Advanced MIM Operations: “Safety Catch” Design

Presentation transcript:

Advanced MIM Operations: “Safety Catch” Design
Subtitle: Whatever you do, sh!t is going to happen, so how are you going to deal with it?
www.unifysolutions.net

Agenda
- Dealing with mass change: unexpected/expected HR events, unexpected AD events, unexpected IAM platform events
- FIM threshold testing
- The Windows Scheduler solution
- The FIM Event Broker solution
- Demonstration
- Discussion

Dealing with Mass Change - HR
Harnessing HR-driven changes:
- Enabling/disabling AD user accounts
- Moving user accounts to new OUs
- Adding/removing group membership
- Other (e.g. revoking O365 licenses, archiving home drives, notifications)
Unplanned activities (internal to HR):
- Bulk imports (e.g. CSV uploads)
- Bulk updates (e.g. re-classifications)
- Time-based (start/end dates)
Just because your FIM solution does what is in its charter to do doesn’t mean that you’re going to win any moral victory when you fail to prevent a disaster.

HR Data Source Profiles
(Diagram: HR source via API, full imports and polling imports, feeding FIM/MIM full imports and delta imports.)
- Changes are surfaced differently depending on the nature of the source data.
- “Foundation” (reference) data may change only daily or weekly.
- Other data (such as personal, job and position details) may change every few minutes.
- Changes made as part of “BAU” HR operations generally occur in a trickle.
- Changes made as a result of HR admin processes generally occur en masse in a very short timeframe (seconds).
With a FIM/MIM connector such as the one provided by Identity Broker, these changes are combined and translated into deltas for import to FIM/MIM. This would be the same for any ECMA.

HR Data Source Sync
(Diagram: HR-driven change from HR, BAU (trickle) and maintenance (bulk), classified as desirable or undesirable.)
- When bulk changes occur they can present challenges with “unwanted” or “unanticipated” change, particularly when the impact is severe and on a large user base.
- Bulk changes can be accommodated in FIM by setting threshold limits (import or export); however, the built-in run profile limits are of little use because they act “after the event” and will not prevent processing of either the current “batch” or any subsequent “batches”.
- Where FIM/MIM operations are scheduled, these changes are generally combined on an infrequent import basis (e.g. nightly), making bulk and BAU changes almost impossible to distinguish (even when bulk changes occur out of hours).
- With “follow the sun” FIM/MIM implementations there is generally no (global) concept of “out of hours”, making it hard to separate BAU sync cycles from daily ones. Threshold limits can still be targeted, but the risk of “false positives” can be significant.
- Where FIM/MIM operations are event-driven (e.g. with FIM Event Broker), bulk changes are generally more distinguishable from BAU on account of the timeliness of execution (near real-time sync), making it possible to set threshold limits more effectively.
- A means of preventing concurrent sync execution is absolutely necessary.
- Undesirable syncs cannot always be distinguished from desirable ones, but manual intervention can be enforced when there is any doubt.

Dealing with Mass Change - AD
AD synchronisation:
- Internal (e.g. resource forest sync)
- External (e.g. DirSync/AADConnect)
- Other (e.g. O365 license management)
Unplanned activities (AD admin):
- OU deletions/moves/renames
- Bulk user updates/deletions (UI/scripted)

AD Data Source Sync
(Diagram: change from AD, batched (scheduled MIM) or trickle (event-driven MIM), classified as desirable or undesirable.)
- Again, when bulk changes occur they can present challenges with “unwanted” or “unanticipated” change, particularly when the impact is severe and on a large user base.
- For enterprises where AD admin rights are effectively contained, the risk of either accidental or malicious change in the source AD can be high.
- For source AD forests which are under the control of some form of automation/IAM, exposure to unwanted change can be high due to lack of awareness/coordination.
- Where FIM/MIM (or AADConnect) operations are scheduled, these changes are again combined on an infrequent import basis, making bulk and BAU changes almost impossible to distinguish.
- Where FIM/MIM (or AADConnect) operations are event-driven (e.g. with FIM Event Broker), bulk changes are generally more distinguishable from BAU on account of the timeliness of execution (near real-time sync), making it possible to set threshold limits more effectively.
- A means of preventing concurrent sync execution is absolutely necessary.
- Undesirable syncs cannot always be distinguished from desirable ones, but manual intervention can be enforced when there is any doubt.

Dealing with Mass Change - Platform
Synchronisation “corruption”:
- Temporary loss of connection (HR, AD, virtual directory)
- Temporary platform loss (e.g. SQL reboot)
- Corruption of source or staged data
- Memory corruption
- IAM system reboots (e.g. Windows Updates)
- Accidental (e.g. deleting a connector space)
There is always a possibility of unplanned events which can impact any IAM server environment, with some more likely (network failure) than others (malicious interference). Such scenarios are more likely in complex enterprise environments where multiple parties are responsible for the maintenance of various components. Good solution design should ensure solution resilience when it comes to network connectivity failure.
Some IAM components don’t always recover from the temporary loss of SQL (e.g. FIM/MIM sync MAs can fail with a “stopped-server” status if run profiles were executing at the time, requiring either a restart of the sync service and/or a full “re-baseline” synchronisation of all MAs). When synchronisation activity is allowed to proceed after such an event, unexpected results are possible.

FIM threshold testing
Threshold limits can be set in:
- MA run profiles (generally ineffective)
- Operational scripts
Threshold limits can be tested against counters extracted from:
- WMI (where specific object classes or attributes are not required)
- Audit drop files (delta import, export)
- CSExport files (full import)
Generally the built-in FIM MA run profile limits are problematic (as discussed) and therefore of little or no value. Operational scripts are the most effective (and only) way of testing threshold limits before proceeding.
WMI calls (https://msdn.microsoft.com/en-us/library/ms697764(v=vs.85).aspx) sometimes do not give you the granularity you need; however, they do provide a base set of counters to work with.
- Audit drop files are best for delta imports: counts can be made of pending import adds/updates/deletes.
- Audit drop files are best for exports: counts can be made of pending export adds/updates/deletes.
- Audit drop files alone are not enough for full imports: counts are only possible of the total number of objects (all “adds”).
- A file generated by CSExport.exe after the import step is best for full imports: counts can be made of pending import updates/deletes. WMI is required to check for adds on full imports (I have not found a way to do this for a specific object and/or attribute set from full imports).

Sample FIM threshold limits
In a system with < 20K users:
Delta imports or exports
- 100 adds (for the user CS object class)
- 100 deletes
- 1000 updates
Full imports
- 0 adds (e.g. no users in an LDAP MA!)
- 1000 adds (across all CS object classes via WMI)
When counting objects, “typed” adds are important when distinguishing between multiple object classes in the same MA. Checking for adds can sometimes identify unwanted delete/add scenarios where the adds come through before the deletes.

FIM threshold triggered actions: Windows Scheduled Operations
- Halt execution
- Log/email the event
- Create a temporary file to halt future execution (delete when OK)
- Disable the job scheduler
- Stop the Scheduler service (last resort?)
From http://konab.com/scheduling-mim-advanced-options/

FIM threshold triggered actions: Event-driven Operations
- Halt execution
- Log/email the event
- Disable operation list(s)
- Disable the scheduler
- Stop the Event Broker service (last resort)
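As an added example (not code from the presentation or from UNIFY), the check and the “temporary halt file” action from the last three slides in one script: it counts pending deltas by operation and by object class (the “typed” adds), compares them with the sample limits for a < 20K-user system, and drops a halt file that makes later scheduled cycles refuse to run until an operator has reviewed the change and cleared it. It is written in Python so it runs anywhere; the delta-record XML layout, the function names and the halt-file path are assumptions, not the real MIM audit-drop schema, so the parser needs pointing at the actual file layout.

```python
import tempfile
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import Path

# Sample limits from the slide (system with < 20K users): typed adds for the
# user object class, plus total deletes and updates for a delta import/export.
THRESHOLDS = {"add:user": 100, "delete": 100, "update": 1000}
DEFAULT_HALT_FILE = Path(tempfile.gettempdir()) / "mim_safety_catch.halt"

def make_sample(user_adds=120, group_adds=5, deletes=3, updates=10):
    """Constructed sample drop: one simplified <delta> record per pending change.
    This is NOT the exact MIM audit-drop schema; adapt count_deltas to the real file."""
    rec = '<delta operation="{}"><primary-objectclass>{}</primary-objectclass></delta>'
    body = (rec.format("add", "user") * user_adds + rec.format("add", "group") * group_adds
            + rec.format("delete", "user") * deletes + rec.format("update", "user") * updates)
    return f'<drop step-type="delta-import">{body}</drop>'

def count_deltas(xml_text):
    """Count pending deltas by operation and by operation:object-class (typed adds)."""
    counts = Counter()
    for d in ET.fromstring(xml_text).iter("delta"):
        op = d.get("operation")
        counts[op] += 1
        counts[f"{op}:{d.findtext('primary-objectclass', 'unknown')}"] += 1
    return counts

def breaches(counts, thresholds):
    """Every limit exceeded, as (key, observed, limit); an empty list means proceed."""
    return [(k, counts[k], lim) for k, lim in thresholds.items() if counts[k] > lim]

def safety_catch(xml_text, thresholds, halt_file):
    """Decide whether the next run step may proceed and return a status string.
    A breach writes a halt file, so later scheduled runs stop at the first check
    until an operator has reviewed the change and called clear_halt()."""
    halt_file = Path(halt_file)
    if halt_file.exists():
        return "halted"            # earlier breach not yet acknowledged: skip this cycle
    hits = breaches(count_deltas(xml_text), thresholds)
    if hits:
        halt_file.write_text("\n".join(f"{k}: {n} > {lim}" for k, n, lim in hits))
        return "breached"          # log/email the event here, then stop before sync/export
    return "proceed"

def clear_halt(halt_file):
    """Operator acknowledgement: remove the halt file so the scheduler may resume."""
    Path(halt_file).unlink(missing_ok=True)
```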

Demonstration
- HR event
- Import threshold triggered
- Export threshold triggered
- HR scenarios with FIM Event Broker

Discussion
Questions? Other ideas? What works? What doesn’t?

More information
- FIM Event Broker: http://www.mimeventbroker.com/
- Advanced MIM Scheduling: http://konab.com/scheduling-mim-advanced-options/
- MIM WMI: https://msdn.microsoft.com/en-us/library/ms697764(v=vs.85).aspx
- PowerShell Advanced Functions: https://technet.microsoft.com/en-us/magazine/hh360993.aspx