Tuesday, 13 November 2007

Microsoft IT Identity Management

Brian Phul, Microsoft IT.

This is the smallest room I have been in so far. I don't think you could get more than eighty people in here before it is standing room only, and it is mostly full. I am hoping that everyone else has got it wrong, and that listening to Microsoft IT talk about how they do Identity Management will prove informative. I am also hoping that, as a smaller, more focused session, it is less likely to feature the phrase "industry megatrends"—a phrase that grates even when I type it in (partly because it doesn't get green underlined by MS Word, let alone red underlined. The dictionary thinks that megatrend is a word!)

Core principle: "Active Directory should not be authoritative for anything." (Otherwise there is nothing against which to compare it to check that it is correct.) Everything important is synchronized into AD by MIIS from the systems that actually own the data. Group management is self-service through a portal, with the results synchronized by MIIS. The SLA for account provisioning is now four hours, and the actual time is usually much lower.
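The practical consequence of AD not being authoritative is that it can be reconciled against the system that is. The following is an added example, not something shown in the talk or taken from Microsoft IT's tooling: it treats an HR extract as the authoritative source and reports enabled AD accounts that HR does not know about. The HR extract is a constructed in-memory sample, the search base is an assumed OU, and it assumes the employee ID (the unique key mentioned later in these notes) is populated in AD's employeeID attribute.

```powershell
# Added example: reconcile enabled AD accounts against an authoritative HR extract.
# Requires the ActiveDirectory module. The OU path is an assumption.
Import-Module ActiveDirectory

function Get-UnreconciledAccount {
    param(
        # Objects with EmployeeID and Status properties, from the authoritative source
        [Parameter(Mandatory)][object[]]$HrRecords,
        [string]$SearchBase = 'OU=Staff,DC=example,DC=com'   # assumed OU
    )

    # Index active HR records by employee ID for O(1) lookup.
    $active = @{}
    foreach ($r in ($HrRecords | Where-Object { $_.Status -eq 'Active' })) {
        $active[$r.EmployeeID] = $r
    }

    # Any enabled account with no employeeID, or whose employeeID is not active in HR,
    # has no authoritative owner and should be investigated (or deprovisioned).
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties employeeID |
        Where-Object { -not $_.employeeID -or -not $active.ContainsKey($_.employeeID) } |
        Select-Object SamAccountName, employeeID,
            @{ Name = 'Finding'; Expression = {
                if ($_.employeeID) { 'Enabled in AD but not active in HR' }
                else               { 'No employeeID: account has no authoritative owner' } } }
}

# Constructed sample HR extract (not real data); replace with the real HR feed.
$hr = @(
    [pscustomobject]@{ EmployeeID = '100001'; Status = 'Active' }
    [pscustomobject]@{ EmployeeID = '100002'; Status = 'Left' }
)
Get-UnreconciledAccount -HrRecords $hr | Format-Table -AutoSize
```

Run on a schedule, the output is a list of exceptions to the principle: accounts that exist in AD without a corresponding active record in the system that owns identities. An empty list is the expected steady state when MIIS is doing its job.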

"Deprovisioning" an account does not mean deleting it. The account is disabled and moved to an OU that cannot be accessed by anyone but the Identity Management team.
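As an added example (not from the talk, and not Microsoft IT's own script), this is what that deprovisioning pattern looks like in PowerShell with the ActiveDirectory module: disable rather than delete, strip entitlements, record why, then quarantine. The quarantine OU path is an assumption; its ACL, which restricts access to the identity management team, is assumed to have been set up once on the OU rather than per account.

```powershell
# Added example: disable-and-quarantine deprovisioning instead of deletion.
# Requires the ActiveDirectory module. The OU path is an assumption.
Import-Module ActiveDirectory

function Invoke-AccountDeprovision {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$QuarantineOU = 'OU=Deprovisioned,OU=Quarantine,DC=example,DC=com',  # assumed
        [string]$Reason = 'Leaver'
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    # 1. Disable, don't delete: the SID, audit trail and mailbox links survive,
    #    and a mistaken deprovision can simply be re-enabled.
    Disable-ADAccount -Identity $user

    # 2. Remove group memberships so the disabled object carries no residual
    #    entitlements if it is ever re-enabled by accident. The primary group
    #    (Domain Users) cannot be removed this way and is left in place.
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # 3. Record who deprovisioned the account, when, and why, on the object itself.
    $stamp = "Deprovisioned $(Get-Date -Format s) by $env:USERNAME ($Reason)"
    Set-ADUser -Identity $user -Description $stamp

    # 4. Move it last, because the DN changes on move. Access to the quarantine
    #    OU is governed by that OU's ACL, not by anything done here.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $QuarantineOU

    # Return the post-state so the caller (or a ticket) can record it.
    Get-ADUser -Identity $SamAccountName -Properties Description |
        Select-Object SamAccountName, Enabled, DistinguishedName, Description
}

# Usage: Invoke-AccountDeprovision -SamAccountName 'jdoe' -Reason 'HR leaver feed'
```

The ordering matters: group removal and the description stamp use the object before it moves, and the final lookup is by SamAccountName rather than DN so it still resolves after the move.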

Active Directory is the publishing mechanism for various other directories. Telephone numbers, for example, are owned by "Real Estate and Facilities", who provide the identity management team with up-to-date data from a SQL database; that data is then published to Active Directory via MIIS.

They don't support role-based access; they leave it to individuals to decide (for example) what security groups they want and who they want to put in them. Unfortunately, that doesn't help us—I can't imagine us telling an academic to use a portal to create a security group to lock down some workspace on the university network…

Employee ID is the unique key for all employees and they are never recycled—huh. I will forever be 43658 ☺

It would be interesting for us, in UIM, to determine what our principles ought to be. I wonder if their "principles" are published anywhere…? Apparently not, but he did point me at: www.Microsoft.com/itshowcase so there may be something there to help us to develop our own principles…
