Hi Patrick,

here is some answers:

Main purpose of VDS is to be an interface INTO IdM. It is an LDAP interface into the data stored in IdM database. It allows you for example to search, read, write and authenticate to IdM data via LDAP interface.

IdM has its own UI (http:host:port/idm). You are not supposed to see business roles in useradmin of the J2EE. It is objects known to IdM, not to the J2EE.

Repositories are objects representing mostly a source or target system. For example AD could be a source system where you get users from. An ABAP client can be a target system where you provision users to. Uploading users is just a way of creating users that you cannot get from some other source system like HCM, AD or ABAP. It depends on your scenarios and user life cycle where you get your user information from (source system) and where you provision to (target system).

The link you shared regarding the org units is not really related to IdM as a product. If you do some automatic assignments in ABAP directly, you might need to reconcile with IdM. IdM is supposed to be a central user administration tool. If you have information about org units in IdM and want to use it to automatically assign authorizations you can do that for example by using dynamic groups.

IdM is a very powerful tool opening a lot of possibilities as you can basically implement every requirement if you only have the required information available somewhere. It might be helpful for you to have someone to answer all your questions and help you solving your requirements in best way in the beginning, enabling you to use it in the most efficient way.

Regards

Norman