1-Day Course
Description
This is a workshop where there will be a concentration on labs and open Q&A. This course assumes you are already familiar with HyperSync and/or have attended M900.
HyperSync replaces or enhances the Microsoft Identity Manager (MIM) sync engine. When coupled with SoftwareIDM Service Panel, HyperSync replaces and improves on what is offered by MIM Sync and the MIM Portal. Managed, programmed, tested, and operated from within the Identity Panel web interface, HyperSync is a true SaaS application running natively on Azure App Services, with the option of running on premises. What is compelling about HyperSync is its on-premises Panel Service component, which lets Azure manage on-premises sources and targets. For those not ready for a cloud-based sync engine, HyperSync can also be installed and operated as on-premises software, much as MIM is operated today.
This course is for the identity solution developer who is planning or participating in a HyperSync implementation as a replacement for Microsoft Identity Manager (MIM), or to fix or enhance an existing MIM. MIM versions of this course focus on migrating MIM to Identity Panel's HyperSync and Service Panel. HyperSync versions cover the entire HyperSync application, including coding. Although the focus of this course is solution development, much of the material is useful for those who would like to understand HyperSync in-depth.
This course looks at how to design and implement solutions by applying Patterns and Practices for migrating from MIM or implementing a new HyperSync solution.
Who Should Attend
- Those who have attended W901 and want to learn the latest Patterns and Practices for migrating from MIM or implementing a new HyperSync solution.
- Consulting firms, independent consultants, and internal IT staff responsible for a successful implementation or expansion of a HyperSync deployment.
Prerequisites
- Must have attended A901 - HyperSync Patterns and Practices Primer for Experts.
- Own a subscription to the Knowledge Package for Developers or the Knowledge Package for Administrators, or be considering consulting on the Identity Panel Suite.
- Have experience writing SQL queries or programming in any language, including PowerShell or MIM Portal rules.
- Be a level 2 engineer or developer in one of the data sources you plan to use with Identity Panel, which must include one of the following:
  - HyperSync or FIM/MIM
  - Azure AD Connect
  - Active Directory, LDAP
  - Azure AD/Graph
  - SQL Server, Oracle, or MySQL
  - ADFS
  - Office 365
  - Exchange Server
  - Workday
  - ServiceNow
Agenda
The Patterns and Practices toolkit is a work-in-progress collection of PDFs that are being created and published according to the tree structure below. The items in bold represent the current state and are available to course attendees on request.
Selected patterns will be introduced with a walk-through in a reference lab configuration; the associated config files and instructions will then be supplied to attendees to install and configure in their own labs.
SoftwareIDM Patterns and Practices Toolkit
© SoftwareIDM
- User Lifecycle
- Application (pre-HR)
- Verified ID (or equivalent for 100 pt check etc.)
- Letter of Offer
- Acceptance
- Pre-start access
- Joiner
- Account Provisioning
- HR Provisioning (Org structure occupant, independent of whether or not an application process precedes it)
- HR Contingent Worker (Org structure occupant)
- Contingent Worker Provisioning (non-HR)
- Guest provisioning (vendor/service provider)
- Other provisioning (contingent worker/interested party)
- HR Provisioning (Org structure occupant, independent of whether or not an application process precedes it)
- Multiple HR feeds
- HR feed masking/overriding
- Generate non-HR employee ids
- Immutable/correlation id
- Unique name generation
- Provisioning in advance of start date (in HR, not in HR yet)
- Provision before start date
- Use SvP to pre-create an employee in advance of HR
- Account Provisioning
- Mailbox provisioning (on prem AD or M365)
- M365 group based licensing, set remote mailbox
- Home folder provisioning
- Birthright access
- Azure license group/assignment
- VPN
- Internet users etc.
- Sign conditions of use agreement
- Activation
- Advance account activation
- Manager-driven initial Access/Activation (incl. notifications)
- Notifications (new account, manager, initial password, etc.) [TODO: enumerate password delivery options]
- Admin/Secondary account provisioning
- Out-of-band setup, e.g. mailbox scripts
- Location or Job based provisioning templates
- Email suffix
- OU/Domain target
- Azure tenancy
- Share/home folder locations (persona)
- Mover/Changes
- Change profile (personal details)
- Change profile (employment details)
- Change Org Structure (manager/subordinates)
- Change roles
- Non-employee manager reassignment
- Account dormancy
- Dormant account reclaim
- Name change
- Account name/email change (with notification/approval)
- Multi-domain/forest
- Primary domain
- Domain move
- Cross-domain join
- SID history management
- Account changes notes
- Leaver
- Non-employee re-certification
- Immediate/Emergency termination (walked)
- Termination on elapsed date
- Delayed termination
- Delayed archiving workflows
- Out-of-band cleanup
- Entitlement cleanup
- Litigation holds
- Re-joiner
- Rejoin as Non-HR contingent worker
- Rejoin as former employee
- Search and verify for previous account
- Rejoin as HR employee
- Rejoin as former Non-HR contingent worker
- Merge identity (user with multiple accounts)
- Re-certification of entitlements
- Rejoin as Non-HR contingent worker
- Password Management
- SSPR
- Service desk password reset
- Password synchronization
- Non-person and Special Account Management
- Service accounts
- Request authorization
- Metadata (ownership, application assignment)
- Decommissioning
- Test accounts
- VIP accounts
- Change approval for VIP accounts
- Board members
- Auditors
- Guest accounts
- Guest Lifecycle management
- Guest Invitations
- Service accounts
- Reference Data Management (Locations, Org Units, etc.)
- Ref Data Lifecycle Management
- Overrides (time-bound)
- Group Lifecycle
- Criteria Groups
- Exception management
- Group policy templates
- Job based granularity of group grants
- Group creation
- Request/approve
- Security groups
- Distribution groups
- Group ownership
- Pooled ownership
- Position derived ownership
- Membership request
- Approval
- JIT/PAM
- Out-of-band
- Mailbox setup
- Post removal cleanup
- Expiry and Extension
- Attestation
- Roles
- Link to groups
- Criteria assignment
- Hierarchical roles
- Attestation/certification
- Criteria Groups
- System Operations
- Availability monitoring (panel check, status page)
- Backup and Recovery (on-premises only)
- Timing (operational efficiency)
- System health
- Supported OS
- Supported dependencies
- Secure networking
- Connected system availability
- Schema changes
- Updates and compatibility
- Secret Management
- Threshold triggering
- Change Management (promotion of configuration)
- Housekeeping
- Compliance and Reporting
- JML Reporting
- Leavers reporting
- License utilization
- Pending changes
- Exports
- Imports
- Sync Errors
- Requests and Approval history
- SLA adherence
- Change volume
- Policy violations [TODO: expand definition of policy violations]
- Data integrity
- Mismatched accounts
- Enablement conflicts
- Expiry
- Ambiguous joins
- Incorrect joins
- Uniqueness conflicts
- Manager tree integrity
- Valid manager (e.g. employee)
- Unresolved references
- Dormant accounts
- AD flags (Password never expires, not required)
- Event syndication (to SIEM)
- IdP request logs
- Sync activity
- Data syndication to BI
- Org has a Power BI team that wants Identity data
- Org was dumping MV data into tables for reporting
- Groups with no members
- Groups with no owner
- Groups with no changes (e.g. add/remove in n years)
Note: referenced JSON files for the above can be found here.