Employee data from HR to AD – Retail project
Employee data is usually managed by the human resources (HR) department. However, every employee with a computer workstation also needs an AD account. Maintaining multiple employee databases manually quickly leads to chaos. Synchronization in the direction of AD can be part of the solution here.
Effectively manage HR database and AD
A German family business in the retail sector from the western Ruhr area was faced with exactly this problem. As is often the case in practice, the customer had a SAP HCM database in use which contained employee data. It was particularly time-consuming that:
- this staff database had to be maintained manually and
- synchronized with Active Directory manually.
With a size of 1,000 employees at the project site, this parallel maintenance of two systems was a time-consuming process. Not only did it usually keep several IT administrators busy, but it was also a source of errors. Data was often entered either late, incomplete or incorrectly. It also meant that users had to put up with waiting times. In practice, users did not have all the access rights to applications before data was transferred from the HR system to AD.
Save time, automate manual data maintenance from HR to AD
The customer approached FirstAttribute with the request to automate this time-consuming manual process of synchronization. In detail, selected entries in the HR database were to be transferred to the AD database automatically and time-controlled via an SAP interface. The goal was to relieve the IT administrators of time-consuming routine tasks and to stabilize the data quality between the systems.
IDM-Automation for reliable data synchronization
FirstAttribute’s IDM-Automation Software was identified as a quick workaround. The automated service runs hidden in the background and updates the data in Active Directory. This works by using information that is regularly exported from the SAP system and made available to the interface.
Using several scripts developed by FirstAttribute
- the data is mapped, missing values are generated and saved in AD
- home directories are created
- group memberships are set
- and an extensive error logging is provided.
This is a one-way synchronization, as no data is written back from AD to the SAP HCM system. Within a few months, the processes were converted and automated in close cooperation with the customer.
Fast user creation directly in AD for special cases
At the same time, there was another requirement from the customer. External and technical employees were not maintained in the customer’s HR database. These users had to be entered directly in Active Directory. It was requested that this task could also be delegated to non-IT employees.
Non-IT employees edit user accounts
To accomplish this, FirstAttribute’s FirstWare IDM portal was chosen as a user-friendly solution. The portal enables identity tasks to be performed independently, self-explanatory and in a short time.
In-depth IT knowledge and direct access to the end systems are not necessary. The customer was impressed by the portal’s intuitive web interface, where all the information can be conveniently entered on a single page.
Depending on the user type, external or technical, individual interfaces with different, company-specific fields were designed. In Exchange, mailboxes should be created when a new user is created.
Overall project summary
Thanks to customer-oriented project management, the customer’s requirements were implemented within a few months. This included regular consultations and test runs to ensure perfect mapping of the customer’s performance specifications. In addition, the customer received configuration documentation that precisely recorded all parameters and included assistance.
Both projects were successfully completed. The software applications have been in effective and productive use for several months.
