Assess Your Current IT Infrastructure
Updated: June 7, 2006
Applies To: Windows Server 2003 with SP1
Assess the current infrastructure to establish a baseline and provide input to the design. Information about the current infrastructure helps you decide which MIIS 2003 deployment scenario to pursue first and also helps you design future MIIS 2003 deployment scenarios. To assess the current infrastructure, perform the following tasks:
Identify the network topology.
Evaluate the network for the ability to handle MIIS 2003 traffic.
Evaluate operating procedures.
Analyze current security state.
Assess the state of current data.
Of these tasks, the state of the data is the most important. The two key elements are data quality and data join potential. An analysis of data quality should reveal how reliably the data is accurate and complete, and should identify every process that updates it, whether that process keeps it accurate or introduces errors. Reliable, accurate data is essential for any design that flows the data to other systems, because synchronization propagates bad data as faithfully as good data.
The second key element is data join potential. If the current state of your identity data across all the potential data sources will require you to implement custom data joining techniques (using rules extensions) to obtain the required results, you need to plan for extra time and effort. If the analysis shows you can make simple joins (where you can use the join rules that are built into MIIS 2003), then implementation is made easier.
Figure 9 illustrates how you can add these assessments to your scenario diagrams.
Identifying Network Topology
Some MIIS 2003 processes, such as import and export, rely on the networking infrastructure, so evaluating the current state of your network is an important step toward a successful deployment. In identity management, you need connectivity between the various data sources that contain identity information for both full imports and delta imports. After data is synchronized, it might need to flow back to the same or a different data source. Sometimes these connected data sources are secured behind firewalls or rely on third-party networks. In almost every case, MIIS 2003 makes the connection to the data source and to the SQL Server store over the network, so each of those paths must be open, reliable, and appropriately protected.
Obtain a network diagram for the part of your organization that will be affected by synchronization, or create a diagram with assistance from the IT department. Ensure that the network diagram indicates available bandwidth on each link, high traffic times, security barriers, and system availabilities.
Also obtain information about the capacity of each computer that is involved in the network traffic. Determine your needs for storage and servers, and determine their best placement on the network. Identify any upgrades you might want to consider, and add this information to the cost and schedule section of your solution proposal.
After you collect information about the network topology, test network traffic with and without the identity data import and export traffic in a lab environment to identify potential bottlenecks. Be sure to test network traffic that is caused by a full import and also by a delta import.
Evaluating Operating Procedures
The MIIS 2003 deployment will, at minimum, require additional operational procedures to be put into place, and can require that you modify existing operational procedures. Because of this, document the operational procedures or processes that might affect your design. Gather information and document the following processes with the assistance of your IT department:
Any network bandwidth restrictions that are imposed on moving data across a LAN or WAN, including recommended timeframes for data synchronization.
Existing security procedures on any of the participating data sources. For example, document existing policies about moving data to and from the mail database.
Your current process for:
Hiring or firing an employee and how it affects any of the participating data sources. For example, identify the processes that occur for a new employee to obtain a telephone number, a mailbox, and a user account.
Flowing data from any of the participating data sources. For example, document processes for obtaining information from highly secure databases that are used by departments like Human Resources.
Moving objects between data sources. For example, document how Exchange mailboxes are currently moved between forests.
Password management or synchronization.
After assessing the operating procedures of your IT infrastructure, you can begin to refine your identity integration objectives, plan your deployment phases for each synchronization objective, and set reliable timelines for your MIIS 2003 deployment goals.
Analyzing Current Security State
Synchronization of data sources can expose security objects and new identity integration processes might require access to those data sources. Because MIIS 2003 synchronizes data from a variety of sources, you need to analyze all security aspects of each potential data source as well as the network and access to highly trusted systems.
Your current security implementation most likely follows the business rules of your organization. Analyze the current security state so that security planners can write a security plan for MIIS 2003 later in the design and planning process.
For more information about writing a security plan for MIIS 2003, see “Planning Your System Configuration for MIIS 2003” in this collection of the MIIS 2003 Technical Library.
Assessing the State of Current Data
Frequently, data sources contain information that does not synchronize smoothly with other data sources. Analyze data sources for incompatibility at an early stage to minimize the time and effort required to update the disparate data sources, or design the synchronization to resolve each issue. This analysis is probably the most important preliminary step to the actual synchronization. If the state of the current data is not thoroughly analyzed, the synchronization might not complete successfully because of some problem with the data. In addition, data that is critical to one data source may not be critical in another, and some disparities might result.
For example, a human resources database containing information about both current and former employees has been identified as part of the synchronization process. However, only the current employee data is required to be synchronized. If you analyze the data in this data source now — before you begin the design — you can prevent unnecessary data from entering the identity management system.
Identify situations for which your design must contain specific solutions:
Object control is restricted. You might not be able to create or access the object in the target database.
Data required for the target data source does not exist or is invalid. When assessing the state of your identity data, check that the current data contains the keys required to create objects in the other connected data source. If a required key is missing or invalid, the synchronization can write unreliable data to the target or, even worse, unintentionally delete data from it. Also document every unique aspect of the data, and of the processes that affect the data, for each data source.
Business policies might be violated. For example, if every employee object in the target data source requires a unique employee ID, but employee ID is not used in the source data store or has a different format that is not compatible, the object in the target data source might be accessible but without a valid, unique employee ID. Therefore, use your business policies to verify that the data conforms in each connected data source and verify that all the objects will be valid after the synchronization.
Dependent processes might be affected. For example, if reports are produced from a data source involved in synchronization, they may no longer work or may produce invalid results. A report may require valid department IDs, but if the data source is synchronized with another data source in which those IDs were not kept up to date, or are not compatible, the report may give incorrect values or may not run at all. To assess dependencies on the systems to be synchronized, run similar reports at each connected data source and compare the results.
Data source stewards and experts from your own organization play an integral part in data assessment. Their involvement can prevent problems where the dataflow design can negatively affect downstream systems.
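The following script is an added example of the data assessment described in this section (scope filtering, required-key and format checks, key uniqueness, join potential, and a dependent-process comparison); it is not part of the original guide and is not MIIS 2003 code. It assumes each data source has been exported to CSV by its own tooling, that the business rule for employee ID is "exactly six digits" (an assumed policy), and that a normalized comparison (trimmed, leading zeros removed) approximates what a custom join in a rules extension could achieve where the built-in exact-match join rule cannot. The HR and Active Directory records are constructed for illustration.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample exports (not real data): an HR database and an
# Active Directory forest, each dumped to CSV before the assessment.
HR_CSV = """employeeID,givenName,sn,status,department
000123,Alice,Martin,Active,ENG
000124,Bob,Chen,Active,ENG
000125,Carol,Diaz,Terminated,FIN
 000126 ,Dan,Evans,Active,FIN
,Eve,Foster,Active,HR
000124,Bob,Chen,Active,SALES
000128,Frank,Gray,Active,ENG
"""

AD_CSV = """sAMAccountName,employeeID,mail,department
amartin,000123,amartin@example.com,ENG
bchen,124,bchen@example.com,ENG
devans,000126,devans@example.com,FINANCE
gholt,000127,gholt@example.com,ENG
"""

# Assumed business policy: an employee ID is exactly six digits, no padding.
EMPLOYEE_ID_RE = re.compile(r"^\d{6}$")


def load(csv_text):
    """Parse a CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def normalize_id(value):
    """Loosened key (trimmed, leading zeros dropped). Used only to estimate
    whether a custom join in a rules extension could rescue records that
    the exact built-in join rule would not match."""
    v = value.strip()
    return v.lstrip("0") if v else ""


def assess(hr_rows, ad_rows):
    """Return a dictionary of findings for the HR -> AD synchronization."""
    findings = {}

    # 1. Scope: only current employees should enter the identity system.
    in_scope = [r for r in hr_rows if r["status"] == "Active"]
    findings["hr_out_of_scope"] = len(hr_rows) - len(in_scope)

    # 2. Required key missing, or present but not in the expected format.
    findings["hr_missing_key"] = [r["sn"] for r in in_scope if not r["employeeID"].strip()]
    findings["hr_bad_format"] = [r["employeeID"] for r in in_scope
                                 if r["employeeID"].strip() and not EMPLOYEE_ID_RE.match(r["employeeID"])]
    findings["ad_bad_format"] = [r["employeeID"] for r in ad_rows
                                 if not EMPLOYEE_ID_RE.match(r["employeeID"])]

    # 3. Uniqueness of the key within the source (a non-unique key cannot join).
    hr_counts = Counter(r["employeeID"] for r in in_scope if r["employeeID"].strip())
    findings["hr_duplicate_keys"] = sorted(k for k, n in hr_counts.items() if n > 1)

    # 4. Join potential: exact match (built-in join rule), normalized match
    #    (would need a rules extension), or no match (provisioning required).
    ad_exact = {r["employeeID"]: r for r in ad_rows}
    ad_loose = {normalize_id(r["employeeID"]): r for r in ad_rows}
    exact, custom, unmatched = [], [], []
    for r in in_scope:
        raw = r["employeeID"]
        if not raw.strip():
            continue  # already reported as a missing key
        if raw in ad_exact:
            exact.append(raw)
        elif normalize_id(raw) in ad_loose:
            custom.append(raw.strip())
        else:
            unmatched.append(raw.strip())
    findings["join_exact"] = sorted(exact)
    findings["join_needs_extension"] = sorted(custom)
    findings["join_unmatched"] = sorted(unmatched)
    hr_loose_keys = {normalize_id(r["employeeID"]) for r in in_scope}
    findings["ad_orphans"] = sorted(r["sAMAccountName"] for r in ad_rows
                                    if normalize_id(r["employeeID"]) not in hr_loose_keys)

    # 5. Dependent processes: compare an attribute that downstream reports
    #    consume (department) across records that would join.
    conflicts = []
    for r in in_scope:
        loose = normalize_id(r["employeeID"])
        if loose in ad_loose and r["department"] != ad_loose[loose]["department"]:
            conflicts.append((r["employeeID"].strip(), r["department"], ad_loose[loose]["department"]))
    findings["department_conflicts"] = sorted(conflicts)
    return findings


def run():
    """Assess the constructed exports and return the findings."""
    return assess(load(HR_CSV), load(AD_CSV))


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name}: {value}")
```

Each finding maps to a design decision: out-of-scope rows need a scoping filter, missing or malformed keys need cleanup in the source before the first full import, duplicate keys block joins until resolved, records in `join_needs_extension` are the ones that cost extra development time for a rules extension, and department conflicts show which downstream reports will change meaning once synchronization flows the winning value. On real exports, run the same checks against every connected data source and against the same two attributes from both sides, as the section recommends for reports.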