IDM and IDES systems
In our company we'd like to introduce IDM for central user maintenance, account creation / role provisioning and self-service for all our SAP Systems.
I have a question regarding IDES systems:
There are a lot of users and roles/profiles on these systems. Some of them (I'm inspired by another post, "How to handle these exceptions when read the information from abap system?") may lead to error messages or require additional manual steps to be done. Furthermore I don't want all the users, roles, companies and so on in the IdentityCenter database because I want a consistent view of our company users and permissions.
On the other hand some of our employees already have / will need an account in these IDES systems for training purposes.
I was already thinking about
a) a filter (e.g. in the WriteABAPUsers-Pass of InitialLoad) where the SQL-Statement compares the TempDB with UniqueIDs from another DB -> this still leaves all the unwanted Roles & Profiles.
b) the deletion of all unwanted entries in the source systems. But this is difficult and a waste of time since some entries are needed for IDES training material.
c) to leave these IDES systems as they are. Then account creation and profile / role assignment will still be manual steps. IDM will then "only" be used for the non-IDES systems. But I think it would be great to look at a MX_PERSON entry in IdentityCenter and see all the systems where this person has an account or which privileges are assigned to him, including IDES.
How would / did you guys solve this situation? Have you another solution I didn't come up with?
Any input highly appreciated. Especially some "live" experience would be nice.