Microsoft Identity Integration Server & Role-Based Access
Theo Kostelijk, Consultant, Microsoft BV
Agenda
Microsoft Identity Integration Server (MIIS): Concepts & Architecture
Authorization Manager (AzMan)
What is Microsoft Identity Integration Server?
Directory Synchronization
Password Management
Provisioning and Workflow
(Diagram: MIIS bringing together identity data from LDAP, SQL, NOS and mainframe/Unix sources)
Connectivity in MIIS 2003, Enterprise Edition
Active Directory
Active Directory Application Mode
Active Directory Global Address List (GAL)
Attribute-value pair text file
Delimited text file
Directory Service Markup Language (DSML) 2.0
Exchange Server 5.5
Exchange Server 5.5 (Bridgehead Server)
Extensible Connectivity
Fixed-width text file
IBM DB2 Universal Database
IBM Directory Server
LDAP Data Interchange Format (LDIF)
Lotus Notes
Novell eDirectory and 8.7
Oracle Database 8i and 9i
SQL Server 7.0 and 2000
Sun and Netscape Directory Servers
Windows NT 4.0
Directory Synchronization
Synchronizes multiple repositories
Management agents use a “touchless” connection to other systems
Provides attribute-level control
Manage global address lists (GAL)
Automate group and distribution list (DL) management
(Diagram: MIIS synchronizing Exchange 5.5, Active Directory, Notes, SunOne, SQL and Oracle)
Directory Synchronisation (diagram: HR System, Lotus Notes and Active Directory connected to MIIS through DB, API and LDAP interfaces)
Attribute Flow
Password Management
Initial password set when provisioning
Centralized password control via a Web app & Ctrl-Alt-Del
–Self-service password change
–Helpdesk password reset
(Diagram: Active Directory and Sun One, with MIIS as the hub for password changes made through the Web app & CTRL-ALT-DEL)
Provisioning & Workflow
Simple Provisioning & De-provisioning
–Provision users as they appear in authoritative systems
–Set initial values for attributes (including password)
–Disable or delete accounts
Complex Workflow
–Initiate workflow or provisioning system
–Integrate with BizTalk
–Integrate with 3rd-party provisioning systems
Provisioning Scenario (diagram: HR System, MIIS, iPlanet Directory and Active Directory; DB and LDAP connections)
De-Provisioning Scenario (diagram: HR System, MIIS, iPlanet Directory and Active Directory; DB and LDAP connections)
MIIS Architecture (diagram: HR app with SQL, Active Directory and Lotus Notes, each with its own connector space of connector space objects, linked to metaverse objects in the metaverse)
Authorization Manager (AzMan) Advantages
Centralized authorization policy for multiple applications
The ability to create security groups outside of Active Directory, managed by the application administrator
The ability to create groups based on the result of an LDAP query
Relies on a Policy Store for one or more apps
–Delegated Admin (AD & ADAM only)
–XML Store – not recommended for Enterprise Apps
–Authorized users “Must” have an actual account on the web server, or a user account in AD or ADAM
Introduced in Windows Server 2003 – Also available for Windows Server 2000
Authorization Manager Advantages
3 Key Mechanisms for user Role Assignments:
–Membership in AD, Local Server or AzMan Groups
–LDAP Query Groups
–BizRules
Centrally Managed across the organization without managing Web.config files or changing application code
Web Expense Application
Role = {Tasks}, Task = {Operations}
Roles: Administrator, Approver, Submitter
Tasks: Change Approver, Approve/Deny Payment, Approve/Reject Report, Submit Report, Cancel Report, Check Status
Operations: Database Operation, Web Operation, Directory Operation, Payment System Operation
AzMan Groups
AzMan Operation Definitions
AzMan Task Definitions
How to use AzMan in your code?
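An added example for this slide, not code from the deck or from the AzMan product documentation: a C# access check for the Web Expense application through the Microsoft.Interop.Security.AzRoles interop assembly. It assumes an application named "WebExpense" in an XML policy store at a placeholder path, and that the operations "SubmitReport" and "ApproveReport" were given IDs 1 and 2 when defined in AzMan; whether the call is granted is decided entirely by the role, task and operation definitions in the store, so the application code carries no authorization rules of its own.

```csharp
// Added example (not from the slides). Assumes the Microsoft.Interop.Security.AzRoles
// primary interop assembly is referenced and the policy store already contains the
// "WebExpense" application with the operations below.
using System;
using System.Security.Principal;
using Microsoft.Interop.Security.AzRoles;

public static class ExpenseAuthorization
{
    // Placeholder path. For an enterprise app use an AD/ADAM store (msldap://...),
    // which also gives delegated administration, as the slides note.
    private const string AZ_STORE_URL = @"msxml://C:\AzStores\WebExpense.xml";

    // Operation IDs as assigned in the policy store (assumed values).
    public const int OP_SUBMIT_REPORT  = 1;
    public const int OP_APPROVE_REPORT = 2;

    private static readonly IAzApplication App = OpenApplication();

    private static IAzApplication OpenApplication()
    {
        // Flags 0: open an existing store. The web application's process identity
        // needs read access to it.
        AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
        store.Initialize(0, AZ_STORE_URL, null);
        return store.OpenApplication("WebExpense", null);
    }

    // True only when AzMan grants the operation to the caller, resolved through
    // role -> task -> operation and the caller's AD/local/AzMan group membership,
    // LDAP query groups and any BizRules attached to the tasks.
    public static bool IsAllowed(WindowsIdentity caller, int operationId, string reportId)
    {
        // The client context is built from the caller's Windows token, which is why
        // the caller must have a real account (web server, AD or ADAM).
        IAzClientContext ctx = App.InitializeClientContextFromToken(
            (ulong)caller.Token.ToInt64(), null);

        object[] scopes = { "" };             // application-level scope
        object[] operations = { operationId };

        // AccessCheck returns one result per requested operation:
        // 0 = NO_ERROR (granted), 5 = ERROR_ACCESS_DENIED. The report ID is only
        // the audit/object name; it does not influence the decision here.
        object[] results = (object[])ctx.AccessCheck(
            reportId, scopes, operations, null, null, null, null, null);

        return (int)results[0] == 0;
    }
}
```

In an ASP.NET page running under Windows authentication with impersonation, `User.Identity` is a `WindowsIdentity` and can be passed straight to `IsAllowed`. Changing who may approve reports is then an edit to the AzMan policy store, not to Web.config or the code.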
MIIS & AzMan (HR App to MIIS)
MIIS & AzMan (MIIS to AD)
MIIS & AzMan (AzMan & AD)