This document provides information about IBM Security Identity Manager (ISIM) implementation at ATP, the largest pension fund in Denmark. Some key points:
- ATP implemented ISIM in 2005 to automate user lifecycle management across multiple systems like SAP, Windows AD, and others.
- ISIM manages over 14,000 user accounts across 33 systems. It automates processes like onboarding/offboarding via HR feed and manages roles/policies.
- A key project involved onboarding 1,500 new users from municipalities onto ATP systems to centralize welfare payments. This increased the number of managed systems and roles in ISIM.
- ATP has customized ISIM over the years to suit their needs,
IBM Security Identity Manager Onboards 1500 Users
1. IBM Security Identity Manager at ATP
Impact of On-boarding 1500 Users in a Highly Customized ISIM System
2. About ATP
The largest pension fund in Denmark, managing public pension schemes for 4.7 million persons
Total assets worth DKK 700+ billion (approx. USD 100+ billion)
Generally regarded as one of the best performing pension funds worldwide, with a very high return rate and low cost
ATP has recently been appointed to take responsibility for most public welfare payment payouts ("Udbetaling Danmark")
Yearly payouts approx. DKK 180 billion (approx. USD 27 billion)
Reducing the cost by approx. 30%
Onboarding approx. 1,500 users from the municipalities
3. History/Background of the ATP ISIM Installation
ATP was converting the pension system from a monolithic ("silos") system to a SAP and WebSphere Portal based SOA architecture
ISIM (ITIM 4.5.1) was selected as the IdM platform to automate user lifecycle management in Q2 2005
The target goal for Security Administration was to keep the same number of headcounts despite the additional systems
The system went live 1/1 2006 supporting Windows AD, 2 SAP systems and TAM 5.1
HRFeed from SAP HR: approx. 1,000 users
4. ATP ISIM Primary Focus
Automated Lifecycle Management
Fully automated on/off-boarding of employees/consultants via the SAP HR Identity Feed (HRFeed)
Manual Master for external users and technical accounts
All aspects of lifecycle and password management:
New hire / contract registered
Termination
Account deletion
Grace period
Changes
Administration of user accounts
5. ATP ISIM Primary Focus (cont.)
Role Governance
All ATP Business Platform Roles 100% controlled
Roles modelled in a top-down process to fit their purpose
The role model is owned and maintained by the business owners and implemented in ISIM by the Security Administration
Roles are recertified regularly
6. ATP Role Request Management
Intranet custom tool for requests (general system covering all kinds of requests)
Requests for roles are routed to the Security Administration via the Service Management tool ("Helpdesk")
Requests are managed by the Security Administration via the ISIM console
7. The ATP ISIM Server Setup
[Architecture diagram: ITDI; WAS hosting the TIM application; DB2; IDS; adapters for TAM, SAP (R/3), Active Directory, Lotus Notes (Domino), Kerne and KSP CICS; person feed via HR extract from SAP XI; WEMB (MQ); NAFS; "Multiple Systems"; internet]
8. ATP ISIM – Systems Managed
In Production: 16 systems managed
In Pilot: 17 systems managed

System                 Production   Pilot
Windows AD             1            1 (non-functional system)
SAP NW (ABP)           9            9
Custom "Kerne" (ABP)   3            3
SAP XI                 2
Lotus Notes            1            1 (non-functional system)
KSP CICS UDK           1
ITAM (ABP)             1            1
ITIM                   3            3
9. Important Customizations
Time-based roles (managing roles with a start and end date)
AD hybrid management model:
Groups are managed "hard" (RBAC model) if placed in specific AD OUs
Groups outside these OUs are non-managed (can be managed using Accesses)
Auto-creation of AD groups (organization based groups)
Workflow for management of unauthorized accounts:
Accounts created outside ISIM are detected on reconciliation
The workflow locks the account upon detection and triggers an approval flow
Provisioning Policy report in CSV format (weekly via mail)
Migration/sync tool to manage business objects (roles/policies/workflows etc.) between environments (Development/Pilot/Prod)
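The two customizations above, the AD hybrid OU model and the unauthorized-account workflow, as an added illustration on constructed data (this is not ATP's or IBM's code; the OU name, account names and the simple DN handling are assumptions):

```python
# Added example: simulates an ISIM-style reconciliation against AD.
# All DNs, OU names and accounts below are constructed sample data.
from dataclasses import dataclass, field

# Assumed: the only OU whose groups are managed "hard" under the RBAC model.
MANAGED_OUS = ("OU=ISIM-Managed,DC=example,DC=local",)

@dataclass
class AdAccount:
    sam: str                      # sAMAccountName as returned by reconciliation
    dn: str
    groups: list = field(default_factory=list)
    locked: bool = False

def is_managed_group(group_dn: str) -> bool:
    """Hybrid model: a group is RBAC-managed only if its parent is a managed OU.
    Assumes DNs without escaped commas (enough for this illustration)."""
    _, _, parent = group_dn.partition(",")
    return any(parent.lower() == ou.lower() for ou in MANAGED_OUS)

def classify_groups(acct: AdAccount):
    """Split an account's groups into managed (RBAC) and non-managed (Accesses)."""
    managed = [g for g in acct.groups if is_managed_group(g)]
    unmanaged = [g for g in acct.groups if not is_managed_group(g)]
    return managed, unmanaged

def reconcile(ad_accounts, isim_known, approvals):
    """Accounts not known to ISIM were created outside it: lock them and
    queue an approval item, mirroring the workflow described above."""
    known = {s.lower() for s in isim_known}
    unauthorized = []
    for acct in ad_accounts:
        if acct.sam.lower() not in known:
            acct.locked = True
            approvals.append({"account": acct.sam, "dn": acct.dn, "action": "review"})
            unauthorized.append(acct.sam)
    return unauthorized

def sample_accounts():
    """Constructed reconciliation result: two ISIM-known users, one rogue account."""
    return [
        AdAccount("jdoe", "CN=jdoe,OU=Users,DC=example,DC=local",
                  ["CN=SAP-FI-Reader,OU=ISIM-Managed,DC=example,DC=local",
                   "CN=Printers,OU=Office,DC=example,DC=local"]),
        AdAccount("asmith", "CN=asmith,OU=Users,DC=example,DC=local"),
        AdAccount("svc-backup", "CN=svc-backup,OU=Service,DC=example,DC=local"),
    ]

ISIM_KNOWN = {"jdoe", "asmith"}   # constructed: accounts ISIM provisioned itself
```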
10. ATP ISIM – History and Future
Original platform: ITIM 4.5.1 (32-bit), 2005/1/1
Migrated to ITIM 4.6 (32-bit), 2007/Q2
Migrated to ITIM 5.1 (64-bit), 2011/Q4
Upgrade to ISIM 6.0 planned for 2013
11. The UDK project
Agreement between the government and the municipalities in 06/2010 to:
Centralize welfare payments into a new organization "Udbetaling Danmark" (UDK)
Uniform processing
Saving target DKK 300 million/year
3 waves starting 10/2012 covering approx. 1,500 users
ATP delivers administrative systems support, e.g. IdM
3 new systems (2 SAP NW + RACF/CICS via WS)
Public certificate and other governmental systems
Role governance based on organization and job role (based on ATP's role governance model): approx. 50 roles
12. ATP ISIM System – Important Numbers
Users:
14638 accounts
Roles:
621 static and 86 dynamic roles (plus 50 UDK roles outside ISIM)
20938 role assignments (403 roles)
Policies:
15 identity policies
2 password policies
12 adoption policies
906 provisioning policies
Employees 2273
Consultants 155
External 521
Technical 101