The Vault!
Rate this post

Vault
The vault or more precisely the “Identity Vault” is a single pane view of all the collated data of your users, from the various data source repositories. This sounds like a lot of jargon but it’s quite simple really.
In the diagram below we look at a really simple attribute firstName (givenName within AD) DataFlow
As you will see at the centre is the attribute, and branching off this is all the Connected Systems, i.e. Active Directory. What this doesn’t illustrate very well is the specific data flow, where this data is coming from and where it’s going to. This comes down to import and export rules as well as any precedence rules that you need to put in place.
The Identity Vault, or Central Data Repository, provides a central store of an Identities information aggregated from a number of sources. It’s also able to identify the data that exists within each of the connected systems from which it either collects the identity information from or provides the information to as a target system. Sounds pretty simple right?
Further to all the basics described above, each object in the Vault has a Unique Identifier, or an Anchor. This is a unique value that is automatically generated when the user is created to ensure that regardless of what happens to the users details throughout the lifecycle of the user object, we are able to track the user and update changes accordingly. This is particularly useful when you have multiple users with the same name for example, it avoids the wrong person being updated when changes occur.

AttributeUser 1User 2
FirstNameJohnJohn
LastNameSmithSmith
DepartmentSalesSales
UniqueGUID1029413218274932

So the table above provides the most simplest forms of a users identity profile, whereas a complete users identity profile will consist of many more attributes, some of which maybe custom attributes for specific purposes, as in the example demonstrated below;

AttributeContributingMAValue
AADAccountEnabledAzureAD UsersTRUE
AADObjectIDAzureAD Users316109a6-7178-4ba5-b87a-24344ce1a145
accountNameMIM Servicejsmith
cnPROD CORP ADJoe Smith
companyPROD CORP ADContoso Corp
csObjectIDAzureAD Users316109a6-7178-4ba5-b87a-24344ce1a145
displayNameMIM ServiceJoe Smith
domainPROD CORP ADCORP
EXOPhotoExchange Online PhotosSystem.Byte[]
EXOPhotoChecksumExchange Online Photos617E9052042E2F77D18FEFF3CE0D09DC621764EC8487B3517CCA778031E03CEF
firstNamePROD CORP ADJoe
fullNamePROD CORP ADJoe Smith
mailPROD CORP ADjoe.smith@contoso.com.au
mailNicknamePROD CORP ADjsmith
o365AccountEnabledOffice365 LicensingTRUE
o365AssignedLicensesOffice365 Licensing6fd2c87f-b296-42f0-b197-1e91e994b900
o365AssignedPlansDeskless, MicrosoftCommunicationsOnline, MicrosoftOffice, PowerAppsService, ProcessSimple, ProjectWorkManagement, RMSOnline, SharePoint, Sway, TeamspaceAPI, YammerEnterprise, exchange
o365ProvisionedPlansMicrosoftCommunicationsOnline, SharePoint, exchange
objectSidPROD CORP ADAQUAAAAAAAUVAAAA86Yu54D8Hn5pvugHOA0CAA==
snPROD CORP ADSmith
sourcePROD CORP ADWorkDay
userAccountControlPROD CORP AD512
userPrincipalNamePROD CORP ADjsmith@contoso.com.au

So now we have more complete picture of the data, where it’s come from and how we connect that data to a users’ identity profile. We can start to look at how we synchronise that data to any and all Managed targets. It’s very important to control this flow though, to do so we need to have in place strict governance controls about what data is to be distributed throughout the environment.
One practical approach to managing this is by using a data exchange agreement. This helps the organisation have a more defined understanding of what data is being used by what application and for what purpose, it also helps define a strict control on what the application owners can do with the data being consumed for example, strictly prohibiting the application owners from sharing that data with anyone, without the written consent of the data owners.
In my next post we will start to discuss how we then manage target systems, how we use the data we have to provision services and manage the user information through what’s referred to as synchronisation rules.
As with all my posts if, you have any questions please drop me a note.
 

Category:
Architecture, Azure Infrastructure, Business Value, Cloud Infrastructure, FIM, Identity and Access Management, Security, Strategy
Tags:
, , ,

Leave a Reply

  Subscribe  
Notify of
Follow Us!

Kloud Solutions Blog - Follow Us!