Forefront Identity Manager 2010 R2 Overview

FIM is a service that runs on Windows Server® 2008 operating system. With FIM, you can store and coordinate identity information from multiple connected data sources within an organization. FIM enables you to combine that information into a single logical view that represents all of the identity information for a given user or resource.

FIM Synchronization Service and Identity Management

With FIM, you can manage identity information by centralizing identity information, synchronizing identity information, managing ownership of identity information, creating new objects, and synchronizing passwords across different connected data sources.

Centralizing identity information

In most organizations, identity information exists in many different connected data sources, which can result in duplicated information, incompatible data formats, and administrative overhead, and which requires administrators to have access to multiple connected data sources.

To solve the problems that result from identity data residing in multiple data sources, FIM can combine all of the data pertaining to a specific person or resource in the metadirectory, thereby creating a single object that contains some or all of the identity information from each connected data source.

The following illustration shows how FIM combines data from different data sources into a single object.

[Illustration: Data sync]

Synchronizing identity information

Typically, an organization stores identity information in different connected data sources. When a user makes a change to data in one data source, that change is not automatically made in the other data sources. To reflect the change throughout the organization, administrators typically have to update each separate data source manually. Identity information that is not managed centrally drifts out of sync, so the organization ends up with inconsistent identity information.

To resolve problems that result from unsynchronized identity information, you can use FIM to do the following:

  • Detect any change to identity information in different connected data sources, regardless of where the change originates.

  • Automatically propagate changes to identity information, including additions and deletions, to all connected data sources.

In the following illustration, the user modifies the Title attribute in DataSource1, which is then modified in the metadirectory. The new value for Title is then synchronized with the other data sources.

[Illustration: Data modification]

Managing ownership of identity information

Different directories often contain conflicting identity information about the same person or resource. In addition, the department or Information Technology (IT) group that owns and manages the data in a specific connected data source typically believes that their data is authoritative when compared to similar data that resides in a different connected data source. In these cases, data owners are often reluctant to relinquish control of their identity information.

To resolve problems that result from conflicting identity information, you can use FIM to do the following:

  • Determine the specific identity information from each connected data source that you want to import into the metadirectory.

  • Establish rules to determine which connected data source contains the authoritative value (that is, attribute flow precedence) for a specific attribute of an object and have the metadirectory update the other connected data sources with that authoritative value.

In the following illustration, the Phone attribute from DataSource1 has precedence. When DataSource2 attempts to update the Phone attribute, it fails.

[Illustration: Attribute precedence]

Creating new objects

When a new user is added to an organization, an account is created in the primary human resources data source. To synchronize this new account data with other data sources in the enterprise, new accounts must also be added to the other data sources.

To resolve the problem of creating multiple new accounts, FIM uses provisioning to propagate the new user data to the other data sources, which can then create the new accounts.

In the following illustration, the User object from DataSource1 is created in the metaverse and then provisioned to DataSource2 and DataSource3.

[Illustration: Provisioning]
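To make the synchronization, attribute flow precedence and provisioning behaviour of the last three sections concrete, here is a small Python model added for this overview; it is not FIM's own API or data model. Each connected data source gets a connector-space partition, the metaverse records which source contributed each attribute, a lower-precedence source cannot overwrite a value contributed by a higher-precedence source, and an object that does not yet exist in a partition is provisioned there on outbound flow. The data source names, the precedence table and the employee key E1001 are constructed for the example.

```python
# Toy model of the FIM concepts in this overview: connector-space partitions, a
# metaverse, attribute flow precedence, propagation and provisioning.
# Constructed for illustration; it is not FIM's own API or data model.

# Precedence per metaverse attribute: lower index = more authoritative source.
# Attributes not listed are accepted from whichever source writes them first.
PRECEDENCE = {
    "Phone": ["DataSource1", "DataSource2", "DataSource3"],
    "Title": ["DataSource2", "DataSource1", "DataSource3"],
}


class Metadirectory:
    def __init__(self, sources):
        self.connector_space = {s: {} for s in sources}  # one partition per source
        self.pending = {s: {} for s in sources}          # staged, not yet synchronized
        self.metaverse = {}  # key -> {attr: (value, contributing_source)}
        self.log = []

    def rank(self, attr, source):
        order = PRECEDENCE.get(attr, [])
        return order.index(source) if source in order else len(order)

    def import_object(self, source, key, attrs):
        """Stage an object or an attribute change in the source's partition."""
        self.connector_space[source].setdefault(key, {}).update(attrs)
        self.pending[source].setdefault(key, set()).update(attrs)

    def synchronize(self, source, key):
        """Inbound flow into the metaverse (precedence enforced), then outbound
        flow of the authoritative values to every partition, provisioning the
        object where it does not exist yet. Returns the metaverse view."""
        mv = self.metaverse.setdefault(key, {})
        staged = self.connector_space[source][key]
        for attr in self.pending[source].pop(key, set()):
            current = mv.get(attr)
            if current and self.rank(attr, source) > self.rank(attr, current[1]):
                self.log.append(f"{source}: {attr} not flowed, {current[1]} has precedence")
                continue
            mv[attr] = (staged[attr], source)
        authoritative = {a: v for a, (v, _) in mv.items()}
        for other, partition in self.connector_space.items():
            if key not in partition:
                self.log.append(f"{other}: provisioned {key}")
            # A rejected value is overwritten here too, so the originating
            # source's update "fails" as in the precedence illustration.
            partition.setdefault(key, {}).update(authoritative)
        return authoritative
```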

Synchronizing passwords

In an enterprise environment with multiple data sources, users might have multiple accounts. This can result in the user having to remember different passwords for each account, and the administrator having to individually set or change passwords on multiple data sources.

To resolve the problem of managing passwords, you can use FIM password management applications to do the following:

  • Reduce the number of different passwords users have to remember.

  • Allow users to reset their own passwords.

  • Simultaneously set or change passwords in multiple accounts to the same password.

FIM Synchronization Service Components

The overall metadirectory environment encompasses data sources, data and configuration storage areas, and processing rules. This section describes the primary components of the metadirectory environment and their relationships to each other.

The following illustration shows how the components work together to flow data from one data source to multiple data sources.

[Illustration: Components]

SQL Server 2008 database

FIM uses SQL Server as its primary data store. The database can be indexed for faster searches, and SQL Server has its own set of monitoring and maintenance tools. FIM stores in the SQL Server database all of the critical data that you need to restore your metadirectory environment in the event of a system failure. For more information about SQL Server, see The Role of Microsoft SQL Server.

Metadirectory

The FIM metadirectory consists of the following two components:

  • Metaverse—The metaverse is a set of tables within the FIM database that contain the integrated identity information from multiple connected data sources. All identity information about a specific person that is stored in multiple connected data sources is synthesized into a single object in the metaverse.

  • Connector space—The connector space is a storage area, or staging area, that management agents use to move data into and out of a connected data source. Each connected data source has its own logical area, or partition, in the connector space. The connector space is a representation of the related connected data source, where each object in the connected data source has a corresponding entry in the connector space. Data in the connector space is synchronized with data in the metaverse.

For more information about the connector space and the metaverse, see The Metaverse and the Connector Space.

Connected data sources

A connected data source is a directory, database, or other data repository that contains data that you want to integrate in the metaverse. Connected data sources can be enterprise directories, mail directories, human resources databases, or data in flat files, such as LDIF or delimited text files.

Management agents

A management agent connects a specific connected data source to the metadirectory. It is responsible for moving data from the connected data source to the connector space, and then determining which data in the connector space is synchronized with the metaverse. When data in the metadirectory is modified, the management agent can export the data to the connected data source to keep it synchronized with the metaverse. For more information about connected data sources and management agents, see Connected Data Sources and Management Agents.

Rules

Management agents use a set of rules to determine if and how objects in the connector space are synchronized with the metaverse. These rules determine how metaverse objects are created or linked to, how connector space objects are handled after a deletion, and how attributes of a connector space object are synchronized with a metaverse object. For more information about management agent rules, see Understanding Management Agent Rules. The metaverse also uses a set of rules to determine how changes to metaverse objects are pushed out to the connector space, and how metaverse objects are handled after they are deleted. For more information about metaverse rules, see Understanding Metaverse Rules.

Synchronization Service Manager

Synchronization Service Manager is the administrative interface for FIM. In Synchronization Service Manager, you can create and run management agents, view server status and statistics, configure the metaverse, import and export configurations, and perform other administrative tasks. For more information, see Synchronization Service Manager.