Identity Management 2


We implemented new functions in the central identity and role management built on the Sun Identity Manager application, connected new systems to it, and produced methodical documentation for user and role management.


The primary objective of the project was the connection of further systems, particularly SAP systems, but also new systems such as TIPOM or ArcGIS.

The secondary objective was to spread the use of the IDM application among the employees of the CEZ Group, mainly through new additional functions and methodical instructions.

The security objective was the creation of emergency scenarios for the IDM application as well as for the SSO implemented through Kerberos.


On the supplier side, the project was delivered by specialists from AMI Praha. Some sub-supplies were transferred to the Profinit company (particularly SSO and the connection of one of the new systems) and the Avnet company (particularly the methodical documentation).

On the customer side, the project was, as usual, carried out by the user administration department (the operational section of CEZ ICT Services responsible for application support and administration of the IDM application) together with the security department, which initiated the project. Employees of the SAP and ServiceDesk teams and the administrators of AD and of the newly connected systems took part in some parts of the project. Two further supplier companies also participated on behalf of the customer; they prepared the database procedures for the newly connected systems.

The project schedule was met and there were no change requests.


Within the project, the following functions and areas of solution were implemented:

  1. Update of system infrastructure – update of the Solaris OS, installation of four new servers and changes to OS settings in accordance with CEZ's methodical instructions, Java JDK 1.5 Update 11, IDM patches, and hardware enhancement of the testing and development environments.
  2. Merging of database schemas into a single schema – the IDM database schemas were merged into one schema per environment for easier management by the IDM administrators in CEZ ICT Services.
  3. Completion of the SAP adapter for setting up SAP in SSO – the IDM-SAP interface was extended with SNC (Secure Network Communications) attributes, which indicate whether the user may use Single Sign-On to SAP systems.
  4. Connection of the TIPOM system – the system for document management and creation and management of change processes for power plants was connected to IDM. All user identities and most user roles are managed through a Scripted JDBC adapter. The adapter utilizes database procedures which were prepared by the supplier of the TIPOM system.
  5. Handling of connected-system shutdown – a function was implemented which allows a connected system that is unavailable for a long time to be switched out; IDM then does not attempt any operations on such a system, so its bulk tasks are not held up by it. After the connected system is put back into operation, IDM performs all the changes that should have been carried out on it during the shutdown.
  6. Mandatory entry of the current password when changing a password – for security reasons, entry of the user's current password is now required on entering the "password change" tab in IDM. The check is carried out at filter level on the application server, i.e. server-side, so it cannot be skipped by bypassing the user interface.
  7. SSO SAP Portal – Single Sign-On to the SAP Portal (PIA and PIP) was implemented by means of Kerberos against MS Active Directory. SSO works on the Windows 2000, XP and 7 operating systems with the Internet Explorer 6, 7 and 8 and Firefox 3 web browsers.
  8. Analysis of system and program accounts – an analysis of the registration and register of program accounts of the connected systems within the SAP module BCRI and IDM was carried out. This analysis was used for the preparation of the Target Solution Concept.
  9. Analysis of UNIX adapters – an analysis of the UNIX systems (RedHat, AIX, HP-UX and Solaris) was carried out with regard to the preparation of a universal adapter for identity and group management in these OS. Information from the analysis was used for the drawing up of the Target Solution Concept; the concept contained a proposal for a single universal custom adapter which would call relevant created scripts on the OS.
  10. Connection of the ArcGIS system – this system for the management of primary technical information within the CEZ Group was connected to IDM. All user identities and roles are managed through a Scripted JDBC adapter. The adapter utilizes database procedures which are prepared by the supplier of the ArcGIS system.
  11. Only 1 of n roles can be assigned – within role management and assignment, a function was prepared which allows a user to hold only one role from a defined group of roles. This is mainly used for the size of home directories.
  12. Management of users' home directories – the creation of home directories and their size is now controlled at the moment the account is created, or on the basis of a role request from IDM.
  13. Role reconciliation for all systems at the same time – retrieval of the role assignment status was changed to run concurrently on all systems, which reduces the duration of the operation and the administration effort.
  14. Support of password change for ServiceDesk – when changing the password for a "customer" (user), SD operators can have the password generated and sent to the user's mobile phone via SMS. This function was implemented mainly for security reasons; possession of the registered mobile phone serves as the user's identification.
  15. Analysis of bulk import of role assignments – an analysis of the needs for bulk role administration, in particular for SAP systems, was carried out.
  16. Emergency scenarios for IDM and SSO – emergency scenarios and recovery strategies for IDM and for SSO through Kerberos were drawn up.
  17. SSO methodical instructions – methodical instructions for the implementation of SSO in information systems, covering both technical and process issues, were created.
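
Two of the behaviours listed above, the mutually exclusive role group (only one of n roles, used for the home-directory size) and the deferral of operations to a connected system that is switched out, are shown below as plain logic. This is an added example written for this page, not Sun Identity Manager code and not code from the project; role names, the "TIPOM" system object and the user are constructed for the illustration.

```python
"""Added example (not Sun Identity Manager code): two of the behaviours
listed above, as plain logic.

1. A mutually exclusive role group: a user may hold at most one role of
   the group (here used, as on the page, for the home-directory size).
2. A connected system that is switched out: operations are queued instead
   of attempted, and replayed in order when the system is put back.

All names (roles, system, users) are hypothetical/constructed."""
from dataclasses import dataclass, field

# Hypothetical exclusive group: at most one of these per user.
HOME_DIR_SIZE_ROLES = frozenset({"home_1G", "home_5G", "home_20G"})
EXCLUSIVE_GROUPS = (HOME_DIR_SIZE_ROLES,)


class RoleConflict(Exception):
    """Assigning the role would give the user two roles of one exclusive group."""


def assign_role(user_roles, role, replace=False):
    """Return the user's new role set.

    If `role` belongs to an exclusive group and the user already holds another
    role of that group, raise RoleConflict, or, with replace=True, swap the
    held role for the new one (e.g. change the home-directory size)."""
    new_roles = set(user_roles)
    for group in EXCLUSIVE_GROUPS:
        if role in group:
            held = new_roles & (group - {role})
            if held and not replace:
                raise RoleConflict("%s conflicts with %s" % (role, sorted(held)))
            new_roles -= held
    new_roles.add(role)
    return new_roles


@dataclass
class ConnectedSystem:
    """Simulated target system (e.g. one reached through a JDBC adapter)."""
    name: str
    online: bool = True
    accounts: dict = field(default_factory=dict)  # user -> set of roles on the target
    pending: list = field(default_factory=list)   # operations deferred while switched out

    def apply(self, op):
        """Execute one operation against the simulated target store."""
        kind, user, roles = op
        if kind in ("create", "update"):
            self.accounts[user] = set(roles)
        elif kind == "delete":
            self.accounts.pop(user, None)
        else:
            raise ValueError("unknown operation %r" % kind)


def provision(system, op):
    """Send `op` to the system, or queue it if the system is switched out.

    Queuing (rather than retrying) is what keeps a bulk task from being
    held up by an unreachable target."""
    if not system.online:
        system.pending.append(op)
        return "deferred"
    system.apply(op)
    return "applied"


def resume(system):
    """Put the system back into operation and replay deferred operations.

    Replay preserves the original order, so a later update or delete for the
    same user still wins over an earlier one. Returns the number replayed."""
    system.online = True
    replayed = 0
    while system.pending:
        system.apply(system.pending.pop(0))
        replayed += 1
    return replayed


def demo():
    """Constructed scenario; returns values a caller can check."""
    roles = assign_role(set(), "home_5G")
    try:
        assign_role(roles, "home_20G")
        conflict = False
    except RoleConflict:
        conflict = True
    roles = assign_role(roles, "home_20G", replace=True)   # {'home_20G'}

    tipom = ConnectedSystem("TIPOM")
    first = provision(tipom, ("create", "jnovak", roles))  # 'applied'
    tipom.online = False                                   # system switched out
    second = provision(tipom, ("update", "jnovak", roles | {"tipom_reader"}))
    third = provision(tipom, ("delete", "jnovak", set()))
    replayed = resume(tipom)                               # 2
    return conflict, roles, first, second, third, replayed, dict(tipom.accounts)


if __name__ == "__main__":
    print(demo())
```

Replaying in the original order matters: coalescing the queue per user would be a cheap optimisation, but only if the final operation for each user is kept, otherwise the delete queued after an update would be lost.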

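The server-side check from item 6, requiring the current password before a password change is processed, is shown below as a filter placed in front of the change-password handler. This is an added illustration for this page, not the project's Java application-server filter and not Sun Identity Manager code; the endpoint path, the user, the passwords and the in-memory credential store are constructed for the example.

```python
"""Added example (not Sun Identity Manager or Java EE filter code): the
server-side check described above, which requires the user's current
password before a password change is processed. It is modelled as a filter
in front of the handler so that it applies to every request reaching the
change-password endpoint, not only to the UI tab. Paths, users and
passwords are constructed for the example."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000
CHANGE_PASSWORD_PATH = "/idm/user/changePassword"   # hypothetical endpoint


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class PasswordStore:
    """Constructed in-memory credential store: user -> (salt, digest)."""
    def __init__(self):
        self._creds = {"jnovak": hash_password("Winter2011!")}

    def verify(self, user, password):
        entry = self._creds.get(user)
        if entry is None:
            return False
        return verify_password(password, *entry)

    def set_password(self, user, password):
        self._creds[user] = hash_password(password)


def change_password_handler(request, store):
    """The protected handler itself; relies on the filter having run first."""
    store.set_password(request["session_user"], request["new_password"])
    return 200, "password changed"


def reauth_filter(request, store, next_handler=change_password_handler):
    """Gate the change-password endpoint on the current password.

    The check lives here, not in the form, so posting directly to the
    endpoint without visiting the tab is refused just the same."""
    if request.get("path") != CHANGE_PASSWORD_PATH:
        return next_handler(request, store)
    user = request.get("session_user")
    current = request.get("current_password")
    if not user or current is None:
        return 403, "current password required"
    if not store.verify(user, current):
        # Same answer for a wrong password and an unknown user.
        return 403, "current password incorrect"
    return next_handler(request, store)


def demo():
    """Constructed requests against the filter; returns the observable results."""
    store = PasswordStore()
    base = {"path": CHANGE_PASSWORD_PATH, "session_user": "jnovak", "new_password": "Spring2012!"}
    no_current = reauth_filter(dict(base), store)[0]                             # 403
    wrong = reauth_filter(dict(base, current_password="guess"), store)[0]        # 403
    ok = reauth_filter(dict(base, current_password="Winter2011!"), store)[0]     # 200
    old_still_valid = store.verify("jnovak", "Winter2011!")                       # False
    new_valid = store.verify("jnovak", "Spring2012!")                             # True
    return no_current, wrong, ok, old_still_valid, new_valid


if __name__ == "__main__":
    print(demo())
```

The point of doing this at filter level is that the session cookie alone is not enough to change the password: a forgotten unlocked workstation or a stolen session still needs the current secret, and the check cannot be skipped by submitting the change request directly.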

  • HTML
  • Java
  • JavaScript
  • Linux
  • MySQL




© Copyright 1998-2011 AMI Praha a.s., powered by AMIGO CMS