1 / 47

Account Provisioning Using MIIS 2003

duman
Télécharger la présentation

Account Provisioning Using MIIS 2003

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. 1 Good morning! My name is George Bryan and I am the (hold on - look at badge) project lead for the Active Directory Service. I am accompanied by Mike Kanofsky who is the Technology Expert for AD. The Active Directory Service at UF is affectionately known as UFAD (the Open-Systems group I am sure has other names for us. Just kidding!) and is under the auspices of the Bridges project at UF. Keep in mind, Mike is the Expert, it says so in his title, so if you have a question do not hesitate to ask HIM. Since there is no Expert in my title I have an excuse should I not be able to answer your question adequately. We are honored to be here today and will be presenting an Account provisioning solution using MIIS 2003. We will be covering design elements that went into our use of MIIS as well as other pertinent topics which influenced our design and use of the product. It it our intention to present things we found interesting and would be of interest to those attending. We understand there are a myriad of account provisioning solutions and I am sure all of them are well suited. We think what we have is pretty special and are pleased to present our findings today. As you know, There are many paths to the top of the mount Rainier but once the top is reached the view is the same. Unfortunately Mike and I are still trying to reach the top. My hats off to those of you who have made it. If you could be so kind as to send a little help back for those of us still struggling. Good morning! My name is George Bryan and I am the (hold on - look at badge) project lead for the Active Directory Service. I am accompanied by Mike Kanofsky who is the Technology Expert for AD. The Active Directory Service at UF is affectionately known as UFAD (the Open-Systems group I am sure has other names for us. Just kidding!) and is under the auspices of the Bridges project at UF. Keep in mind, Mike is the Expert, it says so in his title, so if you have a question do not hesitate to ask HIM. Since there is no Expert in my title I have an excuse should I not be able to answer your question adequately. We are honored to be here today and will be presenting an Account provisioning solution using MIIS 2003. We will be covering design elements that went into our use of MIIS as well as other pertinent topics which influenced our design and use of the product. It it our intention to present things we found interesting and would be of interest to those attending. We understand there are a myriad of account provisioning solutions and I am sure all of them are well suited. We think what we have is pretty special and are pleased to present our findings today. As you know, There are many paths to the top of the mount Rainier but once the top is reached the view is the same. Unfortunately Mike and I are still trying to reach the top. My hats off to those of you who have made it. If you could be so kind as to send a little help back for those of us still struggling.

    2. 2 Design Elements Architecture Account Management Network Managed By Organizational Unit Structure Auto-Groups Password Management There are many pertinent design elements that went into the implementation of MIIS for UF. We list them in general here and we will explain them fully in the following slides. Note the two fellows on the left they bear no resemblance to Mike and I since they appear to know exactly what they are doing. As Mike constantly reminds me it would be a lot better if we just knew what we were doing. My response is always where's the fun in that. You decide.There are many pertinent design elements that went into the implementation of MIIS for UF. We list them in general here and we will explain them fully in the following slides. Note the two fellows on the left they bear no resemblance to Mike and I since they appear to know exactly what they are doing. As Mike constantly reminds me it would be a lot better if we just knew what we were doing. My response is always where's the fun in that. You decide.

    3. 3 46,000 undergrads 15,000 faculty / staff

    4. 4 Architecture Account provisioning design is based on Windows 2003 Native Mode configured for Single Forest and Single Domain User accounts and groups are provisioned using authoritative data sources (PeopleSoft, Campus Registry, and Registrar) Schema extensions for custom attributes and permissions were added to Active Directory and the MIIS Metaverse MS SQL 2000 provides a staging area for all data sources and single authoritative data source for MIIS MIIS performs the role of broker for all user accounts. Custom .NET applications are used to maintain Auto-Groups. Design Elements When I first arrived at UF I heard the term b broker and know I know what that means. We are very pleased with the flexibility we obtained by using SQL. The environment is very flexible.When I first arrived at UF I heard the term b broker and know I know what that means. We are very pleased with the flexibility we obtained by using SQL. The environment is very flexible.

