Friday, March 31, 2017

Open Source: Review of MIMTools

JefTek created a niche hybrid tool that tackles a few pieces of the sync and service puzzle in a way that none of the others do.

One notable one for sync:
Get and Export MIM Deltas to CSV (based on a drop file, either stop-and-drop or the audit log dropped during the export).

It is great for setting up SharePoint and the Kerberos authentication to it.

While it doesn't do all that IS4U-FIM-PowerShell (see my review), Lithnet resourcemanagement-powershell or Lithnet-miis-powershell (see my review), or even the FIM PowerShell Module (see my review) do, it fills a small niche that none of the rest of them do. This is a solid contribution!


Open Source: Review of FIM 2010 PowerShell Cmdlets

Gil Kirkpatrick (a great guy, fellow MVP, who has taught me a lot over the years) created one of the very first, if not the first, PowerShell commandlets libraries to manage FIM/MIM service. It hasn't had any activity in years, but it served as a great example to get others going.

If you like this simple approach you could check out Adam Weigert's PowerShell for FIM 2010 (see my review).

I recommend IS4U-FIM-PowerShell (see my review); this is what I use. But I also recommend Lithnet resourcemanagement-powershell (see my review).

Open Source: Review of IS4U-FIM-PowerShell

Wim Beck's IS4U-FIM-PowerShell is a great example of open source, in that he has built on top of the FIM PowerShell Module (see my review). This is what Open Source is about, building upon each other's contributions to make great stuff!

When I looked at it in Dec 2016 I almost dismissed it since it lacked a wiki, but since then Wim has added a lot of pages. They still lack examples; I plan on pitching in to help out with that by adding some examples to my fork and then asking Wim to pull it in.

Some of the commandlets don't do a good job of robust validation of parameters. This is another area that could use some community involvement.

For me the approach of having commandlets focused around different object types allows for a natural and better validation of the data you need to create, update and delete objects in the FIM/MIM service.

One great example of building on things is the New-ObjectTypeConfiguration commandlet, which creates the object type in the schema, the attributes, the bindings, an MPR for permissions, a search scope and a navbar element, and updates the sync filter. Awesome!

I also love the RCDC commandlets. Test-RCDCConfiguration just does a simple test against the XSD, which you can set up Visual Studio to do for you, but this allows you to test it programmatically after making programmatic changes to an RCDC object before you upload it. I did feel the need to extend this and added a function to back up the RCDC and another to back up all of the RCDCs. I will add those to my fork when I get the chance.
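As an added example (not Wim's code and not from this post), this is one way to back up every RCDC's ConfigurationData XML to disk before making programmatic changes. It uses Microsoft's own Export-FIMConfig snap-in cmdlet rather than the IS4U module, and assumes the FIM Service is reachable at the default local URI; the backup folder path is a constructed sample.

```powershell
# Added example: back up every RCDC (ObjectVisualizationConfiguration) to one XML file each,
# so edits made with the RCDC commandlets can be diffed or restored. Not part of IS4U-FIM-PowerShell.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

function Backup-AllRcdc {
    param(
        [Parameter(Mandatory)] [string] $BackupFolder,
        # Assumption: default FIM Service endpoint on the local server.
        [string] $Uri = 'http://localhost:5725/ResourceManagementService'
    )
    New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null

    # -OnlyBaseResources keeps the export to the RCDC objects themselves (no referenced objects).
    $rcdcs = Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig '/ObjectVisualizationConfiguration'

    foreach ($export in $rcdcs) {
        $attrs = $export.ResourceManagementObject.ResourceManagementAttributes
        $name  = ($attrs | Where-Object { $_.AttributeName -eq 'DisplayName' }).Value
        $xml   = ($attrs | Where-Object { $_.AttributeName -eq 'ConfigurationData' }).Value

        # Confirm the stored XML is at least well-formed before trusting the backup copy.
        try { [xml]$xml | Out-Null }
        catch { Write-Warning "RCDC '$name' has malformed ConfigurationData: $($_.Exception.Message)" }

        # Replace characters that are not valid in Windows file names.
        $safeName = $name -replace '[\\/:*?"<>|]', '_'
        Set-Content -Path (Join-Path $BackupFolder "$safeName.xml") -Value $xml -Encoding UTF8
    }
    Get-ChildItem -Path $BackupFolder -Filter '*.xml'
}

# Constructed sample path: one timestamped folder per backup run.
Backup-AllRcdc -BackupFolder "C:\FIMBackup\RCDC\$(Get-Date -Format 'yyyyMMdd-HHmm')"
```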

I use this module and it saves me a lot of time. I am glad to see Wim continuing to work on it, smoothing out the rough edges.

I can see how some might prefer the config file approach of Ryan Newington's Lithnet resourcemanagement-powershell (see my review), which I also recommend.

Open Source: Review of Lithnet

Ryan Newington's Lithnet consists of several items:

  1. miis-powershell
  2. resourcemanagement-powershell
  3. resourcemanagement-webservice
  4. googleapps-managementagent
  5. acma
    1. "Codeless business rules engine for FIM/MIM"
  6. umare
    1. "Codeless data transform engine for FIM/MIM"

I will only review the items I know.

Managing Sync
miis-powershell is amazing; it can do almost everything you can do through the UI. For example, Clear-FullSyncWarning. And it has a great wiki. Gotta have it!

It wraps WMI calls, existing PowerShell modules, executables and sync client UI to interact with FIM/MIM Sync.

My WishList
Turn on and off Sync Rule Provisioning

Export Sync Server Config

Managing Service

I know many people love Ryan's approach with Lithnet resourcemanagement-powershell as it enables you to interact with the FIM/MIM Service in great ways. My big downside is that you just about have to learn a new language, the Config Management XML, to use this most effectively. But when you do you can have every piece of FIM/MIM Service under source code control. Ike Ugochuku (recent MVP -- congrats!) has a nice video intro.

So while I use Wim Beck's IS4U-FIM-PowerShell (check out my review of IS4U-FIM-PowerShell), I can wholeheartedly concur with others' recommendations that this is worthwhile!

Simplifying the Service
The Resourcemanagement-WebService is not something I have used but as one of the first beta users of the SOAP/WCF endpoint back in ILM 2 Beta 2 days I can really appreciate the notion of a simplified, Restful interface that returns JSON instead of bloated XML. Good work!

The other pieces will have to wait for another time.

Open Source: Review of PowerShell for FIM 2010

PowerShell for FIM 2010 by Adam Weigert consists of three parts but I further break the last into two:

  1. Management Agent (MA) and MetaVerse (MV) Extensions that let you run PowerShell scripts as your extensions
  2. A Workflow Activity
  3. A PowerShell module
    1. Managing Sync
    2. Managing Service

Management Agent (MA) and MetaVerse (MV) Extensions
The work done to enable you to write PowerShell scripts to be MA and MV extensions is crazy brilliant. However, I suspect (I haven't tested) that large installations should shy away from this, as compiled C# and VB.NET code tends to run orders of magnitude faster than PowerShell scripts. Perhaps someone else knows a way to make it more comparable in performance. I can see some smaller shops taking advantage of this as they don't need to worry about performance in the Sync Engine.

Workflow Activity
The workflow activity (see my review of a bunch of open source Workflow activities) was good in its time but like most has been surpassed by the excellent MIMWAL.

Managing Sync
Similar to the FIM PowerShell Module, you can get an MA's status, start it, and get the run history. It does go beyond that by allowing you to clear the run history and stop an MA. However, all of these features are covered in Ryan Newington's Lithnet-Miis-PowerShell (see my review on Lithnet). This library is good, but I recommend using the FIM PowerShell Module and Lithnet-Miis-PowerShell.

Managing Service
This library has a nice simple model for creating, updating and deleting FIM/MIM resources. It is easier to use than FIM 2010 PowerShell Cmdlets. However, the simple model doesn't add lots of intelligence to help you with creating and managing the various resource types.

This may indeed be the approach you want.

I prefer IS4U-FIM-PowerShell (check out my review of IS4U-FIM-PowerShell).

I can see how others would prefer Lithnet resourcemanagement-powershell (see my review).

Here is an incomplete example from my notes:
New-FIMResource -ObjectType 'ManagementPolicyRule' -Set @{
  DisplayName = 'Users Can Edit Preferred Names with Approval';
  Description = 'Users can edit preferred names with their managers approval which are then used to calculate their new displayname';
  PrincipalSetID = $Principalset;
  GrantRight = $True;
  ManagementPolicyRuleType = '';
  AuthwfID = $AuthWFID;
  ActionWfID = $ActionWfID;
  Disabled = $false
} -Add @{
  ActionParameter = @('PreferredLastName', 'PreferredFirstName');
  ActionType = @('', '')
} | Set-FIMResource

Open Source: Review of FIM PowerShell Module

The FIM PowerShell Module (started by Craig Martin and now updated most frequently by Brian Desmond) is a great set of commandlets that help you to automate interactions with FIM Service and FIM Sync Service.

Managing Sync
This library is great for automating tests. This library and Ryan Newington's Lithnet-Miis-PowerShell (see my review on Lithnet) are very complementary. You can retrieve CS objects and run history, and start an MA.
I found that the most interesting Sync-related cmdlets are
  • Assert-CSAttribute, which you use to do automated test checking, and
  • Create-ImportfileFromCSEntry, which you can use to take a CSEntry and make a drop file as a way to fake connections to the connected system, so you can run an export and then confirm the import.

Other cmdlets not covered by Lithnet
  • Get-FimRegistryKey
  • Get-FimSyncPath
  • Get-ImportAttributeFlow
  • Get-ExportAttributeFlow
  • Join-ImportToExportAttributeFlow
  • Get-MetaverseSchema

For documentation purposes the Get-*AttributeFlow commandlets are amazing. I can't believe I ever implemented FIM or MIM without them. You can use them to generate a view of the end-to-end flow of attributes.

I felt cool when I got to apply some code from Joe Zamora and a couple fixes of my own to solve these issues:


Brian Desmond was kind enough to perform the commits. 

Managing MIM Service
These PowerShell commandlets tend to be very robust with lots of great error checking. They are great for creating objects in the FIM/MIM Service. They do lack commandlets for updating and deleting specific objects, but that can still be handled with the New-FIMImportObject and New-FIMImportChange commandlets.
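As an added example of the update-and-delete gap just described (my illustration, not code from the FIM PowerShell Module's own docs), here is how the generic import cmdlets cover both cases. It assumes the module is loaded as FimPowerShellModule, the FIM Service is on localhost:5725, and the account name, attribute values and addresses are constructed sample data; the cmdlet parameter names are as I recall them from the module and should be checked against the installed version.

```powershell
# Added example: updating and deleting a Person with New-FimImportObject / New-FimImportChange,
# since the module has no dedicated Set-/Remove- cmdlets per object type.
Import-Module FimPowerShellModule   # assumption: module name as installed locally

$uri = 'http://localhost:5725'      # assumption: local FIM Service

# Update 1: a hashtable under -Changes becomes Replace operations on single-valued
# attributes. -AnchorPairs resolves the target by a unique attribute (constructed sample).
New-FimImportObject -ObjectType Person -State Put `
    -AnchorPairs @{ AccountName = 'jdoe' } `
    -Changes @{ DisplayName = 'Doe, Jane'; JobTitle = 'Analyst' } `
    -Uri $uri -ApplyNow

# Update 2: multi-valued attributes need explicit Add/Delete ImportChange operations,
# otherwise a Replace would overwrite the whole collection.
$changes = @(
    New-FimImportChange -AttributeName ProxyAddressCollection `
        -AttributeValue 'smtp:jane.doe@example.com' -Operation Add
    New-FimImportChange -AttributeName ProxyAddressCollection `
        -AttributeValue 'smtp:old.alias@example.com' -Operation Delete
)
New-FimImportObject -ObjectType Person -State Put `
    -AnchorPairs @{ AccountName = 'jdoe' } `
    -Changes $changes -Uri $uri -ApplyNow

# Delete: -State Delete with the same anchor. Without -ApplyNow the ImportObject is
# only returned, which is useful for reviewing the request before Import-FIMConfig runs it.
$pending = New-FimImportObject -ObjectType Person -State Delete `
    -AnchorPairs @{ AccountName = 'jdoe' } -Uri $uri
$pending | Format-List ObjectType, State, AnchorPairs
$pending | Import-FIMConfig -Uri $uri
```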

I also found that while many commandlets have a $uri parameter that should allow you to call the cmdlets against a remote installation, some of the underlying commandlets don't implement this consistently and expect a local instance of the Service.

This library provides a great foundation upon which Wim Beck built IS4U-FIM-PowerShell (check out my review of IS4U-FIM-PowerShell). I recommend that library (plus this one) or Ryan Newington's Lithnet resourcemanagement-powershell (see my review).

Wednesday, March 29, 2017

Speaking at Cloud Identity Summit 2017

I am excited to announce that I will be speaking at the Cloud Identity Summit 2017 in Chicago in June.

I will discuss How Identity Management (Employee and Consumer) affects the bottom line.


Is MIM dead? Not yet!

From time to time I hear people wonder if MIM is dead.

Why do people ask?

  • They don't feel like they have heard a good road map recently
  • They aren't seeing the improvements they hoped for
  • They aren't paying attention to the actions of the product group

Why do I say it isn't dead yet?
It is possible that the BHOLD components of MIM are dying, or at least of lesser import. The biggest evidence for this is Microsoft's partnership with SailPoint, coupled with the fact that there are no BHOLD fixes in the latest hotfix.

Update: I have been reassured by the product group that BHOLD will continue to get development for fixes and new features.