I am doing a feasibility study of implementing NW IDM in our organization. After going through a few documents, I have a question for which I am unable to get a definite answer.
When a person joins an organization, does the user account info have to be present in AD to create the user identity in IDM? Or will the NW IDM Administrator be the first point of contact to create the user identity in all SAP applications and the Windows account in MS AD? To put it simply, will the Windows user account also be created with NW IDM or not?
It would be helpful if anyone could suggest the workflow and use of IDM from the point a person joins an organization, and how roles are assigned to them through IDM.
Thanks for the reply. So it means that if we configure IDM as the primary source of users, then the IDM Administrator will be the central point of contact to create and assign the roles to Windows, SAP, Portal, etc. accounts, and no other team will be required to act on a new user joining or transferring. In this case, how will the IDM Admin come to know of a new user joining the organization?
Sorry, I know this looks very basic, but in our company the new hire process is all messed up, as it takes a month for a new joiner to get all the access. I am trying to find out if NW IDM can help in this regard.
It all depends on how the customer wants to manage the accounts based on company policies. Usually companies with AD and IDM use AD as primary.
AD can have its own admin and IDM can have its own admin, or both can be the same. Here you can use IDM to provision accounts (Windows, SAP, non-SAP, ...); usually initial access is given with predefined rules (based on position or user groups given to the user, or just end-user access...).
Coming to the hiring process, let's take an example. Say a new employee is hired and this hiring process is managed by SAP. His/her details and hiring details will be recorded in SAP. This data can be sent to AD to create AD credentials.
The same SAP HR data will be read by IDM, which creates the required accounts with the respective access based on the configuration. Here you are using IDM for user account management. AD details might be used by other applications which you don't want to connect to IDM. Here AD and IDM are acting independently, but the primary user data source is SAP HR data.
I suggest you draw how user data flows in your org. You will get an idea of the broken links in the process. Once you find where things are going wrong, try fixing them.
Hope this helps!!
Dear Ajesh, this was very helpful. We have SAP HR data which can be the starting point to feed the user details to IDM, as you have mentioned.
My question is, if the AD, Portal and SAP users are provisioned through IDM, then how are the passwords communicated to users? Does IDM provide functionality to send them via email or something like it?
The passwords will be communicated to the back-end systems in an encrypted format (if you set it up that way). They can then be un-encrypted using the Keys.ini file which is generated by IdM. As part of your password synchronization process, you can certainly set up an e-mail notification to send the passwords via e-mail. Be careful though: that introduces high risk, sending around passwords in clear text, and might violate some of your compliance audits.
Chris, thanks. You are right, our company policy does not allow passwords to be sent via email in plain text.
Then what is the other way companies use to send the passwords to end users if the IDs are provisioned through IDM? I am hoping for something automated, without helpdesk intervention, to provide the password to users.
For password self-service, you can allow the users to set their own passwords in a text box, which eliminates the need to notify them. You may want to try that.
If you must allow them to grab their passwords in some way other than e-mail or having someone tell them, then your options are fairly limited. You will have to authenticate them somehow (perhaps through SSO) to get into the IdM system in the first place, and then you could have the password decrypted for them to see through the IdM system. That is another option.
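As an added illustration (not from this thread and not SAP NW IDM's own code), a small Python model of the joiner flow discussed above: SAP HR data as the primary source, initial access assigned from predefined position rules, and the user choosing their own password through self-service after authenticating with a one-time enrollment token, so no password is ever sent by e-mail. The HR record layout, the position rules, and the token scheme are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-in for a record read from the SAP HR feed (not IdM's data model).
@dataclass
class HrRecord:
    employee_id: str
    name: str
    position: str

# Predefined rules (assumed): access granted on join, keyed by HR position.
POSITION_RULES = {
    "Accountant": {"AD": ["Domain Users", "FIN-Share-RW"], "SAP_ECC": ["Z_FI_ACCOUNTANT"], "Portal": ["ESS"]},
    "Developer": {"AD": ["Domain Users", "DEV-Share-RW"], "SAP_ECC": ["Z_DEV_DISPLAY"], "Portal": ["ESS"]},
}
BASELINE_ACCESS = {"AD": ["Domain Users"], "Portal": ["ESS"]}  # plain end-user access
@dataclass
class Provisioned:
    account: str
    entitlements: dict
    token_hash: str       # only a keyed hash of the one-time token is stored
    notification: str     # what the user receives; never contains a password

def provision_joiner(rec: HrRecord, hmac_key: bytes):
    """Joiner flow: HR record -> account + entitlements + one-time enrollment token.
    Returns (Provisioned, token); the token is delivered to the user out of band."""
    rules = POSITION_RULES.get(rec.position, BASELINE_ACCESS)
    entitlements = {system: list(groups) for system, groups in rules.items()}
    first, last = rec.name.split()[0], rec.name.split()[-1]
    account = (first[0] + last).lower()
    token = secrets.token_urlsafe(32)
    token_hash = hmac.new(hmac_key, token.encode(), hashlib.sha256).hexdigest()
    notification = (f"Account {account} created for employee {rec.employee_id}. "
                    "Sign in to self-service with your enrollment token to choose a password.")
    return Provisioned(account, entitlements, token_hash, notification), token

def redeem_enrollment(prov: Provisioned, token: str, hmac_key: bytes, new_password: str) -> bool:
    """Self-service step: verify the single-use token, then accept a user-chosen password."""
    if not prov.token_hash:
        return False                      # token already used
    expected = hmac.new(hmac_key, token.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, prov.token_hash):
        return False
    if len(new_password) < 12:            # assumed policy minimum
        return False
    prov.token_hash = ""                  # invalidate: single use
    return True
```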