Presentation is loading. Please wait.

Presentation is loading. Please wait.

FIM User Group BHOLD Eihab Isaac (FIM MVP) 11/14/2018

Published byFranz Zimmermann Modified over 6 years ago

Similar presentations

Presentation on theme: "FIM User Group BHOLD Eihab Isaac (FIM MVP) 11/14/2018"— Presentation transcript:

1 FIM User Group BHOLD Eihab Isaac (FIM MVP) 11/14/2018
Zeva Incorporated

2 About Me FIM MVP IAM Consultant at Zeva Incorporated
Masters in Information System from George Mason University 11/14/2018 Zeva Incorporated

3 BHOLD History Microsoft acquired BHOLD in September 2011
BHOLD is an Role Based Access Control (RBAC) solution BHOLD is an extension to FIM 11/14/2018 Zeva Incorporated

4 BHOLD Implementation Purposes
Automation Managing Access Rights Self-Service Auditing 11/14/2018 Zeva Incorporated

5 Is BHOLD widely implemented?
Is BHOLD widely adopted? Is it hard to implement and maintain? Does the problem/s it addresses can be implemented in an alternative easier way? Is it worth the effort of implementing it? Should we recommended it to our clients? 11/14/2018 Zeva Incorporated

6 BHOLD High-level Design & Integration
AD HR BHOLD Attestation MA MA BHOLD Analytics B1 database FIM Sync DB FIM Synchronization Access Management MA BHOLD Reporting FIM Service DB FIM Service BHOLD Integration BHOLD Core BHOLD Model Generator FIM Portal 11/14/2018 Zeva Incorporated

7 BHOLD planning More features More points of failure More maintenance
BHOLD provides 7 components BHOLD Core BHOLD Access Management BHOLD Reporting BHOLD Attestation BHOLD Analytics BHOLD Integration BHOLD Model Generator Does the features it add have value? What are the paybacks compared to the effort putting it all together? More features More points of failure More maintenance 11/14/2018 Zeva Incorporated

8 Implementation Steps Determine systems to integrate with
Install the components Create BHOLD MA Create OUs in BHOLD Create users in BHOLD Create permissions in BHOLD Set up your role model Set up your request approvals Configure reports Configure attestation campaigns 11/14/2018 Zeva Incorporated

9 Integration with other Systems/Applications
Needs to conduct sessions with application owners and stakeholders Integrates with Active Directory and other directories that support groups Doesn’t provide other means of access provisioning/revoking (Only group membership) Update an attribute Provision to a directory Others Needs to configure an RBAC system that integrate and adds value to the automation process 11/14/2018 Zeva Incorporated

10 Installing Components
Fairly straightforward Challenges with the BHOLD Integration Component Separate installers. Would be nice to see them integrated more with FIM Hotfixes require uninstalling and reinstalling the new files 11/14/2018 Zeva Incorporated

11 Root OU1 OU3 OU4 OU5 OU2 OU6 Permission1 Permission2 Permission3
Account Root OU1 OU3 OU4 OU5 OU2 OU6 User3 can get/request Role1 App1 App2 Role1 Role2 Role3 Permission1 Permission2 Permission3 11/14/2018 Zeva Incorporated

12 Schema Extension You can’t create additional object types
You can create attributes and bind them to existing objects 11/14/2018 Zeva Incorporated

13 Organizational Units (OUs) & Users
A hierarchal concept to define your structure Users need to belong to one or more OU OUs has types Default is root Create your own Define OUs supervisor roles Define OUs approvers (Line Managers) 11/14/2018 Zeva Incorporated

14 Root OU will first be created and all other OUs needs to be children
11/14/2018 Zeva Incorporated

15 Applications and Permissions
Permissions are your groups Each permission is part of an application 11/14/2018 Zeva Incorporated

16 Roles Collection of access rights and permissions
Few things to consider when configuring the role model Roles are assigned to OU and may be inherited Roles can be effective and proposed Roles can be approval roles Roles can be supervisor roles ABA roles 11/14/2018 Zeva Incorporated

17 Creating Objects in BHOLD Database
Another data store for objects to manage BHOLD Core BHOLD Model Generator FIM Sync & BHOLD MA Organization Unit Users Applications Permissions Roles 11/14/2018 Zeva Incorporated

18 BHOLD Core Component Pros Provide a definition for Roles
Add users to multiple groups using one definition Cons Limited to adding users to groups Requires additional provisioning logic Integration with other applications will require FIM Service/FIM Sync Maintains objects in another data store 11/14/2018 Zeva Incorporated

19 Would I recommend BHOLD Core
Medium size and large deployments that have large number of security groups Trying to integrate with other system 11/14/2018 Zeva Incorporated

