I’ve thought about it a bit more since, and I’ve decided that “speaks-without-thinking Carol” was onto something. A better place to start mapping processes and planning the groundwork for identity automation is the other end of the lifecycle. That is, start by looking at the processes for account termination, permission deactivation, group deletion or resource archiving, and figure out what you’d need to have in place to be able to automate that.

I can already imagine myself trying to explain this to anyone who isn’t a veteran of identity automation – the blank looks, the irritation, the immediate assumption that I’m trying to “over complicate” what is surely a “quick win”.

I’d argue that a focus on deprovisioning forces us to look at the whole data set. Creating a new account, however convoluted your business processes, is the easy part. The real work is in identifying all the existing digital identities of interest, linking them to their managed source record, and tidying up processes so we can easily know when they’re no longer needed. If you were to start your identity automation project with deprovisioning, you’d have a lot more ground work to do, but you would end with a much cleaner data set, better incorporated processes, and a more “fit for purpose” solution that can be extended to other use cases. If, instead, your classic Phase One plan is to “create new accounts for new people, and figure out the rest later”, all you’ve got is the orchestration of that one task.

My main concern is that a tight focus on provisioning can, and does, lead to bad decisions. Sure, your tool or script or bright idea to orchestrate using the service ticketing system can create a user account. As I’ve already said, that’s the easy part. The hard work is in properly managing these digital objects – when to update them, when and how to change what they have access to, and when to switch them off. In IT, we’ve probably all seen the results of automation that was set up to create but never delete. The worst systems are the ones that generate crazy numbers of groups, shared resources and service accounts, or bulk-create accounts for external users that will never use them. All of these digital objects, so easily created, come with a maintenance cost that gets particularly onerous at times of migration, merger and large-scale systems change. They also increase the cyber attack surface, so we all know they should be purged, but the level of forensics needed to determine which ones are still needed is as tedious as it is onerous, so always ends up on the “do later” pile. How different would things be if, every time we created something, we also had to plan for it’s eventual deletion?

I know that no one would really do an identity management project that starts at the end and ignores the beginning of the digital identity lifecycle, but we can at least argue for doing both. Automation that adds to the pile without also clearing away is only creating more headaches for the future.

We talked about women in IT and some of my own experiences, including how I first discovered MIIS and identity management, and of course my memoir IT Grrrl.

You can listen here, or search Women Count on your favourite podcast platform.

I don’t have a publisher yet – that’s the next step. In the meantime, I am trying to get an idea of the level of interest in a memoir written by a woman who’s been in IT since PCs were getting networked for the first time, and the internet wasn’t yet a thing. And, of course, along the way, discovering MIIS!

I decided not to call the book Miss MIIS, though I did consider “Identity Bytes”. In the end I’ve gone for “IT Grrrrl” because a) nineties, and b) you should have seen me in the nineties.

I have set up a site for the book where you can read the first chapter. If you think you might buy my book once published, would you mind filling in a short survey?

The Experts Conference

Quest’s TEC was a two day, fully virtual conference, in USA EST timezone, and free to attend. I attempted to join in live, despite the appalling time frame for me (11:30pm to 5:30am). I made it to 3:30am the first night, and then kept falling asleep the second night.

It was conducted entirely through MS Teams, and I thought the TEC organisers had come up with a good approach – each session was pre-recorded and run in one meeting in presentation mode, with a second open meeting immediately following for Q&A. It meant we had both a session that ran exactly to time, and also some interactivity, where you could ask questions to the speaker, as well as seeing and responding to other people’s comments.

European Cloud Identity Summit

Kuppinger-Cole’s EIC ran over four days in a hybrid mode with both on-site and remote presenters and attendees. It was held in Germany and, in my time, started at 10pm the first day, and 5pm on the other days. It was hosted through a dedicated website and app and my virtual ticket cost about 10% of an in-person ticket.

