Yeah. Thank you very much. My name is an Spitzer. I'm the CEO and principal architect also from Wisconsin. We are in close to Hamburg, located second.
Sorry, just figured that out. You good? So first of all, first of all, it's late Friday afternoon already, so thank you very much for attending this session.
I made a, a agenda for, for this session though, it's, it's more going a little bit more deeper. I mean, Martin did a great job strategic wise and so on.
I mean, we are doing the work and we know what's going on under the, the machine. Let's say when, when I made the slides, I came up with this idea how long I'm doing this work. So first of all, it was starting 2007, so I was working also in the SAP headquarters. Someone came to my desk and asked me, Hey, can you talk about SAP identity management or NetWeaver identity management? At this point of time, I was preparing my first slide deck and in two days and I gave my first presentation. So later on I did also a first presentation in Washington DC and I did proof of concepts.
So I worked in the entire world.
I was also presenting at some some SAP events experience, all level of tiredness and craziness in that space. Lots of travel, very nice customers, projects and so on. So overall, 17 years of experience. So I think that's, yeah, I put this picture here behind me like a dinosaurs. When I look back and try to give an assessment, I mean, S-A-P-I-D-M is still a great good synchronization tool. This is kind of core feature. I heard already the statement that somebody would probably enjoy this tool still.
So not everybody wants probably to remove it and, and change gear, but you have to. That's, that's clear. There is no other choice. S-A-P-I-D-M is also a toolbox, so it's not an an a real framework given, so when we talk about processes, they are not really out of the box there, right? You have to develop them. So that's something which, which you have to know also, connector development, when I look back was al always different in all customer places. Connectors were utilized differently. Some developed their own connectors.
So there was not a central marketplace or store where you can probably sell or get some standard or from other companies created code, which is more also a kind of standard as a P world is a huge ecosystem. They are leader in, in all kind of industries.
Of course, it's a huge world. When I went into projects, I saw always two, two groups, the IT people doing all the ad and mailbox and network things. And then I saw also the SAP team managing SAP systems based on this. I can also see that probably you don't have not only one IAM system or IGA system. Some clients they have four or five IGA systems, which makes the whole thing a little bit more complex.
But I think it's important when also what Martin mentioned, when you modernize now your systems that you don't separate between IT and SAP, have a look together, sit together and make your concept holistically and not only looking to the SAP world only.
I think that's, that's probably my recommendation. I would give you also, when we look at business roles, I mean it was some, some of to topic which was important for me. A business role hierarchy was some never utilized.
So also modern products, they can also provide a hierarchy when you make a role model, which makes the life sometimes also a little bit easier. Technical project documentation. I don't know how, how, how you perceive this in your, in your environments, but usually either there was no time to do it or the budget was already exhausted. And sometimes we also went into places where Zap, IM Zap Im was running, but there was no documentation.
I mean, I, to be honest, zap had a great chance to make Zap to become S-A-P-I-D-M as a great leader in that market. But I think when we look at the SAP strategy, and I call it coalitions, some mistakes in the past, one thing that changed, of course, the whole thing, bill McDermott triggered here major change because they went to the cloud initiative, and this was kind of real statement.
Either you put Hannah or cloud on your slides or on your product or you know where to leave the building. Right? So this was then a kind of cut or a move into a new direction. Yeah.
2006 was a Norwegian company. Max were acquired. This became the SAP network identity management product subs controlled, or GSC known was also acquired from the systems. There was always a battle between the two units. Business units, I think there was not a real integration and they were not sitting really together. Also a shame because two good products also the license topic was a big thing because decision was made to use to utilize. When you utilize SAP, only the IDM system, only with SAP landscape, you don't have to pay a price for that.
When you now migrate to something else, you have to pay a price. There will be license cost for sure.
Yeah.
Also, the whole developer team was exchanged, and after that, there was a key, key alive strategy from my perspective. So over years, nothing really was developed further, but of course, SAP probably did the, the right choice to move more and more to the cloud. So at the moment, we have all the cloud systems, but those systems or this coming without any license fees while they're part of other products, should you panic.
Now, I, I was really thinking about this timing. Well, I put an analogy here on, on, on my slide deck, which looks probably a little bit different than, you know, some other pictures of this little ship here.
I, I think currently if you're using SAP identity management, you know that you have to do something. So you can't wait for next year and then year after, you have to do now something, right?
But you, you should not panic now, right? You, you think you should think ahead.
I mean, Martin brought is also up. You have to do an assessment. You have to think because the, the next solution will probably stay a couple of years in your organization, right? Martin also brought up sunset is 2027, you can purchase some extended support. So there are still some years to go, right? But when you consider a migration, now, you should plan approximately minimum for two years for that because you need to review and simplify your processes. I think that's, that's a good choice. Now or good timing, you need to allocate budget for that, right?