20 Suggestion for deploying BHOLD
Not to include it as part of the initial FIM deployment Use a phased approach: Not to try to integrate and automate every single application Maintain a role mapping criteria matrix Which role belongs to which OU? 11/14/2018 Zeva Incorporated

21 Organizational Units Roles Root Employees Finance Information Systems
Marketing Contractors Creative Designs Role1 Assigned/Effective Inherited/Effective Role2 N/A Role3 Assigned/Proposed Inherited/Proposed Role4 Role5 Role6 Role7 Role8 Role9 Role10 11/14/2018 Zeva Incorporated

22 BHOLD Access Management MA
It’s easy to create and configure Fairly stable in terms of runs Limited and locked in terms of object types OU Permissions Users Few challenges with provisioning bholdFirstName and bholdLastName attributes through exported changes not reimported warning OUs needs to be reference Unlike FIM MA, you can write your own code 11/14/2018 Zeva Incorporated

23 BHOLD Attestation It’s one of the missing feature of FIM
It’s not attesting BHOLD roles. It’s attesting that accounts should have those permissions If access is denied User will still have the role Their account for that application will be inactive Campaigns allow you to attest accounts or permissions Campaigns have owners and stewards Can be configured using BHOLD Core Different ways to define Stewards OU Application User Upload a file 11/14/2018 Zeva Incorporated

24 BHOLD Integration An extension to the FIM Portal
A rigid User Interface based on SilverLight No customization Users can submit requests to activate proposed roles assigned to their OU Limitation in the Out Of The Box (OOB) approval process Delegation button doesn’t work (even after applying latest hotfixes) The downsides of the integration components are a lot. Getting a lot of feedback that it’s not user appropriate and users are not adopting it. 11/14/2018 Zeva Incorporated

25 BHOLD Reporting Run reports on BHOLD object only
Get several Build-in reports that you can run and modify Create your own Report types: Controls—Reports in this category give you access to basic statistics about your role model as well as top-10 listings of permissions for roles, users, and users by department (organizational unit). Inward Access Control—The report in this category show the supervisor roles for each role in the model. Logging—This category contains reports that list the history of recent activities affecting the role model, including activity specifically affecting organizational units (orgunits), roles, and users. Model—The reports in this category provide a breakdown of information about various object classes in the BHOLD role model, including accounts, applications, users, roles, and permissions. Statistics—The report in this category lets you select a parent orgunit and view the number of users in each child orgunit. 11/14/2018 Zeva Incorporated

26 Problems BHOLD Addressing
Attestation: a missing component from FIM, however you need BHOLD core to use it BHOLD core adds users to groups Alternatively, dynamic groups can be used If concerned about the performance of FIM Service when having large number of dynamic groups, then implementing BHOLD core is a good option Privileged accounts: we will soon have PAM Self-service: the BHOLD Integration user interface is rigid and not extensible 11/14/2018 Zeva Incorporated

27 Open discussion 11/14/2018 Zeva Incorporated

Download ppt "FIM User Group BHOLD Eihab Isaac (FIM MVP) 11/14/2018"

Similar presentations

Click to edit Master title style ManageEngine ADManager Plus 6 What's New? ADManager Plus offers: AD Automation | AD Management | AD Reporting | AD Delegation.

Click to edit Master title style ManageEngine ADManager Plus 6 What's New? ADManager Plus offers: AD Automation | AD Management | AD Reporting | AD Delegation.
Module 14: Implementing an Active Directory Infrastructure.

Module 14: Implementing an Active Directory Infrastructure.
Futures – Alpha Cloud Deployment and Application Management.

Futures – Alpha Cloud Deployment and Application Management.
Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
Making Entitlements in AD Understandable to the Business Rob de Jong Program Manager Microsoft Corporation SIA314.

Making Entitlements in AD Understandable to the Business Rob de Jong Program Manager Microsoft Corporation SIA314.
SharePoint 2010 Permissions Keith Tuomi. profile KEITH TUOMI SharePoint Consultant / Developer at itgroove Developing Online Systems since 1991 10 years.

SharePoint 2010 Permissions Keith Tuomi. profile KEITH TUOMI SharePoint Consultant / Developer at itgroove Developing Online Systems since years.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Internet, 16 July 2014 Predica bag of (FIM)tricks Tomasz Onyszko

Internet, 16 July 2014 Predica bag of (FIM)tricks Tomasz Onyszko
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
United Nations Development Program India Coordination & Decision Support System (CDSS) on External Assistance Department of Economic Affairs Ministry of.

United Nations Development Program India Coordination & Decision Support System (CDSS) on External Assistance Department of Economic Affairs Ministry of.
Understanding Active Directory

Understanding Active Directory
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.
Understanding Active Directory

Understanding Active Directory

Similar presentations

Ads by Google