IDM for the food retail trade

Project goals

The IT department of the food retailing (FR) group faced an enormous challenge without any additional personnel resources:

  • Supporting the expansion of opening hours in the FR
  • Continuing the globalization of the company
  • Operating additional applications (business applications and portals)
  • Adapting to growing demands and competitive pressure

Intelligent, self-explanatory self-service models and extensive automation, including in user and authorization management, are the best way to cope with the narrow margins of this industry and its numerous requirements. Self-service models, however, presuppose a robust, simple and secure user and authorization management that is available and can be integrated with the connected systems.


Project duration

  • Preliminary: 5 months
  • Implementation Phase 1: 12 months until operational handover
  • Implementation Phase 2: 12 months until operational handover
  • Implementation Phase 3: Currently in implementation


Connected systems in Phase 1

  • Active Directory services
  • SAP ZBV (Central User Administration) for provisioning to various SAP modules
  • Personnel administration systems as the source of internal employees
  • GUI for FRH store employees who are not managed in the personnel administration systems
  • Ticketing system of the UHD for controlling semi-automatic and manual processes for the SAP portal solutions
  • Domino server
  • Access control
  • Mail
  • eSSO



Methodology and project procedure

deron current state analysis

Due to the complex branch structure in retail, IT found it difficult to retain control over existing accounts and the authorizations assigned to them. Too few staff were available for the tasks at hand. Granting access rights and creating accounts was still relatively structured; revoking authorizations and the associated “de-provisioning” rarely succeeded completely, so accounts and rights of people who had left or changed role remained in the connected systems. High turnover and frequent organizational changes made this worse. In addition, each application had its own authorization management procedure. Authorization management was regularly carried out by IT staff on call, mostly as a side task and without complete, traceable documentation.
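The de-provisioning gap described above is the kind of drift a reconciliation run detects: compare the account exports of the connected systems with the personnel administration feed and flag every account whose owner has left, is unknown to HR, or is not recorded at all. The following is an added example, not deron's or the customer's code; the system names, field names and all records are constructed for illustration.

```python
"""
De-provisioning check: reconcile account exports from connected systems against the
HR (personnel administration) feed to find accounts whose owner has left, is unknown
to HR, or is not recorded at all. Added example, not deron's or the customer's code;
system names, field names and all records below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

TODAY = date(2023, 7, 31)  # fixed so the example is reproducible

# Constructed HR feed: personnel number -> (status, leaving date)
HR_FEED = {
    "E1001": ("active", None),
    "E1002": ("left", date(2023, 3, 31)),
    "E1003": ("active", None),
    "E1004": ("left", date(2023, 6, 30)),
}

# Constructed account exports: system -> [(account name, owner personnel number)]
SYSTEM_ACCOUNTS = {
    "AD":  [("jdoe", "E1001"), ("asmith", "E1002"), ("bmiller", "E1003"), ("svc_backup", None)],
    "SAP": [("JDOE", "E1001"), ("ASMITH", "E1002"), ("CWANG", "E1004"), ("TEMP01", "E9999")],
}


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    owner: Optional[str]
    reason: str
    days_overdue: int = 0   # for leavers: days since the leaving date


def reconcile(hr_feed, system_accounts, today):
    """Return one Finding per account that should not exist in its current form."""
    findings = []
    for system, accounts in system_accounts.items():
        for account, owner in accounts:
            if owner is None:
                findings.append(Finding(system, account, owner, "no owner recorded"))
                continue
            record = hr_feed.get(owner)
            if record is None:
                findings.append(Finding(system, account, owner, "owner unknown to HR"))
                continue
            status, left_on = record
            if status == "left":
                overdue = (today - left_on).days
                findings.append(Finding(system, account, owner, "owner has left", overdue))
    # worst first: longest-overdue leavers, then unknown and unowned accounts
    return sorted(findings, key=lambda f: (-f.days_overdue, f.system, f.account))


def leavers_with_accounts(findings):
    """Group leaver findings by person: one leaver often survives in several systems."""
    by_owner = {}
    for f in findings:
        if f.reason == "owner has left":
            by_owner.setdefault(f.owner, []).append(f"{f.system}:{f.account}")
    return by_owner


def demo():
    findings = reconcile(HR_FEED, SYSTEM_ACCOUNTS, TODAY)
    return findings, leavers_with_accounts(findings)
```

Accounts without a recorded owner (service or shared accounts) are reported as well, because they are exactly the ones that escape any person-based de-provisioning; in practice they need an explicit owner before the reconciliation can be considered clean.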

The deron Big Picture – a preliminary project

To map the particular corporate structures and requirements of a chain store operator in the food sector onto authorization procedures, special attention has to be paid to user acceptance when designing the processes. The authorization check, for example, had to be designed so that users (e.g. the store manager) were not kept from their daily business by dealing with security issues. At the same time, the procedures had to work securely and reliably without any intervention by the central IT department. Only in this way can real-time support be guaranteed: a cashier’s authorizations on the ERP system of the local supermarket can be revoked immediately, even outside the operating hours of the central IT department and during the working hours of the store employees.


A positive side effect of this process optimization was a gain in security and in process speed, which improved the reputation of IT services within the company.

deron product evaluation

For the introduction of the new IDM procedures no technology platform was available at the customer: the previous authorization administration took place completely decentralized in the individual systems and specialist applications. To open the way to a high-performance, audit-capable solution, the customer-specific technical and business requirements had to be collected, processed and evaluated. The essential aspects in the decision for a preferred IDM platform were:


  •     a wide range of mature and flexible interfaces (connectors) for the heterogeneous system landscape
  •     a strong role-modelling capability that matched the customer’s requirements exactly


The introduction of a central user administration for more than 50,000 employees was a challenging planning task. This made it all the more important to hand the planning of the master plan to a consultant (deron) specialized in IDM, with 10 years of market experience at the time. It was fundamental for the customer to receive a comprehensible, long-term and benefit-oriented evaluation of the individual project phases, which enabled it to plan the course of the project correctly without additional personnel resources. By prioritizing the project steps, a prototype for a first corporate division was to be realized in a short time in order to bring the acute problems that had been identified under control quickly. Clean dependency planning of the individual steps avoids expensive detours and change requests and thus saves staff time and budget.

Implementation – ongoing

After all important decisions regarding the big picture, product selection and roadmap had been made, implementation of the first phase began. It covered the management of the AD as the basis for “secure primary authentication” and the connection of the SAP portal solution as a prototype. In addition, the life cycles for “internal employees” and “grocery stores” were defined during the detailed conception and documented for joint coordination.

To achieve the desired high degree of automation, deron proposed a business role model to its customer. Based on the role-based assignment of accounts and authorizations, the majority of requests could be processed fully automatically within seconds, while respecting the company-specific SoD (segregation of duties) and compliance requirements. The system remained flexible enough that special cases such as holiday replacements could be decided reliably by involving the line managers rather than central IT. A large number of templates and empirical values could be used to create the technical and functional detailed concepts with all the necessary exceptions, so the detailed concepts were completed within a few months. During implementation, the typical three-stage model (development, test, production) was used, so that the customer could already carry out partial quality assurance while further elements were still being developed.
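The role model, the SoD check, the manager-approved exception and the immediate local revocation described in this section and in the big-picture section above can be shown together in one small engine. The following is an added example, not deron's or the customer's implementation; the business roles, job codes, systems, entitlement names and the SoD pair are assumed for illustration.

```python
"""
Business-role model with SoD checks and a joiner/mover/leaver life cycle.
Added example, not deron's or the customer's implementation; role names, systems,
job codes and SoD pairs are assumed for illustration.
"""
from dataclasses import dataclass, field

# Business role -> technical entitlements as (system, entitlement). Assumed names.
BUSINESS_ROLES = {
    "store_cashier": {("AD", "grp-store-users"), ("SAP", "Z_POS_CASHIER")},
    "store_manager": {("AD", "grp-store-users"), ("AD", "grp-store-mgmt"),
                      ("SAP", "Z_STORE_MGR"), ("SAP", "Z_CASH_RECONCILE")},
    "hq_accountant": {("AD", "grp-hq-users"), ("SAP", "Z_FI_POSTING")},
}

# HR attributes -> business role. In a real IDM this is driven by the HR feed.
ROLE_RULES = {("CASH", "store"): "store_cashier",
              ("MGR", "store"): "store_manager",
              ("ACC", "hq"): "hq_accountant"}

# SoD: entitlement pairs that must never coexist on one identity (assumed pair).
SOD_CONFLICTS = {frozenset({("SAP", "Z_POS_CASHIER"), ("SAP", "Z_CASH_RECONCILE")})}


@dataclass
class Identity:
    uid: str
    job_code: str
    org_unit: str
    manager: str
    entitlements: set = field(default_factory=set)  # currently provisioned
    exceptions: set = field(default_factory=set)    # manager-approved, outside the role
    pending: dict = field(default_factory=dict)     # entitlement -> justification


def sod_violations(entitlements):
    return {c for c in SOD_CONFLICTS if c <= entitlements}


def role_target(identity):
    role = ROLE_RULES.get((identity.job_code, identity.org_unit))
    return set(BUSINESS_ROLES[role]) if role else set()


def provision(identity):
    """Joiner/mover: set entitlements to role target plus approved exceptions, drop the rest.
    Returns (added, removed) so connectors know what to push to AD, SAP, etc."""
    target = role_target(identity) | identity.exceptions
    if sod_violations(target):          # fail closed: never push a conflicting state
        raise ValueError(f"SoD conflict in target state for {identity.uid}")
    added, removed = target - identity.entitlements, identity.entitlements - target
    identity.entitlements = target
    return added, removed


def request(identity, entitlement, justification):
    """Request outside the automatic role assignment, e.g. a holiday replacement."""
    if sod_violations(identity.entitlements | {entitlement}):
        return "rejected_sod"           # no approver can override an SoD conflict
    if entitlement in role_target(identity):
        identity.entitlements.add(entitlement)
        return "auto_approved"          # covered by the role model, no human in the loop
    identity.pending[entitlement] = justification
    return "pending_manager"            # the line manager decides, not central IT


def approve(identity, entitlement, approver):
    """Line-manager approval turns a pending request into a provisioned exception."""
    if approver != identity.manager or entitlement not in identity.pending:
        return False
    del identity.pending[entitlement]
    identity.exceptions.add(entitlement)
    provision(identity)
    return True


def revoke_all(identity):
    """Leaver, or an immediate local lock by the store manager: everything goes at once."""
    revoked = set(identity.entitlements)
    identity.entitlements.clear()
    identity.exceptions.clear()
    identity.pending.clear()
    return revoked


def demo():
    cashier = Identity("c4711", "CASH", "store", manager="m0815")
    added, _ = provision(cashier)                                             # joiner
    r1 = request(cashier, ("SAP", "Z_CASH_RECONCILE"), "cover for manager")  # SoD hit
    r2 = request(cashier, ("SAP", "Z_STORE_MGR"), "holiday replacement")     # exception
    ok = approve(cashier, ("SAP", "Z_STORE_MGR"), approver="m0815")
    cashier.job_code = "MGR"                                                  # mover
    mv_added, mv_removed = provision(cashier)
    gone = revoke_all(cashier)                                                # leaver
    return added, r1, r2, ok, mv_added, mv_removed, gone
```

Two design points matter here: the SoD check runs on the resulting state (current entitlements plus the requested one), not on the request in isolation, and it is applied again in `provision` so that a mover cannot end up with a conflicting combination through an old exception; and `revoke_all` needs no central IT involvement, which is what makes the immediate revocation of a cashier’s rights from the store possible.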


In the third phase of the project, currently underway, the primary objective is to provide additional user target groups with accounts and authorizations via the IDM in a meaningful and effective way, and to connect further specialist applications of the retail and wholesale business.