
OIM > VDS > IDM

former_member183326
Active Contributor

Hi,

I would like to get some thoughts on the below design/concept, and whether there are simpler ways to achieve this.

There are 2 IDM systems in this scenario

1: OIM

2: SAP IDM.

OIM is the main source of identities here and this won't change. SAP IDM is only in place here to manage the SAP systems. We also have a connector from OIM but I believe using a VDS for this scenario would make life that bit easier instead of using the connector directly from OIM to IDM (I would like to know if this thinking is correct).

The flow would be:

OIM updates a Database Table with the Identity information, a VDS Temp table exists. OIM pushes the update to the VDS Temp table (real-time). Within IDM there will be a VDS repository (LDAP). I think I can use an LDAP pass to pass the information from the VDS table into this repository in IDM. All of this is done via event based triggers.

I would also like to ask the question about reconciliation back from SAP to OIM: is this also possible?

Does this current design allow for real-time provisioning and, most importantly, is this a lean model? I want to avoid performance issues.

Many thanks,

Michael

Accepted Solutions (1)

former_member2987
Active Contributor

Hi Michael,

I think VDS as a bridge is a great idea. The advantage here is that you can then have OIM and IDM read updates on a regular basis. Making the virtual directory writable will allow both sides to update their authoritative attributes as needed.

In the old days, we referred to something like this as a metadirectory.

What goes around, comes around I guess.

Matt
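A small model of the writable bridge Matt describes, added here as an example that is not from the thread: each side may only update the attributes it is authoritative for, and reads back the other side's. The attribute names, the two system labels, the role name and the in-memory store standing in for the VDS repository are all constructed.

```python
# Added example: a minimal model of a writable VDS bridge where each side may only
# update the attributes it is authoritative for. The attribute names, the two
# system labels and the in-memory store are constructed for illustration.
from typing import Dict, List, Tuple

# Which system owns each attribute of the shared entry (constructed policy):
# OIM is the identity source, SAP IDM owns SAP role assignments.
AUTHORITY: Dict[str, str] = {
    "uid": "OIM", "givenName": "OIM", "sn": "OIM", "mail": "OIM", "status": "OIM",
    "sapRoles": "IDM",
}


class AuthorityViolation(Exception):
    """Raised when a system tries to write an attribute it does not own."""


class VirtualDirectory:
    """In-memory stand-in for the VDS repository that both OIM and IDM read and write."""

    def __init__(self) -> None:
        self.entries: Dict[str, dict] = {}
        self.audit: List[Tuple[str, str, str, List[str]]] = []  # (result, source, uid, attrs)

    def write(self, source: str, uid: str, changes: dict) -> dict:
        """Apply an event from `source`; reject it whole if any attribute is not its own."""
        foreign = sorted(a for a in changes if AUTHORITY.get(a) != source)
        if foreign:
            self.audit.append(("REJECT", source, uid, foreign))
            raise AuthorityViolation(f"{source} is not authoritative for {foreign} on {uid}")
        entry = self.entries.setdefault(uid, {"uid": uid})
        entry.update(changes)
        self.audit.append(("ACCEPT", source, uid, sorted(changes)))
        return dict(entry)

    def reconcile_view(self, consumer: str) -> Dict[str, dict]:
        """What `consumer` pulls back: the attributes owned by the other side, keyed by uid."""
        return {
            uid: {a: v for a, v in e.items() if AUTHORITY.get(a) != consumer}
            for uid, e in self.entries.items()
        }


def run_demo() -> VirtualDirectory:
    """Walk one identity through the bridge: OIM creates it, IDM returns its SAP roles."""
    vds = VirtualDirectory()
    vds.write("OIM", "mjones", {"givenName": "Michael", "sn": "Jones", "status": "active"})
    vds.write("IDM", "mjones", {"sapRoles": ["Z_FI_DISPLAY"]})  # constructed role name
    try:  # IDM must not overwrite identity data that OIM owns
        vds.write("IDM", "mjones", {"status": "inactive"})
    except AuthorityViolation:
        pass
    return vds
```

The audit list is what you would want to keep in a real deployment: a rejected write is the signal that one side is trying to become authoritative for data it does not own.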

former_member183326
Active Contributor

Hi Matt,

Thanks for your answer here.

What I would also like to ask: if OIM in this case is going to be the "single source of truth", is it possible to also push back the roles and their underlying privileges (authorisations) when a change is carried out, so that when looking in OIM there is a direct sync between what the roles look like in the back end and how they look in OIM? Is this possible via VDS, or does this need to be a connector straight from IDM to OIM? Recertification, basically.

Many thanks,

Michael

former_member2987
Active Contributor

Hi Michael,

I don't see why not. The only issue when one "bridges" between disparate user provisioning solutions is figuring out what to use for the bridge. Most of these applications will "speak" database, LDAP, ASCII, and APIs. It's just figuring out which one makes the most sense. Security considerations, network architecture, and access to servers and databases will all be part of the final decision. I'd say that while there is no correct solution, as these criteria vary from implementation to implementation, database connections have usually worked best for me in the past.

Cheers,

Matt

former_member183326
Active Contributor

Cheers Matt, much appreciated.
