You're reading from  Microsoft Identity Manager 2016 Handbook

Published in: Jul 2016
Publisher: Packt
ISBN-13: 9781785283925
Edition: 1st Edition
Authors (2):

David Steadman

David Steadman has been an IT industry influencer and dedicated husband for more than 17 years. He has held prestigious positions at some of the world's most innovative technology companies, including his service as a senior escalation engineer within the identity platform at, possibly, the most famous tech company on the planet, Microsoft. He is an entrepreneur, active learner, and a man constantly looking to develop and expand new skills in order to leverage the technology of the future. When not at his job, David enjoys family time and coaching soccer.

Jeff Ingalls

Jeff Ingalls is a husband, father, and cancer-surviving dyslexic who works out of his Ohio home office in identity and access management. Jeff has been working with Microsoft technologies for over 20 years and with the Microsoft identity software since its conception in 2003. He has provided solutions to various private and public sectors including automotive, DoD, education, health and services, small businesses, and state and local government. He enjoys learning, teaching, and learning some more. Jeff has a graduate degree in information technology and an undergraduate degree in mathematics. In his free time, he enjoys spending time with his family, cooking, and reading non-fiction. You can reach him at jeff@ingallsdesigns.com.

Chapter 5. User Management

User management is the most common goal of identity deployments. Synchronizing user information between different Management Agents and managing user provisioning and deprovisioning will be our primary goals for this chapter. We will show you two different approaches: one using the synchronization engine with its rules extensions, and the second using the MIM portal and its synchronization rules, Management Policy Rules (MPRs), and workflows.

In this chapter, we will look at the following topics:

  • Additional sync engine information

  • Portal MPRs for user management

  • Configuring sets for user management

  • Inbound synchronization rules

  • Outbound synchronization rules

  • Provisioning

  • Managing users in a phone system

  • Managing users in Active Directory

  • Temporal sets

  • Self-service using MIM Portal

  • Managing Exchange

  • More considerations

Additional sync engine information


In the previous chapters, we have shown you how to configure a Management Agent for SQL, Active Directory, and MIM Portal. We wrote a simple rules extension for the SQL (HR) Management Agent to generate a unique account name, and generated the display name by concatenating two attributes, the first name and last name. A Metaverse rules extension was created to provision objects to the Active Directory connector space. Run profiles were used to copy the data from the HR system to its connector space (an import), into the Metaverse (a projection, since the HR object creates the Metaverse object), out to the Active Directory connector space (provisioning), and then out to Active Directory itself (an export).

As we have it now, the Active Directory objects have minimal information: sAMAccountName, userPrincipalName, and a password. The Active Directory accounts are enabled by setting the userAccountControl attribute, and the pwdLastSet attribute is set to 0, which forces the user to change the password at the next logon. Look back at Chapter 3, MIM Sync Configuration, and you will...

Portal MPRs for user management


There are many MPRs in MIM Service that control how user objects can be modified by self-service, administrators, or the synchronization engine.

In many cases, we need to modify the existing MPRs and/or create new ones. Whether you reuse the existing MPRs or create new ones is your choice. In this book, we will reuse many of the built-in MPRs, and add new ones when needed.

Before we can start our user management, it is a good idea to look at the existing MPRs and try to understand what they do. If we go into MIM Portal, select Management Policy Rules, click on Advanced Search, and search for Display Name contains user, we will get around 26 MPRs (many are regarding group management) in our default setup. Take a quick look at the first page of results in the following screenshot, and you will notice that many are disabled by default:

One that is enabled by default is Synchronization: Synchronization account controls users it synchronizes...

Configuring sets for user management


Organizing objects in MIM Service is done using a set; all MPRs use a set to work.

Note

Sets are not groups. Sets are only used within MIM Service to organize managed objects, while groups are a type of managed object that can be synchronized with other systems.

It is common to have different employee types managed differently. In order to manage them differently, we would first group them into different sets.

If we look at all the sets that we get out of the box, you will find that many of them have a Display Name that you can relate to, and you can choose to reuse them or create your own. There are some predefined sets that we can use, such as All Contractors or All Full Time Employees. Take a look at the All Full Time Employees set, and notice that the criterion specifies a Full Time Employee. In our scenario, Employee Type, as defined by the HR system, is not Full Time Employee but the Employee value. Sure, we could change the data directly in the HR system...

Inbound synchronization rules


One of the first things we need to do in order to manage users is get some users into MIM Synchronization Service and MIM Service. We can create them using MIM Portal or some other interface, but usually there are existing users in some system that we would like to import. In our example, the HR system is our primary source of users.

Importing will require us to create what is called an inbound synchronization rule. For one external system, such as the HR system, we might have multiple inbound synchronization rules. One reason for that could be that we have multiple object types in one CDS (Connected Data Source), and we can only synchronize one resource type (object) in each rule.

So first of all, we create a synchronization rule to import users from the HR system. Follow these steps:

  1. In the MIM portal, go to Administration | Synchronization Rules | New.

    When creating synchronization rules, it is a good idea to have some kind of naming standard to make it easier...

Outbound synchronization rules


As you can see, inbound synchronization rules are associated with the Management Agent (connector space) we want to import information from. Outbound synchronization works very differently, and because of the differences many people choose not to combine the Inbound and Outbound data flow directions in one synchronization rule.

Outbound synchronization rules are associated with each object type (or resource to be consistent with MIM Portal naming conventions). There are two ways to apply an outbound synchronization rule: using an Outbound Synchronization Policy or by using an Outbound System Scoping Filter:

Note

You can only make this choice during the creation of the outbound synchronization rule. You cannot change it once the synchronization rule has been created.

In some scenarios, you will find that it is useful to have multiple outbound synchronization rules for one external system. In those cases, you might mix the two different ways of associating the rule to the object. You...

Provisioning


Recall that provisioning is when we create new objects in a connector space, using the Metaverse as the source. We enable synchronization rule provisioning in the synchronization engine by running Synchronization Service Manager and selecting Tools | Options:

  1. Check the Enable Synchronization Rule Provisioning checkbox to enable provisioning:

  2. To allow provisioning for an outbound synchronization rule, we need to check the Create resource in external system checkbox:

Non-declarative provisioning

If you are doing non-declarative classic synchronization using code, you would instead check Enable metaverse rules extension, type (or browse for) the name of the DLL files containing your code, and check the Enable Provisioning Rules Extension checkbox.

If you are planning on doing non-declarative classic provisioning, you will find plenty of examples on what the code could look like in the Metaverse extension DLL. A good starting point can be http://aka.ms/FIMMVExtension. When searching...

Managing users in a phone system


A phone system could be a simple SQL table. The basic idea is that all employees should be in the phone system, and MIM is responsible for creating them. We discuss this simple example to show you how to add additional data from a secondary system to an identity created by a system configured for Metaverse projection.

Once the users are created in the phone system, the system is responsible for entering phone and office location data, which is then imported back into MIM.

To manage the users in this SQL-based phone system, we need to create the MA. Since we have walked through the steps on how to do this for our HR system, we will point out some basics:

  1. The Management Agent type would be SQL Server, and we give it the name Phone. Using an SQL alias of dbPhone, we connect to the Phone database and the PhoneData table containing the phone data.

  2. Next, we set the ID column as anchor and the Object Type as person:

  3. MIM will manage the users in the phone system, and...

Managing users in Active Directory


One of the most common external systems we have in MIM is Active Directory. Managing users in Active Directory involves understanding how Active Directory works. A functional MIM design has to adhere to the restrictions of the systems it interfaces with, and Active Directory is no exception.

There are some attributes in Active Directory that require special treatment and knowledge, such as the userAccountControl attribute.

Note

Note that in our implementation, the idea is that management of normal users in Active Directory is to be made using MIM, but the initial password is set by the users themselves when they visit the security officer's desk to identify themselves and sign a form about account usage. At the desk, there is a small web application where the user can fill in his or her initial password.

The userAccountControl attribute

The userAccountControl attribute is most commonly used in identity implementations to enable or disable a user account. Reviewing...
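The following PowerShell is an added example and is not code from the book or from MIM itself. It shows the two things that matter when an identity flow writes userAccountControl: the value is a bit field, so an export should flip only the ACCOUNTDISABLE bit rather than overwrite the whole value with 512 or 514, and pwdLastSet = 0 only forces a first-logon password change when DONT_EXPIRE_PASSWORD is clear. The flag names and values come from the ADS_USER_FLAG_ENUM documentation; the sample value is constructed, and the commented-out Get-ADUser call assumes the RSAT ActiveDirectory module and a domain connection.

```powershell
# Added example, not code from the book or from MIM itself.
# The functions are pure and run anywhere; only the commented Get-ADUser audit at the end
# needs the RSAT ActiveDirectory module.

# Flag values from the ADS_USER_FLAG_ENUM documentation.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x00000001
    ACCOUNTDISABLE                 = 0x00000002
    HOMEDIR_REQUIRED               = 0x00000008
    LOCKOUT                        = 0x00000010
    PASSWD_NOTREQD                 = 0x00000020
    PASSWD_CANT_CHANGE             = 0x00000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
    TEMP_DUPLICATE_ACCOUNT         = 0x00000100
    NORMAL_ACCOUNT                 = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x00000800
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000
    DONT_EXPIRE_PASSWORD           = 0x00010000
    MNS_LOGON_ACCOUNT              = 0x00020000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000
    NOT_DELEGATED                  = 0x00100000
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
    PARTIAL_SECRETS_ACCOUNT        = 0x04000000
}

# Flags an identity pipeline should never set on a regular user; their presence is an audit finding.
$RiskyFlags = 'PASSWD_NOTREQD', 'ENCRYPTED_TEXT_PWD_ALLOWED', 'USE_DES_KEY_ONLY',
              'DONT_REQ_PREAUTH', 'TRUSTED_FOR_DELEGATION', 'TRUSTED_TO_AUTH_FOR_DELEGATION'

function ConvertFrom-UserAccountControl {
    # Returns the names of the flags set in a userAccountControl value.
    param([Parameter(Mandatory)][int]$Value)
    foreach ($f in $UacFlags.GetEnumerator()) {
        if (($Value -band $f.Value) -ne 0) { $f.Key }
    }
}

function Set-AccountEnabledFlag {
    # Computes the value to export. Only bit 0x2 changes; every other flag administrators set
    # by hand (DONT_EXPIRE_PASSWORD, SMARTCARD_REQUIRED, ...) survives the flow.
    # Exporting a constant such as 512 instead would silently clear them.
    param([Parameter(Mandatory)][int]$Current, [Parameter(Mandatory)][bool]$Enabled)
    if ($Enabled) { return $Current -band (-bnot $UacFlags.ACCOUNTDISABLE) }
    return $Current -bor $UacFlags.ACCOUNTDISABLE
}

function Test-InitialPasswordPolicy {
    # Models the initial state the book describes: pwdLastSet = 0 forces a change at first
    # logon, but DONT_EXPIRE_PASSWORD overrides that, so an account carrying both is a finding.
    param([Parameter(Mandatory)][int]$Uac, [Parameter(Mandatory)][long]$PwdLastSet)
    $names = @(ConvertFrom-UserAccountControl $Uac)
    [pscustomobject]@{
        Enabled           = -not ($names -contains 'ACCOUNTDISABLE')
        MustChangeAtLogon = ($PwdLastSet -eq 0) -and -not ($names -contains 'DONT_EXPIRE_PASSWORD')
        RiskyFlags        = @($names | Where-Object { $RiskyFlags -contains $_ })
    }
}

# Constructed sample: a disabled normal account whose password never expires (0x10202 = 66050).
$sample = 0x10202
ConvertFrom-UserAccountControl $sample                              # ACCOUNTDISABLE, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
$enabled = Set-AccountEnabledFlag -Current $sample -Enabled $true  # 66048 (0x10200): only bit 0x2 cleared
Test-InitialPasswordPolicy -Uac $enabled -PwdLastSet 0             # Enabled, but MustChangeAtLogon is False

# Live audit (assumes RSAT): enabled users still waiting for a first password, plus any risky flags.
# Import-Module ActiveDirectory
# Get-ADUser -Filter 'Enabled -eq $true' -Properties userAccountControl, pwdLastSet |
#     ForEach-Object {
#         Test-InitialPasswordPolicy -Uac $_.userAccountControl -PwdLastSet $_.pwdLastSet |
#             Add-Member -NotePropertyName SamAccountName -NotePropertyValue $_.SamAccountName -PassThru
#     }
```

The same bit logic applies whether the value is computed in a classic rules extension or in a declarative outbound flow: read the current value from the connector space, change one bit, and write the result back.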

Temporal sets


In many situations when we manage users, we are working with time-dependent actions.

For example, we might state that a user should be disabled in Active Directory the day his/her employment ends, but should be deleted from AD 30 days after the end of their employment. How do we do that in MIM?

First of all, we need to get the employment dates into MIM. Usually, we get them from the HR system. Date/time attributes are a bit tricky, since localization and formatting often require some troubleshooting before we get it right. You will very likely end up using the built-in DateTimeFormat function when importing date/time data from HR or some other source, and converting it to the yyyy-MM-ddTHH:mm:ss.000 format used in MIM. Keep in mind that MIM Service stores date/time values in UTC (the portal displays them in local time), so a date that HR means as local midnight should be converted before a temporal set compares it with the current time.
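As an added example (not code from the book), the PowerShell below does the conversion outside MIM so the result can be checked before the flow is built: it parses the HR value with explicit, culture-invariant formats, converts to UTC, emits the yyyy-MM-ddTHH:mm:ss.000 string MIM expects, and derives the disable and delete dates for the scenario above. The attribute name EmployeeEndDate, the HR formats, and the sample rows are assumptions.

```powershell
# Added example, not code from the book. Normalises an HR employment-end value to the
# yyyy-MM-ddTHH:mm:ss.000 string MIM Service expects and derives the deadlines the temporal
# sets act on. Attribute name, HR formats and sample rows are assumptions.

function ConvertFrom-HrDate {
    # Parses with explicit invariant formats instead of [datetime]'...', which silently follows
    # the server's culture. Returns $null for an empty value (still employed).
    param(
        [AllowNull()][AllowEmptyString()][string]$HrValue,
        # Restrict this list to the format(s) HR really emits: 'MM/dd/yyyy' and 'dd/MM/yyyy'
        # together would let 03/04/2017 parse as the wrong day without any error.
        [string[]]$Formats = @('yyyy-MM-dd', 'yyyyMMdd', 'yyyy-MM-dd HH:mm:ss', 'MM/dd/yyyy')
    )
    if ([string]::IsNullOrWhiteSpace($HrValue)) { return $null }
    $parsed = [datetime]::MinValue
    $ok = [datetime]::TryParseExact($HrValue.Trim(), $Formats, [cultureinfo]::InvariantCulture,
                                    [System.Globalization.DateTimeStyles]::AssumeLocal, [ref]$parsed)
    if (-not $ok) { throw "EmployeeEndDate '$HrValue' matches none of: $($Formats -join ', ')" }
    # MIM Service stores DateTime attributes in UTC; convert here so the set fires on the right day.
    return $parsed.ToUniversalTime()
}

function Format-MimDateTime {
    # MIM's format; \T escapes the literal T, and the invariant culture fixes ':' and '-'.
    param([Parameter(Mandatory)][datetime]$Value)
    $Value.ToUniversalTime().ToString('yyyy-MM-dd\THH:mm:ss.000', [cultureinfo]::InvariantCulture)
}

function Get-DeprovisionSchedule {
    # Disable on the employment end date; delete DeleteAfterDays later.
    param([AllowNull()][AllowEmptyString()][string]$EmployeeEndDate, [int]$DeleteAfterDays = 30)
    $end = ConvertFrom-HrDate $EmployeeEndDate
    if ($null -eq $end) { return $null }
    [pscustomobject]@{
        EmployeeEndDate = Format-MimDateTime $end                        # value to flow into MIM
        DisableOn       = Format-MimDateTime $end
        DeleteOn        = Format-MimDateTime $end.AddDays($DeleteAfterDays)
        DeleteOverdue   = (Get-Date).ToUniversalTime() -ge $end.AddDays($DeleteAfterDays)
    }
}

# Constructed HR rows: a leaver, a current employee, and a value in an unexpected format.
$rows = @(
    @{ AccountName = 'jdoe';   EmployeeEndDate = '2016-12-31' }
    @{ AccountName = 'asmith'; EmployeeEndDate = '' }
    @{ AccountName = 'bwong';  EmployeeEndDate = '31-12-2016' }
)
foreach ($r in $rows) {
    try   { $r.AccountName; Get-DeprovisionSchedule -EmployeeEndDate $r.EmployeeEndDate -DeleteAfterDays 30 }
    catch { Write-Warning "$($r.AccountName): $_" }   # bad data is rejected, never guessed
}
```

The third row is the case to design for: a date that fails to parse must stop the flow for that record rather than fall back to today's date or to the year 1601, because either default would disable or delete the wrong people. Keeping the 30-day offset in one place (either the set's criterion or a separate attribute flowed from this calculation) avoids two copies of the rule drifting apart.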

We then create what is called a temporal set. This is just a normal set, but we use a criterion that is time-dependent:

We can then use this set to trigger an MPR that modifies an attribute, such as the active attribute I used in my previous...

Self-service using MIM Portal


For users to be able to log in to the MIM portal and authenticate to MIM Service, we need three attributes populated for the user: AccountName, Domain, and ObjectSID.

But even if we have populated these attributes in MIM Service, and a standard user tries to log in to the portal (https://MIMPortal/IdentityManagement), the person will get the message shown in the following screenshot:

Why? Well, because there is no MPR enabled by default to allow users to access MIM Portal and/or MIM Service. The MPRs required to allow access to users are disabled by default. We just need to enable them in order for users to have access.

The MPRs we need to enable are as follows:

  • General: Users can read non-administrative configuration resources

  • User management: Users can read attributes of their own
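As an added example (not code from the book), the following PowerShell checks both conditions above from the MIM Service server using the FIMAutomation snap-in that ships with MIM Service and Portal: whether the two MPRs are enabled (with a switch to enable them through Import-FIMConfig), and whether a given user actually has AccountName, Domain, and ObjectSID populated, since without those the portal cannot authenticate the person no matter which MPRs are on. The test account name is an assumption.

```powershell
# Added example, not code from the book. Uses the FIMAutomation snap-in installed with MIM
# Service to check the two self-service MPRs and a user's sign-in attributes.
# Run on the MIM Service server as a MIM administrator; -Apply enables a disabled MPR.
param([switch]$Apply, [string]$TestAccountName = 'jdoe')   # jdoe is an assumed test user

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) { Add-PSSnapin FIMAutomation }
$om = 'Microsoft.ResourceManagement.Automation.ObjectModel'

function Get-MimAttributeValue {
    # Pulls one attribute out of an Export-FIMConfig result ($null when absent).
    param($ExportObject, [Parameter(Mandatory)][string]$Name)
    $a = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
         Where-Object { $_.AttributeName -eq $Name }
    if ($null -eq $a) { return $null }
    if ($a.IsMultiValue) { $a.Values } else { $a.Value }
}

function Enable-MimMpr {
    # Sets Disabled=False on an MPR through Import-FIMConfig (a Put carrying one Replace change).
    param([Parameter(Mandatory)]$Mpr)
    $id = $Mpr.ResourceManagementObject.ObjectIdentifier
    $change = New-Object "$om.ImportChange"
    $change.Operation      = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation]::Replace
    $change.AttributeName  = 'Disabled'
    $change.AttributeValue = 'False'
    $change.FullyResolved  = $true
    $change.Locale         = 'Invariant'
    $import = New-Object "$om.ImportObject"
    $import.ObjectType             = 'ManagementPolicyRule'
    $import.TargetObjectIdentifier = $id
    $import.SourceObjectIdentifier = $id
    $import.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
    $import.Changes                = (,$change)
    $import | Import-FIMConfig
}

$requiredMprs = @(
    'General: Users can read non-administrative configuration resources',
    'User management: Users can read attributes of their own'
)
foreach ($name in $requiredMprs) {
    $mpr = Export-FIMConfig -OnlyBaseResources -CustomConfig "/ManagementPolicyRule[DisplayName='$name']"
    if (-not $mpr) { Write-Warning "MPR not found: $name"; continue }
    $disabled = (Get-MimAttributeValue $mpr 'Disabled') -eq 'True'
    '{0,-8} {1}' -f ($(if ($disabled) { 'DISABLED' } else { 'enabled' }), $name)
    if ($disabled -and $Apply) { Enable-MimMpr $mpr }
}

# A Person without AccountName, Domain and ObjectSID cannot authenticate to MIM Service at all,
# so no MPR change will help; check the test account explicitly.
$user = Export-FIMConfig -OnlyBaseResources -CustomConfig "/Person[AccountName='$TestAccountName']"
if (-not $user) { Write-Warning "No Person with AccountName $TestAccountName" }
else {
    $missing = foreach ($attr in 'AccountName', 'Domain', 'ObjectSID') {
        if (-not (Get-MimAttributeValue $user $attr)) { $attr }
    }
    if ($missing) { Write-Warning "$TestAccountName is missing: $($missing -join ', ')" }
    else { "$TestAccountName has AccountName, Domain and ObjectSID" }
}
```

Run it without -Apply first; enabling an MPR is a configuration change that should go through the same review as any other MPR edit, because each of these two rules grants every authenticated user read access to a set of resources.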

Moreover, if you look back, you might recall that we had some options during installation talking about user access as well. There was a checkbox that said Grant Authenticated Users...

Managing Exchange


When managing users, we usually also find that we need to manage e-mail settings, or even e-mail systems. Microsoft Exchange is a common on-premises enterprise e-mail system.

In order for MIM to also manage Exchange, there are some configuration settings and permissions required. Microsoft documentation recommends that you add your AD MA service account to the Recipient Administrators role group (Recipient Management in Exchange 2010 and later). You can, however, eliminate unnecessary privileges by being more granular; see http://bit.ly/MIMExchangeRecipient for more information. There is no drawback to doing so, so grant your service accounts only the privileges they actually need.
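As an added example (not from the book or the article it links to), the following Exchange Management Shell commands show one way to be granular with Exchange 2010 or later RBAC: a child role of Mail Recipients cut down to the single cmdlet the AD MA calls when it provisions Exchange attributes, Update-Recipient, assigned to the service account alone and scoped to the OU MIM provisions into. Exchange 2007 has no RBAC, so there the role-group advice above is the only option. The service account name, role name, and OU are assumptions.

```powershell
# Added example, not from the book. Exchange 2010 or later RBAC; run in the Exchange
# Management Shell as a member of Organization Management.
# The account name, role name and OU below are assumptions for this example.
$ServiceAccount = 'CONTOSO\svc-mim-adma'            # the AD MA service account
$RoleName       = 'MIM Recipient Provisioning'
$ManagedOU      = 'contoso.com/MIM Managed Users'   # OU that MIM provisions users into

# 1. A child role of Mail Recipients reduced to the one cmdlet the AD MA invokes, Update-Recipient.
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent 'Mail Recipients' | Out-Null
}
Get-ManagementRoleEntry "$RoleName\*" |
    Where-Object { $_.Name -ne 'Update-Recipient' } |
    Remove-ManagementRoleEntry -Confirm:$false

# 2. Assign it to the service account only, write-scoped to the managed OU, so a compromised
#    MA account cannot touch recipients elsewhere in the organization.
$existing = Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -ErrorAction SilentlyContinue |
            Where-Object { $_.Role -eq $RoleName }
if (-not $existing) {
    New-ManagementRoleAssignment -Name "$RoleName - AD MA" -Role $RoleName -User $ServiceAccount `
        -RecipientOrganizationalUnitScope $ManagedOU | Out-Null
}

# 3. The MA reaches Exchange over remote PowerShell, which is disabled for ordinary users.
Set-User -Identity $ServiceAccount -RemotePowerShellEnabled $true

# 4. Verify: the role should expose exactly one entry, and the account should hold no other
#    Exchange role (membership in Recipient Management would silently widen it again).
Get-ManagementRoleEntry "$RoleName\*" | Select-Object Role, Name
Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount |
    Select-Object Role, RecipientWriteScope, RecipientReadScope
```

This covers only the Exchange side. The AD MA still writes the Exchange attributes themselves (mailNickname, homeMDB, and so on) through LDAP, so the service account needs the corresponding write permissions on the managed OU in Active Directory, and nothing more than that.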

In order for us to manage the attributes used and required by Exchange, we will need some knowledge about Exchange. There are, for example, multiple types of recipients to deal with.

At The Financial Company, they have decided that all employees should have a mailbox (recipient type: UserMailbox) but contractors should be mail-enabled users...

More considerations


It would be pretentious to think that anyone knows the right identity management approach for your organization without fully understanding the challenges and goals associated with your business processes and your technology. For some organizations, user management is defined as periodically updating a few attributes, while other organizations have a more evolved identity solution, and one or more actions will trigger multiple accounts to be provisioned, updated, or deprovisioned. Generally speaking, the authors agree that user management should strive to aggregate, manage, provision, deprovision, and synchronize changes.

MIM aggregates information into unique objects in the Metaverse. Thus, a user can have a single object representation for all their identities throughout the organization. In other words, the system that is authoritative for each piece of identity information builds a representation that we call a Metaverse object.

MIM is designed to interact with systems...

Summary


In this chapter, we have seen how the power of MIM allows you to manage identities out of the box, although some things require customization. We suggest building the basic, easier pieces first, and work on more advanced pieces in phases.

Before touching the MIM product, you will need to decide where the required unique attributes, such as AccountName, first-time password, and possibly things like e-mail address, are to be created.

We have also seen how easy it is to implement basic self-service using MIM Portal, which allows you to delegate some administration to the users themselves.

In the next chapter, we will extend this to groups, and look at how MIM can be used to enhance your group management.
