Making Entitlements in AD Understandable to the Business Rob de Jong Senior Program Manager Microsoft Corporation SIA314

Roles have members Users that are automatically linked through Orgunit memberships or attribute values Manually linked through Self Service Requests Directly linked by the Administrator Roles have content Active Directory groups, modeled as Permissions Access rights in other applications, modeled as Permissions Other Roles Roles can be inherited throughout the Orgunit structure When a User gets a Role, the contents of the Role are linked to the User This triggers provisioning instructions through FIM2010 into the target applications

Roles group Access Rights – AD Groups, other apps Roles are created… Automatically, based on HR data Manually Roles are linked to Users… Automatically, based on HR data Manually, through… Self Service Request and Approval Direct link in BHOLD Portal Roles trigger provisioning to targets – AD, other apps

New Employee data coming from HR flows into BHOLD through FIM2010 BHOLD automatically links the new employee to Roles based on HR information – Department, Job Title,… BHOLD calculates group memberships based on roles Group memberships are provisioned into AD through FIM2010 Changes in Employee data automatically trigger recalculation of group memberships in BHOLD

demo Automatic Provisioning with Roles

MV Source HR Active Directory CS FIM Sync Svc BHOLD Components and data flow FIM Components and data flow HR MA BHOLD MA MV Extn Employees, OU’s, Accounts & Groups Group Memberships AD MA RBAC Groups and Accounts Employees and HR OU’s Group Memberships

EmployeesOrganization Group Memberships Employees Organization

Active Directory BHOLD Model Generator HR System Excel or.CSV files AD Accounts, Groups and Group Memberships Employee, Manager and Orgunit Info Membership Roles Attribute Roles Optional Roles Personal Roles Role Mining

Users linked to the role, based on their OrgUnit membership Permissions linked to the role, based on the % of users in the Orgunit that share these permission New Membership role created for the OrgUnit

MV Object set Source HR Active Directory CS Users, OU’s Accounts, Prov. FIM Sync Svc BHOLD Components and responsible data flow FIM Components and data flow MA BHOLD MA MV Extn MA BHOLD Attestation Website Server BHOLD Attestation Service Which Employee is in which department? Who is managing? Which Users are in which AD Groups? Can you please go to the Attestation Website and fill out the form? Employee data flows into MV User Group memberships flows into MV User, Groups and Employee data flows into BHOLD A new Campaign is created s are sent to Stewards Steward fills out the form Corrections are sent to BHOLD Corrections are de- provisioned in AD

demo Self Service

MV Active Directory CS FIM Sync Svc BHOLD MV Extn BHOLD Self Service Manager makes a Request FIM Portal Request becomes a Workflow FIM2010 sends out Approval messages Manager opens Self Service Portal “Can this User get this Role?” “Yes, he can!” Role Owner approves request Available Roles and Employees Request is Approved Role is assigned to User Groups are linked to Accounts in AD AD MA BHOLD MA Groups are linked to Accounts What can this Manager Request?

DOWNLOAD Windows Server 2012 Release Candidate microsoft.com/windowsserver #TE(sessioncode) DOWNLOAD Microsoft System Center 2012 Evaluation microsoft.com/systemcenter Hands-On Labs Talk to our Experts at the TLC

Connect. Share. Discuss. Learning Microsoft Certification & Training Resources TechNet Resources for IT Professionals Resources for Developers

Evaluations Submit your evals online