2. Making Entitlements in AD Understandable to the Business Rob de Jong Senior Program Manager Microsoft Corporation SIA314

9. Roles have members Users that are automatically linked through Orgunit memberships or attribute values Manually linked through Self Service Requests Directly linked by the Administrator Roles have content Active Directory groups, modeled as Permissions Access rights in other applications, modeled as Permissions Other Roles Roles can be inherited throughout the Orgunit structure When a User gets a Role, the contents of the Role are linked to the User This triggers provisioning instructions through FIM2010 into the target applications

10. Roles group Access Rights – AD Groups, other apps Roles are created… Automatically, based on HR data Manually Roles are linked to Users… Automatically, based on HR data Manually, through… Self Service Request and Approval Direct link in BHOLD Portal Roles trigger provisioning to targets – AD, other apps

12. New Employee data coming from HR flows into BHOLD through FIM2010 BHOLD automatically links the new employee to Roles based on HR information – Department, Job Title,… BHOLD calculates group memberships based on roles Group memberships are provisioned into AD through FIM2010 Changes in Employee data automatically trigger recalculation of group memberships in BHOLD

13. demo Automatic Provisioning with Roles

14. MV Source HR Active Directory CS FIM Sync Svc BHOLD Components and data flow FIM Components and data flow HR MA BHOLD MA MV Extn Employees, OU’s, Accounts & Groups Group Memberships AD MA RBAC Groups and Accounts Employees and HR OU’s Group Memberships

21. EmployeesOrganization Group Memberships Employees Organization

22. Active Directory BHOLD Model Generator HR System Excel or.CSV files AD Accounts, Groups and Group Memberships Employee, Manager and Orgunit Info Membership Roles Attribute Roles Optional Roles Personal Roles Role Mining

23. Users linked to the role, based on their OrgUnit membership Permissions linked to the role, based on the % of users in the Orgunit that share these permission New Membership role created for the OrgUnit

28. MV Object set Source HR Active Directory CS Users, OU’s Accounts, Prov. FIM Sync Svc BHOLD Components and responsible data flow FIM Components and data flow MA BHOLD MA MV Extn MA BHOLD Attestation Website Email Server BHOLD Attestation Service Which Employee is in which department? Who is managing? Which Users are in which AD Groups? Can you please go to the Attestation Website and fill out the form? Employee data flows into MV User Group memberships flows into MV User, Groups and Employee data flows into BHOLD A new Campaign is created Emails are sent to Stewards Steward fills out the form Corrections are sent to BHOLD Corrections are de- provisioned in AD

33. demo Self Service

34. MV Active Directory CS FIM Sync Svc BHOLD MV Extn BHOLD Self Service Manager makes a Request FIM Portal Request becomes a Workflow FIM2010 sends out Approval messages Manager opens Self Service Portal “Can this User get this Role?” “Yes, he can!” Role Owner approves request Available Roles and Employees Request is Approved Role is assigned to User Groups are linked to Accounts in AD AD MA BHOLD MA Groups are linked to Accounts What can this Manager Request?

43. DOWNLOAD Windows Server 2012 Release Candidate microsoft.com/windowsserver #TE(sessioncode) DOWNLOAD Microsoft System Center 2012 Evaluation microsoft.com/systemcenter Hands-On Labs Talk to our Experts at the TLC

44. Connect. Share. Discuss. http://europe.msteched.com Learning Microsoft Certification & Training Resources www.microsoft.com/learning TechNet Resources for IT Professionals http://microsoft.com/technet Resources for Developers http://microsoft.com/msdn

45. Evaluations http://europe.msteched.com/sessions Submit your evals online