1. Making Entitlements in AD Understandable to the Business Rob de Jong Program Manager Microsoft Corporation SIA314

8. Roles have members Users that are automatically linked through Orgunit memberships or attribute values Manually linked through Self Service Requests Directly linked by the Administrator Roles have content Active Directory groups, modeled as Permissions Access rights in other applications, modeled as Permissions Other Roles Roles can be inherited throughout the Orgunit structure When a User gets a Role, the contents of the Role are linked to the User This triggers provisioning instructions through FIM2010 into the target applications

9. Roles group Access Rights – AD Groups, other apps Roles are created… Automatically, based on HR data Manually Roles are linked to Users… Automatically, based on HR data Manually, through… Self Service Request and Approval Direct link in BHOLD Portal Roles trigger provisioning to targets – AD, other apps

11. New Employee data coming from HR flows into BHOLD through FIM2010 BHOLD automatically links the new employee to Roles based on HR information – Department, Job Title,… BHOLD calculates group memberships based on roles Group memberships are provisioned into AD through FIM2010 Changes in Employee data automatically trigger recalculation of group memberships in BHOLD

12. MV Source HR Active Directory CS FIM Sync Svc BHOLD Components and data flow FIM Components and data flow HR MA BHOLD MA MV Extn Employees, OU’s, Accounts & Groups Group Memberships AD MA RBAC Groups and Accounts Employees and HR OU’s Group Memberships

19. Active Directory BHOLD Model Generator HR System Excel or.CSV files AD Accounts, Groups and Group Memberships Employee, Manager and Orgunit Info Membership Roles Attribute Roles Optional Roles Personal Roles Role Mining

24. MV Object set Source HR Active Directory CS Users, OU’s Accounts, Prov. FIM Sync Svc BHOLD Components and responsible data flow FIM Components and data flow MA BHOLD MA MV Extn MA BHOLD Attestation Website Email Server BHOLD Attestation Service Which Employee is in which department? Who is managing? Which Users are in which AD Groups? Can you please go to the Attestation Website and fill out the form? Employee data flows into MV User Group memberships flows into MV User, Groups and Employee data flows into BHOLD A new Campaign is created Emails are sent to Stewards Steward fills out the form Corrections are sent to BHOLD Corrections are de- provisioned in AD

29. MV Active Directory CS FIM Sync Svc BHOLD MV Extn BHOLD Self Service Manager makes a Request FIM Portal Request becomes a Workflow FIM2010 sends out Approval messages Manager opens Self Service Portal “Can this User get this Role?” “Yes, he can!” Role Owner approves request Available Roles and Employees Request is Approved Role is assigned to User Groups are linked to Accounts in AD AD MA BHOLD MA Groups are linked to Accounts What can this Manager Request?

38. Talk to our Experts at the TLC #TE(sessioncode) DOWNLOAD Windows Server 2012 Release Candidate microsoft.com/windowsserver Hands-On Labs DOWNLOAD Windows Azure Windowsazure.com/ teched

39. Connect. Share. Discuss. http://northamerica.msteched.com Learning Microsoft Certification & Training Resources www.microsoft.com/learning TechNet Resources for IT Professionals http://microsoft.com/technet Resources for Developers http://microsoft.com/msdn

40. Required Slide Complete an evaluation on CommNet and enter to win!