The task of provisioning of new user accounts invariably falls upon system administrators. Administrators create logins across a variety of systems, such as Active Directory (AD), Exchange, and SQL Server, when a new employee starts at the company. The equally important process of de-provisioning accounts when employees leave for pastures new often highlights the disconnect between the HR and IT departments—a system administrator might hear from the grapevine that Bob in accounts left the company three months ago but still has system access.

Identity Lifecycle Manager (ILM) 2 empowers end users to perform tasks traditionally undertaken by IT, such as resetting passwords and creating or deleting groups and users. It provides a SharePoint-based workflow where users can carry out simple tasks based on management policy rules defined in ILM. A record of who did what, and when, is maintained for auditing purposes.

How does ILM work?


ILM 2 is a complex product consisting of four main components: ILM Synchronization Service (previously called Microsoft Identity and Integration Server), which is supported by SQL Server 2008; ILM Portal, which is a SharePoint-based web portal for user and administrator access; ILM Client Components for Outlook and Windows integration; and ILM Service, a web service that interacts between the Synchronization Service and ILM Portal.

Synchronization Service is central to ILM and its function is to synchronize objects between directory services, such as AD and Novell, into a central database called the metaverse. Objects are synchronized into ILM's metaverse via connector spaces, and objects can either be synchronized back to the source directory service, or to a different directory, once processed by ILM. For instance, ILM could be used to keep passwords for user objects in sync between AD and Novell directory services, helping to simplify the logon process for users (though having one password to access all systems is convenient, this may not be acceptable in high-security environments). ILM comes with connector spaces for AD, SAP, Novell, Lotus Notes, Microsoft Exchange Server, SQL Server, and Oracle databases, to name just a few.

The most important new feature in ILM 2 is the ILM Portal, which provides access to all the product's main features, such as self-service identity and group management tools, via a web interface for both system administrators and end users. You can provision users and groups using the ILM Portal, create workflows, and modify policies. All changes are submitted to the ILM Service, which then passes requests to the ILM Synchronization Service, where the metaverse is updated.

ILM's client components integrate with Microsoft Outlook to provide group management tools, including the ability to process offline group membership or approval requests. The ILM client also integrates with Windows logon, providing an authentication gateway should users want to reset a forgotten password. Administrators can change employee data using ILM's portal. This information is then passed on by the ILM service to the synchronization service, which updates connected directories. The synchronization service is responsible for detecting new and changed records, and making the appropriate directory updates.

Installing ILM and Client Components


The system requirements for each of ILM's server components are slightly different. To install all the components on one server requires Windows Server 2008 64-bit (standard or enterprise edition), SQL Server 2008 64-bit (standard or enterprise edition), Internet Information Services 7 (IIS), .NET Framework 3.0 and 3.5 SP1, and Windows SharePoint Services 3.0 SP1. The server must have at least 2GB of available disk space and 2GB of memory. The client-side components are supported on Windows XP Professional SP3 and Windows Vista Enterprise SP1, both 32-bit and 64-bit editions, and Outlook 2007. .NET Framework 3.5 SP1 is also required on clients.

ILM in Action - Self-Service Password Resets


A prominent new feature of ILM 2 is the ability for users to reset forgotten passwords at the Windows logon prompt. Administrators can configure one or more authentication gateways where users answer a series of pre-defined questions before being given the opportunity to reset their password, or proceed to the next gateway. Inserting a smartcard can also be set as a condition for passing a gateway. When users log on for the first time, they're asked to register with the self-service password reset system by answering questions set by an administrator.

You can categorize users so that those who have access to highly sensitive information on the network have to pass more authentication gateways before being allowed to reset their password. The ability to reset passwords at the logon prompt can be disabled, and you can enable that ability in a web interface.

Identity Management for Users


ILM Portal can be customized for different categories of users to access features, such as managing distribution list (DL) membership, telephone extensions, or office numbers, which Figure 1 illustrates. The ability to manage security groups and DLs via ILM Portal provides a natural extension to the SharePoint system, with which many users will already be familiar.

Figure 1: The ILM Home screen. Click to expand.

As well as providing self-service password reset capabilities, ILM's client components integrate into Outlook with a familiar interface for managing DL membership. Requesting membership of a DL is done using the Groups menu in the top-right corner of Outlook. Requests are managed using Outlook forms where users can search for groups using standard Outlook dialogs. Approvals can also be managed by group owners using email, with voting style accept/reject buttons, as illustrated in Figure 2.

Figure 2: An ILM pending approval email. Click to expand.

ILM for Sysadmins—Provisioning Users and Groups


User objects are provisioned to the connected directories using ILM Portal with a simple wizard that allows admins to set properties such as employee start and end date and to whom the employee reports. Users are automatically added to the appropriate groups in connected directories based on information you enter when creating a new user, such as the user's department or employee status. Let's look at how to provision a security group with dynamic membership. Log on to your ILM server as an administrator:

 

  1. Open the ILM Portal in Internet Explorer (http://<servername>/identitymanagement, replacing <servername> with the name of your ILM server).
  2. Click Security Groups on the navigation bar then New on the All Groups page.
  3. Give the group a Display Name and Account Name on the Basic Info tab. Select Calculated in the Selection of Members section and click Next.
  4. Click Object ID on the Members tab and select Department from the menu.
  5. Click to select a value and enter a department name, such as finance, as shown in Figure 3. Click Next to continue.

    Figure 3: Provisioning users based on department. Click to expand.



  6. Leave the Expiration Time box blank and click Next.
  7. Leave the group Owner set to administrator and click Next.
  8. Review the details on the Summary tab and click Submit to complete the process.

Groups can also have static membership, where join requests are managed and approved through the ILM Portal. De-provisioning is also carried out using the portal, and workflows can be created to de-provision user objects across multiple directories with a single click.

Understanding ILM Portal Components


Before exploiting the true power of ILM, you need a basic understanding of ILM Portal components and concepts. Sets are collections of objects that have been synchronized from a connected directory and can be dynamically created based on attribute information stored on objects in the metaverse. Figure 4 shows a Set called _Security Group Administrators that contains people whose department attribute is defined as Support.

Figure 4: The _Security Group Administrators Set. Click to expand.

Sets can also group together ILM Portal UI elements dynamically, based on keywords. Figure 5 shows a Set called All Basic Home Page Configurations for UI objects where the keyword is defined as BasicUI.

Figure 5: The All Basic Home Page Configurations Set. Click to expand.

Workflows are defined to either provide authentication capabilities such as authentication gateways; authorization by verifying group membership or requiring approval; or an action like providing email notifications or password resets. Wizards allow basic workflows to be created in ILM Portal and this is known as codeless provisioning.

Management Policies are used to trigger workflows and control permissions on who can do, and see what in the ILM Portal. For example, if a user attempts to create a new user through the ILM Portal, a management policy would trigger the appropriate workflow. A management policy might grant a Set called Administrators read permissions to another Set called All Objects.

Creating a Workflow to Provision a New User Object


You can use ILM's codeless-provisioning system to create basic workflows for managing identities in connected directories. In this walkthrough, I'll create a workflow that allows users with appropriate permissions in the ILM Portal to provision a user object. Because the ILM Portal comes pre-loaded with the necessary workflows and policies to provision users to AD, the following steps are intended for gaining a better understanding of how ILM works and how you might provision a user object to a non-Windows directory service. Log on to your ILM server as an administrator:

 

  1. Open the ILM Portal in Internet Explorer (http://<servername>/identitymanagement, replacing <servername> with the name of your ILM server).
  2. Click Workflows under Management Policies on the left navigation bar.
  3. Click New on the All Workflows page.
  4. On the Basic Information tab, call the workflow Create User and under Workflow Action select Action and click Next.
  5. Choose Password Reset Activity and click Select.
  6. Accept the default settings for the random password by clicking Save.
  7. Under Password Reset Activity, click Add Activity.
  8. Choose Synchronization Rule Activity from the Activity Picker and click Select.
  9. Select _AD Inbound Sync Rule for Users, leaving Action Selection set as Add, and click Save.
  10. Under Add the target resource to Synchronization Rule, click Add Activity. Choose Notification from the Activity Picker and click Select.
  11. In the Recipients box, type administrator. Click the Browse icon to the right of the Email Template box and select an appropriate template from the list. Click Save to continue.
  12. Now that you've finished defining activities for this workflow, click Next at the bottom of the Create Workflow page, which should resemble Figure 6.

    Figure 6: The Create Workflow page. Click to expand.



  13. On the Summary tab, click Submit to finalize the workflow.

Once the workflow has been created, you should define a management policy to trigger the workflow:

 

  1. Click Management Policies in the navigation bar on ILM's homepage.
  2. Click New on the Management Policies page.
  3. Give the policy a name on the General Information tab and click Next.
  4. Type Administrators in the Specific Set of Requestors box and click the Check Names icon to the right. Select Administrators from the drop-down menu to confirm your choice, and the text should be underlined.
  5. Select Create resource in the Operation section and click Next.
  6. In the Specific Set of Objects box, type All People and click the Check Names icon to the right. Click Next to continue.
  7. Scroll down to Action on the Policy Workflows tab and check Create User. You may need to scroll through several pages to find the correct policy. The Create User workflow should appear under Selected Objects. Click Next to continue.
  8. Check the details on the Summary tab and click Submit.

Now that a management policy and workflow have been created, when new user objects are created using ILM Portal, they should be provisioned in the metaverse and synchronized to the directory specified in step 9.

Do the Benefits of ILM Outweigh the Complexity?


ILM 2 improves on ILM 2007 with its integrated web portal and self-service password reset integration with Windows logon. While the codeless-provisioning system provided by the portal is a welcome addition, it doesn't offer enough functionality to create workflows for Exchange or SQL Server—two mainstays of most Windows shops—rendering it a little academic. It's not even possible to modify the built-in workflow for provisioning AD user objects because of the lack of support for Exchange in the codeless-provisioning system. This all leads to the fact that to do anything mildly useful with ILM 2, you'll still have to write VB.NET or C#.NET code, as was required in previous versions of ILM.

Another product, the Identity and Integration Feature Pack (IIFP), is a free download from Microsoft and provides a subset of MIIS functionality specifically for synchronizing objects between AD forests to facilitate Exchange migrations. If that's all you need, it can be a much simpler alternative to ILM.

While the basic workflows ILM provides out of the box are likely to be useful, to employ ILM in your organization and achieve an acceptable return on investment, you'll need people who have a deep understanding of the connected directories and ILM server components. Furthermore, ILM adds a level of complexity to your environment that may outweigh the benefits if you don't have the right staff on hand and complex problems to solve.

Related Reading: