This document provides information about IBM Security Identity Manager (ISIM) implementation at ATP, the largest pension fund in Denmark. Some key points: - ATP implemented ISIM in 2005 to automate user lifecycle management across multiple systems like SAP, Windows AD, and others. - ISIM manages over 14,000 user accounts across 33 systems. It automates processes like onboarding/offboarding via HR feed and manages roles/policies. - A key project involved onboarding 1,500 new users from municipalities onto ATP systems to centralize welfare payments. This increased the number of managed systems and roles in ISIM. - ATP has customized ISIM over the years to suit their needs,

1. IBM Security Identity Manager at ATP
Impact of On-boarding 1500 Users in a Highly Customized ISIM System

2. About ATP
The largest pension fund in Denmark managing public pensions
schemes for 4.7 mill. persons
Total assets worth of DKK 700+ billions (app USD 100+ billions)
Generally regarded as one of the best performing pension funds
world wide with a very high return rate and low cost.
ATP has recently been appointed to take responsibility for most
public welfare payments payouts (”Udbetaling Danmark”)
Yearly payouts app. DKK 180 billions (app. USD 27 billions).
Reducing the cost with app. 30%
Onboarding app. 1500 users from the municipalities

3. History/Background of the ATP ISIM Installation
ATP was converting the pension system from monolithic
(”Silos”) system to a SAP and WebSphere Portal based SOA
Architecture
ISIM (ITIM 4.5.1) was selected as the IdM Platform to automate
user lifecycle management in Q2 2005
Target goal for Security Administration was to keep same
number of headcounts despite additional systems
The system went live 1/1 2006 supporting Windows AD, 2 SAP
systems and TAM 5.1
HRFeed from SAP HR app. 1000 users

4. ATP ISIM Primary Focus
Automated Lifecycle Management
Fully automated on/off-boarding of employees/consultants via SAP HR
Identity Feed (HRFeed)
Manual Master for external users and technical accounts
All aspects of lifecycle and pasword management :
New Hire/
contract
registrered
Termination
Account
deletion
Graceperiod
Changes
Administration
of user
accounts

5. ATP ISIM Primary Focus (cont.)
Role Governance
All ATP Business Platform Roles 100% controlled
Roles modelled in top/down process to fit purpose
The role model is owned and maintained by the business owners
and implemented in ISIM by the Security Administration
Roles are recertified regularly

6. ATP Role Request Management
Intranet custom tool for requests (general system covering all
kinds of requests)
Requests for roles are routed to the Security Administration via
the Service Management tool (”Helpdesk”)
Request are managed by the Security Administration via the
ISIM console

7. The ATP ISIM Server Setup
ITDI
WAS
TIM application
TAM
Active
Directory
R/3
Provisioning
Provisioning
Provisioning
Person feed
HR extract
SAP XI
DB2
IDS
Adapter
for TAM
HR feed
Adapter
for SAP
Adapter for
Active
Directory
WEMB
(MQ)
R/3
Multiple Systems
Lotus
Domino
Adapter
for
Kerne
Provisioning
Adapter
for Notes
Provisioning
NAFS
Kerne
Adapter
for
KSPCICS
KSP
CICS
Provisioning
internet

8. ATP ISIM – Systems Managed
In Production 16 system managed
In Pilot 17 system managed
Production Pilot
Windows AD 1 (Windows AD 1 (non-functional system)
SAP NW (ABP) 9 SAP NW (ABP) 9
Custom "Kerne" (ABP) 3 Custom "Kerne" (ABP) 3
SAP XI 2
Lotus Notes 1 Lotus Notes 1 (non-functional system)
KSP CICS UDK 1
ITAM (ABP) 1 ITAM (ABP) 1
ITIM 3 ITIM 3

9. Important Customizations
Time Based Roles (managing roles with a start- and end-date)
AD Hybrid Management Model
Groups are managed ”hard” (RBAC model) if placed in specific AD
OUs
Groups outside these OUs are non-managed (can be managed
using Accesses)
Auto Create of AD groups (organization based groups)
Workflow for Management of Unauthorized Accounts
Accounts created outside ISIM are detected on reconciliation
Workflow locks account upon detection and triggers approval flow
Provisioning Policy report in CSV format (weekly via mail)
Migration/Synch tool to manage business objects
(Roles/Policies/Workflows etc.) between environments
(Development/Pilot/Prod)

10. ATP ISIM – History and Future
Original platform ITIM 32 bit version 4.5.1 2005/1/1
Migrated to ITIM 32 bit 4.6 2007/Q2
Migrated to ITIM 5.1 64 bit 2011/Q4
Upgrade to ISIM 6.0 planned for 2013

11. The UDK project
Agreement between the goverment and municipalities in
06/2010 to :
Centralize welfare payments into a new organization ”Udbetaling
Danmark” (UDK)
Uniform Processing
Saving target DKK 300 million/year
3 Waves starting 10/2012 covering app. 1500 users
ATP deliver Administrative systems support – e.g. IdM
3 new Systems (2 SAP NW + RACF/CICS via WS)
Public Certificate and other govermental systems
Role Governance based on organization and job role (based on
ATPs role governance model) – app. 50 roles

12. ATP ISIM System – Important Numbers
Users :
14638 Accounts
Roles :
621 Static and 86 Dynamic Roles (plus 50 UDK roles outside ISIM)
20938 Role assignements (403 Roles)
Policies
15 Identity Policies
2 Password Policies
12 Adoption Policies
906 Provisioning Policies
Employees 2273
Consultants 155
External 521
Technical 101

13. ATP ISIM System – Process Numbers
Process 2012/07 2012/08 2012/09 2012/10 2012/11 2012/12 2013/01 2013/02 2013/03 2013/04
Account Add 263 722 1460 1244 971 616 2230 2060 2478 450
Account Pwd
Chg
126 125 108 160 210 72 130 202 133 145
Account
Delete
385 183 267 274 374 245 474 370 605 460
Account
Modify
25089 26566 24712 23825 19281 19230 19230 11990 11215 11293
Account
Restore
81 141 358 792 297 460 204 1368 1953 176
Account
Suspend
345 256 191 269 362 361 549 315 574 289
Check
Policies
34989 38548 39333 38285 44803 45861 48413 60604 72459 68954
Person Add 44 148 304 141 2429 92 1309 4344 911 122
Person
Delete
67 36 45 42 63 47 68 63 116 68
Person
Modify
682 1859 3074 3338 2006 1729 2946 6689 2451 1084
Reconciliation 517 512 517 527 539 587 640 579 632 610

14. 14
Questions