Wednesday, July 19, 2006

Chaos Chat: What is the best MIIS Skillset to start with?

For some time now I've been grappling with the problem of trying to understand what skillset bases best identify someone who is likely to be proficient, or even interested, in learning MIIS. Given the relative demand for Identity Management and the current shortage of talent, it is rather unlikely to come across people who already know MIIS or have worked with Identity Management tools or on related projects. Add that to the fact that Ensynch is not the only company trying to increase its stable of MIIS-savvy talent and you have a serious issue! So, our only other opportunity is to grow and mentor from within - but how exactly?

Formalized Training
For years now, Oxford Computer Group (through SQLSoft) has been the only company in the world capable and knowledgeable enough with the product to offer training for MIIS and they've done a superb job between their two classes (of which the 2731 course is now offered by Microsoft CTECS - but be forewarned about non-OCG instructors with little or no practical knowledge). Formalized training is of course the quickest way to obtain training, but is certainly the most expensive.

Mentored Training/OJT

I think many companies tend to rely on On the Job Training or training through a skilled mentor when available. This has mixed results, of course, as many variables can interfere and limit the effectiveness of this method, but certainly nothing beats OJT for sheer exposure to process and problem solving. Even those with plenty of OJT can still benefit from some formalized training to increase breadth of knowledge, but we still haven't identified what types of skills provide an effective base on which to layer formalized, mentored, or on the job training. Also, remember that introducing Identity Management to a new organization adds a tremendous amount of impact to its People, Process, and Technology.

MIIS Skillset Requirements
MIIS is certainly unlike most other Microsoft applications in that it demands knowledge of so many diverse skills. While traditional products like Active Directory and Exchange require deep administrative knowledge, MIIS requires the following:
  • Knowledge of SQL - MIIS is a SQL application so knowing how to construct basic SQL queries is essential when dealing with SQL data sources and building simple SQL-based reports. As you get more and more familiar with MIIS, you'll find that many of the more "advanced" tips and tricks are just SQL tricks that a DBA is likely to know.
  • Development Skills - MIIS is built to be extended and customized, yet it is this rich extensibility that quickly leads any MIIS implementation deep into coding territory. Some background in scripting or coding is a must here! Experience with the .NET Framework is a serious plus.
  • Knowledge of the Connected Directory - MIIS isn't much until you connect it to something. Usually you're feeding a series of file, DB, and LDAP data sources into a System Directory like Active Directory or eDirectory so it is vital that you have more than casual knowledge of the data sources you are provisioning to.
So, how many DBA/Developer/Admins do you know? Furthermore, which skills or aspects of those skills do you think are most important?

My Opinion
Coming from an NDS/NT4/AD background you could say I am heavily tilted towards the Directory Admin side and since I've always considered myself more of a scripter than a developer, I've had to pick up the SQL and DEV skills as I went along. I've also had the fortune of attempting to mentor pure DEV and SQL Admin types who were "forced" into supporting an MIIS implementation and while the whole forced aspect certainly tends to kill chances for success faster than anything, the biggest learning curve for both camps wasn't picking up MIIS, but understanding Active Directory. So, I firmly believe that the best skill set to start with is someone who has experience with Directory Administration (and has felt the pain that is supporting a large deployment) and has an interest in scripting or development of some sort. Admins who can write their own utilities or scripts to accomplish administrative tasks are a step above the rest!

So, I'm anxious to hear your input - what do you think is most important in selecting a potential MIIS convertee? What should you have before attending your first MIIS class or working on your first MIIS deployment?

4 comments:

Chris C. said...

Hi Brad,

There is no doubt; there is a shortage of talent out there for identity management specialization. Talking with others in the practice of IdM, it’s not only a shortage in the Microsoft camps, but also within the competitors. I think it is because identity management consists of such a broad range of areas within an infrastructure, not to mention the DBA/Developer/Admin technical skills you mentioned earlier.

Definitely I think the biggest key is, finding those individuals that are self-starters wanting to take on a real challenge. I think that is the most important characteristic for any potential candidates wanting to pick up this specialization.

Formalized training does help, however it is expensive for the employer and the business will want some type of reimbursement after giving that training. It ends up really bad when they invest in this training, then the individuals either don’t like the technology or don’t take advantage of it by using it properly. It is an argument depending on your perspective of the situation.

Nothing is better than being exposed to it in the field. After one gains that experience, they’ll need to put the initial footwork and effort in learning the technology by reading and doing labs from resources such as on-line documentation (Microsoft’s site, MIIS Experts, and yours for example) and newsgroups, etc. After that initial investment, then attending the classes will only reinforce one’s desire to excel in this specialization. At that point, everything will be much clearer. The fact is one has to like or love the technology to really implement it properly or sell it as a solution. If there is any negativity, then it only increases the risks of failure.

I think your idea for a mentoring program is great. By doing that, you can control how one will view the product and be able to address the frustration experienced during the learning process.

