Wednesday, October 30, 2019

MIM Portal Groups whose displayedOwner isn't among the Owners

In the MIM Portal a group whose DisplayedOwner (a single-valued reference) isn't among the objects in the multivalued reference attribute Owner will create issues, because the Portal expects the displayed owner to be one of the owners. Querying for this through XPath is just about impossible, so here is a SQL query against the FIMService database that lists such groups. Two caveats: querying the FIMService database directly is unsupported, so keep it to SELECT statements (ideally on a restored copy or with a read-only login), and the numeric attribute keys used below (1 = DisplayName, 65 = DisplayedOwner, 138 = Owner) are the ones from my environment; confirm them against the attribute definitions in your own database (the fim.AttributeInternal table) before trusting the results.

USE FIMService

SELECT DOwn.GroupObjID
     , DOwn.GroupDisplayName
     , DOwn.UserDisplayName
     , DOwn.UserObjID
FROM (
    -- every group's DisplayedOwner (single-valued reference)
    SELECT GroupObjID       = G.[ObjectID]
         , GroupDisplayName = GAOVS.ValueString
         , UserDisplayName  = UAOVS.ValueString
         , UserObjID        = U.[ObjectID]
    FROM [fim].[ObjectValueReference] GOVR
    JOIN [fim].[ObjectValueString]    GAOVS ON GAOVS.ObjectKey = GOVR.ObjectKey
    JOIN [fim].[Objects]              G     ON G.ObjectKey     = GOVR.ObjectKey
    JOIN [fim].[ObjectValueString]    UAOVS ON UAOVS.ObjectKey = GOVR.ValueReference
    JOIN [fim].[Objects]              U     ON U.ObjectKey     = GOVR.ValueReference
    WHERE GOVR.[AttributeKey]  = 65   -- DisplayedOwner
      AND GAOVS.[AttributeKey] = 1    -- DisplayName (of the group)
      AND UAOVS.[AttributeKey] = 1    -- DisplayName (of the displayed owner)
) DOwn  -- DisplayedOwners
LEFT JOIN (
    -- every group's Owner values (multivalued reference), one row per owner
    SELECT GroupObjID = G.[ObjectID]
         , UserObjID  = U.[ObjectID]
    FROM [fim].[ObjectValueReference] GOVR
    JOIN [fim].[Objects] G ON G.ObjectKey = GOVR.ObjectKey
    JOIN [fim].[Objects] U ON U.ObjectKey = GOVR.ValueReference
    WHERE GOVR.[AttributeKey] = 138   -- Owner
) Own   -- Owners
    ON  Own.GroupObjID = DOwn.GroupObjID
    AND Own.UserObjID  = DOwn.UserObjID
WHERE Own.UserObjID IS NULL           -- no matching Owner row: the DisplayedOwner is not an Owner
ORDER BY DOwn.GroupDisplayName;

Wednesday, January 23, 2019

Latency vs the Cloud

"The cloud is so fast! We can spin up servers and services so quickly to extend our environment and then all the users across the globe can access these services, so why does it take so long for you to get our users into the cloud?"
Total time ≈ (latency) × (number of round trips)
Most cloud Identity Management APIs are built so that consumers must retrieve or load data one object at a time, which means one round trip per object. A data set in the cloud is naturally farther away than one on a server in the same data center, so the one-object-at-a-time pattern that worked acceptably in the data center still works in the cloud for very small sets of objects, but once you load even moderately sized data sets the added latency shows up quite harshly. More bandwidth won't solve the problem, because the cost is per round trip, not per byte.

Let's try an analogy: bandwidth is like the number of lanes on a freeway, which means more traffic can pass through the same point at the same time, whereas latency is like the length of the freeway between your source and destination, the farther away you are from your destination the longer the trip will take. 

Building in a bulk mechanism for cloud APIs is a must! When moving across the country I want to load my stuff into a moving truck, not take one object at a time in my car! The same applies to the act of moving data, which I move across the country a whole lot more frequently than I do my family. Please, owners of Cloud APIs, don't force me to get/load one object a time, let me use a moving truck (bulk export and import)!
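To put numbers on the latency-times-round-trips point, here is an added PowerShell model (not from the original post). The object count, object size, round-trip times and bandwidths in it are constructed illustrations, not measurements of any product or provider.

```powershell
# Added example, not from the original post. A back-of-the-envelope model of how
# long a provisioning or sync run takes:
#   total = ceil(round trips / requests in flight) * round-trip latency
#         + (bytes moved / bandwidth)
# Every number below is a constructed illustration, not a measurement.

function Get-SyncTimeEstimate {
    param(
        [int]    $ObjectCount,
        [double] $RoundTripSeconds,       # network round-trip time to the API
        [int]    $BytesPerObject,
        [double] $BandwidthBitsPerSec,
        [int]    $BatchSize   = 1,        # objects per request; 1 = one-at-a-time API
        [int]    $Concurrency = 1         # requests kept in flight at once
    )
    $roundTrips   = [math]::Ceiling($ObjectCount / $BatchSize)
    $latencyTime  = [math]::Ceiling($roundTrips / $Concurrency) * $RoundTripSeconds
    $transferTime = ($ObjectCount * $BytesPerObject * 8) / $BandwidthBitsPerSec
    [pscustomobject]@{
        RoundTrips      = $roundTrips
        LatencySeconds  = [math]::Round($latencyTime, 1)
        TransferSeconds = [math]::Round($transferTime, 1)
        TotalMinutes    = [math]::Round(($latencyTime + $transferTime) / 60, 1)
    }
}

# Constructed scenario: 50,000 users at ~2 KB each; 1 ms RTT inside a data
# center versus 80 ms to a cloud region; 100 Mbps versus 1 Gbps links.
$common = @{ ObjectCount = 50000; BytesPerObject = 2048 }
$scenarios = @(
    @{ Label = 'Same DC, one at a time, 1 Gbps';     RoundTripSeconds = 0.001; BandwidthBitsPerSec = 1e9; BatchSize = 1;    Concurrency = 1 }
    @{ Label = 'Cloud, one at a time, 100 Mbps';    RoundTripSeconds = 0.080; BandwidthBitsPerSec = 1e8; BatchSize = 1;    Concurrency = 1 }
    @{ Label = 'Cloud, one at a time, 1 Gbps';      RoundTripSeconds = 0.080; BandwidthBitsPerSec = 1e9; BatchSize = 1;    Concurrency = 1 }
    @{ Label = 'Cloud, one at a time, 8 in flight'; RoundTripSeconds = 0.080; BandwidthBitsPerSec = 1e8; BatchSize = 1;    Concurrency = 8 }
    @{ Label = 'Cloud, bulk, 1000 per request';     RoundTripSeconds = 0.080; BandwidthBitsPerSec = 1e8; BatchSize = 1000; Concurrency = 1 }
)

$report = foreach ($s in $scenarios) {
    $p = $common.Clone()
    foreach ($k in $s.Keys) { if ($k -ne 'Label') { $p[$k] = $s[$k] } }
    $est = Get-SyncTimeEstimate @p
    [pscustomobject]@{
        Scenario        = $s.Label
        RoundTrips      = $est.RoundTrips
        LatencySeconds  = $est.LatencySeconds
        TransferSeconds = $est.TransferSeconds
        TotalMinutes    = $est.TotalMinutes
    }
}
$report | Format-Table -AutoSize
```

With those constructed numbers the model puts the same-data-center run at under a minute and the one-at-a-time cloud run at roughly 67 minutes, of which the transfer term is about 8 seconds; a ten-times faster link trims those 8 seconds to under one, keeping eight requests in flight brings it to about 8.5 minutes, and a bulk API taking 1000 objects per request brings it to about 12 seconds. That is the freeway analogy in numbers: the lanes barely matter once the trip is dominated by the distance.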

Monday, December 17, 2018

MIM Open Source Schedulers

Your MIM installation is in, the config is done, the programming is all set, and now it is time to automate running the Management Agents.

Options? Most people use Windows Task Scheduler with a PowerShell script or VBScript, which works but can get cumbersome to maintain. With my SQL Server background, I often use SQL Server Agent jobs instead, because they have much better follow up and can execute database commands directly.
  • Task Scheduler -- runs as a windows service
    • Can launch a job based on multiple triggers: 
      • scheduled
      • CPU idle  
      • an event in the event log
      • startup
      • user logon 
    • Step Types
      • Command line
    • What it lacks is follow up: beyond its own operational log of start, finish and exit code it doesn't record what the script actually did, it has no supported email capability, and it doesn't do a good job of storing the results.
  • SQL Agent -- also runs as a windows service
    • Schedule types:
      • Recurring -- daily, weekly or monthly, and within a day it can repeat every x hours, x minutes or x seconds
        • Daily
        • Weekly
        • Monthly
      • One time
      • SQL Agent Starts
      • CPU idle
    • Step Types
      • SQL
      • Command Line
      • PowerShell
      • SSIS
    • Follow up is pretty good -- 
      • Write to the event log
      • It automatically records the results of each step -- I find it much easier to troubleshoot a SQL Agent job as opposed to a Task Scheduler job.
        • You can control the level of detail recorded
      • Send an email on failure or success
      • Can even have a pager schedule
      • You can jump from one step to another on success or failure
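As an added example of the follow up that a scheduled script has to provide for itself, here is a PowerShell run-sequence script (not the post's code and not from any of the schedulers listed below). It runs profiles through the Sync Service's WMI provider and records each result in the Application event log; the MA names, run-profile names and event-source name are placeholders, and the script assumes it runs on the Sync server under an account in the MIMSyncOperators (or MIMSyncAdmins) group, with local administrator rights the first time so the event source can be registered.

```powershell
# Added example, not code from the post or from any scheduler it lists. Runs a
# sequence of Sync Service run profiles via the MIIS WMI provider, records each
# result in the Application event log (the follow up the post says Task Scheduler
# lacks), refuses to start an MA that is already running, and stops the sequence
# on the first failure. MA names, run-profile names and the event source are
# placeholders (assumptions), not values from any real environment.

$EventSource  = 'MIM Run Sequence'                    # assumed event-log source name
$WmiNamespace = 'root\MicrosoftIdentityIntegrationServer'

# Placeholder sequence: HR in, sync, AD out, confirming import.
$Sequence = @(
    @{ MaName = 'HR MA'; RunProfile = 'Delta Import' }
    @{ MaName = 'HR MA'; RunProfile = 'Delta Synchronization' }
    @{ MaName = 'AD MA'; RunProfile = 'Export' }
    @{ MaName = 'AD MA'; RunProfile = 'Delta Import' }
)

function Write-RunEvent {
    param([string] $Message, [string] $EntryType = 'Information', [int] $EventId = 1000)
    # Write-EventLog fails if the source was never registered (one-time, needs admin).
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -Source $EventSource -EntryType $EntryType `
                   -EventId $EventId -Message $Message
}

function Invoke-RunProfile {
    param([string] $MaName, [string] $RunProfile)

    $ma = Get-WmiObject -Namespace $WmiNamespace -Class MIIS_ManagementAgent |
          Where-Object { $_.Name -eq $MaName }
    if (-not $ma) { throw "Management agent '$MaName' not found" }

    # Never start a profile on an MA that is still running a previous one.
    if ($ma.RunStatus().ReturnValue -eq 'in-progress') {
        throw "'$MaName' is already running; refusing to start '$RunProfile'"
    }

    $timer  = [System.Diagnostics.Stopwatch]::StartNew()
    $result = $ma.Execute($RunProfile).ReturnValue    # blocks until the run ends
    $timer.Stop()

    # 'success' is clean; 'completed-*' means the run finished but had per-object
    # errors; anything else (e.g. 'stopped-*', 'no-start-*') means it did not complete.
    $level = switch -Wildcard ($result) {
        'success'     { 'Information' }
        'completed-*' { 'Warning' }
        default       { 'Error' }
    }
    $msg = "$MaName / $RunProfile finished in $($timer.Elapsed.ToString('hh\:mm\:ss')) with result '$result'"
    if ($level -eq 'Error') {
        # RunDetails() returns the run-history XML for the last run; keep a bounded
        # slice of it with the event so the failure can be diagnosed later.
        $details = [string] $ma.RunDetails().ReturnValue
        $msg += "`n`n" + $details.Substring(0, [math]::Min($details.Length, 8000))
    }
    $id = if ($level -eq 'Error') { 1002 } else { 1001 }
    Write-RunEvent -Message $msg -EntryType $level -EventId $id
    return ($level -ne 'Error')
}

# Run the sequence; a failed step aborts the rest and fails the job.
foreach ($step in $Sequence) {
    try {
        if (-not (Invoke-RunProfile @step)) { throw "Step failed, aborting sequence" }
    }
    catch {
        Write-RunEvent -Message "Sequence aborted: $($_.Exception.Message)" -EntryType 'Error' -EventId 1003
        exit 1   # non-zero exit marks the Task Scheduler action / SQL Agent step as failed
    }
}
Write-RunEvent -Message "Sequence of $($Sequence.Count) run profiles completed"
```

The same script body works as the action of a Task Scheduler task or as the command of a SQL Agent PowerShell step; in both cases the non-zero exit on failure is what marks the job as failed, and the event-log entries give you the per-step result that Task Scheduler alone would not keep.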
A search of GitHub reveals a few Open Source options that provide features more specific to MIM.

Open Source options:
  • Aseand's RunScript is a PowerShell script. How does that help? It has all kinds of pre-built functions that are commonly needed in your own PowerShell script -- so this isn't really a scheduler as you still need to use Task Scheduler, but not a bad place to start your own PowerShell script.
    • AnyInProgress MAs
    • Clearrunhistory
    • MSSQLExecute
    • export-count
    • import-count
    • stage-count
    • start-agent -- runs an Agent asynchronously
    • Runagent -- runs an Agent and waits -- looks to have some great error handling
    • getRunHistory
    • getRunHistoryOld
    • WriteXmlToScreen -- for printing out the CSEntry data
    • SaveChangeCS -- get the pending CS changes
    • Aseand also created a PowerShell script that does some pretty nice Sync engine documentation by querying the Sync engine database
  • Fellow MVP Ryan Newington (lithnet)'s miis-autosync -- runs as a windows service 
    •  Schedule
      • Recurring schedules 
      • events such as changes to AD, HR etc
    • The other key feature is it can be set up to only run if there is work to be done. It can also run as many profiles in parallel as possible. This is one of the best ways to cut a sync cycle as short as possible. 
    • Send emails when job fails
    • Clear Run History
  • Wim Beck's FIM Scheduler -- uses XML config files, can run linear sequences and parallel sequences. It also runs as a Windows Service
  • Former MVP Soren Granfeldt's MA Run Scheduler -- was built as a replacement for the MASequencer from the MIIS Toolkit. 
  • Traxion Solutions also has an MIIS Sequencer to replace the MA Sequencer

Wednesday, November 21, 2018

How to Be an MVP in Life -- Launching Nov 27th

We are launching my new book, “How to Be an MVP in Life: Lessons in Living and Leadership from Sports & Tech MVPs” on November 27th. It is available now for Pre-order at Amazon.
Featuring an interview with the 2016 World Series MVP, Ben Zobrist, stories about 2-time Pro-Sports MVPs: Steve Nash, Dale Murphy, Steve Young and Sid the Kid Crosby, as well as interviews with 18 Microsoft MVPs.

Monday, October 8, 2018

Missing the old Directory Experts Conference? Try HIP!

On Monday, Nov 5th, and Tuesday the 6th I will be attending and speaking at the Hybrid Identity Protection (HIP) Conference in NYC. On Monday at 4 PM I will be giving an updated version of Top Lessons Learned from Disasters in Identity Management as well as a sneak peek of my new book, How to be an MVP in Life.

I am very excited to attend this conference. Thanks to Darren Mar-Elia and Micky Bresman at Semperis for putting it all together. This should be a lot like the old DEC -- Directory Experts Conference since it looks like DEC co-founder Gil Kirkpatrick is heavily involved.

I would recommend going to Sean Deuby's talk on Azure AD Protection but he and I are speaking at the same time.

I do highly recommend Brian Desmond's talk about 10 quick Identity Wins with Azure AD, and the Conditional Access Deep Dive with Joe Kaplan.

Wednesday, July 4, 2018

12 time MVP writes book on MVPs

Soon I will be adding the 2018-2019 ring onto this trophy. This makes 12 times starting back in 2007.

The MVP program means a lot to me. So I have written a book about MVPs in both tech and sports. It will be coming out soon. I could use your help with the title.


Thursday, May 17, 2018

European Identity Conference 2018 - Wednesday

Jet lag and other issues caught up with me the next day (Tuesday) and I didn't attend any sessions :(

One thing I love is that most presentations including keynotes are only 20 min long so even when we get a terrible one -- we know it will be over soon. But most of the sessions were good and some were great!

My first Wednesday session was listening to Sebastian Goodrick of SUVA and Dr. Jacek Jonczy discussing how agile methodologies did and didn't work well with replacing their existing Identity Management system with another one. Hire an agile coach! Recognize that replacing an existing system is often big bang and so you won't really be pushing out to production, but you can still do sprints.

Martin Kuppinger covered whether it is best to buy best of breed or a suite. The answer -- it depends! But Martin laid out a good model to help us evaluate the suites.

Matthias Reinwarth covered Privilege Management and Access Governance and how they can work together. One snag I see is that for access governance you need to have mature policies about who can access what, and many organizations are still in adolescence or infancy. Still, it was a useful reminder that integrating them is a good idea, so that when people no longer need to be privileged we remove their privilege.

My favorite of the day was by Joseph Carson who talked about how a light bulb almost allowed pirates to ruin Christmas, in his talk "The Anatomy of a Privileged Account Hack."

Then we had a 20 min panel on How to Establish governance. Some interesting tidbits. Matthias determined that 20 min panels are hard to run but I don't mind it because it forces the panel to be prepared with two or three prepared responses to questions.

After the break, we returned with three sessions on lessons learned, starting with mine on Top Lessons from Disasters in Identity Management. Martin Kuppinger introduced me and wanted to know why I ended up doing the Top 13 lessons instead of Top 10 like I proposed. I told him that 13 is luckier than 10. The reality of it was just based on my stories. As I told my war stories I got some good laughs and lots of great comments. After, three people including Martin shared their stories. Another attendee even emailed me his story.

Following my presentation, Nishant opened our eyes to the importance of user experience. Finally, Andrea revealed something that in hindsight should be obvious: separation of duties needs to be checked against effective permissions rather than roles, because it is too easy to later modify roles in ways that violate SoD if our SoD check merely ensures that someone isn't in two particular roles.

Then we had the evening Keynotes. Of the three, Ian Glazer's merits mentioning. It was very insightful as he presented how to evaluate our skills on competence and reputation. I really enjoyed it.