
ODJ SIAM Replacement

Motivation for ODJ to replace SIAM as Access Management

ODJ is the central entry point and developer journey for cloud-native "MAKE" applications developed in the Schwarz Group. ODJ has used SIAM as its IDP and Access-Management solution for the last 3 years. Unfortunately, SIAM became a major bottleneck for the ODJ with regard to speed, reliability and functionality.

To enhance the developers' experience in the ODJ, especially when starting new Teams (formerly known as Subscriptions) or adding new team members, ODJ decided to switch to Azure IDP as the cloud IDP and to implement its own Access-Management following the Google Zanzibar paper.

Instead of waiting days until a developer can actually use the ODJ to provide value for our customers, we now provide a much more convenient and faster way to reach your implementation goals: with the new ODJ Access-Management in place, you are ready to lift off in a couple of minutes. This includes the team setup itself as well as the possibility to easily edit the roles of current users.

Subscriptions are now teams

Be aware that, to be more ARM compliant, we decided to rename ODJ subscriptions to "Teams".

Implications

Replacing SIAM with our own Access Management comes with certain implications for new internal as well as external users. Current users have already been moved to the new Access Management by the ODJ automatically. All implications are listed below.

Internal Users

ODJ
  • AAD user account required for login
  • Access package "odj-access" must be assigned
  • No SIAM roles are used anymore

ODJ Teams
  • Some teams will have a new owner, who needs to be verified
  • There will be three member roles available in a team (Owner, Engineer and Reader)

Provider STACKIT
  • Exact representation of the ODJ team structure

Provider GCP
  • New users will be set up via the ODJ
  • New groups will be set up alongside the existing ones, with the same permissions/roles

Provider Azure
  • New groups will be set up alongside the existing ones, with the same permissions/roles

Azure DevOps
  • Access is granted via hidden access packages managed by ODJ only (for newly created ADO projects)
  • Existing projects will still be managed via SIAM roles (until they are migrated to access packages)

ODJ Tools (SonarQube/Snyk/Artifactory)
  • No change (SIAM role still used)

ODJ Docs
  • No change

External Users

ODJ
  • AAD user account required for login
  • Access package "odj-access" must be assigned
  • Access package/AAD group for "mfa-anydevice" must be assigned (RK0023481)
  • No SIAM roles are used anymore

ODJ Teams
  • Some teams will have a new owner, who needs to be verified
  • There will be three member roles available in a team (Owner, Engineer and Reader)

Provider STACKIT
  • Exact representation of the ODJ team structure

Provider GCP
  • New users will be set up via the ODJ
  • New groups will be set up alongside the existing ones, with the same permissions/roles

Provider Azure
  • New groups will be set up alongside the existing ones, with the same permissions/roles

Azure DevOps (new ADO projects)
  • AAD user account (SIAM ext) required
  • AAD guest account still works for existing ADO projects (until they are migrated to SIAM ext accounts and access packages)
  • Access is granted via hidden access packages managed by ODJ only
  • Access package/AAD group for "mfa-anydevice" must be assigned (RK0023481)

ODJ Tools (SonarQube/Snyk/Artifactory)
  • No change (SIAM role still used)

ODJ Docs
  • No change

FAQ

The FAQ area is continuously extended based on the questions we receive about the ODJ SIAM Replacement.

What Access Package do I need?

You can find the Access Package in Azure My Access, as shown in the screenshot below. Just follow the dialog and request the Access Package.

(Screenshot: Access Package Dialog)

I am INTERNAL and I can't access ODJ anymore

You probably forgot to request the corresponding Azure Access Package for your user. The Access Package is granted without any approval and is the base membership you'll need to log into the ODJ (console.odj.cloud).

I am EXTERNAL and I can't access ODJ anymore (may affect also SCRM & mmmake)

Every external user needs a SIAM account to be able to use the ODJ with its new Access Management. Externals must enable MFA for their account via MFA-Setup. Furthermore, as an external you need to order the corresponding Azure Access Package in Azure My Access.

It is important that you use your SIAM user account (username for cloud applications, e.g. 123456@mail.schwarz). If you cannot log in with this account, your SIAM account may not have been properly synced to AAD. In this case, please contact the SIAM operations team to activate the sync for you (IT4YOU NSR to the team s-int-it-siam-operations).

Important: Please do not use an Azure AD guest account.

How can I give other members access to my product?

You have to add them to your Team with the role you want them to have. You only need their email address as registered in SIAM.

How can I remove members from my product?

You have to delete the member from the team via the ODJ UI. In the background, the ODJ takes care that the user is also removed from the products of the team.
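As an added illustration (not ODJ's own code) of the Zanzibar-style Access-Management described above: team membership is stored as relation tuples, products inherit access from their parent team, and deleting the team tuple revokes product access in the same check. The relation names, the role hierarchy (Owner implies Engineer implies Reader) and the sample team/product names are assumptions for this example.

```python
# Added example (not ODJ's own code): minimal Zanzibar-style relation store
# with ODJ-like teams (Owner/Engineer/Reader) and products inheriting from
# their team. Relation names and role hierarchy are assumptions.
from collections import defaultdict

# Assumed role hierarchy: an owner can do everything an engineer can, etc.
ROLE_IMPLIES = {
    "owner": {"owner", "engineer", "reader"},
    "engineer": {"engineer", "reader"},
    "reader": {"reader"},
}


class RelationStore:
    """Stores Zanzibar-style tuples of the form object#relation@subject."""

    def __init__(self):
        self.tuples = defaultdict(set)  # (object, relation) -> {subject}

    def write(self, obj, relation, subject):
        self.tuples[(obj, relation)].add(subject)

    def delete(self, obj, relation, subject):
        self.tuples[(obj, relation)].discard(subject)

    def team_roles(self, team, user):
        """Roles the user holds in the team, expanded along the hierarchy."""
        roles = set()
        for role, implied in ROLE_IMPLIES.items():
            if user in self.tuples[(team, role)]:
                roles |= implied
        return roles

    def check(self, obj, relation, user):
        """True if a direct tuple exists or the relation is inherited from a parent team."""
        if user in self.tuples[(obj, relation)]:
            return True
        # product#<relation> is computed from the parent team's <relation>
        return any(relation in self.team_roles(team, user)
                   for team in self.tuples[(obj, "parent")])


def demo():
    """Team membership grants product access; removing it revokes that access."""
    store = RelationStore()
    store.write("team:payments", "engineer", "user:alice")  # constructed sample data
    store.write("product:payments-api", "parent", "team:payments")
    before = store.check("product:payments-api", "reader", "user:alice")
    store.delete("team:payments", "engineer", "user:alice")  # remove member from team
    after = store.check("product:payments-api", "reader", "user:alice")
    return before, after
```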

How long does it take to provide fresh users access to my ODJ Team?

Immediately, or within a few minutes at most, and you're good to go.

Do I still need my roles at SIAM?

SIAM roles are not necessary to log in to the ODJ or to create a new team and its products. SIAM roles are still necessary to access the following dev tools:

  • Snyk
  • SonarQube
  • Artifactory

We will remove the need for SIAM roles to access these developer tools soon. SIAM role requests for these developer tools will then be handled automatically via the ODJ (as before).

Currently used SIAM roles (in already existing ODJ subscriptions: ..._po, ..._dev) will be moved to the ODJ Access-Management soon. Ordering the currently used roles will NOT affect access to the dev tools in the future; the only source of truth will be the ODJ Access-Management.

Info: Ordering SIAM roles with the naming pattern ..._po, ..._dev no longer has any effect. We will disable the possibility to order these roles in the future.

Why do I get a 404 at ADO after Dev-Environment creation?

Microsoft caches your permissions, so newly created resources are not immediately reflected in your permission set. To solve this, you need to re-evaluate your permissions, as shown in the screenshots below:

(Screenshot: Re-Evaluate Step 1)

(Screenshot: Re-Evaluate Step 2)

None of my questions are listed here

For the launch period, the ODJ Team will offer a Hypercare Support Teams channel where you can ask for help with questions not answered in our FAQ. Please keep in mind that the channel will be available for one week and then closed. For further questions, feel free to use our "Contact us" page.

Future prospects

Besides the removal of SIAM from the ODJ journey, we are preparing the roll-out of the first draft of NEO-compliant roles in the ODJ, moving away from only letting you choose between "Owner" and "Member" inside a development team. Currently we plan to implement the following roles according to the NEO initiative (on team level):

  • Product Owner
  • Engineering Lead
  • Engineer
  • Expert
  • Software Architecture Lead / Staff Engineer
  • Reader

Further (non-team related) NEO roles are in preparation as well. We will keep you updated, stay tuned.