Microsoft's Identity Life Cycle Management Strategy And Roadmap Part 3: ILM "2"

Identity Lifecycle Manager “2” builds on Identity Lifecycle Manager 2007 to provide solutions for management of users, credentials, access, and policies that automate identity lifecycle tasks and balance the load between IT professionals, developers, and information workers. IT will be able to put controls in place that will enable them to securely delegate management of common user requests back to the end users. The end users will have self-service tools integrated in Office and Windows that will allow them to do things like reset their own passwords and manage membership to groups and distribution lists without calling the help desk.

The foundation of the ILM “2” solutions is the metadirectory and extensibility found in ILM 2007. ILM “2” takes this a step further by integrating workflow built on Workflow Foundation (WF), enabling delegation, approvals, notifications, and exceptions to be built into identity lifecycle processes. Furthermore, the extensibility in ILM 2007 is greatly enhanced through the addition of web services extensibility based on Windows Communication Foundation (WCF) in ILM “2.”

Highlights of ILM “2” include:

- Self-service tools for group management, profile management, password reset integrated with Microsoft Office and Windows

- Customizable workflow designer that enables modeling of business processes around approvals, delegations, and escalations

- GUI-based solutions for IT and help desk to manage users, multiple credentials, access through groups and roles, and policy

- Report builder and SQL Server Reporting Services integration for identity life cycle notification and reporting

- Integration with Microsoft Systems Management Server for asset and software management, and Microsoft Operations Manager for health monitoring

- Rich platform and standards-based Web services extensibility using Visual Studio, Workflow Foundation (WF), and .NET Framework



ILM "2" Solution Areas

ILM “2” consists of four solution areas – user management, credential management, access management, and policy management.

User Management

ILM 2 will deliver GUI-based tools for user management and self-service across the enterprise without the need for custom coding of business rules or recoding of the target systems. These automated and centralized user management tools include:

- Provisioning override features to accommodate exceptions

- Broad range of connectors including Active Directory, Novell, Sun, IBM, RACF, Top Secret, ACF/2, Lotus Notes, Microsoft Exchange Server, Oracle databases, Microsoft SQL Server databases and SAP HR

- Workflow and exception request tracking and reporting for compliance

- Integrated white pages

- User profile self-service management

Self-Service Credential Management

ILM 2 enables users to change and reset their own passwords and smart card PINs from the Windows desktop login, and enables the help desk to reset them from a single location. With self-service password reset integrated into the Windows logon, self-service will be the preferred alternative to calling the help desk.

Integrated Access Management

ILM 2 provides self-service group and distribution list management, integrated through Office, to enable information workers to manage their access requests using the collaboration tools they are already familiar with, enhancing productivity and minimizing additional training. ILM 2 will also provide a framework that is flexible enough to be used for role-based management of identities and access.

Policy Management

As part of the ILM 2 release, Microsoft will deliver an intuitive user interface that enables system architects, IT administrators and information workers to create rules governing users and groups using natural language descriptors and easy-to-use menu-driven controls.

The policy management tools will also enable business owners and IT to report on the events and business rules processed by ILM 2, and to act on that information in an automated manner. This provides a view into the state of compliance as well as a mechanism to enforce the business rules that support compliance.


ILM "2" Business Process Alignment

These next screenshots show some of the most powerful features of ILM "2".

This first one shows how self-service will be integrated into Office and Windows. The first screen shot is of an email in progress where you can see the My Groups menu has been added to the Outlook 2007 ribbon. From the Office ribbon, you can do things like add and remove members, and view and manage groups you own or are a member of. In addition, you will be able to request and approve group membership through Outlook, including bulk approvals.


The second screen shot shows how the self-service password/PIN reset will be integrated into the Windows Vista credential provider. When you log on or press Ctrl+Alt+Del, there will be an additional option to reset your password or PIN. There will also be tools for registering your secret questions and answers that will enable you to do a self-service reset. We are also looking at additional self-service methods (or gates) beyond question and answer, such as using your smart card PIN to reset your password, as well as providing the extensibility to build additional self-service reset methods/gates.
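The question-and-answer gate described above, as an added example that is not ILM "2" code: a gate that stores only salted hashes of normalized answers, requires a configurable number of correct answers out of those registered, and locks itself after repeated failures so the reset path cannot be used for online guessing. The class and function names, the PBKDF2 parameters and the attempt limit are assumptions; the page does not say how ILM stores or checks registered answers.

```python
"""Self-service password-reset gate based on secret questions and answers.

Added example, not ILM "2" code. Everything here (class names, the hash
parameters, the three-attempt lockout) is an assumption used to show what a
safely implemented question-and-answer gate has to do.
"""
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ITERATIONS = 100_000   # assumed work factor; answers are low-entropy


def normalize(answer: str) -> str:
    """Fold case and whitespace so 'Main St.' and ' main st. ' match.

    Normalization happens before hashing, so the stored digest still never
    reveals the answer itself.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


class QuestionAnswerGate:
    """One user's registered gate: M questions, at least `required` correct.

    A different gate type (for example a smart card PIN gate) would expose
    the same register/verify shape; that interface is assumed, not ILM's.
    """

    def __init__(self, required: int, max_attempts: int = 3):
        self.required = required
        self.max_attempts = max_attempts
        self.registered = {}      # question -> (salt, digest)
        self.failures = 0
        self.locked = False

    def register(self, answers: dict) -> None:
        if len(answers) < self.required:
            raise ValueError("fewer answers registered than the gate requires")
        for question, answer in answers.items():
            salt = os.urandom(16)                      # per-answer salt
            self.registered[question] = (salt, hash_answer(answer, salt))

    def verify(self, answers: dict) -> bool:
        """Return True only if enough answers match; count every attempt."""
        if self.locked:
            return False
        correct = 0
        for question, (salt, digest) in self.registered.items():
            given = answers.get(question, "")
            # Always hash and compare in constant time, so a missing or
            # wrong answer takes the same code path as a correct one.
            if hmac.compare_digest(hash_answer(given, salt), digest):
                correct += 1
        if correct >= self.required:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            # Locked until the help desk intervenes: the reset gate must not
            # be a cheaper way to guess than the password itself.
            self.locked = True
        return False


if __name__ == "__main__":
    # Constructed sample registration, not real user data.
    gate = QuestionAnswerGate(required=2)
    gate.register({"first pet": "Rex", "street": "Main St.", "city": "Redmond"})
    print(gate.verify({"first pet": "rex", "street": " main st. ", "city": "?"}))
```

The answers to secret questions are effectively a second, weaker password, which is why the example hashes them with a salt and a work factor, compares in constant time, and counts failures against a lockout rather than letting the caller retry freely.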



This next screen shot shows the beginning of the creation of an approval process. ILM “2” will include the ability to use a wizard to create workflow processes. In this case you can see an approval is being created. You can select the approvers for a particular workflow based on group membership or other attributes. In this case, we will be seeking approval from the group IDM Governance. You can also set an expiration date on the approval and any escalation path required post-approval.

One very powerful feature of the customizable workflow designer in ILM “2” is the fact that you can reuse workflows for different processes, so you don’t have to recreate a workflow every time you have a new approval process.
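The approval process described above, as an added example that is not ILM "2" code: one reusable workflow definition (approver group, expiration, escalation group) applied to two unrelated requests. Approvers are resolved from group membership at decision time rather than copied when the request is created, the requester can never approve their own request, and when the deadline passes the request escalates once to a second group and then expires. The in-memory group table, the class names, and the reading of the escalation path as "what happens when the approval deadline passes" are assumptions.

```python
"""Reusable approval workflow with expiration and escalation.

Added example, not ILM "2" code. The GROUPS table, the class names and the
timings are assumptions used to model the wizard settings described above.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed directory: group name -> members. ILM would resolve this from
# the metadirectory; here it is a plain dict.
GROUPS = {
    "IDM Governance": {"alice", "bob"},
    "IDM Governance Leads": {"carol"},
}


@dataclass
class ApprovalWorkflow:
    """A definition that any request type can reuse."""
    approver_group: str
    expires_after: timedelta
    escalate_to: Optional[str] = None   # group that takes over after expiry


@dataclass
class ApprovalRequest:
    subject: str                     # e.g. "add dave to Finance-DL"
    requester: str
    workflow: ApprovalWorkflow
    created: datetime
    current_group: str = ""
    deadline: Optional[datetime] = None
    state: str = "pending"           # pending | approved | rejected | expired
    decided_by: Optional[str] = None

    def __post_init__(self):
        self.current_group = self.workflow.approver_group
        self.deadline = self.created + self.workflow.expires_after

    def approvers(self) -> set:
        # Resolved on every call: someone removed from the group loses the
        # right to approve immediately, and the requester is never eligible.
        return GROUPS.get(self.current_group, set()) - {self.requester}

    def tick(self, now: datetime) -> str:
        """Advance the clock: escalate once when overdue, then expire."""
        if self.state == "pending" and now >= self.deadline:
            wf = self.workflow
            if wf.escalate_to and self.current_group != wf.escalate_to:
                self.current_group = wf.escalate_to
                self.deadline = now + wf.expires_after
            else:
                self.state = "expired"
        return self.state

    def decide(self, user: str, approve: bool, now: datetime) -> str:
        self.tick(now)
        if self.state != "pending":
            return self.state                       # too late to decide
        if user not in self.approvers():
            raise PermissionError(
                f"{user} is not an approver in {self.current_group}")
        self.state = "approved" if approve else "rejected"
        self.decided_by = user
        return self.state


if __name__ == "__main__":
    # Constructed scenario: the same workflow serves two different requests.
    governance = ApprovalWorkflow("IDM Governance", timedelta(days=2),
                                  escalate_to="IDM Governance Leads")
    t0 = datetime(2008, 1, 1)
    dl = ApprovalRequest("add dave to Finance-DL", "alice", governance, t0)
    print(dl.approvers())                                   # {'bob'}
    print(dl.decide("bob", True, t0 + timedelta(hours=4)))  # approved
    pin = ApprovalRequest("reset smart card PIN", "bob", governance, t0)
    print(pin.tick(t0 + timedelta(days=5)), pin.current_group)
    print(pin.tick(t0 + timedelta(days=8)))                 # expired
```

Keeping the approver set a live lookup rather than a snapshot is the detail worth copying: an approval that was routed to "whoever was in IDM Governance last week" is exactly the kind of stale delegation that audit reviews turn up.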



In order to ensure that you can customize ILM “2” to your organization’s needs, we are building in extensibility on a number of levels. Here you can see the beginning of a new workflow based on Workflow Foundation (WF). You will be able to use Visual Studio to develop and customize workflows as necessary.




So as you can see ILM "2" will take Identity and Access Management to the next generation. I hope you enjoyed the series. Stay tuned for some exciting announcements regarding the ILM "2" beta program!