Former Member

Multiple Identity Store within an Identity Center

We're implementing SAP IDM 7.2 for a client which wants to segregate user access and provisioning for two of its subsidiaries (A & B).

I've thought to create two different identity stores (A & B) - each one for a subsidiary - to partition user access and provisioning requests.

But how should I link each of these identity stores to the User Interface so that

  • User administrator in Subsidiary A manages entities under Identity Store A
  • User administrator in Subsidiary B manages entities under Identity Store B

If this isn't possible, should I install multiple instances of IDM UI?

Experts, please advise.


2 Answers

  • Best Answer
    Posted on May 23, 2012 at 01:33 PM

    I would suggest two implementations of IDM. Both implementations can share the same database and even the same MMC console. However, each installation will require its own NetWeaver stack for the Web UI.

    Matt


  • Former Member
    Posted on May 31, 2012 at 09:36 PM

    Are the requirements for the UIs, approvals and other workflows the same for both subsidiaries? If you have both subsidiaries in the same MMC / Identity Center as different Id Stores, you would have to maintain two sets of configurations, but some of the functionality could overlap (like jobs or global scripts), so you would need to pay attention to which Id Store you're working on. You would need to have two UIs etc. There would be more testing involved as it would be more complex. If they're two separate databases / Identity Centers, then you could potentially develop one system (if the requirements match) and deploy it to two Identity Centers.

    I would put all the data in the same Id Store and just hide Subsidiary A from Subsidiary B (and vice versa) by means of product ACLs or by hiding the data on the entry type level (set search attribute vs user attribute on the entry type).

    With the search attribute vs user attribute scenario, create a custom attribute that holds the user's organization (user attribute) and another attribute that holds all the organizations (search attribute) to whom the entry is visible. By populating the correct values, you can then limit Subs A from seeing Subs B and have a special group like "IdM Uber Admins" that can see both subsidiaries.

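Added example, not part of the original thread and not SAP IDM code: a small Python model of the search attribute vs user attribute scheme described in the second answer, with an audit that flags attribute values that would break the A/B segregation. The field names, the sample entries and the way the "IdM Uber Admins" group bypasses the filter are assumptions made for illustration.

```python
from dataclasses import dataclass, field

UBER_GROUP = "IdM Uber Admins"  # group name taken from the answer above

@dataclass
class Entry:
    name: str
    org: str                                       # user attribute: own organization
    visible_to: set = field(default_factory=set)   # search attribute: orgs that may see it
    groups: set = field(default_factory=set)

def can_see(viewer: Entry, target: Entry) -> bool:
    """Viewer sees target only if the viewer's org is listed on the target."""
    if UBER_GROUP in viewer.groups:      # assumption: modelled as a plain group check
        return True
    return viewer.org in target.visible_to   # empty set => hidden (fail closed)

def search(viewer: Entry, store: list) -> list:
    return sorted(e.name for e in store if can_see(viewer, e))

def audit(store: list, known_orgs: set) -> list:
    """Flag attribute values that would break the A/B segregation."""
    findings = []
    for e in store:
        if e.org not in e.visible_to:
            findings.append((e.name, "hidden from its own organization"))
        leaked = (e.visible_to & known_orgs) - {e.org}
        if leaked:
            findings.append((e.name, "visible to other org: " + ",".join(sorted(leaked))))
        unknown = e.visible_to - known_orgs
        if unknown:
            findings.append((e.name, "unknown org value: " + ",".join(sorted(unknown))))
    return findings

# Constructed sample data, not taken from any real system.
STORE = [
    Entry("admin.a", "A", {"A"}),
    Entry("admin.b", "B", {"B"}),
    Entry("alice", "A", {"A"}),
    Entry("bob", "B", {"B", "A"}),        # mis-populated: leaks to Subsidiary A
    Entry("carol", "B", set()),           # never populated
    Entry("root", "A", {"A"}, {UBER_GROUP}),
]

if __name__ == "__main__":
    by_name = {e.name: e for e in STORE}
    for who in ("admin.a", "admin.b", "root"):
        print(who, "sees", search(by_name[who], STORE))
    for name, issue in audit(STORE, {"A", "B"}):
        print("FINDING", name, issue)
```

Because the segregation depends entirely on the populated values, running an audit like this after every load or provisioning job catches entries that drifted into the other subsidiary's view.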
