4 Replies Latest reply: Mar 4, 2014 8:49 PM by NRL KM

IDM Implementation queries

Sameer Sheikh

I am doing a feasibility study of implementing IDM 7.2 in our organization, and have decided on the use case "Identity Lifecycle Management" to provision user accounts for LDAP, PORTAL, ABAP SYSTEMS (BW, APO, ETC.) AND MS EXCHANGE (IDM is also to be integrated with GRC). I have a few doubts.

1. In our organization, AD and SAP accounts exist with the naming convention of last name + first character of first name. If we implement IDM, can this convention still be used for event-driven creation of new user accounts in LDAP, EXCHANGE, SAP, etc. (via HCM)?

2. We can use HCM as the user input data for NW IDM, and can create user accounts in LDAP, ANY ABAP SYSTEM, PORTAL, and MS EXCHANGE. Does this also assign the groups/update the properties (like designation, dept, tel, etc.) of accounts in AD, and can it add the user to the default Outlook email distribution list?

If this can be achieved, it will be a great help, as no manual activity would be required to update user properties in LDAP or to add users to EXCHANGE email distribution lists.

3. When the user ID is provisioned in all connected systems, how will the password be communicated to the user?

4. Can existing SAP ABAP roles be imported into IDM and assigned to business roles?

5. Can IDM also provision accounts for Documentum and BO dashboard? Are there connectors available for them?

Thanks in advance to all experts.

  • Re: IDM Implementation queries
    Matt Pollicove

    Sameer,

    I am doing a feasibility study of implementing IDM 7.2 in our organization, and have decided on the use case "Identity Lifecycle Management" to provision user accounts for LDAP, PORTAL, ABAP SYSTEMS (BW, APO, ETC.) AND MS EXCHANGE (IDM is also to be integrated with GRC). I have a few doubts.

    I can tell you from my own experience that IDM can work with the systems that you referenced here.

    1. In our organization, AD and SAP accounts exist with the naming convention of last name + first character of first name. If we implement IDM, can this convention still be used for event-driven creation of new user accounts in LDAP, EXCHANGE, SAP, etc. (via HCM)?

    Absolutely. This is "classic" IDM. I am assuming that, since you are referring to Exchange, the LDAP variety is Active Directory. The Provisioning Framework works quite nicely and natively supports AD, other LDAPs, Exchange, SAP Java and SAP ABAP. HCM support is also provided through a separate framework, but also requires configuration of the Virtual Directory Server and of course HCM.

    2. We can use HCM as the user input data for NW IDM, and can create user accounts in LDAP, ANY ABAP SYSTEM, PORTAL, and MS EXCHANGE. Does this also assign the groups/update the properties (like designation, dept, tel, etc.) of accounts in AD, and can it add the user to the default Outlook email distribution list?

    If this can be achieved, it will be a great help, as no manual activity would be required to update user properties in LDAP or to add users to EXCHANGE email distribution lists.

    It sure can! I'm doing this on my current project. Of course you'll need to define the logic for putting an Identity into the correct Groups.

    3. When the user ID is provisioned in all connected systems, how will the password be communicated to the user?

    There are a few ways to do this, and it will depend on what your organization requires. But basically it falls into a few methods:

    • All users are set up with a well-known password, e.g., Welcome1, or one generated based on known values (birthday, name, etc.), which must be changed on first login.
    • Random passwords are sent to the user's manager or HR representative via email.
    • Password is sent to a secondary email address for the user or via SMS.
    • The user must contact the Service Desk for initial password set.

    All of these have pros and cons. I am not setting any of these as a recommendation or best practice, just laying down what I've seen. You'll have plenty of conversations with IT Security on this one.

    4. Can existing SAP ABAP roles be imported into IDM and assigned to business roles?

    Again, a standard part of any project. Take a look at the initial load tasks, which handle this.

    5. Can IDM also provision accounts for Documentum and BO dashboard? Are there connectors available for them?

    I have no idea, but if they can be reached via LDAP, Database, ABAP or Java, or expose an API, it can happen.

    These are just some high-level answers. Hope they are helpful. I'd also suggest reviewing some of the documentation available from SAP for more in-depth information and examples.

    Good Luck!

    Matt
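As an added illustration of the event-driven provisioning Matt describes (the naming convention from Q1, attribute and group updates from Q2, and groups assigned as privileges of a business role), here is a small Python model of that logic. It is example code written for this page, not SAP IDM's own framework or API: the HrRecord fields, the role-to-group mapping and the DNs are constructed, and the numeric suffix used on account-name collisions is an assumption, since the thread does not say how collisions are handled. It also goes one step beyond the thread: reconcile() computes group removals as well as additions, so a role change revokes what the HR record no longer justifies instead of letting access accumulate.

```python
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass


# Constructed HR record. The field names are a hypothetical simplification,
# not the real SAP HCM infotype structure.
@dataclass(frozen=True)
class HrRecord:
    first_name: str
    last_name: str
    department: str
    job_title: str
    telephone: str
    is_manager: bool


# Hypothetical role -> privilege mapping. The thread describes AD groups and
# Exchange distribution lists as privileges of a manager role; the DNs below
# are made up for this example.
ROLE_PRIVILEGES = {
    "EMPLOYEE": {"CN=All-Staff,OU=Groups,DC=example,DC=com"},
    "MANAGER": {
        "CN=All-Managers,OU=Groups,DC=example,DC=com",
        "CN=DL-Managers,OU=DistLists,DC=example,DC=com",
    },
}


def _ascii_letters(s: str) -> str:
    """Fold accents and drop anything that is not a-z, so 'Müller' -> 'muller'."""
    folded = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", folded.lower())


def make_account_name(rec: HrRecord, existing: set[str]) -> str:
    """Last name + first initial, e.g. Sheikh / Sameer -> 'sheikhs'.

    Appending 2, 3, ... on collision is an assumption for this example; the
    thread does not say how the organization resolves duplicates.
    """
    base = _ascii_letters(rec.last_name) + _ascii_letters(rec.first_name)[:1]
    if not base:
        raise ValueError("cannot derive an account name from the HR record")
    if base not in existing:
        return base
    n = 2
    while f"{base}{n}" in existing:
        n += 1
    return f"{base}{n}"


def derive_roles(rec: HrRecord) -> set[str]:
    """Business roles come from HR attributes, never from user input."""
    roles = {"EMPLOYEE"}
    if rec.is_manager:
        roles.add("MANAGER")
    return roles


def desired_state(rec: HrRecord, existing_accounts: set[str]) -> dict:
    """What the identity system should push to AD/Exchange for this person."""
    roles = derive_roles(rec)
    groups = set().union(*(ROLE_PRIVILEGES[r] for r in roles))
    return {
        "sAMAccountName": make_account_name(rec, existing_accounts),
        "attributes": {
            "givenName": rec.first_name,
            "sn": rec.last_name,
            "department": rec.department,
            "title": rec.job_title,
            "telephoneNumber": rec.telephone,
        },
        "memberOf": groups,
    }


def reconcile(desired: dict, current: dict | None) -> dict:
    """Changes needed to move the directory entry to the desired state.

    current is None for a new hire (create); otherwise it holds the attributes
    and group DNs read back from the directory. Group removals are computed
    too, so a demotion or transfer revokes access rather than accumulating it.
    """
    if current is None:
        return {"action": "create", "set": dict(desired["attributes"]),
                "add_groups": set(desired["memberOf"]), "remove_groups": set()}
    changed = {k: v for k, v in desired["attributes"].items()
               if current.get("attributes", {}).get(k) != v}
    cur_groups = set(current.get("memberOf", set()))
    drift = bool(changed) or cur_groups != desired["memberOf"]
    return {"action": "update" if drift else "none",
            "set": changed,
            "add_groups": desired["memberOf"] - cur_groups,
            "remove_groups": cur_groups - desired["memberOf"]}
```

The point of reconcile() returning both add_groups and remove_groups is that an HR-driven feed is only trustworthy as the source of truth if the directory is brought back to the computed state on every event, not just on hire.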

    • Re: IDM Implementation queries
      Sameer Sheikh

      Thanks a lot Matt, that was very good information. Just to be clear on a few things which you have mentioned:

      1. Please confirm that while provisioning an MS Exchange account, the user can be added to the company's default distribution list. For example, we have an email distribution list for all managers. So if any manager joins, he can be added to his group without any manual steps.

      2. For the new user's network password, I like the option of a password generated from birthday or name. As in this case, only the user will be aware of his birthday and the default password. So I assume in this case there will be no requirement to send the password to the new user, as we can inform the user during joining formalities to log in to the network with the password set to name + birth date.

      • Re: IDM Implementation queries
        Matt Pollicove

        Sameer,

        1. Please confirm that while provisioning an MS Exchange account, the user can be added to the company's default distribution list. For example, we have an email distribution list for all managers. So if any manager joins, he can be added to his group without any manual steps.

        Yes, basically you'd add these groups as privileges that would be part of a manager role. This is easily done through the framework.

        2. For the new user's network password, I like the option of a password generated from birthday or name. As in this case, only the user will be aware of his birthday and the default password. So I assume in this case there will be no requirement to send the password to the new user, as we can inform the user during joining formalities to log in to the network with the password set to name + birth date.


        That makes a certain amount of sense, but there still needs to be some sort of notification sent to let the user know that the account is ready. However, as you have noted the notification does not need to include the password.
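Matt's list of initial-password methods, together with the later point that the "account is ready" notification does not need to carry the password, as an added Python example that is not from the thread or from SAP IDM: it issues a random one-time initial password with a short lifetime and a must-change flag, stores only a salted hash, builds a notification that never contains the secret, and puts a number on the difference between a random password and one derived from known values (the name is visible in the directory, so only the birth date varies). All policy values (length, 48-hour lifetime, PBKDF2 rounds) are assumptions chosen for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import math
import os
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical policy values chosen for this example.
ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 14
INITIAL_PASSWORD_LIFETIME = timedelta(hours=48)
PBKDF2_ROUNDS = 200_000


def password_bits(alphabet_size: int, length: int) -> float:
    """Search space of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def known_value_scheme_bits(possible_birth_dates: int = 365 * 100) -> float:
    """Search space of 'name + birth date' when the name is already readable
    from the directory: only the date (roughly a century of days) varies."""
    return math.log2(possible_birth_dates)


def generate_initial_password(length: int = PASSWORD_LENGTH) -> str:
    # secrets.choice draws from the OS CSPRNG; random.choice would not be suitable here.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class InitialCredential:
    account: str
    salt: bytes
    digest: bytes
    must_change: bool
    expires_at: datetime


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def issue_initial_credential(account: str, now: datetime | None = None) -> tuple[str, InitialCredential]:
    """Create a one-time initial password. Only the salted hash is kept; the
    clear text is returned exactly once for the out-of-band delivery channel
    (manager, HR, secondary address, SMS or service desk, per the thread)."""
    now = now or datetime.now(timezone.utc)
    password = generate_initial_password()
    salt = os.urandom(16)
    cred = InitialCredential(account, salt, _derive(password, salt), True,
                             now + INITIAL_PASSWORD_LIFETIME)
    return password, cred


def verify_initial_password(cred: InitialCredential, candidate: str, now: datetime | None = None) -> bool:
    """Accept the initial password only before it expires; constant-time compare."""
    now = now or datetime.now(timezone.utc)
    if now > cred.expires_at:
        return False
    return hmac.compare_digest(_derive(candidate, cred.salt), cred.digest)


def account_ready_notification(cred: InitialCredential) -> str:
    """The 'account is ready' mail: it names the account and the deadline but
    never the secret itself."""
    return (f"Your account {cred.account} has been created. "
            f"Your initial password is delivered separately and expires "
            f"{cred.expires_at:%Y-%m-%d %H:%M %Z}; you must change it at first login.")
```

The two entropy helpers are there to make the trade-off in the thread concrete: a 14-character random password from a 62-symbol alphabet has over 80 bits of search space, while a scheme built from the name plus a birth date has about 15 bits once the name is known, which is why the random-plus-expiry pattern pairs naturally with a notification that carries no password.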

      • Re: IDM Implementation queries
        NRL KM

        Sameer,

        Hope you have implemented IDM successfully in your organization by now. I am in a similar scenario to where you were in May 2012. Please share your valuable experience, which will help me in my project. I am in the initial stage now. You can reach me offline at nlkmurthy@yahoo.com if necessary.

        Thanks

        -KM
