The initial goal of the project was to connect other systems, especially SAPs, but also new systems such as TIPOM or ArcGIS.
The secondary objective was to extend the use of IdM among users in the CEZ Group, especially by means of new additional functionalities and methodological guides.
The security goal was also to create emergency scenarios for both the IdM application and SSO implemented via Kerberos.
In addition to the project manager, the project team consisted of one senior architect and 1-2 IdM specialists from AMI Praha. In addition, some subcontracts were moved to Profinit (mainly SSO and connection of 1 new system) and Avnet (mainly methodological documents).
On the customer’s side, the main participants were traditionally the user management department (the operational unit of ČEZ ICT Services for application support and administration of the IdM application) and the security department, which initiated the project. From other departments, SAP, ServiceDesk or AD administrators or administrators of newly connected systems participated in sub-areas. The project also involved 2 contractors on behalf of the customer who prepared database procedures for the newly connected systems.
The project was on schedule and did not contain any change requests.
The following functionalities and solution areas were implemented within the project:
- Updating of system infastructure – update of Solaris OS, installation of four new servers and change of OS settings according to ČEZ methodology, update of Java JDK 1.5 Update 11, IDM 220.127.116.11 patch, HW strengthening of testing and development environment.
- Merging of database schemas into one – IDM database schemas were merged into one for each environment for better management by IDM administrators in ČEZ ICT Services.
- Addition of SAP adapter for SAP setup in SSO – SNC attributes were added to the IDM – SAP interface to indicate whether a user can use Single SignOn to SAP systems.
- Connection of TIPOM – the document management and change process creation and management system for power plants has been connected to IDM. All user identities and most roles are managed via a Scripted JDBC adapter. The adapter uses database procedures that were prepared by the TIPOM system vendor.
- Accounting for system downtime – functionality has been implemented to put a long term unavailable connected system into downtime, ensuring that the IDM does not attempt to perform any operations on such a system, thus loading its bulk jobs. When the connected system is brought back online, IDM then catches up with any changes that should have been made to the system during the downtime.
- Mandatory entry of the original password when changing it – for security reasons, a mandatory password entry has been implemented when accessing the “change password” tab in IDM. This check was performed at the filter level on the application server.
- SSO SAP Portal – Single SignOn on SAP portal (PIA and PIP) via kerberos against MS Active Directory was implemented. SSo is functional for Windows OS (200, XP, 7) and IE (6,7,8) and FF 3 browsers.
- Analysis of system and program accounts – an analysis of registration and registration of program accounts of connected systems within SAP BCRI and IDM module was performed. Based on this analysis, the Target Solution Concept was written.
- Analysis of UNIX Adapters – an analysis of UNIX systems (RedHat, AIX, HP-UX and Solaris) was carried out with a view to preparing a universal adapter for identity and group management in these OS. Based on the information gathered, a Target Solution Concept was written – this proposed a single universal custom adapter that calls the appropriate scripts created on the OS.
- ArcGIS connection – the system for managing primary technical information in the CEZ group was connected to the IDM. All user identities and roles are managed through the Scripted JDBC adapter. The adapter uses database procedures that were prepared by the ArcGIS vendor.
- Ability to assign only 1 of n roles – functionality has been prepared within the role management and assignment framework to allow only one role to be assigned in a specific role group. Primarily this is used for home directory sizes.
- User home directory management – the creation of home directories and their size is now controlled at account creation or by role request from IdM.
- Role reassignment to all systems simultaneously – the role assignment status retrieval has been modified to run in parallel on all systems at the same time to reduce runtime and administration requirements.
- Password change support for Servicedesk – SD operators are able to have a password generated and sent via SMS to a mobile phone when a “customer” (user) changes their password. This functionality was implemented mainly for security reasons, so that the user in question does not have to identify himself via phone.
- Analysis of bulk import of role assignments – an analysis of the needs for bulk administration of roles was carried out, in particular for SAP systems.
- IdM and SSO emergency scenarios – emergency scenarios and remediation strategies for IdM and SSO via kerberos were developed.
- SSO methodology – a methodology for implementing SSO on information systems was developed from both a technical and process perspective.