Managing User Identities with Forefront Identity Manager 2010

Published: February 24, 2011

Updated: May 12, 2011

Applies To: Forefront Identity Manager 2010

Many organizations struggle to manage the lifecycle of user identities. Employees (users) are in a constant state of flux, from changing roles or departments to leaving the organization altogether. You can use Microsoft® Forefront® Identity Manager (FIM) 2010 to manage user identities from the time an identity is created until the time it is no longer needed.

This guide walks you through how a solution works when FIM 2010 is used to manage a user’s identity from the date of hire until the user leaves the organization. The accompanying test lab guide (TLG), Managing User Identities with Forefront Identity Manager 2010 Test Lab Guide, demonstrates how to provision a user account (moving a user from one connected data source to another) and how to deprovision a user account (removing that user from a connected data source).

Contoso, a fictitious company, wants to evaluate a solution that will allow them to automatically manage users within Active Directory® Domain Services (AD DS). The management of user accounts will be based on information contained within their Human Resources database. This database is the authoritative source for all users within Contoso.

The following process describes how this solution works:

  1. Upon hire, a user object is created for the new hire in the HR database. The user is either a Full Time Employee (FTE) or a Contractor.

  2. After the user object is created in the HR database, the FIM 2010 synchronization service then provisions the object into the FIM 2010 Portal.

  3. The user is then provisioned into AD DS. The user object will be placed in either the contractors or FTE organizational unit (OU). This is determined by the EmployeeType attribute in the HR database.

  4. If the EmployeeType changes in the HR database from contractor to FTE or vice versa, the user will be moved to the correct OU in AD DS.

  5. The EmploymentStatus and EndDate attributes in the HR database determine whether a user is no longer with the company.

  6. FIM 2010 detects these attribute changes in the HR database, moves the user object in AD DS to a specified organizational unit (the FIM_Inactive OU) for 30 days, and disables the user account.

  7. After 30 days have passed, the user object is deleted from AD DS. The object still remains in the FIM 2010 Portal for an additional 15 days.

  8. After 45 days the user will be removed from the HR database view and then removed from the FIM 2010 Portal.
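The following Python model of this eight-step lifecycle is added here as an illustration; it is not FIM's own code or configuration. Given an HR row and today's date it returns the state the user should be in (OU, enabled flag, presence in AD DS and in the FIM Portal), and a second function compares that target with what AD DS actually shows, which is the reconciliation check an administrator would run to catch departed users that are still enabled or accounts that were never cleaned up. The OU distinguished names, the "Active" status value and the decision to start the 30/45-day clocks on EndDate are assumptions, since the page does not state them.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed DNs and status code: the page names the OUs but gives no DNs and
# does not say which EmploymentStatus values mean "departed".
OU_BY_TYPE = {"FTE": "OU=FTE,DC=contoso,DC=com",
              "Contractor": "OU=Contractors,DC=contoso,DC=com"}
OU_INACTIVE = "OU=FIM_Inactive,DC=contoso,DC=com"
AD_RETENTION_DAYS = 30       # disabled in FIM_Inactive, then deleted from AD DS
PORTAL_RETENTION_DAYS = 45   # then removed from the FIM Portal

@dataclass
class HrRecord:
    employee_type: str          # "FTE" or "Contractor"
    employment_status: str      # assumed to read "Active" while employed
    end_date: Optional[date]    # None while employed

@dataclass
class ExpectedState:
    stage: str                  # active / inactive / ad-deleted / removed
    in_portal: bool
    in_ad: bool
    ou: Optional[str]
    enabled: bool

def expected_state(rec: HrRecord, today: date) -> ExpectedState:
    """Target state for one HR row under the eight-step process above."""
    departed = rec.employment_status != "Active" or (rec.end_date or date.max) <= today
    if not departed:  # steps 3-4: the OU follows EmployeeType
        return ExpectedState("active", True, True, OU_BY_TYPE[rec.employee_type], True)
    since = (today - (rec.end_date or today)).days  # assumed: clock starts on EndDate
    if since < AD_RETENTION_DAYS:  # step 6: parked in FIM_Inactive and disabled
        return ExpectedState("inactive", True, True, OU_INACTIVE, False)
    if since < PORTAL_RETENTION_DAYS:  # step 7: gone from AD DS, kept in the Portal
        return ExpectedState("ad-deleted", True, False, None, False)
    return ExpectedState("removed", False, False, None, False)  # step 8

def drift(rec: HrRecord, today: date, ad_enabled: Optional[bool],
          ad_ou: Optional[str]) -> List[str]:
    # ad_enabled is None when no account exists in AD DS; an empty list means no drift
    want = expected_state(rec, today)
    if ad_enabled is None:
        return ["account missing from AD DS"] if want.in_ad else []
    if not want.in_ad:
        return ["account should have been deleted from AD DS"]
    findings = []
    if ad_enabled != want.enabled:
        findings.append(f"enabled={ad_enabled}, expected {want.enabled}")
    if ad_ou != want.ou:
        findings.append(f"ou={ad_ou!r}, expected {want.ou!r}")
    return findings
```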
