While supporting FIM customers in assessing their FIM environment and helping them maintain their FIM configuration, two discussion topics are all-time favorites: FIM security and FIM best practices.
For ease of use I’ve been collecting this information in a few articles.
Below you’ll find the short links:
As you can see, there is still a lot of room for improvement, so I invite you to update the article where you think information is missing.
When discussing a basic FIM setup (FIM Synchronization Service plus FIM Service and Portal), a common diagram being drawn is the one below.
It does not cover the other FIM add-ons (such as FIMCM, BHOLD or reporting), but it is still a useful and very visual guide for planning your security.
Its main purpose is to explain that the initial security setup for your FIM:
- DOES require a collection of security accounts and groups to segregate duties (installing FIM with one single account, used for every FIM function and service, is a very bad idea).
- ONLY needs one core administrator account with local administrator rights on the FIM server.
- DOES NOT require service or technical accounts with local or domain admin rights (with one exception: the FIM installer account).
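To make that segregation concrete, here is an added PowerShell example; it is not part of the original article or of the FIM product documentation. It provisions one AD account per FIM function plus the FIM Sync role groups as domain groups, then checks that none of those service accounts holds domain admin rights or sits in the local Administrators group of the FIM servers, which only the installer account should. The OU, the server names, the installer name and the svc-fim-* account names are assumptions; the FIMSync* group names are the role groups the FIM Synchronization Service uses, and the installer lets you point them at domain groups instead of local ones.

```powershell
# Added example, not from the original article: provision a segregated set of FIM
# accounts and groups with the ActiveDirectory module, then verify that none of the
# service accounts holds domain or local admin rights. Account names, the OU and the
# server list are assumptions; the FIMSync* groups are the FIM Sync role groups.
Import-Module ActiveDirectory

$ou         = 'OU=FIM,OU=Service Accounts,DC=contoso,DC=com'   # assumed OU
$fimServers = 'FIMSYNC01', 'FIMSVC01'                          # assumed FIM hosts
$installer  = 'fim-installer'   # the ONE account allowed local admin on the FIM servers

# One technical account per function, so a compromised account exposes one function only.
$serviceAccounts = @{
    'svc-fim-sync'    = 'FIM Synchronization Service'
    'svc-fim-service' = 'FIM Service (web service)'
    'svc-fim-ma'      = 'FIM MA account used by Sync to call the FIM Service'
    'svc-fim-sspr'    = 'Password reset / registration portals'
    'svc-fim-sql'     = 'SQL Server service hosting the FIM databases'
}
# FIM Sync role groups: rights come from membership here, never from admin rights.
$syncGroups = 'FIMSyncAdmins', 'FIMSyncOperators', 'FIMSyncJoiners',
              'FIMSyncBrowse', 'FIMSyncPasswordSet'

foreach ($sam in $serviceAccounts.Keys) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        $pwd = Read-Host -AsSecureString "Password for $sam"
        New-ADUser -Name $sam -SamAccountName $sam -Description $serviceAccounts[$sam] `
            -Path $ou -AccountPassword $pwd -Enabled $true -PasswordNeverExpires $true `
            -CannotChangePassword $true
    }
}
foreach ($g in $syncGroups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ou
    }
}

# Check 1: no FIM service account may be a member (directly or nested) of a
# domain-level privileged group. 'Enterprise Admins' only exists in the forest root,
# hence SilentlyContinue.
foreach ($grp in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    $members = Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty SamAccountName
    foreach ($m in $members) {
        if ($serviceAccounts.ContainsKey($m)) {
            Write-Warning "$m is a member of $grp - FIM service accounts must not be domain admins"
        }
    }
}

# Check 2: on each FIM server, only the installer account may be a local Administrator
# (Get-LocalGroupMember requires Windows PowerShell 5.1 or later on the target host).
foreach ($srv in $fimServers) {
    $admins = Invoke-Command -ComputerName $srv -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    }
    foreach ($a in $admins) {
        $sam = ($a -split '\\')[-1]          # strip the DOMAIN\ prefix
        if ($serviceAccounts.ContainsKey($sam)) {
            Write-Warning "$sam is a local Administrator on $srv - only $installer should be"
        }
    }
}
```

Run the provisioning part once from an account that may create objects in the FIM OU, and keep the two checks as a recurring control: they catch the classic drift where someone "temporarily" adds a service account to Domain Admins or to the local Administrators group of a FIM server to work around a permission error.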