FIM User Group: BHOLD
Eihab Isaac (FIM MVP)
11/3/2020, Zeva Incorporated
About Me
o FIM MVP
o IAM Consultant at Zeva Incorporated
o Master's in Information Systems from George Mason University
BHOLD History
o Microsoft acquired BHOLD in September 2011
o BHOLD is a Role Based Access Control (RBAC) solution
o BHOLD is an extension to FIM
BHOLD Implementation Purposes
o Automation
o Managing access rights
o Auditing
o Self-service
Is BHOLD widely implemented?
o Is BHOLD widely adopted?
o Is it hard to implement and maintain?
o Can the problems it addresses be solved in an easier, alternative way?
o Is it worth the effort of implementing it?
o Should we recommend it to our clients?
BHOLD High-level Design & Integration
[Architecture diagram. Components shown: HR source, AD MA, FIM Synchronization with its FIM Sync DB, FIM Service with its FIM Service DB, FIM Portal, BHOLD Integration, BHOLD Core, BHOLD Model Generator, BHOLD Reporting, BHOLD Analytics, BHOLD Attestation MA, Access Management MA, and the B1 database shared by the BHOLD components.]
BHOLD Planning
o BHOLD provides 7 components
◦ BHOLD Core
◦ BHOLD Access Management
◦ BHOLD Reporting
◦ BHOLD Attestation
◦ BHOLD Analytics
◦ BHOLD Integration
◦ BHOLD Model Generator
o More features mean more points of failure and more maintenance
Implementation Steps
o Determine the systems to integrate with
o Install the components
o Create the BHOLD MA
o Create OUs in BHOLD
o Set up your request approvals
o Set up your role model
o Create permissions in BHOLD
o Create users in BHOLD
o Configure reports
o Configure attestation campaigns
Integration with Other Systems/Applications
o Requires sessions with application owners and stakeholders
o Integrates with Active Directory and other directories that support groups
o Doesn't provide any means of provisioning or revoking access other than group membership, for example:
◦ Updating an attribute
◦ Provisioning to a directory
◦ Others
Installing Components
o Fairly straightforward
o Challenges with the BHOLD Integration component
o Separate installers; it would be nice to see them integrated more tightly with FIM
o Hotfixes require uninstalling and then reinstalling with the new files
[Diagram: OU hierarchy and role model. A Root Account OU contains OU 1 through OU 6 arranged as a tree; User 3, who sits in one of these OUs, can get or request Role 1. Role 1 maps to Permission 1 in App 1, Role 2 maps to Permission 2 in App 2, and Role 3 maps to Permission 3.]
Schema Extension
o You can't create additional object types
o You can create attributes and bind them to existing objects
Organizational Units (OUs) & Users
o A hierarchical concept to define your structure
o Users need to belong to one or more OUs
o OUs have types
◦ Default is root
◦ Create your own
o Define OU supervisor roles
o Define OU approvers (line managers)
Applications and Permissions
o Permissions are your groups
o Each permission is part of an application
Roles
o A collection of access rights and permissions
o A few things to consider when configuring the role model
Creating Objects in the BHOLD Database
o Another data store for the objects you manage: Organizational Units, Users, Applications, Permissions, Roles
o Objects can be created through BHOLD Core, the BHOLD Model Generator, or FIM Sync with the BHOLD MA
BHOLD Core Component
Pros
• Provides a definition for roles
• Adds users to multiple groups using one definition
Cons
• Limited to adding users to groups
• Requires additional provisioning logic
• Integration with other applications will require FIM Service/FIM Sync
• Maintains objects in another data store
Would I recommend BHOLD Core?
o Consider it for medium-size and large deployments that have a large number of security groups
o Less suited to deployments whose main goal is integrating with other systems, since it only manages group membership
Suggestions for Deploying BHOLD
o Don't include it as part of the initial FIM deployment
o Use a phased approach: don't try to integrate and automate every single application at once
o Maintain a role mapping criteria matrix
◦ Which role belongs to which OU?
Role Mapping Matrix (example)
[Table: OUs across the top (Root; Employees with child OUs Finance, Information Systems and Marketing; Contractors with child OU Creative Designs) and Roles 1 to 10 down the side. Each cell records how the role reaches the OU (Assigned or Inherited) and its status (Effective or Proposed), or N/A. Sample rows: Role 1 is Assigned/Effective in one OU and Inherited/Effective in its child OUs; Role 2 is N/A in some OUs, Assigned/Effective in one OU and Inherited/Effective in its child; Role 3 is Assigned/Proposed in one OU and Inherited/Proposed in its child; Roles 4 to 10 are blank.]
BHOLD Access Management MA
o Easy to create and configure
o Fairly stable in terms of runs
o Limited and locked in terms of object types
◦ OU
◦ Permissions
◦ Users
o A few challenges with provisioning
◦ The bholdFirstName and bholdLastName attributes come back with an "exported change not reimported" warning
◦ OUs need to be referenced through a reference attribute
o Unlike the FIM MA, you can write your own code
BHOLD Attestation
o One of the missing features of FIM
o It doesn't attest BHOLD roles; it attests that accounts should have those permissions
o If access is denied
◦ The user will still have the role
◦ Their account for that application will be inactive
o Campaigns allow you to attest accounts or permissions
o Campaigns have owners and stewards
◦ Can be configured using BHOLD Core
o Different ways to define stewards
◦ By OU
◦ By application
◦ By user
◦ Upload a file
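The OU tree with assigned versus inherited roles (role model slides and the role mapping matrix above), the effective versus proposed status a user can request to activate, and the attestation outcome just described (the user keeps the role, but the account for the denied application goes inactive and its groups stop being exported), worked through in a small Python model. This is an added example and not BHOLD's own code or data model: the OU names, roles, permissions, applications and users are constructed sample data, and the inheritance rule (nearest OU assignment wins) is an assumption made for illustration.

```python
"""Toy model of the BHOLD-style role model and attestation outcome described on
these slides. Added illustration, not BHOLD's own code or data model. Assumed:
roles assigned to an OU are inherited by its child OUs; an assignment is
"effective" (granted) or "proposed" (the user must request activation); a role
is a set of permissions, each a group in one application; denying an account in
attestation keeps the role but deactivates the account for that application, so
its groups are no longer exported. All names below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Permission:
    name: str          # the group name
    application: str   # every permission belongs to one application


@dataclass
class Role:
    name: str
    permissions: list[Permission]


@dataclass
class OU:
    name: str
    parent: "OU | None" = None
    roles: dict[str, str] = field(default_factory=dict)  # role -> "effective" | "proposed", assigned here

    def role_status(self):
        """Roles visible to this OU: assigned here or inherited from an ancestor; nearest wins."""
        resolved, node, depth = {}, self, 0
        while node is not None:
            for role_name, status in node.roles.items():
                resolved.setdefault(role_name, (status, "assigned" if depth == 0 else "inherited"))
            node, depth = node.parent, depth + 1
        return resolved


@dataclass
class User:
    name: str
    ous: list[OU]                                         # users belong to one or more OUs
    activated: set[str] = field(default_factory=set)      # proposed roles requested and approved
    inactive_apps: set[str] = field(default_factory=set)  # application accounts denied in attestation


def effective_roles(user):
    """Return (held, requestable): roles the user holds, and proposed roles they may request."""
    held, requestable = set(), set()
    for ou in user.ous:
        for role_name, (status, _origin) in ou.role_status().items():
            if status == "effective" or role_name in user.activated:
                held.add(role_name)
            elif status == "proposed":
                requestable.add(role_name)
    return held, requestable - held


def group_memberships(user, roles):
    """(application, group) pairs to export: permissions of held roles, minus inactive applications."""
    held, _ = effective_roles(user)
    return {(p.application, p.name) for r in held for p in roles[r].permissions
            if p.application not in user.inactive_apps}


def attest(user, application, decision):
    """Apply an attestation decision on the user's account for one application."""
    if decision == "deny":
        user.inactive_apps.add(application)  # the role stays; the account for this app goes inactive
    elif decision == "approve":
        user.inactive_apps.discard(application)
    else:
        raise ValueError(f"unknown decision {decision!r}")


def build_sample():
    """Constructed sample: Root -> Employees -> Finance and Root -> Contractors -> Creative Designs."""
    root = OU("Root")
    employees = OU("Employees", root, {"Role 1": "effective"})
    finance = OU("Finance", employees, {"Role 2": "effective", "Role 3": "proposed"})
    creative = OU("Creative Designs", OU("Contractors", root))
    roles = {"Role 1": Role("Role 1", [Permission("All-Staff", "App 1")]),
             "Role 2": Role("Role 2", [Permission("Finance-Readers", "App 2")]),
             "Role 3": Role("Role 3", [Permission("GL-Approvers", "App 2"),
                                       Permission("Ledger-Admins", "App 3")])}
    return roles, {"alice": User("alice", [finance]), "bob": User("bob", [creative])}


def walkthrough():
    """Run the slides' scenario for a Finance user and return a snapshot after each step."""
    roles, users = build_sample()
    alice = users["alice"]
    out = {"initial": effective_roles(alice), "initial_groups": group_memberships(alice, roles)}
    alice.activated.add("Role 3")                  # her request for the proposed role is approved
    out["after_activation"] = effective_roles(alice)
    out["after_activation_groups"] = group_memberships(alice, roles)
    attest(alice, "App 2", "deny")                 # attestation denies her App 2 account
    out["after_denial"] = effective_roles(alice)   # Role 3 is still held ...
    out["after_denial_groups"] = group_memberships(alice, roles)  # ... but the App 2 groups are gone
    out["contractor"] = effective_roles(users["bob"])  # nothing assigned or inherited
    return out


if __name__ == "__main__":
    for step, value in walkthrough().items():
        print(f"{step:24} {value}")
```

Running the script prints the snapshots in order: the Finance user inherits Role 1 from Employees and holds Role 2 directly, can only request Role 3, gains the Role 3 groups once the request is approved, and after the App 2 denial keeps all three roles while the exported groups drop to App 1 and App 3 only. The `group_memberships` result stands in for what the Access Management MA would push into the directory; the contractor in Creative Designs gets nothing because no role is assigned anywhere on that branch.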
BHOLD Integration
o An extension to the FIM Portal
o A rigid user interface based on Silverlight
o No customization
o Users can submit requests to activate proposed roles assigned to their OU
o Limitations in the out-of-the-box (OOB) approval process
o The Delegation button doesn't work (even after applying the latest hotfixes)
BHOLD Reporting
o Runs reports on BHOLD objects only
o Comes with several built-in reports that you can run and modify
o Create your own
Problems BHOLD Addresses
o Attestation: a component missing from FIM; however, you need BHOLD Core to use it
o BHOLD Core adds users to groups
◦ Alternatively, dynamic groups can be used
◦ If you are concerned about FIM Service performance with a large number of dynamic groups, implementing BHOLD Core is a good option
o Privileged accounts: we will soon have PAM
o Self-service: the BHOLD Integration user interface is rigid and not extensible
Open Discussion