ATP

By ATP and IBM in cooperation

Published in: Technology
  1. IBM Security Identity Manager at ATP: Impact of On-boarding 1500 Users in a Highly Customized ISIM System
  2. About ATP
     • The largest pension fund in Denmark, managing public pension schemes for 4.7 mill. persons
     • Total assets worth DKK 700+ billion (approx. USD 100+ billion)
     • Generally regarded as one of the best performing pension funds worldwide, with a very high return rate and low cost
     • ATP has recently been appointed to take responsibility for most public welfare payouts ("Udbetaling Danmark")
     • Yearly payouts approx. DKK 180 billion (approx. USD 27 billion)
     • Reducing the cost by approx. 30%
     • Onboarding approx. 1500 users from the municipalities
  3. History/Background of the ATP ISIM Installation
     • ATP was converting the pension system from a monolithic ("Silos") system to a SAP and WebSphere Portal based SOA architecture
     • ISIM (ITIM 4.5.1) was selected as the IdM platform to automate user lifecycle management in Q2 2005
     • Target goal for Security Administration was to keep the same headcount despite additional systems
     • The system went live 1/1 2006 supporting Windows AD, 2 SAP systems and TAM 5.1
     • HRFeed from SAP HR, approx. 1000 users
  4. ATP ISIM Primary Focus
     • Automated Lifecycle Management
     • Fully automated on/off-boarding of employees/consultants via SAP HR Identity Feed (HRFeed)
     • Manual Master for external users and technical accounts
     • All aspects of lifecycle and password management (diagram labels): New hire/contract registered, Termination, Account deletion, Grace period, Changes, Administration of user accounts
  5. ATP ISIM Primary Focus (cont.)
     • Role Governance
     • All ATP Business Platform Roles 100% controlled
     • Roles modelled in a top/down process to fit purpose
     • The role model is owned and maintained by the business owners and implemented in ISIM by the Security Administration
     • Roles are recertified regularly
  6. ATP Role Request Management
     • Intranet custom tool for requests (general system covering all kinds of requests)
     • Requests for roles are routed to the Security Administration via the Service Management tool ("Helpdesk")
     • Requests are managed by the Security Administration via the ISIM console
  7. The ATP ISIM Server Setup
     [Architecture diagram. Component labels: ITDI, WAS, TIM application, TAM, Active Directory, R/3, SAP XI, DB2, IDS, WEMB (MQ), Lotus Domino, NAFS, Kerne, KSP CICS, Multiple Systems, internet. Adapter labels: Adapter for TAM, Adapter for SAP, Adapter for Active Directory, Adapter for Kerne, Adapter for Notes, Adapter for KSP CICS. Flow labels: Person feed, HR extract, HR feed, Provisioning.]
  8. ATP ISIM – Systems Managed
     • In Production 16 system managed
     • In Pilot 17 system managed
     Production / Pilot:
     • Windows AD 1 (Windows AD 1 (non-functional system)
     • SAP NW (ABP) 9 / SAP NW (ABP) 9
     • Custom "Kerne" (ABP) 3 / Custom "Kerne" (ABP) 3
     • SAP XI 2
     • Lotus Notes 1 / Lotus Notes 1 (non-functional system)
     • KSP CICS UDK 1
     • ITAM (ABP) 1 / ITAM (ABP) 1
     • ITIM 3 / ITIM 3
  9. Important Customizations
     • Time Based Roles (managing roles with a start- and end-date)
     • AD Hybrid Management Model
       ◦ Groups are managed "hard" (RBAC model) if placed in specific AD OUs
       ◦ Groups outside these OUs are non-managed (can be managed using Accesses)
     • Auto Create of AD groups (organization based groups)
     • Workflow for Management of Unauthorized Accounts
       ◦ Accounts created outside ISIM are detected on reconciliation
       ◦ Workflow locks account upon detection and triggers approval flow
     • Provisioning Policy report in CSV format (weekly via mail)
     • Migration/Synch tool to manage business objects (Roles/Policies/Workflows etc.) between environments (Development/Pilot/Prod)
  10. ATP ISIM – History and Future
     • Original platform ITIM 32 bit version 4.5.1: 2005/1/1
     • Migrated to ITIM 32 bit 4.6: 2007/Q2
     • Migrated to ITIM 5.1 64 bit: 2011/Q4
     • Upgrade to ISIM 6.0 planned for 2013
  11. The UDK project
     • Agreement between the government and municipalities in 06/2010 to:
       ◦ Centralize welfare payments into a new organization "Udbetaling Danmark" (UDK)
       ◦ Uniform Processing
       ◦ Saving target DKK 300 million/year
     • 3 Waves starting 10/2012 covering approx. 1500 users
     • ATP delivers Administrative systems support – e.g. IdM
     • 3 new Systems (2 SAP NW + RACF/CICS via WS)
     • Public Certificate and other governmental systems
     • Role Governance based on organization and job role (based on ATP's role governance model) – approx. 50 roles
  12. ATP ISIM System – Important Numbers
     • Users: 14638 Accounts
     • Roles: 621 Static and 86 Dynamic Roles (plus 50 UDK roles outside ISIM)
     • 20938 Role assignments (403 Roles)
     • Policies: 15 Identity Policies, 2 Password Policies, 12 Adoption Policies, 906 Provisioning Policies
     • Employees 2273, Consultants 155, External 521, Technical 101
  13. ATP ISIM System – Process Numbers

     | Process | 2012/07 | 2012/08 | 2012/09 | 2012/10 | 2012/11 | 2012/12 | 2013/01 | 2013/02 | 2013/03 | 2013/04 |
     |---|---|---|---|---|---|---|---|---|---|---|
     | Account Add | 263 | 722 | 1460 | 1244 | 971 | 616 | 2230 | 2060 | 2478 | 450 |
     | Account PwdChg | 126 | 125 | 108 | 160 | 210 | 72 | 130 | 202 | 133 | 145 |
     | Account Delete | 385 | 183 | 267 | 274 | 374 | 245 | 474 | 370 | 605 | 460 |
     | Account Modify | 25089 | 26566 | 24712 | 23825 | 19281 | 19230 | 19230 | 11990 | 11215 | 11293 |
     | Account Restore | 81 | 141 | 358 | 792 | 297 | 460 | 204 | 1368 | 1953 | 176 |
     | Account Suspend | 345 | 256 | 191 | 269 | 362 | 361 | 549 | 315 | 574 | 289 |
     | Check Policies | 34989 | 38548 | 39333 | 38285 | 44803 | 45861 | 48413 | 60604 | 72459 | 68954 |
     | Person Add | 44 | 148 | 304 | 141 | 2429 | 92 | 1309 | 4344 | 911 | 122 |
     | Person Delete | 67 | 36 | 45 | 42 | 63 | 47 | 68 | 63 | 116 | 68 |
     | Person Modify | 682 | 1859 | 3074 | 3338 | 2006 | 1729 | 2946 | 6689 | 2451 | 1084 |
     | Reconciliation | 517 | 512 | 517 | 527 | 539 | 587 | 640 | 579 | 632 | 610 |
  14. Questions
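
The unauthorized-account workflow and the AD hybrid management model listed under Important Customizations (slide 9), sketched as an added example; this is not ATP's or IBM's code and uses no ISIM API. The OU and group DNs, the function names and the reading of "hard" management as "membership is forced to match role entitlements" are assumptions made for illustration.

```python
# Added illustration: constructed names and data, not ISIM APIs or ATP configuration.
from dataclasses import dataclass, field

# Hypothetical OU whose groups are managed "hard" (RBAC model).
MANAGED_OUS = ("ou=rolegroups,dc=example,dc=test",)


def in_managed_ou(group_dn: str) -> bool:
    """True if the group DN sits under a managed OU (whole-component suffix match)."""
    dn = group_dn.lower()
    return any(dn.endswith("," + ou) for ou in MANAGED_OUS)


@dataclass
class Result:
    locked: list = field(default_factory=list)     # accounts suspended on detection
    approvals: list = field(default_factory=list)  # approval requests opened
    remove: list = field(default_factory=list)     # (uid, group) memberships to revoke
    add: list = field(default_factory=list)        # (uid, group) memberships to grant


def reconcile(target_accounts: dict, known_accounts: dict) -> Result:
    """target_accounts: uid -> group DNs found on the directory during reconciliation.
    known_accounts: uid -> group DNs the identity manager's roles entitle."""
    res = Result()
    for uid, groups in sorted(target_accounts.items()):
        if uid not in known_accounts:
            # Created outside the identity manager: lock first, then ask for approval.
            res.locked.append(uid)
            res.approvals.append({"uid": uid, "reason": "account created outside IdM"})
            continue
        entitled = known_accounts[uid]
        # Only groups inside managed OUs are enforced; everything else is left alone.
        res.remove += [(uid, g) for g in sorted(groups - entitled) if in_managed_ou(g)]
        res.add += [(uid, g) for g in sorted(entitled - groups) if in_managed_ou(g)]
    return res


# Constructed sample data.
ROLE_G = "cn=abp-clerk,ou=rolegroups,dc=example,dc=test"
ADMIN_G = "cn=abp-admin,ou=rolegroups,dc=example,dc=test"
TEAM_G = "cn=lunch-club,ou=misc,dc=example,dc=test"
TARGET = {"alice": {ROLE_G, ADMIN_G, TEAM_G}, "bob": set(), "svc-tmp": {ADMIN_G}}
KNOWN = {"alice": {ROLE_G}, "bob": {ROLE_G}}

if __name__ == "__main__":
    print(reconcile(TARGET, KNOWN))
```

In the sample, `svc-tmp` is locked and sent for approval, `alice` loses the managed admin group but keeps the unmanaged `lunch-club` group, and `bob` regains his missing role group.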