The EIC interface was pretty fancy, so much so that we were instructed to watch a how-to video before the conference. Much effort had been put into trying to virtually recreate conference experiences such as the exhibition hall, and mingling during breaks. It all looked impressive but I was not remotely tempted to try any of it out – I’m not interested in watching vendor ads, or trying awkward meetups in virtual bubbles in the middle of my night. I wonder how many of the virtual attendees used these facilities, unless perhaps to say hi to someone they already knew.

The sessions were watched through live streams and it was a long time (well over 24 hours) before the recordings became available. This was frustrating as I was experiencing some glitching and skipping in the live stream, and even without that, I was planning on watching most of the sessions in my morning. By the time I was able to watch the first day’s recordings the conference was pretty much over.

Why I go to conferences

Like everyone I haven’t been to a conference in a long time, actually years. I used to go to TEC every year, and would speak at my regional TechEds or TechDays. I’ve been to Identiverse once and had planned to go again in 2020. I’m not a fan of the travel, or the jetlag, but it’s always worth it for learning from experts and peers, meeting up with old friends, late nights in the bar (the jetlag being quite helpful there). It works because it’s an immersive experience – everyone is there for the same reason, we’re away from distractions of work and home, and can have a good laugh with people who get the weirdness of our particular profession.

How much, if any, of this experience is available to a virtual attendee?

Bored and distracted

Here’s something I’d like presenters to think about – it’s harder to keep people interested when they’re not trapped in the room with you and it would be rude to get up and leave. Add to that the fact they are watching from work or home (or, for many of us these days, both simultaneously).

Conference sessions are always a mixed bag, but anything that is boring, poorly prepared, robotically read out, straight-out wrongly pitched for this conference, or (worst of all) does not seem to be in any way about what the title and synopsis indicated, is that much worse when consumed through a recording or a glitching live stream. Click. Away.

Will someone please think of the timezones??

A big appeal to conference organisers for going virtual or hybrid must surely be the international reach, and it’s also appealing to those of us who are a very long way away from Nth America or Europe, and have no way of getting there right now anyway. BUT with an international audience comes international timezones, and I didn’t see any consideration of that from either conference.

Something really simple: don’t wish your virtual attendees “good morning”, or suggest it’s time for them to get a coffee. On a more practical level, I would have appreciated being able to view the agenda in my own timezone – that shouldn’t be too hard, surely?

What I really want however is a second run, 12 hours later, of all keynotes and selected sessions. I’m not saying a live run, a recording is fine, but at a scheduled time and with a live chat for those of us who needed to be sleeping at 4am when session actually happened. With vendor presentations they could probably even organise for a regional rep to jump on the chat during the re-run. Would that be so hard? Those of us who are timezone-challenged could still feel like we were part of the conference, get some interaction with each other, and a vendor might even make a new connection.

So would I do it again?

If it were an exact repeat of the experiences I’ve just had, the answer would be no. However, I’m pretty sure that the virtual or hybrid conference is here to stay and this was a first run for both of these particular conferences, and the fact they went ahead at all is much appreciated. I’m sure changes will be made and I’ll consider again based on that.

The first step is parsing the XML. In my old version I did a lot of looping through the XML nodes, but this time I’m taking a different approach – by first converting the XML to CSV I have a lot of good info in a format that is much easier to work with.

I’ve just uploaded my script which converts the schema.xml and policy.xml files to CSV – you can find them here. You will need both

• ConvertToCSV-PortalConfig.ps1 and
• MIMServiceToCSV.xslt

The script parses the pending exports XML file produced by csexport.exe and produces single- and multi-value CSV files that you can import into Excel (split on the semi-colon).

I’ve been tinkering with this script for years. This one now includes all current attribute values for objects with changes, instead of just the values being changed.

I always liked how Event Broker allowed me to integrate PowerShell scripts with run profiles, and often used a “post-export script” to perform extra tasks that weren’t really worth a full PowerShell MA integration. With AutoSync the script trigger is provided to check the target system to see if an import should be run, perhaps also staging the import data first. However there’s no reason why I can’t also make some other changes, I just have to switch my thinking from a “post-export script” to a “pre-import script”.

