
Advanced MIM Operations: “Safety Catch” Design


1 Advanced MIM Operations: “Safety Catch” Design
Subtitle: Whatever you do, sh!t is going to happen, so how are you going to deal with it?

2 Agenda
- Dealing with Mass Change
  - Unexpected/expected HR events
  - Unexpected AD events
  - Unexpected IAM platform events
- FIM threshold testing
- The Windows Scheduler Solution
- The FIM Event Broker Solution
- Demonstration
- Discussion

3 Dealing with Mass Change - HR
- Harnessing HR-driven changes
  - Enabling/disabling AD user accounts
  - Moving user accounts to new OUs
  - Adding/removing group membership
  - Other (e.g. revoking O365 licenses, archiving home drives, notifications)
- Unplanned activities (internal to HR)
  - Bulk imports (e.g. CSV uploads)
  - Bulk updates (e.g. re-classifications)
  - Time-based (start/end dates)
Just because your FIM solution does what is in its charter to do doesn’t mean that you’re going to win any moral victory when you fail to prevent a disaster.

4 HR Data Source Profiles
Diagram: From API (full imports, polling imports) → To FIM/MIM (full imports, delta imports)
- Changes are surfaced differently based on the nature of the source data:
  - “Foundation” (reference) data may change only daily or weekly
  - Other data (such as personal, job and position details) may change every few minutes
- Changes made as part of “BAU” HR operations generally occur in a trickle
- Changes made as a result of HR admin processes generally occur en masse in a very short timeframe (seconds)
With a FIM/MIM connector such as the one provided by Identity Broker, these changes are combined and translated into deltas for import to FIM/MIM. This would be the same for any ECMA.

5 HR Data Source Sync
Diagram: HR-driven change from HR, either BAU (trickle) or maintenance (bulk), each of which may be desirable or undesirable
- When bulk changes occur this can present challenges with “unwanted” or “unanticipated” change, particularly when the impact is severe and on a large user base.
- Bulk changes can be accommodated in FIM by setting threshold limits (import or export); however, the built-in run profile limits are of little use because they are “after the event” and will not prevent processing of either the current “batch” or any subsequent “batches”.
- Where FIM/MIM operations are scheduled, these changes are generally combined on an infrequent import basis (e.g. nightly), making bulk and BAU changes almost impossible to distinguish (even when bulk changes occur out of hours).
- With “follow the sun” FIM/MIM implementations, there is generally no (global) concept of “out-of-hours”, making it hard to separate BAU sync cycles from daily ones. Threshold limits can still be targeted, but the risk of “false positives” can be significant.
- Where FIM/MIM operations are event-driven (e.g. with FIM Event Broker), bulk changes are generally more distinguishable from BAU on account of the timeliness of execution (near-real-time sync), making it possible to set threshold limits more effectively.
- A means of preventing concurrent sync execution is absolutely necessary.
- Undesirable syncs cannot always be distinguished from desirable ones, but manual intervention can be enforced when there is any doubt.

6 Dealing with Mass Change - AD
- AD Synchronisation
  - Internal (e.g. resource forest sync)
  - External (e.g. DirSync/AADConnect)
  - Other (e.g. O365 license management)
- Unplanned activities (AD admin)
  - OU deletions/moves/renames
  - Bulk user updates/deletions (UI/scripted)

7 AD Data Source Sync
Diagram: change from AD arrives either batched (scheduled MIM) or as a trickle (event-driven MIM), and may be desirable or undesirable
- Again, when bulk changes occur this can present challenges with “unwanted” or “unanticipated” change, particularly when the impact is severe and on a large user base.
- For enterprises where AD admin rights are effectively contained, the risk of either accidental or malicious change in the source AD can be high.
- For source AD forests which are under the control of some form of automation/IAM, exposure to unwanted change can be high due to lack of awareness/coordination.
- Where FIM/MIM (or AADConnect) operations are scheduled, these changes are again combined on an infrequent import basis, making bulk and BAU changes almost impossible to distinguish.
- Where FIM/MIM (or AADConnect) operations are event-driven (e.g. with FIM Event Broker), bulk changes are generally more distinguishable from BAU on account of the timeliness of execution (near-real-time sync), making it possible to set threshold limits more effectively.
- A means of preventing concurrent sync execution is absolutely necessary.
- Undesirable syncs cannot always be distinguished from desirable ones, but manual intervention can be enforced when there is any doubt.

8 Dealing with Mass Change - Platform
- Synchronisation “corruption”
  - Temporary loss of connection (HR, AD, virtual directory)
  - Temporary platform loss (e.g. SQL reboot)
  - Corruption of source or staged data
  - Memory corruption
  - IAM system reboots (e.g. Windows Updates)
  - Accidental (e.g. deleting a connector space)
- There is always a possibility of unplanned events which can impact any IAM server environment, with some more likely (network failure) than others (malicious interference).
- Such scenarios are more likely in complex enterprise environments where multiple parties are responsible for the maintenance of various components.
- Good solution design should ensure solution resilience when it comes to network connectivity failure.
- Some IAM components don’t always recover from the temporary loss of SQL (e.g. FIM/MIM sync MAs can fail with a “stopped-server” status if run profiles were executing at the time, requiring either a restart of the sync service and/or a full “re-baseline” synchronisation of all MAs).
- When synchronisation activity is allowed to proceed after such an event, unexpected results are possible.

9 FIM threshold testing
- Threshold limits can be set in:
  - MA run profiles (generally ineffective)
  - Operational scripts
- Threshold limits can be tested against counters extracted from:
  - WMI (where specific object classes or attributes are not required)
  - Audit drop files (delta import, export)
  - CSExport files (full import)
- Generally, built-in FIM MA run profile limits are problematic (as discussed) and therefore of little or no value.
- Operational scripts are the most effective (and only) way of testing threshold limits before proceeding.
- WMI calls sometimes do not give you the granularity you need. However, they do provide a base set of counters to work with.
- Audit drop files are best for delta imports: counts can be made of pending import adds/updates/deletes.
- Audit drop files are best for exports: counts can be made of pending export adds/updates/deletes.
- Audit drop files alone are not enough for full imports: counts are only possible of the total number of objects (all “adds”).
- A file generated by CSExport.exe after the import step is best for full imports: counts can be made of pending import updates/deletes. WMI is required to check for adds for full imports (have not found a way to do this for a specific object and/or attribute set from full imports).

10 Sample FIM threshold limits
In a system with < 20K users:
- Delta imports or exports
  - 100 adds (for user CS object class)
  - 100 deletes
  - 1000 updates
- Full imports
  - 0 adds (e.g. no users in an LDAP MA!)
  - 1000 adds (across all CS object classes via WMI)
- When counting objects, “typed” adds are important when distinguishing between multiple object classes in the same MA.
- Checking for adds can sometimes identify unwanted delete/add scenarios where the adds come through before the deletes.
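As an added example (not part of the deck), a PowerShell script that counts the pending adds, updates and deletes for one object class in a delta-import audit drop file and tests them against the sample limits on this slide. It assumes the MMS-ML drop file layout (`<delta operation="…">` elements with a `<primary-objectclass>` child) and works on a constructed sample file embedded below.

```powershell
# Constructed sample of a delta-import audit drop file (MMS-ML layout assumed); not real data.
$sampleDropFile = @'
<?xml version="1.0" encoding="utf-8"?>
<mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="delta-import">
  <directory-entries>
    <delta operation="add" dn="CN=u1,OU=Users,DC=example,DC=local"><primary-objectclass>user</primary-objectclass></delta>
    <delta operation="update" dn="CN=u2,OU=Users,DC=example,DC=local"><primary-objectclass>user</primary-objectclass></delta>
    <delta operation="delete" dn="CN=u3,OU=Users,DC=example,DC=local"><primary-objectclass>user</primary-objectclass></delta>
    <delta operation="add" dn="CN=g1,OU=Groups,DC=example,DC=local"><primary-objectclass>group</primary-objectclass></delta>
  </directory-entries>
</mmsml>
'@

# "Typed" counts: pending adds/updates/deletes for a single CS object class (slide 10).
function Get-DropFileCounts {
    param([Parameter(Mandatory)][string]$DropFileXml, [string]$ObjectClass = 'user')
    $doc = [xml]$DropFileXml
    $deltas = @($doc.mmsml.'directory-entries'.delta |
        Where-Object { $_.'primary-objectclass' -eq $ObjectClass })
    [pscustomobject]@{
        ObjectClass = $ObjectClass
        Add    = @($deltas | Where-Object { $_.operation -eq 'add' }).Count
        Update = @($deltas | Where-Object { $_.operation -eq 'update' }).Count
        Delete = @($deltas | Where-Object { $_.operation -eq 'delete' }).Count
    }
}

# Emit one line per breached limit; no output means the batch is within limits.
function Test-DropFileThresholds {
    param([Parameter(Mandatory)]$Counts, [Parameter(Mandatory)][hashtable]$Limits)
    foreach ($op in $Limits.Keys) {
        if ($Counts.$op -gt $Limits[$op]) {
            '{0} {1}s={2} exceeds limit {3}' -f $Counts.ObjectClass, $op.ToLower(), $Counts.$op, $Limits[$op]
        }
    }
}

# Slide-10 sample limits for a delta import in a system with under 20K users.
$limits   = @{ Add = 100; Delete = 100; Update = 1000 }
$counts   = Get-DropFileCounts -DropFileXml $sampleDropFile -ObjectClass 'user'
$breaches = @(Test-DropFileThresholds -Counts $counts -Limits $limits)
if ($breaches.Count -eq 0) {
    Write-Host "Within limits: $($counts.Add) adds, $($counts.Update) updates, $($counts.Delete) deletes. Safe to sync."
} else {
    Write-Warning ("Threshold breached, halting sync: " + ($breaches -join '; '))
}
```

Point `$sampleDropFile` at the contents of a real drop file (`Get-Content -Raw`) to run it against an MA; the group add in the sample is deliberately ignored because the user limits are typed.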

11 FIM threshold triggered actions
Windows Scheduled Operations:
- Halt execution
- Log/event
- Create temporary file to halt future execution (delete when OK)
- Disable job scheduler
- Stop Scheduler service (last resort?)
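As an added example (not from the deck), a wrapper for a Windows Scheduled Task that runs a full import, checks the pending import adds through the MIM WMI provider, and on a breach performs the triggered actions listed above: halts, logs an event, creates the halt file and disables the job. The MA name, run profile names, task name, halt-file path and the 1000-add limit are assumptions for illustration; `MIIS_ManagementAgent` in `root\MicrosoftIdentityIntegrationServer` with its `Execute()` and `NumImportAdd()` methods is the provider the deck refers to as MIM WMI.

```powershell
# All names and paths below are assumed values for the example.
$MAName            = 'HR MA'                     # management agent to protect
$ImportProfile     = 'Full Import'               # run profile names as configured on the MA
$SyncProfile       = 'Delta Synchronization'
$TaskName          = 'MIM HR Sync'               # scheduled task that runs this script
$HaltFile          = 'C:\MIM\Ops\HALT_HR_MA.txt' # temporary file that blocks future runs
$MaxFullImportAdds = 1000                        # slide-10 limit: adds across all CS object classes
$LogSource         = 'MIM Safety Catch'          # event source in the Application log

function Write-CatchEvent {
    param([string]$Message, [string]$EntryType = 'Information')
    if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
        New-EventLog -LogName Application -Source $LogSource   # one-off, needs local admin
    }
    Write-EventLog -LogName Application -Source $LogSource -EntryType $EntryType -EventId 9001 -Message $Message
}

function Invoke-SafeHrImport {
    # Gate: a previous run tripped the catch and nobody has cleared the halt file yet.
    if (Test-Path $HaltFile) {
        Write-CatchEvent "Halt file $HaltFile exists; $MAName import skipped until it is deleted." 'Error'
        return $false
    }
    $ma = Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' -Class MIIS_ManagementAgent -Filter "Name='$MAName'"
    if (-not $ma) { throw "Management agent '$MAName' not found" }

    # The import only stages data in the connector space; nothing is applied until sync runs.
    $status = $ma.Execute($ImportProfile).ReturnValue
    if ($status -ne 'success') {
        Write-CatchEvent "$ImportProfile on $MAName returned '$status'; not continuing." 'Error'
        return $false
    }
    $adds = [int]$ma.NumImportAdd().ReturnValue   # pending import adds, all object classes
    if ($adds -gt $MaxFullImportAdds) {
        # Trip the catch: log, create the halt file, disable the job, and do not sync.
        Write-CatchEvent "$adds pending import adds on $MAName exceed $MaxFullImportAdds; halting." 'Error'
        "Tripped $(Get-Date -Format o): $adds adds > $MaxFullImportAdds. Delete this file to resume." | Set-Content -Path $HaltFile
        Disable-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue | Out-Null
        return $false
    }
    Write-CatchEvent "$ImportProfile on $MAName staged $adds adds (limit $MaxFullImportAdds); running $SyncProfile."
    $null = $ma.Execute($SyncProfile)
    return $true
}

Invoke-SafeHrImport
```

An operator resumes by reviewing the staged adds, deleting the halt file and re-enabling the task, which is the manual intervention the deck says should be enforced whenever there is doubt.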

12 FIM threshold triggered actions
Event-driven Operations:
- Halt execution
- Log/event
- Disable Operation list(s)
- Disable scheduler
- Stop Event Broker service (last resort)

13 Demonstration
HR scenarios with FIM Event Broker:
- HR Event
- Import Threshold Triggered
- Export Threshold Triggered

14 Discussion
Questions? Other ideas? What works? What doesn’t?

15 More information
- FIM Event Broker
- Advanced MIM Scheduling
- MIM WMI
- PowerShell Advanced Functions