You find a new product or vendor as a successor also take some time. You need to schedule the project. You have to find people, you need to prepare the team, and you have to get the work done, right?
So it, it, it, it'll take some time. Testing, documentation, training is also part of that. You have to go live and hyper here and so on. So this will take, take of course some time according to migration strategy.
I mean, Martin Ports is of course a little bit more sophisticated up in more detailed.
You have to think if you are, if you're having all your system OnPrem right now, I think it might be not the best choice to go with the cloud only strategy right now. But you have to consider then an an on-prem, A-A-M-I-G-A tool to reach that good level of what you have right now, right? Or you have AZA solution, which provides you a similar possibilities if you have a hybrid approach.
I would say if you're planning already towards move to the cloud and ship, get rid of all systems, I think a cloud based solution is probably not the right approach for you. But, but of course you have to end the cut off some special or custom development.
I mean, sometimes you need then probably change a little bit of organizations and make things easier. Simpl simplify things, and if you need custom development, of course on-premise, our solution can also provide this, right? If you are already or almost in the cloud, I think you should stick within cloud solution only.
Of course, if you have simple, simple processes, I mean, I know there are systems out which have a lot of complexity. It might be then also difficult. Another point is there are also clients in the defense, defense or, or classified areas.
I think you can only think about an on-prem or probably private cloud approach. Those clients will not move into a public cloud, I'm pretty sure. Which makes the whole thing also a little bit more, more complex to, to consider.
Well, so I I, I promise I will go more, probably more in a little bit more in details. What are the key points for your migration? I think this could be a kind of checklist or initial overview to see what you could, could you do what you could do, right? Or what you have to check in, in, in your organization and with your system. The database platform is sometimes important. Which systems do we have behind, right? There are always also something to consider about performance and so on.
About my, my, my takeaways I have made in a also in projects is you could probably have a system, a SQL server or system behind you run a, a simple query. You want to query some data and the performance is so slow that the whole system is stuck. When you now connect another IGA system to that, probably your whole production system is down for half a day and no one would be happy. So then you have to find another way, which we also did to make, to make that happen, right? Amount of workflows.
I mean, if you have less workflows, simple workflows, it might be easier to migrate. You have to spend less time if you have a lot of workflows. Either you migrate everything what you have right now or you make things simpler, right? Yeah. Standard approvals. Do we have standard approvals? Do we have some own approval things developed?
I know from a project in Finland, they had some dynamic approval generation going back and forth and whatever with 14 levels you could reach might be difficult, right?
To, to migrate this and also to another project or cost more money at least, right? User interface. Some of the clients we know they're having developed their own user interface, right? What are you doing then? I mean you have then to think also what you're doing just only with the front end, right? That's another thing you have to consider in your project. Business roles, I mean some using a lot of business roles, there are clients using no business roles. Probably you can also think about a redesign of your authorization concept with that project. Could also make sense.
Standard connectors versus customized connectors. I mean if you have a customized connector, of course it might be difficult to just copy and paste this connector to another system, right? Or the opportunity is that in the new vendor you would choose would probably have set connector already, right? Then you just need to tweak it a little bit. Amount of connected systems could be also also performance related thing. I know clients, they have probably 500 clients or systems connected, which might be then a huge number, right? Export of data.
I mean it depends also when you export identity data, right? You could export this data and I think this question came up also to me this week. Can I just hook the HR system to that or do I need to export the, the real data, which is an S-A-P-I-D-M. It depends on of course how how much you have enriched the identity data.
Sometimes you have additional data to that identity. Then you need of course to probably migrate the S-A-P-I-D-M identity data to your new solution based on the business world thing. Entitlements, what kind of entitlements do you have?
It it's also a a, an an also an amount perspective probably, which you have to, to think of. I think one, one of a very important piece is cleanup data. I heard also some discussions about ai.
This, this, this week here, if you don't have a clean data structure, AI would also not help you, right? So to clean up data, we saw also a client which has probably 800 identity related attributes. So when you now migrate this amount of data, what attributes, I mean if you bring in a consultant and say, let's migrate my system, 800 attributes, what shall you do with that? Right? So what we looked is when was that actually put written last time in your system, right?
So we figured out, oh, five years ago to it away period, I mean clean, clean up your data risk in sods of course, do we have probably a GSE system connected? You have to then to think about how your new vendor is able to, to integrate this or pull something from GSC into the IGA solution or also possible. This is something you have to consider. Amount of IM system. I already mentioned there are clients which having probably multiple IM systems, probably you can then migrate to an existing IM solution already, which is a new environment or you have to build up a new system, right?
Entities, attributes, of course I know clients that have a lot of entities for, for different contexts, context things. Established attributes is a thing.
You, you have to also integrate a steering committee. It's not only a technical thing. You have also to bring the right people together, right?
Change management. You have to think about change management, how you bring in the new system. Probably your email templates will change, right? They look differently. There are systems that have a lot of standard email templates already in place. Probably you can utilize them. You have to change and again, your process, but you can then use existing templates, right?
Hosting many server, probably your system is not, most probably your systems are not hosted in your base, in in your cell anymore, right? In your organization could be also a topic to think about where, where they're located. Can we access them? Is are there some special firewall policies and to connect systems to get data out. Network segments probably you are not able to connect to certain systems or you need to plug in another job service or whatever in that space. Master source of truth. I know clients, they have five different HR systems, right?
So there, there is some complexity behind right reports. I mean do you use utilizing reports? Usually CSV reports are very common and so on. Probably you have then an own report solution. Then you have to think also about this topic IDM jobs, do you have scheduled jobs running all the time? This is something also you need to think, do you need some still anymore or can you then let some vanish into the new I IG edge solution, right? Stuff and training.
I mean, if you now move to a new solution, you have to train people, right? You have to train your staff in your organization and you should also consider this early and also are the people willing to learn the next new solution? It it'll take time, right? You have to, to consider this consulting, you have to find a company which supports you probably in that space. Also. Then the given experience, I saw also a a, a client talking to me, I guess in Switzerland.
They also brought a company in during the migration and asked the guy, do they know the IDM and then he told me, no, they don't know I-D-M-Z-S-A-P-I-D-M. So you, you don't have guys in the team which knows the product, right? Might be also a problem. Budget is a topic, right? You need to allocate the, the money early for this.
Yeah, and then of course authentication, authorization, how you access those solutions, right?
A rough project set up and efforts overview is very rough.
I, of course I came up with a very simple structure here, so because the complexity could go up to the sky, no, no question. Then it costs much, much, much more money for sure, but of course some planning, planning and project management is need needed.
You need, you need to analyze, right? You, you need to do an assessment, you need to clarify things, you need to review things. You need to provide a common understanding and review. Of course all existing processes you have if they, if you need them still further, right?
Design, cut off all processes, define new standard processes, finalize the architecture implementation. Of course, you have to set up a new landscape, right? Configuration, connectivity to SAP, IDM and so on is necessary. Testing dry run. Dry run is always recommended to see if the data which is coming in is good or not, right? With the processes are are working. If email sent out, of course then you have to go live, which is a normal thing. I guess training I guess is also important.
Yeah, and probably technical documentation, right?
So we, we are really thinking a lot of what can we do here because it's, it's, it's a lot of complexity and usually when we approach a new client, which which has already an existing as a PI IDM system, it always takes a lot of time to figure out what is behind what, what is in the machine, right? Which wheels are running there.
Of course, what we can, what we can offer is some advisory consulting. We can help you to, we are not running the project, but we support you.
Look, look to your application support you with is issues and open questions, but we approach now this topic a little bit differently and we call this fast lane, so we have two kind of tools now in place or bringing them alive, so the second one is not, not yet already the first is in progress.
It's called a migration analyzer. What we are doing here is we have a tool, we know the system, we know all the database stuff and so on. We are providing you a kind of report which helps you to, to understand your systems or the workflows are there.
You can see everything which is important for the migration. This is also vendor inde independent, right? The report, you can go wherever you want, right? The next thing what we are planning is also a kind of visit that we automatically probably import and export or export and import master data. We are also thinking about probably setting up something that you can already, there's a kind of template approval processes in place that we could, can assign those templates.
We can then extend the schema of a new, new solution, which you could choose At the moment, we have two products which we are looking into.
One is one identity, which might be a good fit for SAP. They have certified connectors for instance, for SAP and that could work very well. Microsoft Enter ID is a, it's a very hot topic for this solution. I can only say I, I know that SAP and Microsoft are working together right now, so it's not an IGA solution right now.
Yeah, if you want, just think, okay, I'm just replacing my, my SAP IDMs enter it. This will not work right now, but SAP is working with Microsoft together because it's a platform to platform approach, right? There are two platform vendors and I guess that was a idea behind to recommend Microsoft here. Yeah. Thank you very much for your time.
Thank you very much. So this was a, a different perspective. So from a practitioner's point of view, thank you very much. I would like to close down here because we have 10 minutes for fetching a coffee or something and getting up to the closing keynote.
If there are any questions to the Ocon team, please reach out to them. There's, there are colleagues down here, down there and here is arn and if you have any questions regarding how to do that, how to get to this tools, just reach out to them. Thank you very much for this great presentation for the final presentation for today and thank you very much.