    5. 5 Design Elements Account Management All faculty, staff and students are represented in Active Directory. Accounts are uniquely identified by their UFID (employeeID) All accounts are attributable to persons with the exception of authorized management and service accounts Accounts are Single credential for web, PeopleSoft and LAN Account objects are placed into Active Directory according to their Network Managed By attribute Source of account management data is Campus Registry (DB2). Types of account management transactions include create, delete, update, disable and enable Account transactions are processed every 15 minutes Account management is global, rights management is local

    6. 6 Design Elements Network Managed By Network Managed By attribute controls users Organizational Unit Initially Network Managed By is set to users Home department according to the HR data in PeopleSoft Enables a users account to be managed by a department other than their Home department Dual appointments (users in more than one differing departments) must be mitigated by unit administrators of those departments. The CIO has final authority in case of discrepancy Security Groups can be used as an alternative to Network Managed By for managing user objects Changes to the Network Managed By attribute are limited to Directory Coordinators Network managed by is a misnomer. It should be USER managed by but thats what you get when a committed starts naming stuff for you!Network managed by is a misnomer. It should be USER managed by but thats what you get when a committed starts naming stuff for you!

    7. 7 Design Elements

    8. 8 Design Elements Organizational Unit Structure Based on DepartmentID from HR tree-node data from PeopleSoft There are provisions for colleges/departments to customize the HR structure if necessary to conform to IT structure Edits to the HR structure must be approved at college level Types of edits are: Custom Names: Shorter names to make OUs more identifiable. Pruning Levels: Compress OU levels to facilitate administration. Custom OUs: Create a placeholder OU to hold other units. Custom Parents: Units not directly under parent unit structure. Redirect: Redirect users into a specified OU Story of the short names by HR. Story of the short names by HR.

    9. 9 Design Elements

    10. 10 Design Elements Auto-Groups Unit Auto-Groups Based on Organizational Unit membership Student Course Auto-Groups based on student course data Permissions Assigned according to FERPA requirements Members tab on course available to unit administrators and faculty only Member of tab on student object available to unit administrators and faculty only Read Group Membership security group created to secure these attributes Administrators and Faculty held to special trust agreement Updated once daily from Student Warehouse (MS SQL 2000) Custom .NET applications used to create and manage Auto-Groups.

    11. 11 Design Elements

    12. 12 Design Elements

    13. 13 Design Elements Securing Student Auto-Groups Changes to Built-in Groups: Remove Authenticated Users from Pre-Windows 2000 Compatible Access For OU containing Student Auto-Groups: Add a DENY for Domain Users for Read Member for Group objects Add Authenticated Users Read permissions for This object and all child objects *note advanced permissions will look like: Grant List Contents Grant Read All Properties Grant Read All Permissions For each group in the Student Course Auto-Groups OU Remove Read All Properties from Authenticated Users Remove Read All Properties From Self Add Read permissions for Read Group Members (users with delegated authority to read group membership) User OU permissions Add Read permissions for Read Group Members for This object and all child objects

    14. 14 Design Elements Securing Student Auto-Groups

    15. 15 Design Elements Securing Student Auto-Groups

    16. 16 Design Elements Securing Student Auto-Groups

    17. 17 Design Elements Securing Student Auto-Groups

    18. 18 Design Elements Securing Student Auto-Groups

    19. 19 Design Elements Password management policy Password management policy includes five security roles and is enforced using Single Domain Schema extension (GLPwdExpired) for password management Password Expiration notification script Passwords are managed by UF Bridges according to the UF password policy Password changes are accomplished using LDAPS from middleware maintained currently by Academic Technologies. This system will be replaced in Q4 of this year with a web-services component we will maintain

    20. 20 MIIS is a State-Based system. State-Based systems do not expect to be specifically notified when their source data changes. Instead, they rely on knowledge of the state of data before and after the change, in order to infer that a change has taken place. MIIS Components

