create AD accounts with IDM
As I have been using Identity Manager only for a short period of time, I have quite a weird question.
In my scenario I use SAP HR as the authoritative resource. Out of the SAP data I would like to dynamically create new resource accounts for Active Directory, so that a person who is imported from SAP can access AD.
Is this possible and, if so, how can it be managed?
Thanks in advance,
Karl
By karl_h at 2007-11-26 8:32:41

# 1
Do you mean an automated process or a manual process to create the AD account?
The manual process is pretty straightforward -- build forms for SAP and AD and then use the attributes from SAP to populate the AD fields however you like. E.g. Field displayName for AD is an Expansion field that refers to the SAP legalFullName field. Add both resources to a user, recalculate, and save.
The automated process is more complicated, and involves ActiveSync adapters. We do this with PeopleSoft, so it should be possible with SAP. However, there are lots of moving parts involved.
Most of the work comes from analyzing the business process of how people get hired. Sounds simple, but there are some odd circumstances which you need to account for. Do you need to create the userids on the first day of work, or in advance? If it's in advance, can SAP provide you with all the data needed to create the account, or do you have to wait for the start date? How do you plan on handling terminations or canceled job offers (candidate failed background check or took another offer before starting work)?
You'll probably need a new form specifically tailored to handle the automated process, because there are ActiveSync fields like 'feedOp' that you'll want to refer to in order to determine what kind of activity is taking place.
The form will need some logic to determine what resources or role to assign to the user that comes in from SAP. This could be a simple Expansion of waveset.resources that appends "Active Directory" or a rule that makes sophisticated decisions (this type of user gets A,B,C while this type gets X,Y,Z).
You will probably need custom workflows that the activesync form will drop into (by selecting viewOptions.process based on feedOp and other criteria).
Looking back over the list of things that are involved, I hope I haven't scared you out of attempting this! My advice would be to start small and build on it over time. Start with the manual process -- the field relationships need to be there for the automated process, too. Get the activesync adapter working for creating users from SAP only, then add in the AD assignment later.
Jason
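As an added illustration (not code from the thread, and not from Sun's product documentation or samples), the form Jason describes could look roughly like this in the IDM XPRESS form syntax: AD fields filled by Expansion from the SAP account, the AD resource appended to waveset.resources, and a workflow selected from the ActiveSync operation. The resource names ('SAP HR', 'Active Directory'), the SAP attribute names (legalFullName, firstname, lastname, email, AccountID), the two workflow names, and the exact attribute names for the feed operation (written here as activeSync.feedOp) and the process selector (written here as viewOptions.Process, where the thread says viewOptions.process) are all assumptions; verify them against your own resource schema maps and the IDM forms reference before using them.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Configuration PUBLIC 'waveset.dtd' 'waveset.dtd'>
<!-- Illustrative ActiveSync input form (added example, not from the thread).
     Resource names, SAP attribute names, workflow names and the
     activeSync.feedOp / viewOptions.Process names are assumptions. -->
<Configuration name='SAP HR ActiveSync Form'>
  <Extension>
    <Form>
      <Display class='EditForm'/>

      <!-- 1. Populate AD attributes from the SAP resource account.
           accounts[<resource name>].<attribute> addresses one resource's
           account; an Expansion is re-evaluated on every recalculate. -->
      <Field name='accounts[Active Directory].displayName'>
        <Expansion>
          <ref>accounts[SAP HR].legalFullName</ref>
        </Expansion>
      </Field>
      <Field name='accounts[Active Directory].givenName'>
        <Expansion><ref>accounts[SAP HR].firstname</ref></Expansion>
      </Field>
      <Field name='accounts[Active Directory].sn'>
        <Expansion><ref>accounts[SAP HR].lastname</ref></Expansion>
      </Field>
      <Field name='accounts[Active Directory].mail'>
        <Expansion><ref>accounts[SAP HR].email</ref></Expansion>
      </Field>
      <!-- AD logon name taken from the SAP AccountID. Note that AD limits
           sAMAccountName to 20 characters; enforce that in the SAP feed or
           with a Validation on this field. -->
      <Field name='accounts[Active Directory].sAMAccountName'>
        <Expansion><ref>accounts[SAP HR].AccountID</ref></Expansion>
      </Field>

      <!-- 2. Assign the AD resource. appendAll adds 'Active Directory' to the
           user's resource list (elements already present are not added
           again); the User view provisions an account on every resource
           in waveset.resources when the view is saved. -->
      <Field name='waveset.resources'>
        <Expansion>
          <appendAll>
            <ref>waveset.resources</ref>
            <s>Active Directory</s>
          </appendAll>
        </Expansion>
      </Field>

      <!-- 3. Choose the workflow from the ActiveSync operation
           (create / update / delete). Terminations get their own
           process so the AD account is disabled rather than re-created. -->
      <Field name='viewOptions.Process'>
        <Expansion>
          <cond>
            <eq><ref>activeSync.feedOp</ref><s>delete</s></eq>
            <s>SAP Termination Process</s>
            <s>SAP Hire Process</s>
          </cond>
        </Expansion>
      </Field>
    </Form>
  </Extension>
</Configuration>
```

To exercise the field mappings by hand before wiring up ActiveSync, use the same form as the user form: add both resources to a test user, recalculate, confirm the AD fields are filled from the SAP values, then save. The Expansion elements only work if the resource schema map for each resource actually defines the attribute names referenced here.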
# 2
Thanks for your interesting response Jason.
As I see the situation, I prefer the manual process, because the target of my scenario is only to create new AD users out of SAP data. Furthermore we can leave the complete hiring process aside, because it is only a test project, where we should "generate" AD accounts out of SAP HR data.
Currently I have imported all user data out of SAP HR. This works fine and to my mind there is enough data (firstname, lastname, email, AccountID, ...) to populate Active Directory accounts. Now I try to create Active Directory resource accounts out of the available data provided by the SAP resource accounts.
As I understood, the only way to create AD Accounts is to create 2 forms (one for SAP and one for AD), or is there another possibility to achieve this?
As you can see I'm quite a newbie in IDM, therefore I appreciate every knowledge input.
Thanks for your help,
Karl
# 3
You could have an all-in-one form that contains all of the fields for the resources, but experience at our shop is that this is awkward to manage over time as requirements/functionality for each resource change (your situation may be different).
Another reason to split them into different forms is if you have situations where some userids have only some of the resources. You put a Disable tag on the form that checks waveset.resources for the resource in question and suppresses it if the resource is not listed for the user. This improves performance (fewer fields to display) and keeps irritating required fields/validation logic from executing unless it really has to.
As a proof of concept, one form will probably work for you. The important thing is to make sure that the forms and the resource schema definitions are in agreement about what goes where.
Jason
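As an added example of the split-form approach in this reply (not code from the thread or from Sun's documentation), here is a per-resource AD form in which a single Disable on an enclosing Section hides all the AD fields, and skips their Validation, whenever 'Active Directory' is not in waveset.resources. The resource names and the SAP attribute names (AccountID, email) are assumptions, as in any real deployment they come from your schema maps.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Configuration PUBLIC 'waveset.dtd' 'waveset.dtd'>
<!-- Illustrative per-resource form (added example, not from the thread).
     'Active Directory' / 'SAP HR' and the SAP attribute names are assumptions. -->
<Configuration name='Active Directory User Form'>
  <Extension>
    <Form>
      <Display class='EditForm'/>

      <!-- One Section for all AD fields. Disable on the parent field
           suppresses the section and every child field when the user
           has no AD resource assigned, so none of their Validation
           or required-field checks run for SAP-only users. -->
      <Field>
        <Display class='Section'>
          <Property name='title' value='Active Directory'/>
        </Display>
        <Disable>
          <not>
            <contains>
              <ref>waveset.resources</ref>
              <s>Active Directory</s>
            </contains>
          </not>
        </Disable>

        <Field name='accounts[Active Directory].sAMAccountName'>
          <Display class='Text'>
            <Property name='title' value='Logon name'/>
            <Property name='required' value='true'/>
          </Display>
          <Expansion><ref>accounts[SAP HR].AccountID</ref></Expansion>
          <!-- Validation returns an error string or null; AD rejects
               sAMAccountName values longer than 20 characters. -->
          <Validation>
            <cond>
              <gt>
                <length><ref>accounts[Active Directory].sAMAccountName</ref></length>
                <i>20</i>
              </gt>
              <s>Logon name must be 20 characters or fewer</s>
              <null/>
            </cond>
          </Validation>
        </Field>

        <Field name='accounts[Active Directory].mail'>
          <Display class='Text'>
            <Property name='title' value='E-mail'/>
          </Display>
          <Expansion><ref>accounts[SAP HR].email</ref></Expansion>
        </Field>
      </Field>
    </Form>
  </Extension>
</Configuration>
```

Keeping the Disable on the Section rather than on each field means one condition to maintain when attributes are added later, which is the maintainability point made above. The SAP form would carry the mirror-image check against 'SAP HR'.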