NOTE: Ryan has now pointed out the Execution Controller Script functionality which I’m keen to have a play with next!

The trigger script goes in much the same way I’ve always written post-export scripts:

• Do an LDAP search to find users that need something doing,
• Do the thing,
• (If necessary) Update the user so it no longer satisfies the query.

Now with AutoSync I add an extra step:

• If any changes were made, run a Delta Import.

Here’s my basic trigger script for AD:

Import-Module ActiveDirectory
. D:\Scripts\lib\Set-LocalVariables.ps1
. D:\Scripts\lib\TargetFunctions.ps1

function Get-RunProfileToExecute 
{
    $changes = 0

    $changes = AD-CreateHomeFolder -changes $changes 
    $changes = AD-CreateMailbox -changes $changes -TargetDomainName $DomainName -SearchBase $StdUserOU
    $changes = AD-HideFromGAL -changes $changes -TargetDomainName $DomainName -ActiveOU $StdUserOU -TerminatedOU $TermUserOU
    $changes = AD-MailEnableDL -changes $changes -TargetDomainName $DomainName -SearchBase $GroupOU

    if ($changes -gt 0)
    {
        $p = New-Object Lithnet.Miiserver.Autosync.ExecutionParameters
        $p.RunProfileType = "DeltaImport"
        write-output $p
    }
}

I won’t post the code for all those functions, they’re just standard Exchange and home folder scripts, so just for an example, the AD-CreateMailbox function which mailbox-enables users looking like they need it:

<#
    AD-CreateMailbox

    Triggers mailbox creation for managed users where homeMDB is not populated. 
#>
function AD-CreateMailbox([int]$changes,[string]$TargetDomainName,[string]$SearchBase)
{
    $DC = (Get-ADDomainController -DomainName $TargetDomainName -Discover).HostName[0]

    $Filter = "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(employeeNumber=*)(!(homeMDB=*)))"
    $Users = @(Get-ADUser -Server $DC -SearchBase $SearchBase -LDAPFilter $Filter)
    if ($Users.count -gt 0)
    {
        $PSSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ExchangeURI -Authentication Kerberos
        Import-PSSession $PSSession | out-null
        foreach ($user in $users)
        {
            Enable-Mailbox -Identity $user.SamAccountName -DomainController $DC | out-null
            $changes += 1
        }
        Remove-PSSession $PSSession | out-null
    }
    $changes
}

The final step is to create the trigger in AutoSync and schedule it to run at a high frequency. I’ve got mine running every 60 seconds and it doesn’t seem to cause any performance issues as the script does its LDAP searches and then goes straight back to sleep when there’s nothing to do. However if a new user is detected (or a new Distribution Group, or a terminated user needing to be hidden from the GAL) it does it’s thing quickly and the information about it flows straight back to the Portal where the Service Desk can see it.

All in all a good result, and thanks to Ryan for making such a great utility freely available!

The result was a scheduled PowerShell script which populates groups based on a filter rule written to the group itself. It uses only attributes already in AD and is managed through AD Users and Computers.

To make sure the script only targets the right groups, I’ve asked for them to be moved to a “Managed Groups” OU, and then it’s just a matter of putting a valid PowerShell filter statement in the Notes field. The script is scheduled to run hourly and figures out if any members need to change based on the filter.

I like the way the rule is clearly visible to the people managing AD, and if they’re trying to figure out why a user is not in the group they only have to check the Notes field for exact attribute values, then update the user to match. The data gets cleaner and they get used to the idea of automation – win-win!