    21. 21 MIIS makes use of Holograms. MIIS achieves its knowledge of data changes by the storage of a hologram which represents the current view of the data stored in the Connected Directory (CD). During a subsequent check of the data in the connected directory, the data in the CD is read, and compared with the hologram. If any differences are detected between the two (for example, the values for the Job Title attribute do not match), a change is inferred, and the change is passed to the MIIS 2003 Sync Engine to be propagated into the Metaverse and to other connected directories. MIIS Components

    22. 22 MIIS Components State-Based Versus Transaction Based Systems State-based systems expend more resources in the reading of data from the CD than do event-based systems, but benefit from the absence of a requirement for laborious management of change messages. In addition, they simply require the ability to read from (and perhaps write to) the connected systems no agents are required at the CD systems to send and receive the change messages.

    23. 23 MIIS Components Metaverse The metaverse (MV) is a set of tables within MIIS 2003 that contain the integrated (joined) identity information from multiple connected sources. All identity information about a specific person or object, which is stored in multiple connected sources, is synthesized into a single entry in the metaverse. Connector Space The connector space is a storage area, or staging are, that is used by management agents to move data into and out of a connected data source. Each connected data source has its own logical area in the connector space, which is managed by its corresponding management agent. The connector space is essentially a mirror of the related connected data source, with each object in the connected data source having a corresponding entry in the connector space. The connector space does not contain the connected directory object itself, but a subset of the objects attributes, as defined by the management agent. Connected Data Sources A connected data source is a directory, database, or, other data repository tat contains identity data to be integrated with the Metadirectory. Connected data sources can be enterprise directories, HR Databases, or data in flat files, such as LDIF, XML or delimited text. Management Agents A management agent links a specific connected data source to the metadirectory. The management agent is responsible for moving data from the connected data source and the metadirectory. When data in the Metadirectory is modified (including object addition and deletions), the management agent can also export the changes out to the connected data source to keep the connected data source synchronized with the Metadirectory. Generally, there is at least one management agent for each connected directory.Metaverse The metaverse (MV) is a set of tables within MIIS 2003 that contain the integrated (joined) identity information from multiple connected sources. All identity information about a specific person or object, which is stored in multiple connected sources, is synthesized into a single entry in the metaverse. Connector Space The connector space is a storage area, or staging are, that is used by management agents to move data into and out of a connected data source. Each connected data source has its own logical area in the connector space, which is managed by its corresponding management agent. The connector space is essentially a mirror of the related connected data source, with each object in the connected data source having a corresponding entry in the connector space. The connector space does not contain the connected directory object itself, but a subset of the objects attributes, as defined by the management agent. Connected Data Sources A connected data source is a directory, database, or, other data repository tat contains identity data to be integrated with the Metadirectory. Connected data sources can be enterprise directories, HR Databases, or data in flat files, such as LDIF, XML or delimited text. Management Agents A management agent links a specific connected data source to the metadirectory. The management agent is responsible for moving data from the connected data source and the metadirectory. When data in the Metadirectory is modified (including object addition and deletions), the management agent can also export the changes out to the connected data source to keep the connected data source synchronized with the Metadirectory. Generally, there is at least one management agent for each connected directory.

    24. 24 Data Flow

    25. 25 SQL DTS packages (Data Transformation Services) Harvest Fetch Backups Clean MIIS Logs Auto-Groups Student Groups

    26. 26

    27. 27

    28. 28 MIIS Components MIIS Event Schedule Deltas for user and group updates occur every 15 minutes. Full Import and Synchronization performed each evening as basic maintenance before backups.