I agree with you on the MIIS skill set requirements. Much of that will come, working with the product. The funny thing about MIIS is it is such a cross-skilled product between development and technical infrastructure.

To start out, I think potential candidates must have a strong, in-depth knowledge of Directory Services.
Large directories are where you’ll really gain experience and appreciation for the need of scripting. In these scenarios, you’d be challenged with real world issues that will help when doing an MIIS design. As long as they have that, database management, development practices, will all come much easier.

Most of my perspective is very similar to yours because it sounds like I come from a very similar technical background. I’ve been working with MIIS for two years now, and seeing how others with different specializations view identity management, definitely the directory guys are the best to start with because the concepts of managing a directory versus a metadirectory are very alike.

I hope this helps, good luck.

Chris C.

Richard Wakeman said...

Hi Brad,

You definitely hit the nail on the head regarding MIIS skills. It is difficult because most of the time I find that experts of technology either fall into one camp or the other… Systems Administrator or Developer. Sure, both camps are required to “cross-over”, but I believe that the passion and effectiveness is with one or the other. If you are a developer, you will most likely struggle with networking issues such as why Kerberos is not working. Conversely, Systems Administrators will get frustrated easily because a slash in a dn causes DirectoryServices to fail.

MIIS requires that you know both. Coming from a developer background, I find that networking issues are tedious and no fun to figure out. But living in the MIIS world has forced me to venture into this territory until I finally did figure it out. However, I got virtually all of my Systems Administrator knowledge OJT. I think the same would be expected for someone in the opposite shoes.

The point here, as you have pointed out, is that a company will not typically find someone that is a “Jack-Of-All-Trades” to start off with, and if they do, I imagine they would come with a very high price tag. So what it really boils down to is that the right person for the job could be an expert of just one camp, but also a person who is a self-sufficient problem solver.

From my perspective, I think that the more elegant MIIS solutions come as a result of development expertise. My perspective is obviously tainted. My point in saying that is to not contradict that a Directory Administrator with scripting skills is not the best way to go, but to throw in that a developer with Directory Administration experience can be equally as effective. Want the best of both worlds? Hire two people, one that complements the other. 

Once you have someone with the lust for MIIS, I found that the Oxford classes were indispensable. However, mentoring and OJT can potentially transfer that knowledge to those who have not taken the courses. A little trial-and-error can also be expected in the path to an MIIS Expert. More recently, I have discovered that reading the newsgroups can be very enlightening!

I completely agree with your assessment of the total skills required for MIIS. Getting there is obviously the fun part! If you don’t have fun with it, then anyone would struggle getting up to speed.


Thanx for posting such an informative topic!

-Richard Wakeman

PS: Congratulations on becoming an MVP!

Jef Kazimer said...

I would think the best MIIS folks tend to come from the Directory Services backgrounds. Though thinking about this at first seems kind of backwards, since MIIS really may exist without being connected to a directory of any sort. (i.e. SQL/File only)

Since MIIS appears as a "directory" with common elements of object classes and attributes similar to those in LDAP, those familiar with that structure seem to understand it better on the surface.

I think using the direct mapping features of MIIS brings a lot of ability to solve some real common situations, yet it's only when you dig deeper into developing extension code that you unlock the power of MIIS.

Yet, how many admins are developers? Like you, I would have considered myself a scripter first, and nowhere near a developer. MIIS pushed me from the mindset of "I can do that with a script" to learn more development skills. I would also say, because of that I have developed other tools with the .NET framework to manage Identity related tasks, that have really helped out my environment.
The world of "try-catch" is a lot friendlier and safer than "on error resume next" coming from a scripting background.

Another interesting part is not only knowing how to code your MV/MA rules for MIIS, but also have a better understanding of the connected data sources. I would like to believe the admins of those DS's understand MIIS and what it does, but that is far from the truth most times. So I find myself evangelising, and also engineering how to better integrate their data source. Without prior DB or Development knowledge this would be all but impossible, since these come from various flavors of technologies.

More than once I have found DBAs who were surprised that a DB view was indeed updateable (depending on complexity).

I am also trying to mentor more people in the ways of MIIS, and for the most part the willing people are admins first, and no dev experience at all. The concepts of source control, while native to developers, Admins really are not familiar with.

There will be Admins who only want to be Admins, and developers who only want to be developers. It is the person who wants to be parts of both worlds that I think best suits the MIIS specialization.

Brad Turner said...

Thank you all so much for the comments!

Chris C - yes, I think self-starters are a key here. They need to be able to operate independently and solve problems on their own once they know where to find the answers.

Richard - with respect to elegant solutions, YES, we scripters tend to bash things together when there is often a more elegant way to accomplish something assuming you know the language and the concepts.

Jef - with respect to "evangelizing", YES, it is so funny when you're trying to convince another resource just how valuable their data is to some other team. I think as IdM people and given our much broader view of the business flows we can usually identify opportunities for integration much more easily than the individual data owners can.
