IDM for food retail trade

The IT department of the food retailing company (LEH) faces enormous challenges, without additional human resources in IT:

  • To support extended opening hours in LEH
  • To keep pace with the globalization of the company
  • To operate additional applications (business applications and portals)
  • To adapt to increasing demands and competitive pressure

Intelligent, self-explanatory self-service models and extensive automation of user and authorization management are the best solutions for meeting both the high cost pressure and the requirements in this industry. However, a self-service model requires solid, simple and secure user and authorization management to integrate with.

Project duration

  • Preliminary: 5 months
  • Implementation phase 1: 12 months till operational handover
  • Implementation phase 2: 12 months till operational handover
  • Implementation phase 3: Currently in implementation

Connected systems in phase 1

  • Active Directory services
  • SAP ZBV for provisioning in diverse SAP modules
  • HR management systems as a source for internal employees
  • GUI for FRH market employees who are not managed in the HR management systems
  • Ticketing system for the UHD for controlling semi-automatic and manual processes for SAP portal solutions
  • Domino server
  • Access control
  • Mail
  • eSSO


Methods and project procedures

deron as-is (IST) analysis

Because of the complex branch structure in FRH, it was difficult for IT to maintain control over existing accounts and assigned authorizations. Only a few staff were available to handle all the queued-up tasks. The assignment of access authorizations and the creation of accounts were still relatively structured. The withdrawal of assignments and the corresponding deprovisioning, however, rarely succeeded completely. A demanding fluctuation rate as well as organizational changes aggravated this situation. In addition, individual authorization management processes were used for every application. The authorization management of IT employees was regularly handled on demand, mostly without complete and comprehensible documentation.

deron big picture – a preliminary project

To reflect the company structure and the retail store requirements in the food sector regarding authorization processes, the process design paid special attention to user acceptance. Thus, the verification of authorizations was designed in such a way that users (e.g. market managers) are not kept from their day-to-day activities by dealing with security issues. At the same time, it had to work securely and reliably without the assistance of central IT. This matters because, for example, withdrawing a cashier's authorizations on the ERP systems of a local supermarket requires immediate action outside the core hours of central IT and during the working hours of the company's employees.

On the positive side, this process optimization brings gains in security and speed, which results in a better reputation for IT services in the company.


deron product evaluation

The customer had no technology platform in place for the introduction of new IDM processes; authorization management had previously been handled in a completely decentralized way in the individual systems and specialized applications. It was considered necessary to collect, process and evaluate the customer-specific requirements from the technical and specialist areas in order to provide a high-performance and audit-capable solution in the future. The essential aspects in deciding on a suitable IDM platform were:

  • A wide range of very good, flexible interfaces for the heterogeneous system landscape
  • Distinctive role modeling capability that exactly meets the customer's requirements

The introduction of central user administration for more than 50,000 employees presented a planning challenge. It was therefore extremely important for us to deliver the master plan to our customer with a consulting company (deron) that is specialized in the IDM topic and has 10 years of market experience. What was fundamental for our customer was to get an understandable, benefit-oriented evaluation of the individual project phases that would remain reliable for several years. This made it possible to plan the project schedule thoroughly without additional personnel resources. By prioritizing the project steps, it was possible to initially realize a pilot for one company within a short time, in order to quickly get a grip on the identified acute problems. This clean dependency planning of the individual steps avoids costly diversions and change requests, and saves employee resources and budget.

Implementation phase – ongoing

After the big picture, the product selection and the master plan decisions, the first implementation phase began. This included the management of AD as the basis for secure “Primary Authentication” as well as connecting the SAP portal solutions as part of the pilot. Furthermore, the life cycles for “internal employees” and for the food markets were defined in the course of the detailed conception and documented for mutual coordination.

To achieve the desired high level of automation, deron suggested to its customer the introduction of a business role model. Based on role-based account and authorization assignments, the majority of requests are fully automated, and the company’s specific SOD and compliance assignments are processed within seconds. At the same time, the system was flexible enough that special cases such as vacation replacements are decided securely with the involvement of the specific manager. For the creation of the detailed technical and functional concepts with all necessary exemptions, a large number of deron templates and experience values could be drawn on. As a result, the functional design was completed within a month. In the implementation, the typical 3-stage model was used (development, test, production), so that partial quality assurance could be performed by the customer while other elements were still being developed.

The third phase of the project therefore aims primarily to equip other useful user and target groups with accounts and authorizations effectively via IDM and to connect other business applications in retail and wholesale.