    29. 29 Microsoft Identity Integration Server 2003 Resource Tool Kit 2.0 A set of command line and UI-based tools for remote administration and configuration of a server running Microsoft Identity Integration Server 2003. Requires .Net 1.1 Framework. Some of the tools we find most useful: AttributeFlowViewer All Metaverse attribute information exported to an HTML file for ease of viewing. MASequencer Used to automate the order in which management agents are run. It can also perform stop, resume, or pause operations interactively on the management agents. MASequencer uses input from an XML file, which contains information about the management agents to be sequenced. MASequenceConfiguration Generates an XML file used as an input for MASequencer. You can also use MASequenceConfiguration to start the sequence of management agent run profiles instead of masequencer. MIIS Service Monitor Polls an MIIS 2003 server at regular intervals and returns system statistics Complete description in Online Help or through URL listed here: http://www.microsoft.com/windowsserversystem/miis2003/default.mspx Other Tools: Clearmiisrunhist.vbs A VBS script we created that clears MIIS run history through WMI and keeps X number of days before current date. MIIS Document Generator Documenter takes the output XML files created by MIIS 2003 and produces a word report which represents documentation of your systems. It achieves this be producing a text file which is imported into a MIIS report template by a Microsoft Word macro and this is converted into the report. The final report can be customized using a control file and further enhanced using additional Microsoft Word documents, specifically you can: Insert other Microsoft Word documents into the report Insert the contents of text files into the report Insert comments from the control file to explain the use of management agents, attributes and flow rules. About $300. Talk about importance of clearing MIIS activity log.Talk about importance of clearing MIIS activity log.

    30. 30 MIIS Advantages / Disadvantages Advantages: Built-in reporting. Tight Integration with Visual Studio for debugging and troubleshooting. Expands easily to accommodate new Connected Directories. Managements Agents that port to a wide spectrum of platforms plus provisions for writing your own custom MAs. Out-of-the-box connectivity to most network operating systems (NOS), e-mail, database, directory, application, and even flat-file access. Saves a lot of tedious code writing. WMI integration allows MIIS 2003 to be interfaced to management consoles like Microsoft Operations Manager (MOM), HP OpenView, Tivoli, and other third-party consoles. Can also provide password management across multiple platforms. Disadvantages: Cost about $8,000 per processor Requires Enterprise SQL. This can be offset by purchasing per CAL for SQL. Requires provisioning code. More advanced features require more code. Multi-valued Fields in SQL 2000 not supported currently. Can be overcome by custom code.

    31. 31 Microsoft Identity Integration Server 2003 Resources: Whitepapers: http://www.microsoft.com/windowsserversystem/miis2003/default.mspx NETPRO Directory Experts Conference: http://www.netpro.com/events/dec2005/agenda.cfm Microsoft Identity Integration Server Users Group: MSUG@yahoogroups.com MMSUG-subscribe@yahoogroups.com MIIS 2003, Enterprise Edition Training http://www.sqlsoft.com/Public/Promos/MIIS2003/?Ref=MIIS MIIS Alliance http://www.miis-alliance.com/news/050314.html NetPro's - Mission Control for managing MIIS http://www.miis-alliance.com/resources/NetPro_MissionControl_for_MIIS_datasheet.pdf Future Projects: GAL SYNCH with Shands Teaching Hospital Campus Wide LDAP with ADAM

    32. 32 Additional Info See the UFAD web site at www.ad.ufl.edu Contact George Bryan (grbryan@ufl.edu) or Mike Kanofsky (mikekano@ufl.edu)

    33. 33

    34. 34 Multiple Password Policies User Security Roles Implemented in PeopleSoft Enforced in UFAD Schema extension GLPwdExpired GLPwdExpired comes from Portal when password is set. Backend process on SQL server resets user passwords to random value if they have not reset their password by the expiration time Eliminates need for multiple domains

