7 Replies. Latest reply: Apr 18, 2012 12:23 AM by Chris Snyder

Does NW IDM create the Windows account also in MS AD

Sameer Sheikh

I am doing a feasibility study of implementing NW IDM in our organization. After going through a few documents, I have a question for which I am unable to get a definite answer.

When a person joins an organization, does the user account info have to be present in AD to create the user identity in IDM? Or will the NW IDM Administrator be the first point of contact to create the user identity in all SAP applications and the Windows account in MS AD? To make it easy: will the Windows user account also be created with NW IDM or not?

It would be helpful if anyone could suggest the workflow and use of IDM from the point a person joins an organization, and how the roles are assigned to him through IDM.

  • Re: Does NW IDM create the Windows account also in MS AD
    Ajesh Raju Pujari

    Hi Sameer,

    You can configure IDM both ways. IDM can act as the primary source for user info or as secondary to AD.

    If you configure IDM as primary, you can create the user in IDM and then sync the data to AD, and vice versa.

    Regards,

    Ajesh.

    • Re: Does NW IDM create the Windows account also in MS AD
      Sameer Sheikh

      Dear Ajesh,

      Thanks for the reply. So it means that if we configure IDM as the primary source of users, then the IDM Administrator will be the central point of contact to create and assign the roles for Windows, SAP, Portal, etc. accounts. No other team will be required to act on a new user joining or a transfer. In this case, how will the IDM Admin come to know of the new user joining the organization?

      Sorry, I know this looks very basic for this subject, but in our company the new hire process is all messed up, as it takes a month for a new joinee to get all the access. I am trying to find out if NW IDM can help in this regard.

      • Re: Does NW IDM create the Windows account also in MS AD
        Ajesh Raju Pujari

        Hi Sameer,

        It all depends on how the customer wants to manage the accounts based on the company policies. Usually companies with AD and IDM use AD as primary.

        AD can have its own admin and IDM can have its own admin, or both can be the same. Here you can use IDM to provision accounts (Windows, SAP, non-SAP...); usually initial access is given with predefined rules (based on position or user groups given to the user, or just end-user access...).

        Coming to the hiring process, let's take an example. Say a new employee is hired and this hiring process is managed by SAP. His/her details and hiring details will be recorded in SAP. This data can be sent to AD to create AD credentials.

        The same SAP HR data will be read by IDM, which creates the required accounts with the respective access based on the configuration. Here you are using IDM as the user management account. AD details might be used by other applications which you don't want to connect to IDM. Here AD and IDM are acting independently, but the primary user data source is SAP HR data.

        I suggest you draw how user data flows in your org. You will get an idea of the broken links in the process. Once you find where things are going wrong, try fixing them.

        Hope this helps !!

        Regards,

        Ajesh.

        • Re: Does NW IDM create the Windows account also in MS AD
          Sameer Sheikh

          Dear Ajesh, this was very helpful. We have SAP HR data which can be the starting point to feed the user details to IDM, as you have mentioned.

          My question is, if the AD, Portal, and SAP users are provisioned through IDM, then how are the passwords communicated to users? IDM provides that functionality to send them via emails or something like it.

          • Re: Does NW IDM create the Windows account also in MS AD
            Chris Snyder

            Hi Sameer,

            The passwords will be communicated to the back-end systems in an encrypted format (if you set it up that way). It can then be un-encrypted using the Keys.ini file which is generated by IdM. As part of your password synchronization process, you can certainly set up an e-mail notification to send the passwords via e-mail. Be careful though: sending around passwords in clear text introduces high risk, and might violate some of your compliance audits.

            • Re: Does NW IDM create the Windows account also in MS AD
              Sameer Sheikh

              Chris, thanks. You are right, our company policy does not allow passwords to be sent via email in plain text.

              Then what other way do companies use to send the passwords to end users if the IDs are provisioned through IDM? I am hoping for something automated, without helpdesk intervention to provide the password manually to users.

              • Re: Does NW IDM create the Windows account also in MS AD
                Chris Snyder

                For password self-service, you can allow the users to set their own passwords into a text box, which eliminates the need to notify them. You may want to try that.

                If you must allow them to grab their passwords, in some way other than e-mail or having someone tell them, then your options are fairly limited.  You will have to authenticate them somehow (perhaps through SSO) to get into the IdM system in the first place, and then you could have the password decrypted for them to see through the IdM system.  That is another option.
