Identity and Access Management
In a Dynamic IT environment, identity provisioning and access management is highly automated, following the processes required by the organization and by any relevant compliance regulations. Identity provisioning and access management is centrally managed and integrates with all application-specific identity management systems. This white paper describes the major steps and tasks an organization can take to perform identity provisioning and access management at the Dynamic level in the Core IO Model.
Capability: Identity and Security Services, Identity and Access
Applies to: Active Directory Domain Services (AD DS) in Windows Server 2008 R2, Active Directory
Lightweight Directory Services (AD LDS) in Windows Server 2008 R2, Forefront Identity Manager (FIM)
2010
Attributes: Security, Management
Author: Douglas Steen
Published: November 2010
Disclaimer
This document is provided as-is. Information and views expressed in this document, including URL and
other Internet Web site references, may change without notice. You bear the risk of using it.
Some examples depicted herein are provided for illustration only and are fictitious. No real association
or connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any Microsoft
product. You may copy and use this document for your internal, reference purposes.
© 2010 Microsoft. All rights reserved.
Contents
Introduction
    Identity Provisioning and Access Management
    Steps to a Dynamic Environment
Plan Identity Provisioning and Access Management
    Plan AD DS
    Plan AD LDS
    Plan FIM 2010
Deploy Identity Provisioning and Access Management
    Deploy AD DS
    Deploy AD LDS
    Deploy FIM 2010
Configure Management Policies
Perform Synchronization
Conclusion
Introduction
Microsoft Infrastructure Optimization (IO) is based on three information technology (IT) models: Core IO, Application Platform Optimization, and Business Productivity IO. Each model defines four levels of process maturity and groups the requirements for each level into capability classifications. Core IO focuses on the foundational elements of IT services and components. The maturity levels in Core IO are Basic, Standardized, Rationalized, and Dynamic. This guide contains checklists to help move from the Rationalized level to the Dynamic level for the Identity Provisioning and Access Management sub-workload in the Core IO model. See Infrastructure Optimization at http://www.microsoft.com/infrastructure/ for more information about Core IO.
Identity Provisioning and Access Management
The sub-workload's maturity table (columns Description, Basic, Standardized, Rationalized, and Dynamic) covers the following two features; only the feature descriptions are recoverable here.
Identity synchronization. This feature provisions, de-provisions, and manages identities in the appropriate identity systems as required by business policies, such as provisioning identities in AD DS, AD LDS, or application-specific identity systems.
Policy Management. This feature uses workflows to grant the appropriate access to applications and services based on the roles for a user and the business policies that are associated with each role.
Steps to a Dynamic Environment
Figure 1. Steps in performing identity provisioning and access management at the Dynamic IT level
Figure 1 illustrates the steps in the process that can help your organization move to the Dynamic IT level of identity provisioning and access management through the use of AD DS, AD LDS, and FIM 2010. The remainder of this document uses a checklist format to break each step into tasks.
Note: FIM 2010 provides the automated identity management features previously provided by Microsoft Identity Lifecycle Manager 2007 (ILM 2007), plus many additional features.
Plan Identity Provisioning and Access Management
To plan identity provisioning and access management at the Dynamic IT level, you need to plan each of the following components:
AD DS
AD LDS
FIM 2010
Plan AD DS
In identity provisioning and access management at the Dynamic IT level, AD DS holds and is used to manage the identities used by computers and applications that can integrate with AD DS. AD DS serves applications that can reach the domain controllers on your private network and accounts that reside in your AD DS forest. Otherwise, AD LDS or an application-specific identity system is used.
Note: In many instances an AD DS infrastructure will already exist, but it may require remediation to support identity provisioning and access management at the Dynamic IT level.
The planning for AD DS is discussed in the Plan AD DS section of the Mission Critical Directory Services document in the Mission Critical document series. Consult that section for the tasks needed to plan AD DS for identity provisioning and access management.
Plan AD LDS
In identity provisioning and access management at the Dynamic IT level, AD LDS holds and is used to manage the identities used by computers and applications that can integrate with AD LDS. AD LDS serves applications that do not have access to the domain controllers on your private network and accounts that do not reside in your AD DS forest. AD LDS is typically used to maintain identities for applications and resources in extranets or on the Internet. Otherwise, AD DS or an application-specific identity system is used.
Note: In many instances an AD LDS infrastructure might already exist, but it may require remediation to provide identity provisioning and access management at the Dynamic IT level.
The planning for AD LDS is discussed in the Plan AD LDS section of the Mission Critical Application Directory Services document. Consult that section for the tasks needed to plan AD LDS for identity provisioning and access management.
Plan FIM 2010
The planning tasks for FIM 2010 below come from the original Task, Description, Reference table; apart from the last row, only the Task column is recoverable.
- Identify the identity systems to be included in identity management.
- Identify the source for each identity.
- Identify the source for each identity attribute.
- Determine the user load.
- Determine fault tolerance requirements.
- Determine the server roles to include.
- Determine the number of FIM Synchronization Service instances required.
- Determine the FIM Synchronization Service database storage requirements.
- Determine the fault-tolerance requirements for the FIM Synchronization Service instance and corresponding database.
- Determine the FIM Synchronization Service server placement.
- Determine the number of FIM Service servers required.
- Determine the number of FIM Portal servers required.
- Determine the FIM Service database storage requirements.
- Determine the fault-tolerance requirements for the FIM Service instance and corresponding database.
- Determine the FIM Service components placement.
- Determine the configuration of physical and virtualized environments. Description: The FIM components can be run in physical and virtualized environments.
Deploy Identity Provisioning and Access Management
To deploy identity provisioning and access management at the Dynamic IT level, you need to deploy and configure each of the following components:
AD DS
AD LDS
FIM 2010
Deploy AD DS
In identity provisioning and access management at the Dynamic IT level, AD DS is a requirement. Ensure
that the AD DS is deployed and any necessary remediation is performed.
The deployment of AD DS is discussed in the Deploy AD DS section in the Mission Critical Directory
Services document. Please consult that section to learn how to deploy AD DS.
Deploy AD LDS
In identity provisioning and access management at the Dynamic IT level, deployment and use of AD LDS
is optional, depending on application requirements. If your solution requires AD LDS, ensure that AD LDS
is deployed and any necessary remediation is performed.
The deployment of AD LDS is discussed in the Deploy AD LDS section in the Mission Critical Directory
Services document. Please consult that section to learn how to deploy AD LDS.
Deploy FIM 2010
The deployment tasks for FIM 2010 below come from the original Task, Description, Reference table; only the Task column is recoverable.
- Prepare servers for FIM 2010 deployment.
- Prepare environment for FIM 2010 Synchronization Service instance deployment.
- Install the appropriate FIM 2010 server components.
- Perform post-installation and configuration tasks for FIM 2010.
- Extend FIM 2010 schema for custom resources and attributes.
- Configure FIM 2010 for cross-forest management.
Configure Management Policies
Table 7 will help you configure the management policies in FIM 2010. Upon completion of this step, you will have completed the FIM 2010 deployment.
Table 7. Configure Management Policies
Only the Task column of this table is recoverable, and the wording of the second task is partly lost.
- Create the FIM 2010 sets for management policies.
- (Task wording partly lost) ... management policies.
- Create the management policies.
Perform Synchronization
Table 9 will help you synchronize the identities between AD DS forests, AD LDS instances, and application-specific identity systems that support applications in your intranet, your extranet, and the Internet. Upon completion of this step, the appropriate identities are provisioned and the identities have the appropriate attributes.
Table 9. Perform Synchronization
Only the Task column of this table is recoverable, together with the references shown for the first task.
- Configure identity synchronization from the AD DS forests to FIM 2010. References: ... Rules; Introduction to Inbound Synchronization.
- Configure identity synchronization from FIM 2010 to the AD DS forests.
- Configure provisioning of user and group accounts from FIM 2010 into AD DS.
- Configure synchronization of user and group accounts from AD DS to FIM 2010.
Upon completion of this step, ongoing management of policies and synchronization is performed by iteratively configuring the AD DS forests, the AD LDS instances, the management policies, and the synchronization, by:
1. Starting with the Deploy Identity Provisioning and Access Management step.
2. Performing all intermediary steps.
3. Ending with this step.
This process continues as AD DS forests, AD LDS instances, new applications, or business policies are
included as part of the solution.
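The Configure Management Policies and Perform Synchronization steps above say what FIM 2010 does with identities (flow attributes from the source identified for each one, provision and de-provision accounts as business policy requires, and grant access to sets of users through management policies) but show none of the logic. The following Python model is an added example written for this page; it is not code from the white paper and not how FIM itself is implemented. It reconciles a constructed authoritative HR feed against constructed AD DS (intranet) and AD LDS (extranet) account stores: it flows only attributes for which a source has precedence, provisions and de-provisions as status and extranet needs change, reports accounts that have no authoritative record for review instead of deleting them, and derives group grants from set membership. All names (HR, AD_DS, AD_LDS, TARGETS, PRECEDENCE, SETS, POLICIES) and the sample records are assumptions made for the example.

```python
"""Illustrative identity-synchronization model (added example, not FIM code)."""
from copy import deepcopy

# Constructed sample data; employee IDs are the join anchor across systems.
HR = {
    "1001": {"givenName": "Ana", "sn": "Lopez", "dept": "Finance",
             "status": "active", "extranet": False},
    "1002": {"givenName": "Ben", "sn": "Okafor", "dept": "Sales",
             "status": "active", "extranet": True},
    "1003": {"givenName": "Cy", "sn": "Ng", "dept": "IT",
             "status": "terminated", "extranet": False},
}
AD_DS = {
    "1001": {"givenName": "Ana", "sn": "Lopez", "dept": "Marketing",
             "mail": "ana@corp.example"},            # stale department
    "1003": {"givenName": "Cy", "sn": "Ng", "dept": "IT",
             "mail": "cy@corp.example"},             # leaver, still present
    "1004": {"givenName": "Old", "sn": "Contractor", "dept": "IT",
             "mail": "old@corp.example"},            # no HR record at all
}
AD_LDS = {
    "1001": {"givenName": "Ana", "sn": "Lopez", "dept": "Finance"},  # no longer needs extranet
}
TARGETS = {"AD_DS": AD_DS, "AD_LDS": AD_LDS}

# Attribute precedence: the single system allowed to be the source of each attribute.
PRECEDENCE = {"givenName": "HR", "sn": "HR", "dept": "HR", "mail": "AD_DS"}

# Sets are attribute predicates; management policies grant groups to a set's members.
SETS = {
    "Finance Staff": lambda r: r["status"] == "active" and r["dept"] == "Finance",
    "Sales Staff": lambda r: r["status"] == "active" and r["dept"] == "Sales",
}
POLICIES = {"Finance Staff": ["FinanceApp-Users"], "Sales Staff": ["SalesPortal-Users"]}


def authoritative_attrs(record, source):
    """Attributes that `source` is permitted to flow into other systems."""
    return {a: v for a, v in record.items() if PRECEDENCE.get(a) == source}


def reconcile(hr, targets):
    """Ordered actions that bring every target in line with the HR feed.

    Tuples: ("provision", target, id, attrs), ("update", target, id, {attr: (old, new)}),
    ("deprovision", target, id), and ("orphan", target, id) for accounts without an
    HR record, which are reported for review rather than silently deleted.
    """
    actions = []
    for emp_id in sorted(hr):
        rec = hr[emp_id]
        flow = authoritative_attrs(rec, "HR")
        # Active staff need an AD DS account; extranet users additionally need AD LDS.
        wanted = set()
        if rec["status"] == "active":
            wanted.add("AD_DS")
            if rec["extranet"]:
                wanted.add("AD_LDS")
        for t in sorted(targets):
            existing = targets[t].get(emp_id)
            if t not in wanted:
                if existing is not None:            # leaver or lost entitlement
                    actions.append(("deprovision", t, emp_id))
                continue
            if existing is None:
                actions.append(("provision", t, emp_id, dict(flow)))
                continue
            diffs = {a: (existing.get(a), v) for a, v in flow.items()
                     if existing.get(a) != v}
            if diffs:
                actions.append(("update", t, emp_id, diffs))
    for t in sorted(targets):
        for acct_id in sorted(targets[t]):
            if acct_id not in hr:
                actions.append(("orphan", t, acct_id))
    return actions


def apply_actions(targets, actions):
    """Apply provision/update/deprovision to a copy of the targets; orphans are left alone."""
    new = deepcopy(targets)
    for act in actions:
        kind, t, acct_id = act[:3]
        if kind == "provision":
            new[t][acct_id] = dict(act[3])
        elif kind == "update":
            new[t][acct_id].update({a: nv for a, (_old, nv) in act[3].items()})
        elif kind == "deprovision":
            del new[t][acct_id]
    return new


def policy_grants(hr):
    """Groups each employee is granted through the sets they fall into."""
    return {emp_id: sorted(g for name, pred in SETS.items() if pred(hr[emp_id])
                           for g in POLICIES[name])
            for emp_id in sorted(hr)}


if __name__ == "__main__":
    first = reconcile(HR, TARGETS)
    for a in first:
        print(a)
    print("grants:", policy_grants(HR))
    print("second run:", reconcile(HR, apply_actions(TARGETS, first)))
```

Running the model twice shows the property an operator expects from a sync engine: the first pass emits the corrective actions, and a second pass over the updated targets emits nothing except the orphan report, which stays open until someone decides whether that account should exist at all.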
Conclusion
Identity provisioning and access management at the Dynamic IT level helps reduce the complexity and
effort of managing identities and access to applications. You can manage and maintain the application
directory service using AD DS, AD LDS, and FIM 2010. These technologies help ensure all applications
have access to the appropriate identities and that users are able to access these applications using the
same credentials. These highly automated processes dramatically reduce the effort required for
managing your identity provisioning and access management, which helps reduce ongoing operating
costs and improve overall user satisfaction.
For more information, see the following resources: