Forefront Identity Manager 2010 R2 (IdM)

Forefront Identity Manager 2010 (FIM 2010) is a follow-up of MIIS 2003 (Microsoft Identity Integration Server) and ILM 2007 (Identity Lifecycle Manager) product lines designed to manage identification information. Thus, in spite of number “2010” at the end of the product name FIM 2010 has a reputable more than ten-year history. While the names of new product versions were frequently changed, Microsoft did not change the word “identity”, and managing just this “identity” is the main function of FIM 2010.

The most correct translation of the word “identity”, in our opinion, is “identification information” or “identification data”. Identification data means not only logins and passwords of users. Within the current context this term combines any information about company employees which is stored in application and infrastructure systems, for instance:

  • Full name
  • Position held
  • Department
  • Manager
  • Birth date
  • Photo
  • Mail address
  • Phone numbers
  • Membership in role groups, access groups or mailing lists
  • Any other information that can be received from personnel databases, Active Directory, mail system, phone book, portal and other systems.

By using FIM 2010 information from data sources can be aggregated within virtual shared storage Metaverse and distributed among the systems according to a set of rules. Schematically this process can be presented as following:

ForeFront Identity Manager 2010 R2 base Architecture

Data integration between different sources allows:

  • Making data structure consistent among all systems.
  • Keeping all data updated in automatic mode (for instance, in case of surname change this information can be received from personnel service and distributed to Active Directory, address book, etc.).
  • Automating creating users in data sources, for instance in case of hiring new employees.

Furthermore one of the main distinctions between FIM 2010 and its predecessors is the capability to respond to status changes of objects being stored. This turns FIM from standard set of tools for synchronization, which is realized in the most companies as self-written scripts in one way or another, to the powerful system managing credentials life cycle from creating at the moment of hiring an employee till locking or deleting at the moment of dismissal of the employee.

It is important to note that FIM workflows initiated as a response to user data change are developed on the basis of Windows Workflow Foundation platform that allows implementing almost any scenario. For instance, on the dismissal of an employee the system can automatically do the following:

  • Lock the employee’s account in Active Directory;
  • Initialize approval process for deleting account from Active Directory;
  • Lock the employee’s account in all systems which are not integrated with Active Directory;
  • Send corresponding notifications to administrators;
  • And even publish vacancy for the position of the employee having left the company to the internet.

A pleasant supplement is a capability provided by self-service user portal which is a component of FIM 2010. By using the portal users can make modifications in their information (e.g. modify room number or phone number) and request membership in security or distribution groups. In this case modifications made to the portal by the user can be either saved at once or sent to approval according to specified workflow.

Furthermore self-service portal allows the user to reset forgotten password by using a component installed to the workstation. To do this the user having permission to use this functionality should register at the self-service portal and enter his answers to a set of questions configured by the administrator. When the user tries to reset his password by himself he is offered to answer a specified number of those questions again and according to the number of correct answers it will be decided to reset password or, for instance, send a message to security service.

To sum up, FIM 2010 allows achieving the following:

  • Data consistence among different systems;
  • Keeping user data updated (which is of the most importance, for instance, in case of implementing such technology as Dynamic Access Control);
  • Automating several routine operations, releasing in such away way IT-personnel from them.
  • Significant reduction of influence of human factor to the work with identification data.
  • Providing users with capability to keep themselves their data updated or notify administrators of the systems about that in time.
  • Implementing role model of access to resources based on data about employees.
  • Providing users with the capability to reset forgotten password by themselves.