FIM2010 Newbie, How to provision users from Resource Forest to Account Forests without FIM Portal
Hi
I'm a total newbie to FIM2010 and have just set up FIM in a lab environment. The basic setup works and I find the Portal good, but it is probably overkill in our environment. I would like to keep FIM as basic as possible.
Is it possible to only have FIM2010 do user provisioning and permission synchronization in a Resource Forest Topology WITHOUT the portal?
1 Resource Forest (Exchange2010, SQL, SharedFolders) and 2 Account Forests?
So e.g.
I create a new user in ADUC in the Resource Forest and FIM will provision:
- Deactivated user account in the Resource Forest
- corresponding mailbox in Exchange2010 in the Resource Forest
- Activated account in one of the Account Forests
- keep user permissions synchronised so there will be no problem if resources are accessed in the Resource Forest or an Account Forest.
Does this require any coding and if so, could someone lead me to any help on this?
Thanks in advance
October 22nd, 2010 8:09pm
Hi There,
If you're planning on deploying the portal to manage normal users, then the only way around these special accounts would be to create another object class in the metaverse (clone the "person" object into a "resourcePerson" object, for example).
So long as you never set a mapping between resourcePerson and an object in FIM, these users should never be pushed into the portal environment.
Be mindful, however, that you'll have to make sure your regular user MA, which does use the portal component, is set up to properly scope the users it is going to process versus the users it is not going to process.
For example, you have both regular and resource domain users synchronizing to the same OU. If you're using declarative rules, make sure you've flowed something to the connected directory so you can properly scope the objects so that only the non-resource domain users are being processed by the MA and projected into the person object in the MV. (Personally, in addition to this, I would not have my declarative rules creating the resource in FIM but rather use a more robust classic projection rule that would project the objects as required. Sometimes the declarative scopes can be a bit tricky, and a mistake will cause a lot of objects to be created needlessly that then later need to be cleaned up.)
Anyway, long answer short: yes, you can do it. You just have to be careful about how you manage the data so the proper users get pushed into the proper data type. The easiest way to do this would be to create two MAs to the AD forest with your users, and keep the resource domain users in one subtree managed by one MA and the regular user MA working within the organizational unit where those types of objects exist. (This just keeps you from having to deal with all the scoping and such later on.)
Thanks.
B
October 23rd, 2010 12:09am
This line of questioning is coming up quite a bit ... e.g. how do I manage 100s of 1000s of "external identities" in, say, ADLDS, and manage just my 10s of 1000s of employees in the FIM Portal? What Brian is saying will work OK, because ILM and MIIS before it have been using the FIM sync engine to do this sort of thing for some time ... what throws it into question is the existence of the FIM portal and the new way of driving the sync engine (through sync rules etc.) that can be defined in there.
There are a number of threads which touch on this subject (e.g. this one), and the debate rages on ... but what I am hearing from the MS guys is that it's very clear that the "best practice" for deploying the FIM portal is that the FIM objects (person and group to start with) are synchronized 1-1 in order to mirror the corresponding objects in the metaverse. If you choose not to provision a specific class (like resourcePerson) to the FIM Portal, you have to understand that none of the FIM Portal functionality which relies on that connection being in place (e.g. group management, workflow, self service) can be used. Of these you say you want to do "permission synchronization", and so you're going to have to synchronize, say, resourceGroups and resourceUsers. Where it is going to get messy is where you have group membership that spans the 2-MA idea and includes users/nested groups managed in the portal.
Technically the only question I would have is whether it's possible to define a FIM Portal style sync rule in terms of resourcePerson if you never bring that object class into the portal ... perhaps someone from MS or elsewhere who's actually tried doing this could step in?
So in theory you can partition your metaverse (and MAs if you wish) in the way suggested by Brian in order to "hide" certain objects from the FIM portal, but beware of the limitations of this decision when it comes to things like group management ... basically (ONLY) if your requirements can be met the way you would do it in an MIIS/ILM solution, and this is highly unlikely to ever change, then you should be OK to build your solution in this way.
The question really comes back to this ... why do you think "it is probably overkill in our environment"? Perhaps if you think of the portal as more of a policy and workflow definition store rather than just a user/group store, you'll come around to the idea that perhaps it's not overkill after all? Oh, and if avoiding CALs is the issue, then make sure you get a definitive answer from MS from this perspective before you get too far down the design path ...
Bob Bradley, www.unifysolutions.net (FIMBob?)
October 25th, 2010 1:36pm
Thanks for your answers, guys.
I might have to rephrase a little bit. I don't want to avoid the functionality of the FIM Portal as UNIFYBob described (policy and workflow definition store). I would like to avoid the FIM Portal as the only authoritative way to create user accounts and manage group memberships.
The only reason we will be using FIM is because we decided to go for a Resource Forest design, so FIM will only be the "provisioning process". The reason why I would like to avoid the FIM portal is that the administrators of each Account Forest can handle their own users and group memberships in ADUC. They don't need access to the FIM Portal and no access to the Sync Engine.
I'm trying to set up a basic and robust sync engine. I'm happy to configure the rules and workflows with the portal, but the actual user accounts should be created in ADUC.
We are planning a US and an EU Forest which include all the users. Additionally a resource forest with Exchange2010, SQL cluster, shared drives and roaming profiles.
All resources will be in the resource forest and therefore group memberships need to be synchronized. Still, I'd like to keep this managed in ADUC of the relevant Account Forest by the Account Forest Administrator.
Please let me know if the following is the correct approach:
For example, we have a new user in the US. The user account will be created in the US account forest's ADUC; from there it will be synchronized to the FIM database. From there the provisioning process will kick in and create a disabled account in an OU created for the US users. Additionally a mailbox (linked mailbox???) will be created on the Exchange2010.
Thanks
Dan
October 25th, 2010 5:36pm
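The provisioning step Dan describes (user created in an account forest, synchronized into the metaverse, then a disabled account created in a per-forest OU of the resource forest), done the way Brian prefers, as a classic rules extension rather than a declarative sync rule, written out below as an added example. This is not code from the thread or from Microsoft; the MA names, the OU distinguished names and the metaverse attribute names (`accountName`, `displayName`) are assumptions, and the Exchange mailbox step is left to the AD MA's Exchange provisioning configuration rather than shown here.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Metaverse rules extension (IMVSynchronization). Assumed names throughout.
public class MVExtensionObject : IMVSynchronization
{
    // Management agent names as shown in Synchronization Service Manager (assumed).
    const string ResourceMA = "AD - Resource Forest";
    const string UsMA       = "AD - US Account Forest";
    const string EuMA       = "AD - EU Account Forest";

    // Target OUs in the resource forest (assumed placeholders).
    const string UsOu = "OU=US Users,DC=resource,DC=example";
    const string EuOu = "OU=EU Users,DC=resource,DC=example";

    // userAccountControl = NORMAL_ACCOUNT (0x200) | ACCOUNTDISABLE (0x2):
    // the resource forest copy is created disabled, as Dan's design requires.
    const long DisabledNormalAccount = 0x202;

    void IMVSynchronization.Initialize() { }
    void IMVSynchronization.Terminate() { }

    void IMVSynchronization.Provision(MVEntry mventry)
    {
        // Only the "person" class is provisioned to the resource forest. A separate
        // class such as Brian's "resourcePerson" never reaches this code path.
        if (mventry.ObjectType != "person") return;

        // An account name is mandatory; without it nothing is created.
        if (!mventry["accountName"].IsPresent) return;
        string accountName = mventry["accountName"].Value;

        // The account forest the person is joined to decides the resource forest OU.
        // Exactly one account forest connector is expected; otherwise do nothing.
        string targetOu;
        if (mventry.ConnectedMAs[UsMA].Connectors.Count == 1)      targetOu = UsOu;
        else if (mventry.ConnectedMAs[EuMA].Connectors.Count == 1) targetOu = EuOu;
        else return;

        ConnectedMA resourceMA = mventry.ConnectedMAs[ResourceMA];
        if (resourceMA.Connectors.Count > 0) return; // already provisioned

        // Create the disabled user. No password is set here, so the account stays
        // disabled until an administrator explicitly enables it (assumed policy).
        CSEntry csentry = resourceMA.Connectors.StartNewConnector("user");
        csentry.DN = resourceMA.EscapeDNComponent("CN=" + accountName).Concat(targetOu);
        csentry["sAMAccountName"].Value = accountName;
        csentry["userAccountControl"].IntegerValue = DisabledNormalAccount;
        csentry["displayName"].Value = mventry["displayName"].IsPresent
            ? mventry["displayName"].Value
            : accountName;
        csentry.CommitNewConnector();
    }

    bool IMVSynchronization.ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        // Never delete the metaverse object just because one connector went away;
        // deprovisioning of the resource forest account stays an explicit decision.
        return false;
    }
}
```

Compile this against Microsoft.MetadirectoryServices.dll from the Synchronization Service's Bin\Assemblies folder, copy the DLL into the Extensions folder, select it under Metaverse Designer > Configure Rules Extensions, and turn on "Enable Provisioning Rules Extension" under Tools > Options. The `Connectors.Count` checks are what keep the extension idempotent: a person joined to both account forests, or one that already has a resource forest account, is left alone rather than duplicated.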
Any of your external systems can be authoritative for users and attributes.
FIM is in charge of applying your business policies to your objects.
See Designing Business Policy Rules for more details on this.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
December 14th, 2010 7:11pm