This is a live blogging post from the International SharePoint Conference London 2012. So don’t expect well-written prose here.
Session by Spencer Harbar & Kimmo Forss
Identity Management
- SharePoint people are in the identity mgmt business, whether you like it or not
- A lot of political issues concerning identity mgmt in the enterprise
- 10% technology, 90% organizational stuff
- Considerations: ownership of data, data quality, system quality, access control
- Make friends with your directory services admins!
Lessons from the field
- Inadequate understanding of the UPA (User Profile Service Application) architecture
- Features and design constraints drive deployment options (e.g. federate or replicate, central or regional)
- Inadequate planning for user profiles
ForeFront Identity Manager
- SyncDB is in fact a FIM db
- Primarily a metadirectory solution
- SharePoint includes a bundled version of FIM
- Does not provide full synchronization!
- provisioning the service instance is effectively installing and configuring FIM
- Was FIM the right source? Yes it is! You cannot do IdM without a metadirectory
Provisioning
- via central administration
- via PowerShell, but beware the default schema issue
- do not try to script the creation of import connections, it’s not supported
- you shouldn’t ever see “welcome, system account” in your life : )
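An added example, not from the session or the speakers' own scripts, of provisioning the UPA with PowerShell. It refuses to run unless the session is the farm account, on the assumption (not stated on the page) that the default schema issue arises when the Sync DB is created under a different account; the account name, pool name and database names are placeholders.

```powershell
# Added example (not from the session): provision the User Profile Service Application
# via PowerShell while guarding against the "default schema issue" the speakers warn about.
# Assumption: the Sync DB gets the wrong default schema when the session runs as anyone
# other than the farm account, so the script stops before creating anything otherwise.
# CONTOSO\spfarm, the pool name and the database names are placeholders.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmAccountName = "CONTOSO\spfarm"   # placeholder farm account
$currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

if ($currentUser -ne $farmAccountName) {
    throw "Run this session as the farm account ($farmAccountName); current user is $currentUser."
}

$managedAccount = Get-SPManagedAccount -Identity $farmAccountName

# Dedicated application pool for the UPA, running as the farm account.
$poolName = "UPA Application Pool"
$pool = Get-SPServiceApplicationPool -Identity $poolName -ErrorAction SilentlyContinue
if (-not $pool) {
    $pool = New-SPServiceApplicationPool -Name $poolName -Account $managedAccount
}

# Create the service application with its profile, social and sync databases.
$upa = New-SPProfileServiceApplication -Name "User Profile Service Application" `
    -ApplicationPool $pool `
    -ProfileDBName "UPA_Profile" `
    -SocialDBName "UPA_Social" `
    -ProfileSyncDBName "UPA_Sync"

# Proxy in the default group so web applications can consume the UPA.
New-SPProfileServiceApplicationProxy -Name "User Profile Service Application Proxy" `
    -ServiceApplication $upa -DefaultProxyGroup | Out-Null

# Import connections are deliberately not scripted here (unsupported, per the session);
# create them in Central Administration instead.
Write-Host "UPA created as $currentUser; configure import connections in Central Administration."
```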
Augmenting Profiles with BCS
- Import only
- Runs only at full import
- Does not create new user profiles, only complements
- Single & multi value properties
- Create an external content type in SharePoint Designer
- Set permissions on the content type in the BCS to the farm account (execute & set permissions)
- Create a new BCS import connection
- Change the property to import from the BCS instead of AD
Export to AD
- grant the farm account write permission in AD
- change the property to export its value to AD