Ensuring Identity Consistency [Auto-Consistency Manager]

Raju Bhan here… I’m the Senior Security PM in the Information Security Tools Team at Microsoft. Before choosing to be a PM, I was a developer, and one of my projects was AutoConsistency Manager. AutoConsistency was all about ensuring identity consistency across different data sources. Before going into the challenges my team faced building the solution, it’s necessary to explain what this project does and how it was designed. Lucky for me, this project ended up as an IT Showcase, so it is easy for me to copy and paste. The following are some snippets from the showcase:

Requirements for AutoConsistency

· Enhance consistency-checking functionality. Migrate existing consistency-checking functionality from the earlier consistency-checking tool to MIIS 2003.

· Implement automated correction features. Enable automatic updates of enterprise directory data.

· Consider exception scenarios. Detect exception scenarios and take appropriate action, based on whether an exception exists.

· Automate reporting and alerting. Send email notifications and generate detailed reports of inconsistencies identified.

· Allow for extensibility and flexibility. Incorporate the ability to easily configure new business requirements.

In collaboration with our Identity teams, my team designed a solution that leveraged Microsoft Identity Integration Server (MIIS). MIIS has since evolved into Forefront Identity Manager (FIM); more on that here.

Architecture

MIIS 2003 uses management agents and a well-defined set of synchronization rules to control how data flows between a connected data source and the MIIS 2003 database, which is known as the metaverse. The metaverse contains the aggregated identity information from all connected data sources stored in a set of tables in a Microsoft SQL Server 2000 database. The connector space is a staging area that contains representations of objects and their attributes from a connected data source. Management agents use the connector space to stage incoming changes for import to the metaverse and stage outgoing changes for export to the connected data source.

The main components of AutoConsistency Manager include management agents to connect to the identity stores, custom business logic to implement the business rules, and Web-enabled reports to record discrepancies. The XIT team configured management agents to connect MIIS 2003 to the account provisioning system, to four of the six Microsoft IT–managed Active Directory forests, to the security exceptions database, and to the holding table. To implement the business rules, the XIT team extended each management agent by creating a rules extension to store custom business logic.
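As an added illustration (not code from the post, and not the MIIS 2003 or rules-extension API), the following Python models the flow the two paragraphs above describe and the requirements listed earlier: each connected source is staged as a connector space, joined into a metaverse keyed on employee id, evaluated against business rules the way a rules extension would be, checked against the security exceptions database, and then split into automated corrections (exports back to the forest), a holding table for findings that need a human, and a report. The data sources, employee ids, rule names and the holding-table semantics are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (not from the original post): an authoritative
# account-provisioning feed and two Active Directory forests, each seeded
# with one kind of inconsistency.
PROVISIONING = {
    "e1001": {"status": "active", "mail": "alice@contoso.example"},
    "e1002": {"status": "terminated", "mail": "bob@contoso.example"},
    "e1003": {"status": "active", "mail": "carol@contoso.example"},
}
FORESTS = {
    "corp": {
        "e1001": {"enabled": True, "mail": "alice@contoso.example"},
        "e1002": {"enabled": True, "mail": "bob@contoso.example"},        # terminated, still enabled
        "e1003": {"enabled": True, "mail": "carol.old@contoso.example"},  # stale mail attribute
        "e1004": {"enabled": True, "mail": "dave@contoso.example"},       # no provisioning record
    },
    "dev": {
        "e1001": {"enabled": True, "mail": "alice@contoso.example"},
        "e1002": {"enabled": False, "mail": "bob@contoso.example"},
        # e1003 has no account in this forest
    },
}
# Security exceptions database (assumed shape): approved (employee, forest, rule) triples.
EXCEPTIONS = {("e1003", "dev", "missing-account")}


@dataclass(frozen=True)
class Finding:
    employee: str
    forest: str
    rule: str
    detail: str


def build_metaverse(provisioning, forests):
    """Aggregate every connector space into one view keyed on the employee id anchor."""
    metaverse = {}
    for emp, attrs in provisioning.items():
        metaverse.setdefault(emp, {})["provisioning"] = attrs
    for forest, connector_space in forests.items():
        for emp, attrs in connector_space.items():
            metaverse.setdefault(emp, {})[forest] = attrs
    return metaverse


def evaluate_rules(metaverse, forest_names):
    """Business rules a rules extension would hold; provisioning is authoritative."""
    findings = []
    for emp, views in sorted(metaverse.items()):
        prov = views.get("provisioning")
        if prov is None:  # account exists somewhere but nobody provisioned it
            for forest in forest_names:
                if forest in views:
                    findings.append(Finding(emp, forest, "orphan-account", "no provisioning record"))
            continue
        for forest in forest_names:
            acct = views.get(forest)
            if acct is None:
                if prov["status"] == "active":
                    findings.append(Finding(emp, forest, "missing-account", "active employee has no account"))
                continue
            if prov["status"] == "terminated" and acct["enabled"]:
                findings.append(Finding(emp, forest, "stale-enabled", "terminated employee still enabled"))
            if acct["mail"] != prov["mail"]:
                findings.append(Finding(emp, forest, "mail-mismatch", f"{acct['mail']} != {prov['mail']}"))
    return findings


def triage(findings, metaverse, exceptions):
    """Split findings into exports (safe automated fixes), holding (needs a person) and excepted."""
    exports, holding, excepted = [], [], []
    for f in findings:
        if (f.employee, f.forest, f.rule) in exceptions:
            excepted.append(f)
        elif f.rule == "stale-enabled":  # disabling is reversible, so it is automated
            exports.append({"forest": f.forest, "employee": f.employee, "set": {"enabled": False}})
        elif f.rule == "mail-mismatch":  # copy the authoritative value outward
            mail = metaverse[f.employee]["provisioning"]["mail"]
            exports.append({"forest": f.forest, "employee": f.employee, "set": {"mail": mail}})
        else:  # creating or deleting accounts is never done without review
            holding.append(f)
    return exports, holding, excepted


def run_consistency_check(provisioning, forests, exceptions):
    metaverse = build_metaverse(provisioning, forests)
    findings = evaluate_rules(metaverse, list(forests))
    exports, holding, excepted = triage(findings, metaverse, exceptions)
    return {"findings": findings, "exports": exports, "holding": holding, "excepted": excepted}


def format_report(result):
    """Lines for the e-mail notification / web report, one per finding with its disposition."""
    disposition = {id(f): "excepted" for f in result["excepted"]}
    disposition.update({id(f): "holding" for f in result["holding"]})
    lines = [f"{len(result['findings'])} inconsistencies, {len(result['exports'])} auto-corrected"]
    for f in result["findings"]:
        lines.append(f"{f.employee} {f.forest} {f.rule}: {f.detail} [{disposition.get(id(f), 'corrected')}]")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(run_consistency_check(PROVISIONING, FORESTS, EXCEPTIONS))))
```

The split in `triage` is the point worth keeping when adapting this: attribute fixes and disables flow back automatically, while anything that would create or remove an account lands in the holding table, and an approved exception is still reported rather than silently dropped, so the exceptions database is auditable.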


More details on the architecture and benefits of Auto-Consistency Manager can be found in the “Microsoft IT Showcase” here.

Next time, I will explain how this platform evolved into tools we build on today and some of the challenges we faced in creating this platform.