    35. 35 Password Expiration Notification Messages

    36. 36 Password Notification Script

    37. 37 GatorLink Password Policy The GatorLink username and password is the University standard username and password for authentication for all new information systems. The University uses a role-based approach for providing access to these systems. Each person affiliated with UF has one or more security roles. Each security role has an associated password policy. If an individual has several roles, with conflicting password policies, the strongest policy applies. This policy is guided by the following principles: Five levels of password policy are necessary, each with a different set of requirements for password creation and reset. (See Attachment A). The assignment of a password policy is based on an individuals security role(s) and is not an automatic result of an affiliation or staff position. Passwords must include three of the following four elementsupper case letters, lower case letters, digits and punctuation. Passwords may not contain words found in a dictionary. Passwords will expire during UF Help Desk business hours. GatorLink passwords and security rolesand the resulting association of password policy to a userare held in the PeopleSoft Enterprise Portal system (myUFL) and managed by UF Bridges

    38. 38 UFs Password Roles

    39. 39

    40. 40 Exchange 2003 Implementation Challenges Multiple Administrative Groups Multiple Routing Groups Routing Group connectors Multiple Recipient Policies Multiple Address Book Views Many now based on Auto-Groups Display Names pulled from Campus Registry Intelligent Message Filter

    41. 41 Exchange Administrative Groups and Routing

    42. 42 Exchange 2003 Front-end Design Centralized Front-ends available to all departments AEP SSL Accelerator cards used to enhance performance Additions from MessageWare Enhanced Address Book Spell Checker in Basic web client Design to be enhanced with ISA Server 2004 and Rainfinity Rainwall Rainwall provides High Availability Load Balancing for ISA Server

    43. 43 Exchange 2003 Front-end Design

    44. 44 Exchange Theme Customization

    45. 45 OWA Customization

    46. 46 MessageWare PlusPack Adds Spellchecker to basic client Enhanced Address Book Viewer

    47. 47 Thanks, any questions, ridicule, taunts? My name is George Bryan and I am the (hold on - look at badge) project lead for the Active Directory Service. I am accompanied by Mike Kanofsky who is the Technology Expert for AD. The Active Directory Service at UF is affectionately known as UFAD (the Open-Systems group I am sure has other names for us. Just kidding!) and is under the auspices of the Bridges project at UF. Keep in mind, Mike is the Expert, it says so in his title, so if you have a question do not hesitate to ask HIM. Since there is no Expert in my title I have an excuse should I not be able to answer your question adequately. We are honored to be here today and will be presenting an Account provisioning solution using MIIS 2003. We will be covering design elements that went into our use of MIIS as well as other pertinent topics which influenced our design and use of the product. It it our intention to present things we found interesting and would be of interest to those attending. We understand there are a myriad of account provisioning solutions and I am sure all of them are well suited. We think what we have is pretty special and are pleased to present our findings today. As you know, There are many paths to the top of the mount Rainier but once the top is reached the view is the same. Unfortunately Mike and I are still trying to reach the top. My hats off to those of you who have made it. If you could be so kind as to send a little help back for those of us still struggling. Thanks, any questions, ridicule, taunts? My name is George Bryan and I am the (hold on - look at badge) project lead for the Active Directory Service. I am accompanied by Mike Kanofsky who is the Technology Expert for AD. The Active Directory Service at UF is affectionately known as UFAD (the Open-Systems group I am sure has other names for us. Just kidding!) and is under the auspices of the Bridges project at UF. Keep in mind, Mike is the Expert, it says so in his title, so if you have a question do not hesitate to ask HIM. Since there is no Expert in my title I have an excuse should I not be able to answer your question adequately. We are honored to be here today and will be presenting an Account provisioning solution using MIIS 2003. We will be covering design elements that went into our use of MIIS as well as other pertinent topics which influenced our design and use of the product. It it our intention to present things we found interesting and would be of interest to those attending. We understand there are a myriad of account provisioning solutions and I am sure all of them are well suited. We think what we have is pretty special and are pleased to present our findings today. As you know, There are many paths to the top of the mount Rainier but once the top is reached the view is the same. Unfortunately Mike and I are still trying to reach the top. My hats off to those of you who have made it. If you could be so kind as to send a little help back for those of us still struggling.

More Related