- Extensible and reliable identity provisioning and synchronisation
- Extensible workflow and policy engine
- Extensible delegated access management platform with web UI
- PowerShell-aware web API
I consult on the implementation of this product for my customers. I have advised on where improvements are needed to improve operational efficiency, security compliance and transparency of policy.
The SharePoint-hosted web UI, while functional, lacks the features one would normally expect of a modern web application when used in its vanilla form. The BHOLD suite, which is an optional extension for RBAC modelling, should not be implemented without substantial budget being set aside for investment in additional training and understanding, and ensuring access to specialist resources is available when required.
I've been using FIM 2010 for five years, and prior to that another five years between the 2003 and 2007 versions.
FIM is more an Identity and Access Management (IAM) framework rather than an out-of-the-box (OOTB) solution. With customization invariably required, deployment must be carefully planned according to the solution architected.
The latest R2 release is stable and has no significant issues that affect implementation stability with regards to the core components.
The biggest limiting factor is that the sync engine cannot be configured for load balancing or redundancy, followed closely by the throughput limitations that apply to the FIM Service connector (management agent) when dealing with high volumes of objects under synchronization. Nonetheless, FIM has been successfully deployed to manage the entire identity life-cycle for very large sites, such as well over one million staff/student identities under management for the Queensland Education Department in Australia.
Also, when the "declarative" sync rules requiring "expected rule entries" (EREs) are employed, the sync overhead is further exacerbated. As such, this type of sync approach should be avoided in favour of a code-based rules extension or the "scoped" sync rule capability released with R2.
High, depending on availability. Support is available by subscription to the "Microsoft Premier Support Service" (PSS) and/or third-party solution support. In complex scenarios where skilled technicians are required, some delays (while generally minimal) may be experienced in getting a full resolution. A managed service arrangement might be worth considering through a third party such as UNIFY Solutions to mitigate the need for this in most cases.
Technical Support:
High, depending on availability. There is often a dependency on skilled resources that need to be accessed from outside the immediate PSS group.
No. Only earlier versions of FIM which are now mostly end-of-life.
Generally complex in terms of number of components required, number of deployment steps required, and time generally taken with some of those steps.
We implemented it in-house.
The knowledge gained to perform more implementations for other clients, and the potential to leverage our own complementary products and services.
Yes - Novell, Sun (now obsolete) and Oracle.
Be prepared to consider the total cost of ownership (TCO) of a FIM (or any IAM) solution when assessing its comparatively cheaper price-tag over the mainstream alternatives. Be sure that training and resource development costs are covered in your budget, along with any ongoing "level three" type dependency on specialist resources to maintain and extend the solution once in Production. These costs may be minimized and service delivery/reliability optimised by leveraging a reputable managed service option such as the one available through UNIFY Solutions.