This course (A895) or workshop (W895) is designed to serve customers who have complex data sources and targets. As a workshop for customers, this activity is performed within the first week or two of an identity project that is deploying Microsoft Identity Manager or SoftwareIDM products.
Who should attend?
Data source and data target owners, or their experts: the people within the enterprise who are responsible for the identity data, including attributes and permissions, within these source and target systems. This is usually two distinct groups of people. One group is the data owners, such as Human Resources; the second is the systems’ owners, those technically responsible for access to the HR system or other data source/target. It is not uncommon for customers to send identity management personnel to these workshops after they have interviewed their identity data owners internally and set expectations.
Course – This 1-day course, when offered as a course rather than a workshop, is for anyone who will be gathering requirements, designing, and laying out the user and system functionality of a Microsoft Identity Manager, Identity Panel, Service Panel, and Access Panel solution. This course is ideal for consulting firms, independent consultants, and internal IT staff responsible for successfully collecting information from customers and then implementing or expanding a Microsoft Identity Manager solution that integrates Identity Panel, Service Panel, or Access Panel. Upon completion of this course, the successful delegate should be able to conduct course A895 as a workshop.
Workshop – This course is also offered as a workshop, as detailed within this article. When this course is offered as a workshop, as noted with a “W” (W895), it is a paid workshop (W812) when offered by SoftwareIDM. In the paid workshop, one or more identity professionals walk the audience through their options and collect their identity data design requirements.
Outcomes – The outcome of this workshop is an understanding of the customer’s identity data sources and data targets, and those systems’ general connectivity and identity data requirements. Additionally, the data owners and the host system of each source and target are identified.
This phase also identifies and creates the initial data risk list as part of the project management life-cycle.
Discovery and Requirements Gathering Phases for Data Source and Data Targets
Discovery and requirements gathering can be divided into three phases. Often, W895 is repeated to fully cover the three phases at various points in the early stages of the project. Some of Phase III can be incorporated into Phase I, and validated again in Phase III. All three phases can be combined when an organization’s environments and identity data are clean and well understood.
Workshop Scope – This workshop is focused on gathering information regarding the data sources. Requirements for automated communications, workflows, user flows, and design are held in separate workshops, often immediately following this workshop.
Phase I – When offered as a workshop, this is usually delivered in three phases. Phase I identifies the data sources and targets for the Identity Panel Core Framework and MIM (this may also include ADConnect, ADFS, AzureAD, and ServiceNow).
Phase II – In Phase II, Identity Panel peers into these data sources and targets to draw relationships between them, document current identity life-cycle practices, and analyze the quality of identity data. The Phase I requirements that were gathered are validated against the source and target systems. We show the customer their data results and collect from them how the existing data should look, so that a data clean-up or corrective solution can be implemented prior to the final automated solution (this correction can be a bulk clean-up, a cleansing of unused accounts, removal of access still held by terminated users, and more).
If the data or systems are to be migrated, joined, or consolidated, that is discovered here, in Phase II.
All of this information is brought to the customer in the Phase II workshop. Then the consultant assists the customer with identifying their data quality requirements.
Phase I and II are often performed in conjunction with a workshop version of A802 – Identity Panel Requirements Gathering & Design.
Phase III – The operational life-cycle requirements at the heart of your identity solution are identified in Phase III. In this phase, we identify the requirements used by MIM, ServiceNow, Service Panel, and Access Panel for automating and maintaining your identity data.
PHASES IN DETAIL
Documenting and Interviewing
Below is an example list of the questions asked in the Phase I requirements gathering workshop. The consultant conducting the workshop will have additional questions based on the customer’s project.
- What are the primary data sources?
- What sources are targets?
- What are the sources of truth for various attributes?
- What feedback loops are required to send data back to upstream source systems?
- What kind of initial reporting and clean-up is anticipated for each data source?
- What is the authentication method to each data source?
- What are the password management and synchronization requirements?
- What is the on-boarding and off-boarding process for each data target?
- What are the access control methods technically for each data target system?
- Who are the owners of each system?
- What data protections should be put in place to protect incoming and outgoing data?
Reduction of the data fed from a source can be the sign of a major upstream issue, and can impact downstream systems. What reduction limits should be placed on inbound data that, when exceeded, trigger a halt and a review workflow?
Massive changes, additions, or deletions should worry any enterprise. What thresholds should be used to protect target systems from unwanted changes?
With all of the protections in the world, unwanted changes can still occur. What process do you choose for each data target to roll back attributes, memberships, permissions, and identities after unwanted changes? Sometimes this means modifying the end target, but it often requires that upstream systems’ data also be revised or restored.
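The reduction and mass-change thresholds described above can be expressed as a guard that runs between import and export. The following is an added example written for this page; it is not SoftwareIDM, Identity Panel or Microsoft Identity Manager code. It assumes each import run produces a snapshot keyed by the join key (an employee ID), and the threshold values, the `Thresholds`/`Decision` names and the sample population are constructed. It also handles the two edge cases a practitioner needs: an initial load with no baseline, and a feed that suddenly returns nothing.

```python
"""Threshold guard for an inbound identity feed (added example).

Not SoftwareIDM or Microsoft Identity Manager code; a stand-alone
illustration of the reduction and mass-change thresholds discussed
above. The snapshot layout (a dict keyed by the join key), the
threshold values and the sample population are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Thresholds:
    max_reduction_pct: float = 5.0   # tolerated drop in source record count
    max_churn_pct: float = 10.0      # tolerated adds+updates+deletes per run
    min_deletes_to_check: int = 10   # absolute floor: a few leavers never halt


@dataclass
class Decision:
    halt: bool = False
    reasons: list = field(default_factory=list)


def evaluate_delta(previous: dict, current: dict,
                   t: Thresholds = Thresholds()) -> Decision:
    """Compare the previous and current import snapshots.

    halt=True means the downstream export should be held for human review
    (the "halt and workflow" above) instead of being applied automatically.
    """
    d = Decision()
    if not previous:
        # Initial load: there is no baseline, so relative checks are meaningless.
        d.reasons.append("initial load, no baseline to compare against")
        return d
    if not current:
        # An empty feed is the classic upstream failure (broken extract,
        # expired credential); never let it cascade into mass disables.
        d.halt = True
        d.reasons.append("source returned zero records")
        return d

    prev_keys, cur_keys = set(previous), set(current)
    adds = cur_keys - prev_keys
    deletes = prev_keys - cur_keys
    updates = {k for k in prev_keys & cur_keys if previous[k] != current[k]}
    base = len(previous)

    reduction_pct = 100.0 * (base - len(current)) / base
    if reduction_pct > t.max_reduction_pct:
        d.halt = True
        d.reasons.append(f"record count fell {reduction_pct:.1f}% "
                         f"(limit {t.max_reduction_pct}%)")

    # Percentages are noisy on small populations, so only apply the delete
    # check once an absolute number of deletes has been reached.
    if len(deletes) >= t.min_deletes_to_check:
        delete_pct = 100.0 * len(deletes) / base
        if delete_pct > t.max_churn_pct:
            d.halt = True
            d.reasons.append(f"{len(deletes)} deletes ({delete_pct:.1f}%) "
                             f"exceed {t.max_churn_pct}%")

    churn_pct = 100.0 * (len(adds) + len(updates) + len(deletes)) / base
    if churn_pct > t.max_churn_pct:
        d.halt = True
        d.reasons.append(f"total churn {churn_pct:.1f}% "
                         f"(limit {t.max_churn_pct}%)")
    return d


def sample_run() -> Decision:
    """Constructed scenario: 30 of 200 HR records vanish between two runs."""
    previous = {f"E{i:04d}": {"dept": "ENG", "status": "active"}
                for i in range(200)}
    current = {k: v for k, v in previous.items() if k >= "E0030"}
    return evaluate_delta(previous, current)


if __name__ == "__main__":
    decision = sample_run()
    print("HALT" if decision.halt else "PROCEED", decision.reasons)
```

In the constructed scenario the 15% drop trips all three checks and the export is held; losing two records out of 200 trips none of them. The threshold values are the real design decision the workshop has to extract from the data owner, and they differ per source.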
What are your organization’s non-repudiation requirements? How do you prevent bad actors from covering their tracks when making flash or hidden access changes?
GDPR and the right to be forgotten
What are your GDPR and right-to-be-forgotten requirements? What are your data-at-rest and data-in-transit encryption requirements?
Here we map out the systems and their relationships. We gather the exceptions and requirements, and identify current gaps. These are then validated in Phase II. In Phase II, the customer is briefed on the state of their systems, opportunities, and the technical needs to successfully implement their identity solution.
Initial use cases
This session should begin collecting initial use cases, and draw a conclusion about the amount of use-case development work that is required for this implementation.
These items above are further covered in course A825 – Protecting the Organization with Identity Panel
Phase II – Data Discovery
Phase II follows the installation and operation of Identity Panel. Identity Panel will scan each system to gather the data and determine its quality and state. Once the data is collected, it is analyzed.
Analysis of the data. Here we identify the gaps in customer data. Is there missing join information? Is data incorrect? Are there identifiable security risks? Are there orphaned or rogue accounts? Are permissions organized and logical? Are groups and roles properly named and understood?
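The join and orphan questions above are mechanical once the data has been collected. The following is an added example written for this page, not Identity Panel’s own analysis; it assumes an HR export and a directory export have been flattened to lists of records joined on an `employee_id` attribute, and the record layouts, attribute names and sample rows are all constructed. It surfaces the five gaps a consultant would bring to the Phase II workshop: accounts with no join key, duplicate join keys, orphaned accounts, leavers still enabled, and active people with no account.

```python
"""Join and orphan analysis between an HR source and a directory target
(added example).

Not Identity Panel code; a constructed, stand-alone illustration of the
Phase II data-quality questions above. The record layouts, the attribute
names (employee_id as the join key) and the sample data are assumptions.
"""
from collections import Counter

# Constructed sample: the HR system of record.
HR_RECORDS = [
    {"employee_id": "1001", "name": "Ada", "status": "active"},
    {"employee_id": "1002", "name": "Bob", "status": "active"},
    {"employee_id": "1003", "name": "Cy", "status": "terminated"},
    {"employee_id": "1004", "name": "Di", "status": "active"},
]

# Constructed sample: accounts found in the directory target.
AD_ACCOUNTS = [
    {"sam": "ada", "employee_id": "1001", "enabled": True},
    {"sam": "bob", "employee_id": "1002", "enabled": True},
    {"sam": "bob2", "employee_id": "1002", "enabled": True},    # same join key twice
    {"sam": "cy", "employee_id": "1003", "enabled": True},      # leaver still enabled
    {"sam": "svc_backup", "employee_id": "", "enabled": True},  # no join key at all
    {"sam": "eve", "employee_id": "9999", "enabled": True},     # unknown to HR
]


def analyze_join(hr, ad):
    """Return the data gaps, keyed by finding type, as lists of identifiers."""
    hr_by_id = {r["employee_id"]: r for r in hr}
    key_counts = Counter(a["employee_id"] for a in ad if a["employee_id"])
    return {
        # Cannot be joined at all: must be classified (service account? stale?)
        "missing_join_key": [a["sam"] for a in ad if not a["employee_id"]],
        # Ambiguous join: a sync engine cannot decide which account is the person's
        "duplicate_join_key": [
            a["sam"] for a in ad
            if a["employee_id"] and key_counts[a["employee_id"]] > 1],
        # Orphan/rogue: a join key the source of truth has never issued
        "orphaned_account": [
            a["sam"] for a in ad
            if a["employee_id"] and a["employee_id"] not in hr_by_id],
        # Terminated in HR but still enabled in the target: an access risk
        "terminated_but_enabled": [
            a["sam"] for a in ad
            if a["enabled"]
            and hr_by_id.get(a["employee_id"], {}).get("status") == "terminated"],
        # Active person with no account: a provisioning gap
        "active_without_account": [
            r["employee_id"] for r in hr
            if r["status"] == "active" and r["employee_id"] not in key_counts],
    }


if __name__ == "__main__":
    for finding, items in analyze_join(HR_RECORDS, AD_ACCOUNTS).items():
        print(f"{finding}: {items}")
```

Each list is a conversation with a different owner: the HR owner decides what a terminated-but-enabled account means, the directory owner classifies accounts with no join key, and neither can be automated until those answers are recorded as requirements.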
The data requirements are revisited using real identity data. Often customers are unhappy with their data, and add many additional requirements in Phase II.
Phase III – Data expectations
Here we discover your expectations for your identity data. Topics in this phase include how account IDs are to be formed. What are your group and attribute value naming conventions? What are your uniqueness requirements? How are exceptions handled? Who or what sources can manipulate data targets?
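To make the account ID and uniqueness questions concrete, the following is an added example written for this page; it is not MIM or Service Panel code, and the convention it implements (first initial plus surname, accents folded to ASCII, numeric suffix on collision) is one constructed answer among many a customer might give. The reserved-name list and sample names are assumptions; the 20-character limit is the Active Directory sAMAccountName maximum, and the example shows why the suffix rule has to be designed together with the length limit.

```python
"""Account ID formation with uniqueness handling (added example).

Not MIM or Service Panel code; a stand-alone illustration of one possible
naming convention for the Phase III discussion above. The convention
(first initial + surname), the reserved-name list and the collision rule
are constructed assumptions; the 20-character limit is the Active
Directory sAMAccountName maximum.
"""
import re
import unicodedata

SAM_MAX_LEN = 20


def normalize(name: str) -> str:
    """Fold accents to ASCII and keep only lowercase letters and digits."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())


def make_account_id(given: str, surname: str, existing, reserved=()) -> str:
    """Build <initial><surname>, truncated to the limit, adding a numeric
    suffix on collision so the suffix never pushes the ID past SAM_MAX_LEN."""
    base = normalize(given)[:1] + normalize(surname)
    if not base:
        # Names with no usable characters are the "exception" path: route
        # them to a human rather than inventing an ID.
        raise ValueError("name has no usable characters; handle as an exception")
    taken = {x.lower() for x in existing} | {x.lower() for x in reserved}
    candidate = base[:SAM_MAX_LEN]
    n = 1
    while candidate in taken:
        n += 1
        suffix = str(n)
        candidate = base[:SAM_MAX_LEN - len(suffix)] + suffix
    return candidate


def provision_batch(people, existing=(), reserved=()):
    """Assign IDs to (given, surname) pairs, treating each new ID as taken
    for the next person so one batch never produces duplicates."""
    taken = set(existing)
    assigned = []
    for given, surname in people:
        account_id = make_account_id(given, surname, taken, reserved)
        taken.add(account_id)
        assigned.append(account_id)
    return assigned


# Constructed sample input: two people collide, two need accent folding
# and punctuation removal.
SAMPLE_PEOPLE = [
    ("Ada", "Lovelace"),
    ("Alan", "Lovelace"),
    ("Zoë", "Müller"),
    ("Jean-Luc", "O'Brien"),
]
RESERVED = ("administrator", "guest")

if __name__ == "__main__":
    print(provision_batch(SAMPLE_PEOPLE, existing={"admin"}, reserved=RESERVED))
```

Whether the second Lovelace becomes `alovelace2`, `allovelace`, or a help-desk ticket is exactly the kind of decision this phase records; the code only shows that the rule, the length limit and the exception path have to be specified together.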
Phase III typically blends with the workshop version of A812 – Service Panel Requirements Gathering & Design. Course A812 also further develops Microsoft Identity Manager’s requirements.