Here is the script. Note that the lines which change the groups are initially commented out so this will log only, until you’re ready to un-comment:

Import-Module ActiveDirectory

$LogFile = "Update-Members-{0}.log" -f (get-date).ToString("s").Replace(":","")
"Update-Members.ps1 starting" | out-file $LogFile -Encoding default

$domainController = (Get-ADDomainController).Hostname
$Groups = Get-ADGroup -Server $domainController -SearchBase "OU=Managed Groups,OU=MyOrg,DC=mydomain,DC=com" -Properties "*" #change OU and/or add a filter#
$ADUsers = Get-ADUser -Filter * -Properties *

foreach ($grp in $Groups | sort -Property Name)
{
    "`r`n" + $grp.DistinguishedName | Add-Content $LogFile

    ## Get the filter from the info (Notes) field on the group, and add a rule to select Enabled users only
    $filter = '$_.Enabled -and (' + $grp.info + ')'
    "Membership filter: $filter" | Add-Content $LogFile
    try
    {
        $scriptFilter = [scriptblock]::create($filter)
        $ExpectedMembers = ($ADUsers | where $scriptFilter).DistinguishedName

        ## Get current members
        $AllMembers = Get-ADGroupMember -Identity $grp.DistinguishedName
        $CurrentMembers = @(($AllMembers | where {$_.objectClass -eq "user"}).DistinguishedName)

        ## Compare
        $MembersGood = @()
        $MembersAdd = @()
        $MembersRemove = @()
        if ($ExpectedMembers -and $CurrentMembers)
        {
            $CompUsers = compare-object -ReferenceObject $ExpectedMembers -DifferenceObject $CurrentMembers -IncludeEqual
            foreach ($comp in $CompUsers)
            {
                if ($comp.SideIndicator -eq "==") {$MembersGood += $comp.InputObject}
                elseif ($comp.SideIndicator -eq "=>") {$MembersRemove += $comp.InputObject}
                elseif ($comp.SideIndicator -eq "<=") {$MembersAdd += $comp.InputObject}
            }
        }
        elseif ($CurrentMembers)
        {
            $MembersRemove = $CurrentMembers
        }
        elseif ($ExpectedMembers)
        {
            $MembersAdd = $ExpectedMembers
        }

        foreach($m in $MembersGood) {"OK: $m" | Add-Content $LogFile}

        if ($MembersAdd -ne $null)
        {
            foreach($m in $MembersAdd) {"Add: $m" | Add-Content $LogFile}
            #Following line commented – logs only. Remove comment to make changes.     
            #Add-ADGroupMember -Identity $grp.DistinguishedName -Members $MembersAdd -Server $domainController
        }
        
        if ($MembersRemove -ne $null)
        {
            foreach($m in $MembersRemove) {"Remove: $m" | Add-Content $LogFile}
            #Following line commented – logs only. Remove comment to make changes.     
            #Remove-ADGroupMember -Identity $grp.DistinguishedName -Members $MembersRemove -Server $domainController -Confirm:$false
        }
    }
    catch
    {
        "Error: " + $Error[0].Message | Add-Content $LogFile
    }
}

This is my own summary of the five stages of maturity against common IAM product features.

So to recap, a good source of truth:

• is probably one of a number of sources you’re using, but preferably the only one for this particular type of data,
• is a place where this type of data is well managed because stuff breaks if it isn’t,
• has appropriate processes to correct the data if it’s wrong,
• enforces data quality through selection mechanisms rather than free text.

Today I’m adding a new one to this list. An essential feature of a source of truth for an IAM solution:

• is a data store I can query at any time for the current state of the data.

This last one is what makes a service ticketing system a generally poor source of data for identity automation. I was having this conversation with someone recently and he had a good analogy – it’s like if the only way you could get your current bank balance was by going back over all your transactions since the last time you checked. Only it’s worse than that because we’d also be dealing with free text, and mistakes in the request that got sorted out with a phone call, and access granted on the side because the user knew how to call directly, so it’s unlikely we could even construct that current state by going through the history.

A ticketing system is fine and essential for all sorts of requestable stuff, but as far as IAM automation is concerned it’s only good if the end result of the ticket is someone updating the data in the static data source we use for our actual SoT.