
IDM 8 Project Planning

Former Member
0 Kudos

Hi specialists,

I have been a long-time reader, but this is my first reach-out for some advice, so if I am not following the correct rules please be patient.

At the moment I am writing a design document for IDM 8 in an existing SAP landscape but have two questions that I cannot find clarity on in the documentation available:

1) With respect to an IDM landscape, I was under the impression that a two-tier landscape would be appropriate, similar to how Solution Manager is used. The proposal I was going to make was to use the development box as both a development and test environment, using two identity stores (development and test) and duplicating the repositories. What I cannot understand is how the user interface would behave with this proposal, as there would be just one UI for both identity stores. What is the SAP best practice, and what is your experience?

2) Using HCM integration means that HCM is likely to be the leading system for identity creation, with ECC initial loads run second to create system privileges. This approach will result in all existing identities being assigned system privileges that would have to be manually migrated to the new business role design in IDM. How have you approached this task? Is it worthwhile not doing the initial loads in existing landscapes and simply assigning new business roles to replace the existing privilege assignments?

Thanks,

Andy

Accepted Solutions (1)

former_member2987
Active Contributor
0 Kudos

Hi Andy,

Always good to see new people in our continuing conversation!

I'm 99% sure that SAP IDM 8 works the same way as IDM 7 in that each Identity Store requires a dedicated NW to act as the presentation layer / app server. If you need to have one NW for two ID Stores, you will need to go into NW and change it each time.

My experience has been that the load from HCM establishes the Identity, but you will need to have loaded users and roles from each supporting system (e.g., ECC) to update new users' status in the connected systems.

Have you looked at the Landscape and Solution Operations guides?

Matt

Former Member
0 Kudos

Hi Matt,

Thank you for the reply. I have looked through the guidelines and cannot find any concrete guideline for the architecture. I wanted to avoid having 4 or 5 IDM installations to mirror an SAP landscape and to use the identity stores instead.

To clarify your answer, are you saying we need a separate IDM installation for users to be able to concurrently access the two different identity stores, or are you saying it's possible to have two application servers for the same IDM installation?

Regards,

Andy

former_member2987
Active Contributor
0 Kudos

Andy,

There are plenty of documents about sizing and architecture in the documentation library. 

The rule is that one NetWeaver install provides the UI for one Identity Store. You will need to reconfigure NetWeaver each time you want to access a different Identity Store.

Matt

Former Member
0 Kudos

Hi Matt,

I appreciate you taking the time to reply.

One final (long) question, I promise! I had envisaged that IDM would work like Solution Manager, and production IDM would provision to all of an ECC landscape (dev, test and prod).

I am not sure how this would work with this constraint. Is the best practice to have dev IDM provision dev ECC, test IDM provision test ECC and prod IDM provision only prod ECC?

This would mean, for example, having one single ECC repository created and transported through the IDM landscape, rather than having 3 (dev, test, prod) ECC repositories in each IDM system, and I guess would remove the risk of development IDM being able to provision to production SAP.

It would, however, increase the IDM footprint and mean you have to log onto a different UI to maintain your ECC landscape?

I have configured a single IDM system, but now thinking of delivering a landscape is challenging me due to the flexible solution it offers.

Cheers,

Andy

former_member2987
Active Contributor
0 Kudos

Andy, No worries!

So IDM can provision to all environments; however, even with version 8, it should not be assumed that it is like any other SAP module. It's still in the process of its SAP metamorphosis.

The way that we would do this is by setting up repositories that map to your systems.  Personally, I'm not a fan of this and prefer to set up separate IDM instances to govern each environment, but I see the merits of the counter-argument as well.

The good news is that there is no one right answer, except for the one that fulfills your project's needs!

Good luck,

Matt

terovirta
Active Contributor
0 Kudos

Andy Chambers wrote:

I am not sure how this would work with this constraint, is the best practice to have dev IDM provision dev ECC, test IDM provision test ECC and prod IDM provision only prod ECC?

Hi Andy,

When doing IdM development work in DEV IdM you would potentially have unfinished development stuff or break something in the existing configuration while developing new functionality. This would mean that you would not be able to provision, deprovision and modify your developer/testing/training etc. users. Most likely your business users also participate in the SAP project and have access to test or training systems.

I currently work in an SAP development programme with 150 consultants, and they're as productive users from the IdM point of view as business users. Not being able to provision developer or SAP-module consultant access to a system due to an IdM bug/issue means preventing them from working. You would also want to remove the access when a developer / external consultant leaves.

You should always aim for a full identity lifecycle, either by managing the users in HCM or another system (or in IdM) in a controlled manner so that they're on/off-boarded when needed.

Also, due to the way the IdM UI has been built, you configure the UI to connect to one particular Id Store in the IdM DB. Having several IdMs means that users would have to request access with several UIs. Also, depending on your reporting needs, you may have to run reports from multiple IdM systems.

regards, Tero

Former Member
0 Kudos

Hi Andy,

I'm another avid reader of the SCN and first time contributor thanks to your interesting topic.

It's a tricky up front decision that entirely depends on the projected landscape and how you perceive the volatility and growth factors.

If it's any use, after debating the merits of having an IdM 8 installation per environment (SBX, DEV, QA, TRAIN, PPD, PRD, inc. BOBJ, HANA), and also evaluating the possibility of the absolute minimum number of installations (leveraging more of the capability of IdM 8 but introducing obvious increased complexities), I decided upon an IdM for SBX (high level, to test any changes to the component and to allow some degree of administrator training and gauge the impact of other known unknowns, upgrade runs etc., without impacting the technical support organisation), another IdM to manage DEV to PPD, and a final standalone for PRD. I'll let you know how it goes.

Good luck with your implementation!

Kind Regards,

Mark

Message was edited by: Mark Simmet - typo corrected
