In the previous post we started our look at how Microsoft Forefront Identity Manager 2010 (FIM), a component of Microsoft’s Identity & Access Management solution, enables IT Administrators to centrally manage identity and access. The post specifically covered how FIM allows the IT Administrator to automate the creation of identity information based on a workflow process. The example used was one where the HR department added an employee to their system, signalling FIM to automate the process of creating all the necessary accounts and certificates that employee needs when they start.
In this post we will look at another side of FIM, self-service management, in particular two main areas; password reset and group management.
Those of us who have worked on any help desk find that we soon build up a set of regular “customers”, and of course one of the more common calls we get is related passwords. For instance, the caller has been away from the office on holiday and forgot their password, or they just changed it on a Friday and by Monday they’ve forgotten it. All of the possible reasons for these calls are too numerous to list, but the end result is that we have to reset the password and get the password back to the caller. That is a challenge in itself. Who hasn’t reset a password and had a temporary one that looks like: “Ku#98uO(p4”? What are the chances of that being entered right the first time? What if we could help make those helpdesk calls history? One of the capabilities in FIM 2010 is to do exactly that. If someone forgets their password, they can go through a self-service password reset from the Windows logon screen.
How does this work? Initially the IT Administrator uses the FIM portal to configure user access rights to use self-service password reset. When the user next logs on, they are presented with a FIM password reset registration screen where they are asked to enter answers to some questions. The number of questions and what these questions are can be determined by the IT Administrator. This is process is similar to how you may use online banking, for example, they ask questions like “Mothers maiden name”, first school, favourite team etc. Through these questions you can identify yourself when you have forgotten your password. When you go through the reset process, you get asked a couple of questions, FIM verifies the answers, and then allows you to reset your password. FIM then checks that password with the directory service to ensure it meets the security requirements and then resets it. Job done! No help desk call needed. The user then is returned to the logon screen and can log on. As I mentioned above, we’ve had self-service password reset for online services such as banking for a while now, so why not apply the same principle for the enterprise? Now we do.
FIM also allows us to take this self-service concept further. If you think about it , a password is really just another attribute about a user. Could we use FIM to delegate control of other attributes to the user? There is potentially lots of information not stored in an HR system that is useful in say a Global Address List. Think about how hard is it to change your phone details or your address for that matter in your current organization. How many systems need to know about the change and how many forms do you think you need to fill in and send to make sure it’s all accurate? In the first post on FIM we discussed its ability to sync information across systems based on rules and workflow. This functionality forms the backend that allows us to do the same with user attributes like address, phone number, building location. FIM offers the ability to delegate the updating of attributes to user; the delegation includes workflows to ensure that the correct people approve the updates. You probably don’t want people trying to update their manager or job title without some form of control, but a mobile phone number is something that is relatively safe and requires no oversight for most organizations. If we can make these changes relatively painless to users, they are more likely to maintain their own information. The more accurate the identity information is, the better the solutions that can be built on it.
Another area where the help desk can get lots of calls is around group management. From my early days of training on NT 4.0 it was drummed in that using groups was the most efficient way to allocate access to resources. A lesson that has served me well over the years, but we’ve probably all questioned the value of groups when you keep getting a constant trickle of change requests. It’s an old story, when the group was first created, you had to add some number of users, but it was largely a case of one touch, and it was done. Then every other day, you get a request to add or remove a user. There has to be a better way. FIM provides a better way through group management.
You can create Security Groups as well as Distribution Groups and even delegate out creation and management of these to end users.
So what does all that mean? Membership via criteria is the way that FIM allows you to set a criteria for group members; for example “Employee type = contractor” would populate a group with all employees that are flagged as contractors. You can create criteria based on combination of attributes as well. If you add “Department = Sales” to my last example, you would get all of the contractors in the Sales department in one group. These attributes can be derived from the HR System, so when attributes change there, the group membership automatically changes. In the background FIM notices changes to the HR system and makes updates to users attributes. Manager-based membership means the group is made up of all those people who report to a given manager.
Finally, the one capability that, in addition to automatic group membership’s helps stop helpdesk calls, is the approval version. A group can be set up where a person is responsible for approving membership. To join the group a person either has to respond to an email sent out to join a group, or requests to join it. Either way, an email is sent to the approvers who can then action the request.
How’s this done? Through Outlook - FIM integrates with Outlook.
When you receive an email to join a group, you can use the “Join” button in the ribbon to join the group. If you do this via the email, Outlook will pre-populate the FIM form with all the groups on the email. If you do this outside an email, you still get the form but can select any group from the address list. Your request is then routed to the approver, who themselves gets an email. From within that email they can manage the requests. They can do this offline too. If they have synchronized their inbox before disconnecting, they are able to process any request emails without having to connect. Next time they connect to the network, these requests are sent off. In cases where a company is not using Exchange Server or Outlook 2007, the capabilities are also available through the FIM management portal.
In summary, what all this does is help take away the load and responsibility for group management from the help desk and delegates it to the end users. Often deciding who can and cannot have access to a resource is best handled by the resource owner. With products like SharePoint becoming more and more prevalent in organizations, group management can become more time consuming. The features within FIM 2010 are aimed at helping to reduce associated identity management costs.
In next part I’ll round off the Identity & Access Management story by looking at how you can federate identity across different organizations to enable secure collaboration.
Videos / Webcasts
Datasheets and downloads