SIA304 Enterprise Identity and Access Management Solutions
陳明吉, Technical Consultant, 德瑞數位科技股份有限公司
Agenda
 - Identity and access management (IDM) overview
 - Forefront Identity Manager 2010 R2
 - Launching your IDM project
 - Applying AD delegated authorization
 - Q/A
Why identity and access management?
Today's enterprises need their IT services to keep gaining agility and capability. The growing demand for resource authorization management creates heavy administrative overhead. As an administrator, you must securely and efficiently enable people (inside or outside the enterprise) to get their work done. At the same time you face continual, complex problems such as forgotten passwords, changing roles and changing business relationships.
The administrator's dilemma: how much do you know about identities?
 - More and more system accounts must be created, managed and removed
 - How do you define permissions and roles for organizations or people?
 - Portal, ERP: how do you integrate the databases of legacy systems?
 - Risk: nobody knows how many enterprise information-system permissions any given user actually holds (network security)
(Diagram: the system administrator surrounded by the account types to manage: ERP accounts, Workflow accounts, UNIX/Linux/FTP accounts, e-mail accounts, firewall accounts, in-house application accounts, database accounts, AD domain accounts.)
How many accounts and passwords do users have to remember?
 - Too many accounts and passwords; easy to forget
 - "The help desk line is busy.., we'll set it up for you tomorrow!"
 - System access requests and change procedures are complicated and take days
 - Passwords must be changed every three months and may not be reused
 - Every password has to pass a security check, which is a real nuisance!!
(Diagram: AD domain, e-mail, Workflow, applications/ERP.)
You need an automated identity provisioning management platform
(Diagram: identity populations on one side (suppliers, executives, sales staff, regular employees, customers, IT administrators, departed employees) feed a platform governed by policies, roles and rules under an authorization administrator, which provisions the AD domain and Exchange, CRM, the Workflow system, the HR system and the payroll system.)
Forefront Identity Manager (FIM) is built to help you handle these management challenges in a dynamic environment. Managing with FIM makes the major complex problems you face easier to solve and raises your enterprise's operating efficiency.
The evolution of FIM 2010 R2
Timeline:
 - 1997: acquired LinkAge Directory Exchange
 - 1999: Active Directory; acquired Zoomit Via; Metadirectory Services
 - 2003: Identity Integration Server 2003
 - 2005: acquired Alacris
 - 2007: Identity Lifecycle Manager 2007; Identity Lifecycle Manager 2007 FP1
 - 2010: FIM 2010; AD FS 2.0
 - 2011: acquired Bhold technologies; FIM 2010 R2
New in FIM 2010 R2: Web based password reset, Reporting, Simplified deployment and troubleshooting, Enhanced performance, Enhanced MA connectivity, Added language support
Capabilities carried forward from earlier releases: Office Integration for Self-Service, Declarative Provisioning, Group & DL Management, Workflow and Policy, Support for 3rd Party CAs, Identity Synchronization, User Provisioning, Certificate and Smartcard Management
Common platform: User Management, Group, Credential, Workflow, Connectors, Logging, Web Service API, Synchronization, Policy
Automated provisioning, data consolidation and enterprise metadirectory services
(Diagram: an HR System record for Terry Adams (Title Sales Manager, Dept Sales, Mgr Melissa Meyers, EmplID 123, Phone 555-1212, Email tadams@litware.com) passes through FIM 2010 Workflow into an integrated and federated common identity across AD (Givenname Terry, Surname Adams, Phone 555-1234, LoginID Tadams, Email tadams@litware.com), LDAP, Exchange, SharePoint, web sites, line-of-business apps, file/print, the private cloud and public cloud PaaS/SaaS (Windows Azure, Office 365). Group membership and user attributes are generated automatically, e.g. the groups "Melissa's Directs", "All in Sales" and "Sales App Owners".)
Forefront Identity Manager 2010 R2
 - Empowered users: self-service portal, easy-to-use interface, higher productivity
 - Simplified digital identity lifecycle management: heterogeneous data integration, convenient management procedures, high scalability
 - Stronger security and regulatory compliance: role-based access control, audit and reporting services integrated with SCSM
Forefront Identity Manager 2010 R2: Empowered users (self-service portal, easy-to-use interface, higher productivity)
User self-service data management
Users can maintain their own personal data through the FIM portal and have it synchronized to the other data sources, for example writing an updated mobile phone number back to AD and the HR system. Data can also be edited directly in AD and written back to the HR system through FIM.
Group management
 - Groups can be generated from user attributes, including dynamic groups (making up for AD's lack of dynamic group membership)
 - Integrates with groups and contacts in Microsoft Office Outlook® for overall productivity
Microsoft Office integration (3/7/2017)
 - The FIM add-in supports group management and approvals in Outlook 2010
 - Add support for 32-bit and 64-bit Outlook 2010
 - Add-in localized to 33 languages, as for Outlook 2007
 - The FIM portal supports SharePoint 2010
 - Can install FIM portal on the newest version of SharePoint Foundation
 - Seamless installation experience
 - Continued support for WSS 3 (SharePoint 2007)
 - Same UI experience on both platforms
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Self-service password management
 - Users can change their password from the Windows logon screen or from a browser
 - Greatly reduces the load on the IT help desk
(Diagram: the end user requests a password reset; the FIM Server updates the password in Active Directory, Oracle, SQL Server, IBM DS and LDAP.)
FIM 2010 R2 password management reference architecture
(Diagram: on the Internet side, end users on a browser or mobile phone reach a reverse proxy; on the intranet, IIS hosts the FIM Password Reset Portal and the FIM Password Registration Portal in front of the FIM Service and FIM Sync Service, which update Active Directory and optionally other directories. Windows end users can use the FIM Password Reset Extensions (optional); the FIM administrator manages through the SharePoint-hosted FIM Portal in Internet Explorer. An e-mail provider and an SMS provider are optional.)
Forefront Identity Manager 2010 R2: Simplified digital identity lifecycle management (heterogeneous data integration, convenient management procedures, high scalability)
Automated provisioning, de-provisioning and role updates
 - Provides identity provisioning workflow services
 - Automatically synchronizes user information to every data store across the enterprise
 - Automates the account activation procedure for new-hire onboarding
 - Real-time synchronization prevents unauthorized access to enterprise data
(Diagram: a new record in the HR System triggers a Workflow user enrollment with manager approval; FIM then provisions the user into Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB and FIM CM.)
"With Forefront Identity Manager, we are able to streamline tactical processes, while at the same time provide strategic business value through a cohesive identity and access management solution." Scott Weir, IT Manager–Desktop Architecture, First American Title Insurance Company. Source: http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000006604
Automated provisioning, de-provisioning and role updates (continued)
(Diagram: a user de-provisioning or role change in the HR System starts the Workflow; FIM then deletes or disables the user in Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB and FIM CM.)
Identity data synchronization and consistency (health): Identity Data Aggregation
Identity synchronization across multiple directories. Each attribute has one owning (authoritative) source:
 Attribute    Owner
 FirstName    HR System
 LastName     HR System
 EmployeeID   HR System
 Title        SQL Server DB
 E-Mail       Active Directory / Exchange
 Telephone    LDAP
Values held by each source before aggregation (blank = not set):
 Source                       givenName  sn        title        mail                 employeeID  telephone
 HR System                    Samantha   Dearing                                     007
 SQL Server DB                Samara     Darling   Coordinator                       007
 Active Directory / Exchange  Sam        Dearing   Intern       someone@example.com  007
 LDAP                         Sammy      Dearling                                    008         555-0129
Aggregated Identity Manager record: givenName Samantha, sn Dearing, employeeID 007, title Coordinator, mail someone@example.com, telephone 555-0129.
Identity data synchronization and consistency (health): Identity Data Brokering (Convergence)
The "incorrect or missing data" callouts mark source values that disagree with the owning source (the name spellings in SQL Server DB, Active Directory / Exchange and LDAP, the title "Intern" in Active Directory / Exchange, and employeeID 008 in LDAP) or that are absent. After brokering, the authoritative values are written back, so every source converges on the same record: givenName Samantha, sn Dearing, title Coordinator, mail someone@example.com, employeeID 007, telephone 555-0129.
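The aggregation and brokering shown on the two slides above, as an added example that is not part of the presentation or of FIM itself. It models attribute ownership as a precedence table, joins connector records to the HR anchor on employeeID (with an administrator-confirmed manual join for the LDAP record whose employeeID is wrong, and an extra constructed stray record that cannot be joined at all), builds the metaverse record from the owning source only, and then lists the export writes each source needs to converge. The source names, record keys and the manual-join table are assumptions; the attribute values are the slide's example.

```python
# Added example (not FIM's own code): a model of attribute ownership
# (precedence) aggregation and brokering across several identity sources.

# Attribute ownership: the connected system that is authoritative for each
# attribute. Values for an attribute coming from any other source are ignored
# on import and overwritten on export.
OWNERSHIP = {
    "givenName": "HR", "sn": "HR", "employeeID": "HR",
    "title": "SQL", "mail": "AD", "telephone": "LDAP",
}
ANCHOR_SOURCE = "HR"  # HR owns employeeID, so HR records anchor the join

# Constructed connector-space records; the values are the slide's example.
SOURCES = {
    "HR":   [{"dn": "hr:1", "givenName": "Samantha", "sn": "Dearing",
              "employeeID": "007"}],
    "SQL":  [{"dn": "sql:1", "givenName": "Samara", "sn": "Darling",
              "title": "Coordinator", "employeeID": "007"}],
    "AD":   [{"dn": "ad:1", "givenName": "Sam", "sn": "Dearing", "title": "Intern",
              "mail": "someone@example.com", "employeeID": "007"}],
    "LDAP": [{"dn": "ldap:1", "givenName": "Sammy", "sn": "Dearling",
              "employeeID": "008", "telephone": "555-0129"},
             # constructed stray record with no matching HR anchor at all
             {"dn": "ldap:2", "givenName": "Bob", "sn": "Nobody",
              "employeeID": "999"}],
}

# Joins an administrator has confirmed by hand for records whose employeeID
# does not match (the LDAP record above carries the wrong ID, 008). Constructed.
MANUAL_JOINS = {("LDAP", "ldap:1"): "007"}


def resolve_join(source, record, anchors, manual_joins):
    """Join rule: exact employeeID match against an HR anchor, otherwise an
    administrator-confirmed manual join, otherwise None (left unjoined)."""
    eid = record.get("employeeID")
    if eid in anchors:
        return eid
    return manual_joins.get((source, record["dn"]))


def aggregate(sources, manual_joins):
    """Import: build one metaverse record per HR anchor, taking each attribute
    only from its owning source. Returns (metaverse, joined, unjoined)."""
    anchors = {r["employeeID"] for r in sources[ANCHOR_SOURCE]}
    metaverse = {eid: {} for eid in anchors}
    joined, unjoined = {}, []
    for source, records in sources.items():
        for rec in records:
            eid = resolve_join(source, rec, anchors, manual_joins)
            if eid is None:
                unjoined.append((source, rec["dn"]))  # needs review, not flowed
                continue
            joined[(source, rec["dn"])] = eid
            for attr, owner in OWNERSHIP.items():
                if owner == source and attr in rec:
                    metaverse[eid][attr] = rec[attr]
    return metaverse, joined, unjoined


def broker(metaverse, joined, sources):
    """Export: for every joined record, list the attribute writes needed so
    the source converges on the authoritative values."""
    changes = []
    for (source, dn), eid in joined.items():
        rec = next(r for r in sources[source] if r["dn"] == dn)
        for attr, wanted in metaverse[eid].items():
            if rec.get(attr) != wanted:
                changes.append((source, dn, attr, rec.get(attr), wanted))
    return sorted(changes, key=lambda c: c[:3])


if __name__ == "__main__":
    mv, joined, unjoined = aggregate(SOURCES, MANUAL_JOINS)
    print("metaverse:", mv)
    print("unjoined (need review):", unjoined)
    for change in broker(mv, joined, SOURCES):
        print("export %s %s: %s %r -> %r" % change)
```

Running it prints the converged record, the one record left unjoined for review, and the per-source writes; note that the HR record never receives writes for the attributes it owns, and that the LDAP employeeID 008 is corrected to 007 only because of the explicit join.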
Data synchronization rules
 - FIM 2010 exchanges data with other data sources through Management Agents (MAs)
 - During synchronization, the MA's synchronization rules define how the data is synchronized: Join, Provisioning, Attribute flows, Data cleanup
(Diagram: Attribute Flow, Provision, Join.)
Account synchronization management rules
Configured through the FIM 2010 R2 synchronization mechanism and its rule settings, including:
 - attribute mapping rules
 - data lookup rules
 - data creation rules
 - data storage location rules
 - event transformation rules
 - Administrators can set the password synchronization direction for each application.
 - Password initialization, reset and similar management functions are supported.
 - Data validity checks during synchronization are supported: if required data has not been produced yet, the synchronization is held and resumes automatically once the data exists. For example, the HR record may not yet contain an e-mail address; it is not synchronized until the e-mail address has been entered.
Account synchronization management rules (continued)
 - To meet each application's needs, the synchronization schedule and trigger method can be set per synchronized data source.
 - The administrative organization currently stored as relational tables in the administrative systems is synchronized automatically into the tree-structured directory service; when the organization changes in the relational database, the organization in the directory service is synchronized in real time.
 - Organization synchronization must automatically generate the groups an organizational function needs, such as an IT department group or a personnel office group.
 - Person synchronization must automatically add each person to the groups implied by their unit and title. For example, the head of the IT department automatically becomes a member of the first-level managers group.
 - When a person changes, the related groups must change along with the directory organizational unit.
Account synchronization example: HR data synchronized to the AD metadirectory
(Diagram: relational tables/views in the ERM system (unit data, person data, group data) are synchronized, under policies, roles and rules, into the AD metadirectory's tree of organizational units, groups and people.)
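The rules on the three slides above (held provisioning when a required attribute such as e-mail is missing, organization rows mapped to an OU tree, groups derived from unit and title, and group and OU changes following a person change), as one added example that is not part of the presentation or of FIM. The HR rows, unit tree, group names, the "Director" title rule and the directory model are all constructed assumptions.

```python
# Added example (not FIM's own code): a model of rule-driven provisioning from
# relational HR rows into a directory tree, with held provisioning when a
# required attribute is missing, group membership derived from unit and title,
# and de-provisioning on termination. All names, units and titles are constructed.
import copy

BASE_DN = "DC=example,DC=com"
REQUIRED_FOR_PROVISION = ("employeeID", "givenName", "sn", "mail")
MANAGER_TITLES = {"Director"}  # titles whose holders join the managers group

# Constructed relational rows standing in for the HR system's tables/views.
UNITS = {
    "U10": {"name": "IT", "parent": None},
    "U11": {"name": "Infrastructure", "parent": "U10"},
    "U20": {"name": "Personnel", "parent": None},
}
PEOPLE = [
    {"employeeID": "001", "givenName": "Ann", "sn": "Lee", "unit": "U10",
     "title": "Director", "mail": "ann@example.com", "status": "active"},
    {"employeeID": "002", "givenName": "Ben", "sn": "Wu", "unit": "U11",
     "title": "Engineer", "mail": None, "status": "active"},  # no mail yet
    {"employeeID": "003", "givenName": "Cai", "sn": "Lin", "unit": "U20",
     "title": "Specialist", "mail": "cai@example.com", "status": "active"},
]


def next_run_people():
    """HR rows as they look on the next run: Ben's mail has been entered,
    Ann has moved to Personnel, and Cai has been terminated."""
    people = copy.deepcopy(PEOPLE)
    people[1]["mail"] = "ben@example.com"
    people[0]["unit"] = "U20"
    people[2]["status"] = "terminated"
    return people


def ou_path(unit_id, units=UNITS):
    """Map a relational unit row to its OU path in the directory tree."""
    parts = []
    while unit_id is not None:
        parts.append("OU=" + units[unit_id]["name"])
        unit_id = units[unit_id]["parent"]
    return ",".join(parts + [BASE_DN])


def groups_for(person, units=UNITS):
    """Groups derived from the person's unit and title."""
    groups = {"Unit-" + units[person["unit"]]["name"]}
    if person["title"] in MANAGER_TITLES:
        groups.add("First-Level Managers")
    return groups


def missing_attributes(person):
    return [a for a in REQUIRED_FOR_PROVISION if not person.get(a)]


def sync(directory, people):
    """One synchronization run. Mutates `directory` (employeeID -> account)
    and returns what happened, keyed by outcome."""
    report = {"provisioned": [], "held": [], "updated": [], "disabled": []}
    for p in people:
        eid = p["employeeID"]
        if p["status"] != "active":
            account = directory.get(eid)
            if account and account["enabled"]:
                account["enabled"] = False
                account["groups"] = set()  # de-provisioning drops all access
                report["disabled"].append(eid)
            continue
        missing = missing_attributes(p)
        if missing:
            report["held"].append((eid, missing))  # retried on the next run
            continue
        desired = {
            "dn": "CN=%s %s,%s" % (p["givenName"], p["sn"], ou_path(p["unit"])),
            "mail": p["mail"], "groups": groups_for(p), "enabled": True,
        }
        if eid not in directory:
            directory[eid] = desired
            report["provisioned"].append(eid)
        elif directory[eid] != desired:  # unit/title change moves OU and groups
            directory[eid] = desired
            report["updated"].append(eid)
    return report


if __name__ == "__main__":
    directory = {}
    print(sync(directory, PEOPLE))
    print(sync(directory, next_run_people()))
    for eid, account in directory.items():
        print(eid, account)
```

The first run provisions Ann and Cai and holds Ben because his e-mail is empty; the second run provisions Ben once the address exists, moves Ann's account and unit group to Personnel while keeping her managers-group membership, and disables Cai with all group memberships removed. A third run with the same rows changes nothing, which is the idempotence a scheduled synchronization needs.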
Forefront Identity Manager 2010 R2: Stronger security and regulatory compliance (role-based access control, audit and reporting services integrated with SCSM)
Audit report architecture
Reporting in System Center Service Manager based on SQL Server Reporting Services (SSRS).
(Diagram: the HR System record for Terry Adams (Title Sales Manager, Dept Sales, Mgr Melissa Meyers, EmplID 123, Username Tadams, Phone 555-1212, Email tadams@litware.com) flows through FIM 2010 Workflow into AD and LDAP (Givenname Terry, Surname Adams, Phone 555-1234, LoginID Tadams). FIM change data is staged into the System Center Service Manager repository and data warehouse, and reports are delivered through SSRS, the SSRS web service and the SCSM console.)
Example user identity history report
 User Name     User ID   Operation    Attribute                              Value               Requestor    Committed Time      Request
 Colin Wilcox  {732d2…}  Remove User                                                             FIM Service  2/13/2011 01:22:00  {532aa…}
 Colin Wilcox  {732d2…}               Manager                                gfort (Garth Fort)               9/22/2006 08:55:28  {8457b…}
                                      Employee Type                          FTE
 Colin Wilcox  {732d2…}  Add          Display Name / First Name / Last Name  Colin Wilcox                     5/2/2002 08:32:11   {126da…}
                                      Manager                                samanthas
                                      Employee Type                          Contractor
Colin was synchronized from the HR system through FIM in 2002; Samantha Smith was his first manager. In 2006 Colin became a full-time employee and his manager changed to Garth. Colin left the company in 2011.
1. Build the FIM 2012 R2 platform
2. Strengthen the use of AD delegated authorization to raise the IDM project's ROI
Launching your IDM project
 - Based on the enterprise's business and IT environment and its main application systems, determine the requirements for the AD metadirectory.
 - Analyze the other data sources, the data requirements and the requirements for integrating the other application systems.
 - Design the data synchronization flows and the password management policy.
 - Design the access control model and security policy (delegated authorization management).
 - Choose FIM 2012 as the IDM server.
 - Test and collect feedback.
 - Go live.
AD metadirectory design overview
 - Directory Information Tree: fits the organization's characteristics, its authorization model, its management style and its security policy
 - Access Control Model: role principles, time principles, transaction principles, service-content principles, generic rights (R/W/D/E/C), security policy, network environment, resource-sharing policy; makes use of AD's own Access Control Information; uses role groups (dynamic, static and nested groups)
 - Authentication: password/certificate verification modes
 - Authorization
Web-based AD organizational delegated management
 - Directly maintain the organizational units of the organization tree
 - Directly set a group's members, group mailbox, permissions and similar data
 - Directly set a user's e-mail, quota and other personal information
 - Quickly add people to groups and move people to other units
 - Use this flexible organization for delegated resource management and authorization
Beyond managing organizational units, groups and people, how else can we use AD's powerful delegated authorization management?
Application authorization management (single sign-on)
We model each application system as an object designed as an OU in Windows AD, and grant it to the organizational groups or members that were synchronized earlier through FIM.
Use the web-based AD management interface to store each application system's execution attributes in AD.
Use AD's own access control lists (ACLs) to set the permission to run each application system. Taking the official-document integration system as an example, grant it to the "common systems" role:
 - Expand the agency's organization
 - Select the group or person
 - Set the permission
The application menu a user sees after logging in to SharePoint.
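The authorization model of the last four slides (an application represented as an OU, an ACL on that OU granting execute rights to a role group, nested groups from the FIM-synchronized organization, and the resulting per-user application menu), as an added example that is not part of the presentation or of AD itself. The OU names, group names, users, application attributes and ACEs are constructed; the evaluation order (a matching explicit deny wins, otherwise at least one matching allow is required) follows the canonical ordering of an AD DACL but is simplified to a single "execute" right.

```python
# Added example (not the product's code): a model of application authorization
# through ACLs on per-application OUs, with nested role groups resolved
# transitively. OU names, groups, users and ACEs are all constructed.

# Application objects modelled as OUs under OU=Apps, with the attributes the
# SharePoint menu needs.
APP_OUS = {
    "OU=DocFlow,OU=Apps,DC=example,DC=com": {
        "displayName": "Official Document Integration",
        "url": "https://docflow.example.invalid/"},
    "OU=Payroll,OU=Apps,DC=example,DC=com": {
        "displayName": "Payroll", "url": "https://payroll.example.invalid/"},
}

# ACLs on the application OUs: (type, trustee, right). Explicit deny ACEs
# take precedence over allows, as in a canonically ordered AD DACL.
ACLS = {
    "OU=DocFlow,OU=Apps,DC=example,DC=com": [
        ("allow", "Common-Systems", "execute"),
        ("deny", "Contractors", "execute"),
    ],
    "OU=Payroll,OU=Apps,DC=example,DC=com": [
        ("allow", "Unit-Personnel", "execute"),
    ],
}

# Group membership; members may be users or other groups (nesting).
GROUPS = {
    "Common-Systems": {"Unit-IT", "Unit-Personnel"},  # the role given the app
    "Unit-IT": {"ann"},
    "Unit-Personnel": {"cai"},
    "Contractors": {"cai"},
}


def effective_groups(user, groups=GROUPS):
    """All groups the user belongs to, directly or through nested groups.
    Skipping groups already in `result` also protects against cycles."""
    direct = {g for g, members in groups.items() if user in members}
    result, queue = set(), list(direct)
    while queue:
        g = queue.pop()
        if g in result:
            continue
        result.add(g)
        queue.extend(parent for parent, members in groups.items() if g in members)
    return result


def can_execute(user, ou_dn, acls=ACLS, groups=GROUPS):
    """Evaluate the OU's ACL for the user: any matching deny wins, otherwise
    access requires at least one matching allow."""
    trustees = effective_groups(user, groups) | {user}
    matching = [(kind, right) for kind, trustee, right in acls.get(ou_dn, [])
                if trustee in trustees and right == "execute"]
    if any(kind == "deny" for kind, _ in matching):
        return False
    return any(kind == "allow" for kind, _ in matching)


def application_menu(user):
    """The application list the portal would show this user, sorted by name."""
    return sorted(app["displayName"] for dn, app in APP_OUS.items()
                  if can_execute(user, dn))


if __name__ == "__main__":
    for user in ("ann", "cai", "dan"):
        print(user, effective_groups(user), application_menu(user))
```

Ann reaches the document system through Unit-IT nested in the Common-Systems role; Cai holds the same role through Unit-Personnel but is a member of Contractors, so the explicit deny removes the document system from her menu while Payroll remains; a user in no group sees an empty menu. This is also the check to run when reviewing a delegation: compute the effective groups first, then evaluate the ACL, because a nested membership can grant more than the direct memberships suggest.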
Q&A