Now that MIIS is being used for more pervasive provisioning systems, we see more and more questions about how to perform user entitlements. The term “user entitlements” describes the privileges or personalized environment a user has on the network. Quite simply, a “user entitlement” is something a user needs when they log in to their network account. It might be a home directory on a specific file share, or provisioned access to a specific application such as a SharePoint Portal. Some of the questions we see around this topic are “should MIIS perform these user entitlements?” and, if so, “should MIIS perform them directly or through some asynchronous process?” The answer depends on the nature of the solution, but in most circumstances MIIS can in fact drive these user entitlement solutions. However, to architect the most efficient solution, or one where connectivity may be an issue, asynchronous processes may be required.
Before we delve into the solution architectures, I would like to briefly discuss how user entitlements are typically handled in a non-MIIS world. Probably the most common approach is logon/logoff scripts. I have seen scripts that run into the thousands of lines of code! They perform tasks ranging from creating directories or file structures for the user, to setting file permissions, adding group memberships, or even backing up and restoring entire home directories when a user changes location. I’m sure that if you are a system administrator you could name a dozen more entitlements without hesitation. Most entitlements, however, are granted through manual processes. Whether it takes an administrator to add a user to a security group or a manager to configure access to a specific application, many entitlements are prescriptive and can be automated with a provisioning system. Some applications have vendor-specific provisioning that may get you part of the way there, but in my experience most still require someone to “push a button”.
MIIS may be the perfect solution for creating user entitlements that are reachable directly through its built-in Management Agents. The most common example is Active Directory or ADAM group membership management: you can quite easily give MIIS the logic to manage group membership. I will not delve into that here, as there are many available resources that discuss the topic. If MIIS has no built-in way to manage a given user entitlement out of the box, you can create a custom management agent that performs the tasks directly. The only limitation on having MIIS perform the tasks directly is connectivity to the host of the user entitlement. The rule of thumb is: if the host is always available and the tasks to be completed are not long-running, it is probably fair game. For example, if you are provisioning a SharePoint portal, you may need to make web service calls to the web server that hosts it. This works because the SharePoint portal is likely to sit in a centralized location that is always online and accessible from the MIIS server, so MIIS can reliably perform the tasks without error. If you have experience with MIIS, you know that errors can bring the whole system to a screeching halt!
Given the nature of many user entitlements, MIIS may not be the best solution for managing the related tasks directly. You would not want MIIS to perform long-running tasks, or tasks where connectivity may be an issue. In addition, MIIS may not be able to perform a task until some other action has completed. The most common scenario we are asked about is the creation of home directories for users on large networks. Most likely, the home directories are hosted on file servers located close to the physical location of the user and far away from the MIIS server across a WAN. First of all, MIIS may not even be able to reliably connect to the file server. Second, the file server probably authenticates against an Active Directory domain controller in its own site, where replication may be scheduled on a less-than-optimal timeframe. If MIIS has just finished creating a new user account on some centralized domain controller, the home directory cannot be created until that new account has replicated to the remote site. Finally, home directory management falls squarely into the “long-running task” category, because it will likely include moving or synchronizing files from one location to another, archiving folder structures for inactive accounts, or setting granular permissions on the hierarchy. Another example of a user entitlement that MIIS could not perform directly is the need to “push a button” on some remote computer at a specific time with the right information at hand (such as a CSV import file). These types of user entitlements are best performed through asynchronous processes.
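The asynchronous home-directory process described above, as an added example that is neither part of the original article nor MIIS code: a scheduled script on the remote file server consumes requests MIIS has written to a CSV drop file, waits until the site-local domain controller can see the account, then creates the folder with a least-privilege ACL. The drop-file paths, the `SamAccountName` column and the deferral convention are assumptions for illustration.

```powershell
# Added example (not from the original article or MIIS). Runs as a scheduled
# task on the file server in the user's site. Paths and CSV layout are assumed.
Import-Module ActiveDirectory

$DropFile = 'D:\ProvisionQueue\homedirs.csv'           # written by MIIS (assumed)
$Deferred = 'D:\ProvisionQueue\homedirs.deferred.csv'  # rows re-queued by this script
$HomeRoot = 'D:\Home'
# Ask the DC in this site, not the central DC MIIS provisioned against.
$LocalDC  = [string](Get-ADDomainController -Discover -NextClosestSite).HostName

# Claim the current batch by renaming it, so MIIS can keep appending meanwhile.
$batch = "${DropFile}.${PID}.work"
if (Test-Path -LiteralPath $DropFile) { Move-Item -LiteralPath $DropFile -Destination $batch }
$rows = @(@($batch, $Deferred) | Where-Object { Test-Path -LiteralPath $_ } |
          ForEach-Object { Import-Csv -LiteralPath $_ })

$retry = @()
foreach ($req in $rows) {                         # expected column: SamAccountName
    # Replication check: if the local DC cannot resolve the account yet, defer.
    try { $user = Get-ADUser -Server $LocalDC -Identity $req.SamAccountName -ErrorAction Stop }
    catch {
        Write-Warning "$($req.SamAccountName): not yet replicated to $LocalDC, deferring"
        $retry += $req; continue
    }

    # Idempotent create: a re-run after a deferral must not fail.
    $home = Join-Path $HomeRoot $user.SamAccountName
    if (-not (Test-Path -LiteralPath $home)) { New-Item -ItemType Directory -Path $home | Out-Null }

    # Least-privilege ACL: stop inheriting from D:\Home, grant the user Modify
    # (not Full Control, so they cannot re-ACL the folder) and keep ownership
    # with Administrators so ownership does not give the user WRITE_DAC either.
    $acl = Get-Acl -LiteralPath $home
    $acl.SetAccessRuleProtection($true, $false)
    $flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $user.SID, 'Modify', $flags, 'None', 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $flags, 'None', 'Allow')))
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    Set-Acl -LiteralPath $home -AclObject $acl
    Write-Output "$($user.SamAccountName): home directory ready at $home"
}

# Rows that had not replicated yet wait for the next scheduled run.
if (Test-Path -LiteralPath $batch) { Remove-Item -LiteralPath $batch }
if ($retry.Count -gt 0) { $retry | Export-Csv -LiteralPath $Deferred -NoTypeInformation }
elseif (Test-Path -LiteralPath $Deferred) { Remove-Item -LiteralPath $Deferred }
```

Because the script only ever acts on accounts the local DC already knows and is safe to re-run, the MIIS side never has to wait on WAN connectivity or replication, which is the decoupling the article argues for.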