Articles in this section

See more

Identity Panel to Safeguard your MIM Operations

Avatar
Bob Bradley (SIDM)
  • Created
  • Updated
Follow

As any organization with a MIM implementation will know, it is a constant battle to stay on top of a raft of operational and efficiency obstacles.  Even more importantly, there's always the constant risk that something will invariably go wrong!

These are exactly the moments where Identity Panel™ Framework and App comes to the fore, with its native tooling designed specifically to be your safe pair of hands.

Organizations striving to be Always On must also enforce a Zero Trust security model across all their digital systems, and to achieve this, a healthy and responsive Identity Management Platform is critical.

Yet while every organization values its digital security, all too often there is a tendency to be reactive and wait until incidents happen. It is far better to be proactive when ensuring day-to-day overall health, and this requires pro-active monitoring, and then responding to incidents in a timely fashion.

Your MIM experience until now

When it comes to most MIM implementations, business-as-usual (BAU) operations at the Service Desk (SD) level driving joiners/movers/leavers (JML) workflows while striving for continuous compliance is impeded by difficulties in:

  • secure remote access to multiple administration consoles
  • the timeliness and completeness of enough data to make the right decisions
  • the visibility of changes over time
  • mitigating vulnerabilities in bulk changes, particularly when upgrading or reconfiguring
  • the correlation of related identity information
  • ensuring confidence in system integrity immediately following configuration changes or upgrades
  • detecting configuration changes, either managed or unmanaged, and rolling back where necessary
  • recovering from unwanted configuration and or data changes
  • acquiring the necessary skills and understanding to correctly interpret data, and
  • multitasking and scheduling for competing priorities

Essentially the above amounts to an overall lack of adequate tooling, thereby placing increased demand on the necessary SD skills to compensate for this.

Your MIM experience with Identity Panel today

With Identity Panel, the SD experience is dramatically different within days:

  • full secure access is via a single browser-hosted operations console
  • informed decisions are made based on up to the minute data, including system changes
  • full identity history is natively presented via Time Traveller
  • readily adjusted change thresholds warn of unexpected changes before they are applied
  • correlation is presented unambiguously through context coloring and Contrails
  • what-if style reporting builds confidence prior to applying updates, backed by automated regression testing using Test Panel™ App
  • full configuration change history is logged, surfaced in a check-in report, enabling point-in-time configuration restoration
  • recovery options can now be put in place for when the unexpected does happen
  • skills are obtained within 1-2 days through hands-on interactive learning acquired through the SIDM Knowledge Pack(s)
  • SLAs are now achievable while SD load is reduced.

As MIM systems are migrated to the newer HyperSync Panel™ App platform, the great news is that this proven framework remains unchanged.

To learn more about how Identity Panel extends MIM see this Capability Comparison.

For peace of mind, implement Identity Panel

  • for a new or existing MIM solution with a MIM connector license
  • with a HyperSync license for a Greenfields or a migrated MIM solution

Become a safe pair of hands for your MIM operations and get Identity Panel directly from the Microsoft Azure Marketplace today.

Training

See A825 - Protecting the Organization with Identity Panel – Learn Identity Panel (softwareidm.com)

Test Drive now in our Demo Site

We have a MIM + Identity Panel demo site which is available for you to see this working for yourself.

Think about a simple scenario where you wish to confirm that (fictitious) active user Gus Daxie is still a current employee and therefore still entitled to be actively accessing company resources ...

To access for yourself anytime follow the following steps to start you on your journey:

  1. Browse to Home Page - Identity Panel
  2. Click on the Demo button (anonymous access option) and you will see a page like this (a sample dashboard of current MIM (you can add AAD Connect) activity - noting this one is geared to focus specifically on AD sync and password resets:
  3. Type the name Gus in the Search Time Traveler field (top right), hit Enter on your keyboard to see the matches across systems, then click on the arrow icon next to the silo MIM: Metaverse
  4. Click on the user record for Gus Daxie to see his identity details to see how they span the enterprise and cloud corporate networks:

  5. Note in the above the yellow highlighted values GDaxie are common across most silos.  Identity Panel uses join rules to define relationships between user identity attributes across both on premises and the cloud.
  6. Note also that in the third attribute in the MIM: Metaverse silo for Gus is the attribute accountEnabled, and it shows a value of true (active).  The question is how current is this?  Click on the attribute to see when it was last updated (noting that by the time you are looking at this yourself it could have changed since):
  7. In the top left corner of the "Time Traveler" click on the down arrow next to the date value displayed to select the date where a change was detected for user Gus in the silo in focus (MIM: Metaverse in this case):

  8. Click on the date to see what changed (attributes in green highlight across multiple silos in our case):
  9. We can now use the Contrails feature to examine from where the accountEnabled value was derived.  Click on this icon on the right of the pencil in the column header for MIM: Metaverse:
  10. The user title bar will become blue as follows and the Contrails icon becomes an X:
  11. Click on the accountEnabled attribute to see the contributing attribute flows:
  12. Notice the purple lines have arrow heads indicating the direction of flow. In this case we have an inbound attribute flow (IAF) from the EMPSTATUS attribute (value A for active) in the MIM: PeopleSoft silo, and then an outbound/export flow (EAF) to userAccountControl in MIM: Active Directory (value 512 for an enabled user account).  Click on the [?] icon for each of the IAF and EAF flows to examine the rule details.

    1. IAF (to the MIM Metaverse):

      ... from which we can deduce that the Contains function must have returned true because of the value A being one of the valid values ALPS.
    2. EAF (to the AD user account):

      ... and with some basic Active Directory context knowledge of the userAccountControl user account property we can now deduce that (MIM) synchronization with the PeopleSoft value of A has resulted in the value 512 (in this case our system constant value special.AD.NORMAL_ACCOUNT) being written to AD, thereby enabling Gus' user account.
      Now we wish to find out exactly when this happened ...
  13. Back in the Time Traveler date picker select an earlier date value from the drop-down list:
  14. From the following we are looking at a time when there was no Azure AD identity joined for our employee Gus (we can see no ADConnect:* silos, and Identity Panel was unable to find matches for all the join rules at this time):
  15. By examining the subsequent chronological changes we can trace the steps back to see what was changed and when, and thereby deduce how our user account came to be enabled across both on premises and cloud systems.  By subsequently selecting the 2:15 pm date we note that the ADConnect silos are displayed once more:

    ... and by hovering over the mail property in this case we can see (in yellow highlight) matching mail values across each silo.
  16. The following is an extract from the settings within Identity Panel which lifts the lid just enough to see how selected silos are connected for our user:

So to summarize, we are able to use the Time Traveler to look back over recent change history for specific attributes to determine that our user Gus is indeed entitled to be actively authenticating and accessing company resources across all on premises and cloud environments!

Related articles

Comments

0 comments

Please sign in to leave a comment.