Thiesen, Klaus Poul (Computer Science and Engineering, Department of Informatics and Mathematical Modeling, Technical University of Denmark, DTU, DK-2800 Kgs. Lyngby, Denmark)
Most companies have for many years integrated a lot of different IT systems independently of each other. Commonly these systems have no interfaces to connect to each other; they use separate databases and are generally incompatible. The systems often have department-specific functions: Human Resource management for the personnel department, incident tracking for the IT department and so on.
The same data is often stored across these systems, typically user identities and rights. These duplicate identities make proper management tiresome, because they often need to be changed manually in each system. There is a big chance of having a forgotten, ill-maintained system with expired users that still hold full rights on it. Not only do these aspects pose a significant security risk, but they also weigh down the IT department, which probably can spend its time better on other
The problems mentioned above are very relevant for the IT department of the Danish Department of the Environments (DOE), the so-called Center for Koncernforvaltning, Informatik department (CFK-I). The department spends a lot of time on simple user administration, not to mention the extra work that comes with wrongly created users, since most of it is maintained manually. When changes to the organizational structure happen somewhere in the DOE, a lot of work is suddenly placed on the people working with user administration. These people are often integral to other IT projects in the department, which in turn have to be postponed.
To solve these problems the DOE's IT department has chosen to start an Identity Management (IdM) project based on Microsoft's "Identity Lifecycle Management Server" (ILM). The goal of the project is to connect the systems that share data, reduce redundant user accounts and free up resources in the IT department for the development of other technologies.
The core of the project, the ILM server, will synchronize between the main user database, "Active Directory" (AD), and a process tool called "Omada Enterprise" (OE). The OE system will be the entry point for the creation of new users and for changes to existing accounts; the ILM server makes this possible. Over time the plan is to integrate ILM with a larger set of systems used in the DOE. To facilitate this, the project will run over several phases, to ensure compatibility and minimize the loss of work hours. The solution has to be future-proof and modular, so that extensions to the system can be added with relative ease. To this end a large part of the project will consist of classifying data and the flow of data across the different systems.
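The risk named above, a forgotten system still carrying an expired user with full rights, is exactly what a reconciliation check between the authoritative directory and each department system is meant to surface. The following is an added example, not code from the thesis, from ILM or from Omada; the record shapes, the constructed sample data and the role names are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class DirectoryUser:  # one identity from the authoritative directory (AD export; assumed shape)
    login: str
    enabled: bool
    expires: "date | None"  # None means the account never expires

@dataclass(frozen=True)
class AppUser:  # one local account in a department system, e.g. the incident tracker
    login: str
    roles: frozenset

PRIVILEGED_ROLES = frozenset({"admin", "full"})  # assumed role names that mean "full rights"

# Constructed sample data: a directory export keyed by login, and one system's local user list.
DIRECTORY = {u.login: u for u in [
    DirectoryUser("jdoe", True, None),
    DirectoryUser("asmith", True, date(2009, 1, 31)),
    DirectoryUser("bjones", False, None),
]}
INCIDENT_TOOL_USERS = [
    AppUser("JDoe", frozenset({"agent"})),     # case differs, still matches jdoe
    AppUser("asmith", frozenset({"admin"})),   # directory account has expired
    AppUser("bjones", frozenset({"agent"})),   # directory account is disabled
    AppUser("oldadmin", frozenset({"full"})),  # no directory identity at all
]

def find_orphans(directory, app_users, today):
    """Return (login, reason, is_privileged) for every local account that is not backed
    by an enabled, unexpired directory identity; privileged findings are listed first."""
    findings = []
    for app in app_users:
        ident = directory.get(app.login.lower())
        if ident is None:
            reason = "no directory identity"
        elif not ident.enabled:
            reason = "directory account disabled"
        elif ident.expires is not None and ident.expires < today:
            reason = "directory account expired"
        else:
            continue  # healthy: a live directory identity backs this local account
        findings.append((app.login, reason, bool(app.roles & PRIVILEGED_ROLES)))
    return sorted(findings, key=lambda f: (not f[2], f[0]))

def sample_findings():
    """Run the check over the constructed data as of a fixed date."""
    return find_orphans(DIRECTORY, INCIDENT_TOOL_USERS, date(2009, 6, 1))
```

Running the same check against every department system, with the directory as the only source of truth, is the manual work the abstract describes ILM automating.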