on 05-23-2012 4:35 AM
We're implementing SAP IDM 7.2 for a client which wants to segregate user access and provisioning for two of its subsidiaries (A & B).
I've thought to create two different identity stores (A & B) - each one for a subsidiary - to partition user access and provisioning requests.
But how should I link each of these identity stores to the User Interface so that
If this isn't possible, should I install multiple instances of IDM UI?
Experts, please advise.
I would suggest two implementations of IDM. Both implementations can share the same database and even the same MMC console. However, each installation will require its own NetWeaver stack for the Web UI.
Matt
Are the requirements for the UIs, approvals and other workflows the same for both subsidiaries? If you have both Subsidiaries in the same MMC / Identity Center as different Id Stores, you would have to maintain two sets of configurations, but some of the functionality could overlap (like jobs or global scripts), so you would need to pay attention to which Id Store you're working on. You would need to have two UIs etc. There would be more testing involved as it would be more complex. If they're two separate databases / Identity Centers, then you could potentially develop one system (if the requirements match) and deploy it to two Identity Centers.
I would put all the data in the same Id Store and just hide Subsidiary A from Subsidiary B (and vice versa) by means of product ACLs or by hiding the data on the entry type level (set search attribute vs user attribute on the entry type).
With the search attribute vs user attribute scenario, create a custom attribute that holds the user's organization (user attribute) and another attribute that holds all the organizations (search attribute) to which the entry is visible. By populating the correct values, you can then limit Subs A so that it does not see Subs B, and have a special group like "IdM Uber Admins" that can see both Subsidiaries.
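The search attribute vs user attribute scheme from the answer above, modelled as an added example that is not part of the thread and is not SAP IDM API code. The attribute names `Z_USER_ORG` and `Z_VISIBLE_TO_ORGS`, the sample entries and the audit rules are assumptions made for illustration; the audit shows the kind of check worth running on the populated values, since one wrong value is enough to expose an entry to the other subsidiary.

```javascript
// Hypothetical custom attributes (not shipped with SAP IDM):
//   Z_USER_ORG        - user attribute: the organization the entry belongs to
//   Z_VISIBLE_TO_ORGS - search attribute: organizations allowed to see the entry
const ADMIN_GROUP = "IdM Uber Admins";

// A viewer sees an entry only when the viewer's organization is listed in the
// entry's search attribute. A missing or empty list hides the entry (fail closed).
function canSee(viewer, entry) {
  if (viewer.groups.includes(ADMIN_GROUP)) return true;
  const visibleTo = entry.Z_VISIBLE_TO_ORGS || [];
  return visibleTo.includes(viewer.Z_USER_ORG);
}

function visibleEntries(viewer, entries) {
  return entries.filter((e) => canSee(viewer, e)).map((e) => e.name);
}

// Audit the populated values and report entries that break the segregation.
function auditEntries(entries, knownOrgs) {
  const findings = [];
  for (const e of entries) {
    const visibleTo = e.Z_VISIBLE_TO_ORGS || [];
    if (!knownOrgs.includes(e.Z_USER_ORG)) {
      findings.push({ name: e.name, issue: "unknown or missing organization" });
    }
    if (visibleTo.length === 0) {
      findings.push({ name: e.name, issue: "search attribute not populated" });
    } else if (!visibleTo.includes(e.Z_USER_ORG)) {
      findings.push({ name: e.name, issue: "hidden from own organization" });
    }
    const foreign = visibleTo.filter((org) => org !== e.Z_USER_ORG);
    if (foreign.length > 0) {
      findings.push({ name: e.name, issue: "visible to " + foreign.join(",") });
    }
  }
  return findings;
}

// Constructed sample data: two clean entries and two misconfigured ones.
const ENTRIES = [
  { name: "alice", Z_USER_ORG: "A", Z_VISIBLE_TO_ORGS: ["A"] },
  { name: "bob", Z_USER_ORG: "B", Z_VISIBLE_TO_ORGS: ["B"] },
  { name: "carol", Z_USER_ORG: "B", Z_VISIBLE_TO_ORGS: ["A", "B"] },
  { name: "dave", Z_USER_ORG: "A" },
];
const VIEWER_A = { Z_USER_ORG: "A", groups: [] };
const VIEWER_B = { Z_USER_ORG: "B", groups: [] };
const ADMIN = { Z_USER_ORG: "A", groups: [ADMIN_GROUP] };
```

In this sample, `carol` is visible to Subsidiary A until the audit finding is fixed, and `dave` is invisible to his own subsidiary because the search attribute was never populated.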