We are in the planning phase of implementing SAP Identity Management 7.1.
There are 2 restrictions in the existing SAP Central User Administration (CUA) functionality that, if the restrictions also apply to SAP IdM, will fundamentally affect our rollout strategy for SAP IdM.
1. In CUA, once an SAP client becomes a Child of a CUA Master client, user-ids in the Child client are only able to be created via the CUA Master client. Some local user settings can still be maintained in the CUA Child client, but as a general rule, all User master data maintenance must be performed via the CUA Master Client.
QUESTION: Is there a similar parallel with SAP IdM? In other words, once we configure SAP IdM to provision to a particular child SAP client, are there any restrictions imposed by SAP in relation to maintaining user master data directly in the child SAP client? Alternatively, can all user-id creations & user master data maintenance be performed from SAP IdM as well as directly in the child SAP client?
2. In CUA, once an SAP client becomes a Child of a CUA Master client, then it cannot become a child client of another CUA Master client.
QUESTION: Is there a similar parallel with SAP IdM? This question impacts how we provision access to our non-Production SAP systems using SAP IdM (e.g. dev, test, etc.). Ideally, we would like to have the capability of connecting 2 SAP IdM systems to selected dev/test systems:
a. A productive SAP IdM system for provisioning access in Dev/Test systems to "real" employees involved in development of our SAP systems.
b. A development SAP IdM system, for configuring/testing our IdM system. This system would also need to provision to Dev/Test systems for the purposes of testing provisioning procedures. In these scenarios, we would probably only provision to a range of test user-ids to avoid affecting the access of "real" Dev/Test system users.