MIM

Terminology Comparison: MIM vs SailPoint IDN

So I’ve been learning SailPoint IdentityNow (IDN) and I am rattling my brains trying to match what I know about MIM and make sense in my brain and relate to the terms and how they are the same/similar but have different names in each product.

I have done up a little comparison table showing the most common things I have understood till date and tried to put it in words the way they are termed differently in MIM and IDN.

I am not an expert in either and not saying they are essentially correct or which product is better than other (btw there is no right answer to that – each have clear pros and cons depending on what you want in a product) but just trying to bridge the gap on understanding what they are in each.

MIMSailPoint IDN
Data TypeHas various like integer, string etc.Everything is defined as string essentially.
ConnectionDirect via MA which has config parameters.Done via a VA (Virtual Appliance) which is a lightweight custom Linux VM deployed at customer side (think of it as a secure tunnel from cloud IDN to your network).
Management Agents (MA)Individual connectors connected to sources.Called a Source - Downstream or upstream.
Connector Space (CS)Staging area for data in a connector.Shows up in the Accounts tab in the Source.
DisconnectorsObjects which had not connected to MV.Called "Uncorrelated Accounts" under the import data tab of the source.
Metaverse (MV)Where all the identities are connected to each MA and the fullest form of it in essence.Identity List which has links to all the sources.
Projection & ProvisioningEach MA has the rules and mappings to project a CS into MV and to the external source as well.Each Identity Profile has a mapping against a source and also provisioning rules. Sources which have an Identity Profile are also called Authoritative Source and ones which't don't are called Non-Authoritative.
Join RulesRules which join CS objects to MV based on defined criteria.Called "Correlation" in the Source where we define those criteria.
GroupsAD or MIM GroupsCalled Entitlements. It doesn't show groups as MIM does i.e. Group Management is not a thing. You do User Management with entitlements i.e. group membership.
ImportImporting objects from a connector to CS.Called "Account Aggregation" or "Entitlement Aggregation" which brings in the data.
AD Password Sync from DCDone via PCNSDone via PWI (Password Interceptor)
AD WriteDirect via ADMANeeds a domain joined computer with IQService installed.
Automation of logicSets / MPR and Workflows in MIM Portal.Does it via Access Profiles , Roles and Identity Profiles in IDN Portal.
Advance RulesDone via Workflows and other advanced methods like MIMWAL etc.Called Rules written in JAVA/BeanShell wrapped with XML.
Under the hood configLot of config is exported and modified in XML.Extensive API access mainly giving JSON outputs with few XML as well.

Feel free to correct me where I am wrong and / or if you want me to add something else or explain something more in details, do reach out.

Hopefully it made sense to someone!!!

By Piyush Khandelwal, ago

MIMWAL Boolean Comparison: Did I do it wrong?

So I had to do some complex workflows for a client. And you know MIMWAL is best for that.

Now I was going to use the Eq() built in function to do a comparison to see if the attribute is coming back is true. The attribute I was comparing to was a boolean. So in the workflow I used an update resource type and had an activity execution condition that if the attribute is true then run the update. 

Naturally I tried this to being with

Umm, didn’t work. Should have matched and executed the WF. Tried various other ways

On doing some debugging I saw that WAL was doing a string comparison to a Int64 type and coming back as a False match even on a (‘True’,’True’) condition.

Then tried something different

Voila!! That worked. Well I don’t know if I did something or if this is the only way to do a boolean comparison in the Eq() function but hey it worked for me.. 

Mental note!!!

Edit: So as per comment below did some more testing and the following execution condition code worked 🙂 even with false value it looked for true. 

See.. I told you I did something wrong 🙂 

By Piyush Khandelwal, ago

Batch Process an Array via Powershell for FIMService write back (Or any PS scenario)

So,

A long time ago I wrote a post showing how you can do Composite write-back to FIMService via Powershell. That used “Search-ResourcePaged” command from the Lithnet Module. But it’s not helpful in the scenario where you already have a list of users (say an exported CSV or a text file) you want to perform some action on. In that scenario, XPath is not needed (and might not help if there is no pattern to search) as you already have your objects to work on.

So say, for example, I have a list of 10000 objectID from FIM and want to delete them.

Simple way will be

Pretty simple but will take about 1/sec and take 10000 seconds to do it.

Yeah I am not going to wait that long…

Did some RnD (and Google) and found some different ways of going about it..

One way was doing ForEach -Parallels flag. I tried it but actually had a reverse affect for me… I did it wrong obviously.. It worked but took long/er for some reason (Even with -throttlelimit set)… Moved on… Went above my head for the limited time I had to do the job.

Then found a pretty simple way to do it online and made some modification to suit my scenario

 

Voila!!! it’s done in seconds. It will send batch of 1000 objects at a time to FIMService as a composite request and do them quickly. I did like 10000 in 10-15 seconds or so. You can also import a csv/txt file and create an array as well.

I am not a powershell expert and it may not be perfect or most elegant way of doing it but gets the job done quickly.

You can use the logic for virtually anything and not just to write back to FIMService. But yeah helped me to do large modifications / deletes pretty quickly.

Till the next time…

By Piyush Khandelwal, ago

Powershell Tip: FIM/MIM Explicit Disconnectors be gone… quickly!!!

Happy New Year!!! Hope everyone had a great 2017 and hopefully an even better 2018

If you know disconnectors then you definitely know how irritating the FIM/MIM GUI can be to convert a disconnector from explicit to normal or vice versa when you have potentially 10’s or 100’s of them… Joiner tab isn’t really friendly to select multiple disconnectors and “batch” convert them.

Thanks to Lithnet MIIS Powershell you can do the conversion of 100’s of them in 1 line and in couple of seconds

If you have a MA with 100’s of explicit disconnectors just run the following command (replacing the <MA NAME> with the ….. MA Name )

Done… Simples… You can ofcourse do the opposite as well if you wish i.e. Normal disconnectors -> Explicit Disconnectors.

By Piyush Khandelwal, ago

MIM AD Sync Error: Unable to update the password – Another POV

So we sync AD users from cross-domain (not a single forest). So say from “DC=contoso,DC=com” to “DC=fabrikam,DC=com”. Not getting too much into it, we do some matching and rules extension to convert a few value to match the destination domain.

Have recently been seeing the following error when sync engine is trying to enable a disabled user in fabrikam domain.

cd-error

Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

Although the password policy is the same between the two domains.

After a tip, for some reason after the user was synced but for some reason the password was not set. And when it was trying to enable the users, it didn’t have a password and failing the domain policy.

Fix: I got the list of users failing from MIM and set their password manually in the destination by using the following script

 

After this, the sync engine fixed the user up automatically.

By Piyush Khandelwal, ago