Identity Management

Identity Management

The implementation of the central management of identities and roles within the CEZ Group. Over 10 type systems are connected to the SUN Identity Manager (7.1) application; over 10,000 accounts and over 100,000 roles are managed.


The main objective of the Identity Management integration project was to ensure unified and centralized administration of user accounts and roles in individual systems used in the CEZ Group and managed by the CEZ ICT Services company. This objective was fulfilled by means of the implementation of the Sun Java System Identity Manager application, which controls connected end systems (SAP, MS Active Directory, Oracle Portal and others), thus maintaining all user accounts in consistence and in accordance with the authority data sources (SAP HR, Database of External Users).

Another objective of the project was to ensure role management, the role request process using the Service Desk application with role selection from the register, approval of role assignment by an approver matrix and auditability of any changes.

The last project goal was to facilitate the work for end users and to implement unified logging into selected applications. After logging into Microsoft Active Directory, the user is automatically logged into other systems where they have an account.


The project was implemented and managed by specialists from AMI Praha a.s. and CEZ ICT Services, a.s. Our partner company, Sun Microsystems, supplied the project know‑how and guaranteed the implementation by means of an experienced IT architect. Some functions were developed with the contribution of the Avnet and Profinit companies. An important part of the development in the field of identity and role registers was ensured by CEZ ICT Services, a.s.

Benefits for the customer

  • Automatic actions and controls to enhance security
  • Unified process of user account and role management
  • Auditability of changes and requests
  • Uniform password policy
  • Single login across systems
  • Facilitation of work for Service Desk operators
  • Unified user data in all systems


After a thorough analysis, a centralized solution was designed with the implementation of Sun Java System Identity manager, which retrieves data from the SAP HR authority system (by means of the SAP XI interface) and propagates (or processes and propagates) it further to other connected systems. Adapters used for connection of the systems included standard adapters (SAP, Oracle Portal, RSA SecurID, NDS Novell and others), on which some functions were additionally implemented in J2EE, and Scripted JDBC adapters (AIX, RedHat, Passport), in which all functions were programmed in their entirety. Some systems (MS AD, NDS Novell, RSA) require Sun Gateway, which is installed into the connected system and which intermediates communication between Identity Manager and the end system. Identity Manager creates a unified database of the virtual accounts of all employees with a unified attribute file assigned to them. Accounts in individual end systems are then coupled to these accounts and managed through them. This means that the creation, updating and deletion of user accounts in individual end systems are ensured by a single application (Identity Manager) and by means of a uniform management process. This process is characterized by various approval workflows, which are defined in Identity Manager. Furthermore, all processes are audited and can be reported.

Based on the customer’s requirements, the functionality of the request, assignment and management of roles and rights was additionally implemented in Identity Manager. The roles are managed in the BCRR application (an application developed internally by the customer), from which Identity Manager retrieves them and assigns them to individual users. Used roles include application roles (roles granting certain rights), login roles (roles granting access to systems) and business roles (roles grouping together several roles based on business requirements). These roles can be requested either by the relevant employee or by his superior across all the connected systems. The role’s properties may include a time limit and it can also bear a licence. A mandatory part of the role definition is the approver matrix. The role assignment process is subject to the approval of the role based on the workflow on several levels (for example, licence, methodical instructions, superior or system administrator). All approvals take place directly in the Identity Manager application; role assignment as well as approvals are audited and are also transferred to the ServiceDesk application, where the request is initiated and monitored.

The implementation of the project included a central password policy and history, which monitors the strength and validity of passwords and forces their change in a centralized manner and sends information to users. Great stress was laid at this point on the quality of the password encryption when transferring and storing passwords.

Due to the large number of passwords and safety standards, the problem of the single login (Single Sign‑On) was resolved within the project as well. Initially, the IdM itself with the use of the Access Manager application was implemented by Sun Microsystems; Kerberos tickets were used for the SAP, SAP Portal and Oracle Portal systems. Two login policies were selected for Identity Manager - for the user interface, single‑factor authentication was used, consisting of the verification of the name and password in the MS Active Directory and utilizing Single Sign‑On (SSO). For the administration interface, two‑factor authentication was used, comprising verification of the name by the RSA SecurID system and the so‑called passcode and verification of the password by the Microsoft Active Directory.


  • Java
  • JavaScript
  • Linux
  • MySQL

Other projects for the client

Related products

Related services

Related solutions

Přejít na začátek stránky


© Copyright 1998-2011 AMI Praha a.s., powered by AMIGO CMS