flow of data from the System Center Service Manager database to the ultimate reporting database (the DataMart) • Extract: from the System Center Service Manager database to the Staging tables • Transform: stored in the Data Repository • Load: into the Data Mart
Comparing Data Structures DW and FIM • FIM Schema: Resource Types and Attributes (with Reference Attributes) • DW: Classes, Derived Classes, Properties (with Relationships) • A mapping is required to indicate: • which DW Class represents a FIM Resource Type • which DW Property represents a FIM Attribute • which DW Relationship represents a FIM Reference Attribute • Mappings are stored as XML on objects in FIM • These mapping objects do not extend the DW schema • The DW schema is defined in Management Packs
Classes and Class Hierarchy • DW uses a class/property model with inheritance • Child classes contain all parent properties as well as their own • e.g. FIMDisplayName is in FIMEntity and FIMPerson • Prevents the need for excessive joins • A single FIM object has entries in each class table according to its class type • e.g. a FIMPerson has entries in FIMPerson, FIMEntity and Entity • If you wish to include new attributes, you create a new child class with those attributes that inherits the existing attributes
Dimensions and Facts • Dimensions: base data, one row per object, many properties, latest value held (e.g. Group Scope, or Person AccountName, JobTitle or Department) • Facts: history to be tracked, e.g. Group ComputedMember • In the case of FIM, we also have history stored in Requests, so the history of any property is available • Each data class has a dimension table, e.g. FIMEntityDim, FIMPersonDim, FIMGroupDim, FIMSetDim • Each fact has a (series of) tables, split by month: • FIMGroupHasExplicitMembersFact_2012_April • FIMGroupHasExplicitMembersFact_2012_May • Automatically-extended views collect the split Fact tables (UNION) • e.g. FIMGroupHasExplicitMembersFactvw • Always report against the views! • Fact entries join to Dimension entries, e.g. GroupHasMemberFact joins to FIMEntityDim (not FIMPersonDim, because many resource types can be members) • Outriggers
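As an added example, not taken from the deck, here is a T-SQL access-review query ("who has/had access to what") against the DataMart that follows the two rules above: it reads the UNION view rather than a monthly split table, and joins membership facts to FIMEntityDim rather than FIMPersonDim. The table names are the ones the slides give; the key, date, scope and type column names are assumptions, since the slides do not list them.

```sql
-- Added example, not from the slides. Column names are assumptions: the slides name the
-- tables (FIMGroupHasExplicitMembersFactvw, FIMGroupDim, FIMEntityDim) and FIMDisplayName,
-- but not the key, date or type columns used below.
DECLARE @AsOf datetime2 = '2012-05-15';   -- constructed review date (falls in the _2012_May split)

-- 1. Who was an explicit member of which group at @AsOf?
--    Query the auto-extended view, never an individual FIMGroupHasExplicitMembersFact_2012_* table,
--    so a membership created in April and still current in May is not missed.
SELECT  g.FIMDisplayName  AS GroupName,
        g.GroupScope      AS GroupScope,      -- assumed dimension property for Group Scope
        m.FIMDisplayName  AS MemberName,
        m.ObjectType      AS MemberType,      -- assumed; members may be Person, Group or other resource types
        f.CreatedDate     AS MemberSince,
        f.DeletedDate     AS MemberUntil      -- NULL while the membership is still current
FROM    dbo.FIMGroupHasExplicitMembersFactvw AS f
JOIN    dbo.FIMGroupDim   AS g ON g.FIMGroupDimKey  = f.FIMGroupDimKey
JOIN    dbo.FIMEntityDim  AS m ON m.FIMEntityDimKey = f.FIMEntityDimKey   -- FIMEntityDim, not FIMPersonDim
WHERE   f.CreatedDate <= @AsOf
  AND  (f.DeletedDate IS NULL OR f.DeletedDate > @AsOf)
ORDER BY GroupName, MemberName;

-- 2. What changed for one group in a review window? ("who had access")
DECLARE @From datetime2 = '2012-04-01', @To datetime2 = '2012-06-01';
SELECT  ev.EventTime, ev.Change, g.FIMDisplayName AS GroupName, m.FIMDisplayName AS MemberName
FROM (
        SELECT FIMGroupDimKey, FIMEntityDimKey, CreatedDate AS EventTime, 'Added'   AS Change
        FROM   dbo.FIMGroupHasExplicitMembersFactvw
        WHERE  CreatedDate >= @From AND CreatedDate < @To
        UNION ALL
        SELECT FIMGroupDimKey, FIMEntityDimKey, DeletedDate AS EventTime, 'Removed' AS Change
        FROM   dbo.FIMGroupHasExplicitMembersFactvw
        WHERE  DeletedDate >= @From AND DeletedDate < @To
     ) AS ev
JOIN    dbo.FIMGroupDim  AS g ON g.FIMGroupDimKey  = ev.FIMGroupDimKey
JOIN    dbo.FIMEntityDim AS m ON m.FIMEntityDimKey = ev.FIMEntityDimKey
WHERE   g.FIMDisplayName = N'Finance Approvers'   -- constructed group name
ORDER BY ev.EventTime;
```

Check the actual fact view and dimension column names in your DataMart before running this; the join keys and date columns will differ if the Management Pack defines them under other names.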
Demonstration • Reporting
ECMA2 Enhancements over ECMA • Full export • Call-based import • Batch export and import • LDAP support (and “generic” renaming) • Export types (object, attribute replace, attribute update) • Programmatic schema, partition and hierarchy discovery… • Passwords and references can be exported on first pass or second pass • Normalization (not yet implemented) • No export delete confirmation (on delta import) • Different object types can have different anchors • Parameters for run profiles (e.g. additional files, extra credentials) • Always merges pending exports into export in progress