ILM2, User Provisioning and SAP
I'm looking into the best method of having SAP be the single source of truth for all user information, so that when HR creates a new user within SAP, ILM2 will then provision a corresponding user account in AD. I'm a bit of an ILM novice and I'm having a discussion with a colleague who is excellent at SharePoint but unfamiliar with the capabilities of ILM2.

I am proposing the following tasks happen:

For user provisioning:
1. HR creates new user in SAP
2. ILM2 recognises a new user has been created and creates a corresponding user account in AD
3. Based on SAP information (such as user's job title) ILM2 puts the user in the appropriate role-based groups
4. ILM2 creates a new mailbox for the user
5. ILM2 creates new accounts in applications that the new user will require access to (based on role)
6. Any additional workflow (such as informing another department to order a uniform via e-mail)

For user de-provisioning:
1. HR removes user from SAP
2. ILM2 kicks off workflow to archive or disable a mailbox
3. ILM2 kicks off job to delete user accounts from other applications the user had access to
4. ILM2 either disables or deletes user account (based on rules TBD)
5. Any additional workflow required to complete the de-provisioning process

From what I understand this can be done out of the box with the ERP MA. My SharePoint friend is telling me that it would be necessary to create a SharePoint front-end to SAP in order to utilise workflow, provision mailboxes etc. I can't see much benefit other than perhaps giving HR a new and fancy front-end to their SAP system, because all the functionality required to manage the AD/application provisioning and other workflow has been built in to ILM2.

Which one of us is correct (or are we both wrong)? Can the scenarios stated above work with SAP, ILM2, ERP MA (we do have SharePoint btw), or is it best practice/will I be forced to create a SharePoint front-end to SAP for this functionality to be achievable?

Thanks!
PDB
June 26th, 2009 7:26am
Hi,

I have the same scenario in production but based on a PeopleSoft HR database (ILM "2" RDP project).

Provisioning:
ILM 2 creates a new account with a mailbox in the right storage group based on alphabetic rules. ILM 2 manages the user account in the different security groups based on the role & profile provided by HR & the security manager from the HR database.

About point 5 (provisioning in applications), I work on the same scenario. But because ILM "2" doesn't include connectors for some legacy applications, we decided to consolidate/publish through AD LDS (LDAP server) or a SQL database the user information needed for the legacy applications.

De-Provisioning:
According to my client, we prefer to disable the account in AD and move the account to a specific "Retired" OU.

In my experience, point 1 is not a good idea. We decided with my customer to keep all users. We just put a different flag between Active, Disabled (long illness or maternity) and Retired. HR must keep the information for all employees for compliance. For the HR manager and for me it is a very, very good idea. It is easier for ILM2 to manage these 3 user profiles. ILM 2 is based on state. Erasing an object is not a good idea. Also, this choice avoids errors from an HR manager who accidentally deletes a user.

So we implemented a de-provisioning process in 3 phases:
- First day (D0): the account is moved to the specific "Retired" OU, disabled and hidden from the address book (Exchange 2007).
- D+7: the mailbox is moved to a specific "archive" mailbox storage group.
- D+30: the mailbox attributes are removed.

Also you have a retention time in Exchange 2007 in case of a restoration request. My customer decided to keep the old account for history and security compliance.

Regards,
Eric
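The phased D0 / D+7 / D+30 de-provisioning described above, written out as an added example (not code from the thread or from any ILM2 project). It assumes a hypothetical attribute mapping written by the HR sync (extensionAttribute1 = Active | Disabled | Retired, extensionAttribute2 = retirement date), placeholder OU and database names, the ActiveDirectory module and an Exchange 2007 management shell.

```powershell
# Added example: phased de-provisioning for a user flagged Retired by HR.
# Hypothetical attribute mapping (not from the post):
#   extensionAttribute1 = HR status flag: Active | Disabled | Retired
#   extensionAttribute2 = retirement date written by the HR sync (yyyy-MM-dd)
# Every step is idempotent, so the script can run daily (scheduled task or ILM2 workflow).
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [string] $RetiredOU       = 'OU=Retired,DC=example,DC=com',   # placeholder
    [string] $ArchiveDatabase = 'ArchiveDB',                      # placeholder
    [switch] $WhatIf
)

$user = Get-ADUser -Identity $SamAccountName -Properties extensionAttribute1, extensionAttribute2, DistinguishedName
if ($user.extensionAttribute1 -ne 'Retired') {
    Write-Verbose "$SamAccountName is '$($user.extensionAttribute1)', not Retired; nothing to do."
    return
}
$retiredOn = [datetime]::ParseExact($user.extensionAttribute2, 'yyyy-MM-dd', $null)
$daysSince = ((Get-Date) - $retiredOn).Days
# Mailbox is looked up once; it is $null after D+30 has stripped the Exchange attributes.
$mbx = Get-Mailbox -Identity $SamAccountName -ErrorAction SilentlyContinue

# D0: disable the account, hide it from the address book, move it to the Retired OU.
if ($daysSince -ge 0) {
    if ($user.Enabled) { Disable-ADAccount -Identity $user -WhatIf:$WhatIf }
    if ($mbx -and -not $mbx.HiddenFromAddressListsEnabled) {
        Set-Mailbox -Identity $SamAccountName -HiddenFromAddressListsEnabled $true -WhatIf:$WhatIf
    }
    if ($user.DistinguishedName -notlike "*,$RetiredOU") {
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $RetiredOU -WhatIf:$WhatIf
    }
}

# D+7: move the mailbox to the archive database (Exchange 2007 Move-Mailbox).
if ($daysSince -ge 7 -and $mbx -and $mbx.Database.Name -ne $ArchiveDatabase) {
    Move-Mailbox -Identity $SamAccountName -TargetDatabase $ArchiveDatabase -Confirm:$false -WhatIf:$WhatIf
}

# D+30: strip the Exchange attributes; the disabled AD account itself is kept for history.
# Exchange's deleted-mailbox retention still allows a reconnect during the retention window.
if ($daysSince -ge 30 -and $mbx) {
    Disable-Mailbox -Identity $SamAccountName -Confirm:$false -WhatIf:$WhatIf
}
```

Run it with -WhatIf first to see which phase would fire for a given account without changing anything.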
June 26th, 2009 11:41am
Among others, ILM2 has two new features that may answer your question:

- ILM Portal: a SharePoint-based portal to give business users and administrators the front-end capability that was missing in MIIS 2003 / ILM 2007. You need Windows SharePoint Services underneath on your ILM2 server, but the ILM Portal as a SharePoint application comes out of the box. You may have to customize the portal to your requirements.
- Workflow Engine: within ILM 2 you can design and implement workflows based on Windows Workflow Foundation. This is one of the basic components of ILM2. E-mail notification workflows, as you require, are easy to realize with ILM2.

And yes, together with the ERP MA, which was introduced in ILM 2007 FP1 already, you can implement your scenario with ILM2.

Hope this helps
/Matthias

By the way: your friend's description is 100 % correct when you're talking about ILM 2007.
June 27th, 2009 1:11pm
Just to provide some more info: the web services exposed will give the same functionality as the portal exposes. Meaning you can write a front-end with any language that can use web services. But as Matthias says, use the Portal that comes with ILM "2".

Joe
Joe Stepongzi - Identity Management Consultant - ILM MVP - www.microsoftIdM.com, ilmXframework.codeplex.com
July 3rd, 2009 11:13pm