This article is based on a prerelease version of Microsoft Identity Lifecycle Manager "2." All information is subject to change.

Identity Management

An Introduction to Identity Lifecycle Manager 2

Aung Oo


At a Glance:

  • The new portal experience
  • Self-service tools
  • Business process management
  • Codeless provisioning



The new release of Microsoft Identity Lifecycle Manager "2" (or ILM "2"), which is in beta 3 at the time of writing this article, builds upon the identity management capabilities found in Microsoft Identity Integration Server 2003 (MIIS 2003) and ILM 2007. It offers many new features and enhancements—you can cut costs with self-service tools, increase security compliance with business process modeling, and reduce development time with intuitive development tools.

In this article, I want to showcase key new features and enhancements and discuss the benefits ILM "2" can bring to your organization. In particular, I will discuss the ILM "2" portal experience in managing user profiles and groups, self-service password management, business process and workflow design, integration with Microsoft Office, and the ability to develop synchronization rules without using code (known as codeless provisioning). Last, but not least, I will cover the software, hardware, and tentative licensing requirements for implementing ILM "2."

Portal Experience

The Web portal is one of the most notable features added to ILM "2," as this is the first time Microsoft has included a UI for end users to perform self-service functions. The Web interface provides an entry point for authorized users and administrators to manage users and groups, define business rules, and even set up codeless provisioning of accounts.

ILM "2" makes use of Windows Integrated Authentication with Active Directory so organizations can use existing users and groups already defined in Active Directory to provide authentication and authorization to new users. Those with administrative privileges can perform administrative functions, such as defining workflows for processes and configuring synchronization rules, as well as the tasks that end users can perform.

The Administrator

If you log into the portal and you have administrative privileges, you'll have access to more features than standard users (see Figure 1). You can view and update existing records, as well as request accounts for new employees in the connected directory.


Figure 1 The ILM “2” portal

When setting up a new user with the portal, you can submit such user details as name, display name, e-mail address, start date, end date, and the like. The fields on the page can be configured as necessary. Using object visualizations, you can extend the schema of the portal to request almost any kind of data, such as the employee's shoe size.

The synchronization engine detects new records and changes made from the portal and provisions user information in the connected directory accordingly. The process of provisioning accounts in connected directories using the synchronization engine follows the same process as in ILM 2007. The key change here is that administrators can enter and update employee information via the portal, and the portal then feeds the synchronization engine, offering a more flexible way to gather and update user information in connected directories.

Human resources databases often do not contain contractors and temporary workers, such as student interns, making it difficult to manage these accounts. And these accounts are often created manually in various applications, making it easy to forget to then manually delete the accounts when necessary. This creates a potential for security holes, where accounts remain active after a user has left the organization.

One approach is to use the ILM "2" portal to provision and track profiles for temporary workers. The HR database remains the authoritative source for employee and contractor records, while the portal simply complements the HR database as another way to enter and update profiles.

For the Standard User

The portal also puts some of the power in the hands of standard users. Users can update a subset of their information and the information is then pushed out to connected directories, again using the ILM "2" synchronization engine. You, the administrator, can configure which attributes users can update and you can validate the format of the information that users enter into the fields. This approach can help to keep data more current in various data sources.

This is in stark contrast to the ungainly methods used today. In order to allow users to update their own information, many organizations rely on third-party phone book solutions or build their own solutions internally. Other organizations require users to actually call the help desk or submit paperwork to update information.

There are some serious disadvantages to both of these approaches. Third-party applications and custom in-house solutions can be very expensive and difficult to maintain. And the updated information contained in one of these solutions generally doesn't use a synchronization engine to then update other connected directories. Meanwhile, having users call the help desk to update information can greatly increase IT support costs and tie up support personnel with relatively trivial tasks.

For Group Management

Administrators can now provision security groups and distribution lists with memberships in connected directories by defining queries to classify memberships based on user attribute values or by name. All operations can be done using the simple Web-based UI. Provisioning groups by explicitly adding users is straightforward, but more complex scenarios are supported.

You can provision groups with calculated memberships, creating groups that are based on reporting relationship and specific attributes. This is done by defining a workflow action. For instance, the administrator can define a query to group all users within the marketing department, assigning a value of "marketing" in the group name (All Users in Marketing). The ILM "2" synchronization engine imports the group according to the definition and provisions groups in the connected directory. Complex queries can be developed quite easily using Boolean logic to look up multiple attributes.
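The following added example (not part of the original article and not ILM code) models a calculated-membership query with Boolean logic and checks whether its criteria depend on attributes that users can edit themselves through the portal, as described under "For the Standard User." The criteria format, attribute names, and sample users are constructed for illustration.

```python
# Constructed sample directory; attribute names and values are illustrative.
USERS = [
    {"name": "alice", "department": "Marketing", "title": "Manager"},
    {"name": "bob", "department": "marketing", "title": "Analyst"},
    {"name": "carol", "department": "Finance", "title": "Analyst"},
]
# Assumption: attributes the administrator lets users update on their own profile.
SELF_EDITABLE = {"title", "mobile"}

# A criterion is ("eq", attr, value), ("and", c1, c2, ...), ("or", ...) or ("not", c).
def matches(user, crit):
    op = crit[0]
    if op == "eq":
        return str(user.get(crit[1], "")).casefold() == crit[2].casefold()
    if op == "and":
        return all(matches(user, c) for c in crit[1:])
    if op == "or":
        return any(matches(user, c) for c in crit[1:])
    if op == "not":
        return not matches(user, crit[1])
    raise ValueError(f"unknown operator {op!r}")

def members(crit):
    """Names of the users the query places in the group."""
    return sorted(u["name"] for u in USERS if matches(u, crit))

def attributes_used(crit):
    """Every attribute the criteria tree reads."""
    if crit[0] == "eq":
        return {crit[1]}
    return set().union(*(attributes_used(c) for c in crit[1:]))

def self_join_risk(crit):
    """Attributes a user could edit to change their own membership."""
    return sorted(attributes_used(crit) & SELF_EDITABLE)

ALL_MARKETING = ("eq", "department", "marketing")
MARKETING_LEADS = ("and", ALL_MARKETING, ("not", ("eq", "title", "analyst")))
```

A non-empty `self_join_risk` result on a security group means membership, and whatever access the group grants, follows a field the user controls; such criteria are better built on attributes fed from the authoritative source.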

End users can also create a distribution list and add or remove themselves from the list through the portal. The approval logic of the workflow can be incorporated so that only approved distribution lists or authorized users can join the list.

Previous versions of ILM let you manage groups through the Web interface, but this required a separate download—it was included as a part of the provisioning and workflow section of the Microsoft Identity and Access Management Series. That solution was only for administrators and did not allow end users to join and leave assigned groups.

There are also administrative functions that you can perform on the Web portal. Some of the notable administrative capabilities include:

  • Prioritizing the type of objects being provisioned to a connected directory. (This allows you to ensure that certain objects do not have to wait the entire synchronization cycle to get provisioned.)
  • Modifying the schema of the user profiles page. (The schema of the page for collecting user information can be extended to incorporate fields that are specific to your organization's requirements.)
  • Updating user account status.
  • Modifying how the site looks and functions. (This allows you to customize the portal to accommodate your organization's standards.)

Self-Service Password Management

Another key feature that is new in ILM "2" is the self-service password management solution. The two password management solutions available in ILM 2007 (a Web-based solution and the Password Change Notification Service) offer limited self-service capabilities. Both require that the user input his old password to reset his password; thus they are quite useless when it comes to a forgotten password—in that situation, the user would need to call the help desk.

ILM "2" addresses this by allowing users to reset their passwords using challenge-response questions, which can be accessed from the Windows logon UI. This, obviously, can help reduce help desk costs.

Once the password management application is deployed and a user logs on for the first time, a screen will pop up, requesting that the user answer a set of questions (what was your first car, in what city were you born, and the like). The password reset dialog is shown in Figure 2.


Figure 2 The password reset screen

The administrator can specify the type and number of questions to be used. He can also specify the number of gates (each gate contains a set of questions). In addition, the administrator can configure the number of questions that the user must be able to answer to be able to reset the password or move on to the next gate.

To provide the appropriate level of security, you can tie the number of gates and questions the user must correctly answer to Active Directory security groups. For instance, users in the executive security group may need to go through three gates and must answer all questions at each gate correctly. Users in the marketing security group, on the other hand, may only need to go through one gate and answer two out of three questions. And if you do not want to give users the ability to reset passwords from the Windows logon, there is an option to provide a Web UI for resetting passwords.
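As an added illustration (not from the original article and not ILM code), the sketch below models the gate policy just described: each security group maps to an ordered list of gates, and each gate requires a minimum number of correct answers. The policy layout, the question ids, the salted PBKDF2 storage of answers, and the rule that a user in several groups gets the policy with the most gates are all assumptions of this example.

```python
import hashlib, hmac, os
from dataclasses import dataclass

def _digest(answer: str, salt: bytes) -> bytes:
    # Normalize case and whitespace, then stretch so stored answers resist guessing.
    norm = " ".join(answer.lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 50_000)

@dataclass
class Gate:
    questions: list   # question ids presented at this gate
    required: int     # correct answers needed to pass it

# Constructed policy mirroring the article's example: AD group -> ordered gates.
POLICY = {
    "Executives": [Gate(["q1", "q2"], 2), Gate(["q3", "q4"], 2), Gate(["q5", "q6"], 2)],
    "Marketing": [Gate(["q1", "q2", "q3"], 2)],
}

def enroll(answers: dict) -> dict:
    """Keep only a salt and digest per question, never the plaintext answer."""
    enrolled = {}
    for qid, answer in answers.items():
        salt = os.urandom(16)
        enrolled[qid] = (salt, _digest(answer, salt))
    return enrolled

def gates_for(groups: list) -> list:
    """Assumption: a user in several groups gets the policy with the most gates."""
    candidates = [POLICY[g] for g in groups if g in POLICY]
    if not candidates:
        raise PermissionError("no reset policy applies to this user")
    return max(candidates, key=len)

def may_reset(groups: list, enrolled: dict, responses: dict) -> bool:
    for gate in gates_for(groups):
        correct = 0
        for qid in gate.questions:
            if qid not in enrolled or qid not in responses:
                continue                      # unanswered or unregistered: counts as wrong
            salt, stored = enrolled[qid]
            given = _digest(responses[qid], salt)
            correct += hmac.compare_digest(given, stored)
        if correct < gate.required:
            return False                      # stop at the first failed gate
    return True
```

A user who matches no configured group is refused rather than given a default policy, so the weakest gate set never applies by accident.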

Office Integration

ILM "2" Office integration allows users to manage group membership from within Microsoft Office Outlook, as shown in Figure 3. This provides a familiar way to access common tasks, such as joining and leaving distribution lists, as well as adding and removing other users from the group (this requires Outlook 2007 or later).


Figure 3 Integration with Outlook

A user can select Join group, browse the global address list, select the groups she wants to join, or remove herself from group membership, and then just send the request. The owner of the distribution list receives the request via e-mail and can approve or deny that request from within Outlook. If the group owner approves the request, the ILM synchronization engine is triggered to complete the process.

Business Process Management

Business process and workflow management are fundamental to all key scenarios in ILM "2." Happily, business process and workflow logic can be tailored to your particular organization's requirements. For example, you can specify to have certain events in the system trigger a series of automated steps, known as processes (see Figure 4).


Figure 4 Configuring workflow processes

An administrator can associate an event with one of the three process types: Authentication, Authorization, and Action. For example, selecting the Authorization process type will allow the owner to approve all requests to join or leave the group. When selecting the Authorization workflow, you can also define the names of approvers, the number of approvers, and the number of days for which the approval is valid.

Complex workflows can be defined so that all delete operations performed to groups must be approved by administrators and require users to authenticate against a challenge-and-response authentication process. All users, including administrators, must go through the authentication process by answering questions that they have registered during the initial registration period to validate their identity.

Once the authentication process is done, the request for the group deletion is sent to the approver for authorization. The authorization process confirms the user's permission to request the operation. Finally, the approver approves the request and ILM carries out the delete operation.
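The group-deletion flow above, sketched as an added example (not from the original article and not the ILM API): a request runs the Authentication process, then the Authorization process, and only then the Action, with an audit entry per step. The class and function names are hypothetical, and two details are assumptions of this sketch: a requester cannot approve their own request, and the validity period is counted from the time the request was created.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Rule:                      # the authorization settings the article names
    approvers: frozenset         # names of approvers
    needed: int                  # number of approvers required
    valid_days: int              # days for which the approval is valid

@dataclass
class Request:
    requester: str
    operation: str
    target: str
    created: datetime
    challenge_passed: bool = False                  # result of challenge-response
    approvals: dict = field(default_factory=dict)   # approver -> approval time
    audit: list = field(default_factory=list)

def authenticate(req, rule, now):
    # Every requester, administrators included, must have passed the challenge.
    return req.challenge_passed

def authorize(req, rule, now):
    deadline = req.created + timedelta(days=rule.valid_days)
    valid = [a for a, t in req.approvals.items()
             if a in rule.approvers and a != req.requester and t <= deadline]
    return now <= deadline and len(valid) >= rule.needed

def process(req, rule, now, action):
    """Run Authentication, then Authorization; perform the Action only if both pass."""
    for name, step in (("Authentication", authenticate), ("Authorization", authorize)):
        passed = step(req, rule, now)
        req.audit.append((name, "pass" if passed else "fail"))
        if not passed:
            return f"denied:{name}"
    action(req.target)
    req.audit.append(("Action", "done"))
    return "completed"
```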

The ability to design a complex workflow using the built-in tool is a significant addition to ILM; previously, a solution like this required the Single-Step Provisioning Workflow in the MIIS resource tool kit or a third-party solution. Today, Web service APIs are also available so you can go a step further to customize your own workflows and integrate them with ILM "2."

Codeless Provisioning

Codeless provisioning allows IT professionals to perform most of the tasks that previously required code development. ILM 2007 required you to use Microsoft Visual Studio to develop rule extensions and provisioning code to transform attributes and objects in the connected directory.

From the Web UI, you can define the type of objects, filter rules, provisioning condition, object relationships between the metaverse and connector space, deletion rule, and data flow. All the data flow mapping that is defined in the management agent designer is displayed, allowing you to edit the mapping to concatenate and format the attribute flow in both inbound and outbound flows. And if you prefer coding, you can still develop extension and provisioning rules for ILM "2."

Wrapping Up

ILM "2" offers a range of new features that can help simplify management and reduce help desk costs. From a new portal and greatly needed self-service features to codeless provisioning, both administrators and end users will benefit from new features that simplify tasks and help users to be more productive. And there are other compelling improvements, such as the enhanced Certificate LifeCycle Management feature plus the extended connectivity and extensibility enabled by increased management agents.

ILM "2" is scheduled to be available in the first half of 2009. You can find more information at Microsoft's Identity Lifecycle Manager "2" website.

Aung Oo is an identity management subject matter expert within Microsoft Consulting Services. Aung has been designing, developing, and deploying enterprise directory and identity management solutions for both commercial and government customers since the first release of Microsoft Identity Management.