
Getting access to ODJ

To get access to the ODJ a user has to order the access package "odj-access" in the Azure MyAccess Portal. Use the following link: odj-access

If the user has been assigned this access package, he/she will be added to the Azure AD group grp-s-int-odj-access-pim.

External users

External users must use their Schwarz account (...@mail.schwarz) for engineering tasks and therefore use this account to order the access package and authenticate with the ODJ. The ODJ is in talks with management and stakeholders to allow these external users to use their Schwarz account without the requirement of having to connect from a trusted network (e.g. VPN). They will be able to use two-factor authentication instead.

In general, the medium-term goal is that all employees, including externals, will use their Schwarz account (...@mail.schwarz) for engineering tasks in the future.

With the current organizational rules, login with a Schwarz account is only possible from a trusted network, such as the office or a VPN connection. However, many external companies no longer work via VPN and instead connect directly from the internet. To make collaboration in the day-to-day work environment possible, many externals currently use an Azure AD Guest account to bypass this restriction for at least the important everyday tools from the Microsoft universe (e.g. Azure DevOps).

Until we have found a final and acceptable solution for the use of internal accounts for external employees without VPN, we will keep this state for the time being.

Use Azure AD Guest account for externals

Therefore, these externals should temporarily work with their Azure AD Guest account and order the access package with this account.

This enables external users to access the ODJ Portal, Azure DevOps, Azure Portal and Azure MyAccess Portal without necessarily being connected via VPN. However, this way is not technically possible for the other adjacent tools that do not originate from the Microsoft universe. In these tools, as in the past, external users have to use their @mail.schwarz account.

If everything is set up correctly, the ODJ will automatically match the corresponding internal @mail.schwarz account to the external user's guest account. This auto-matching process will fail if the internal SIAM account was not created with the correct data, such as matching email addresses. In that case, an IT4YOU ticket to the ODJ team is required to manually match the Azure AD Guest account with the internal SIAM account for this user. Please provide the user's workforceId directly so that the correct internal account can easily be matched for the external employee.

As soon as we have found a good way together with the different stakeholders that allows external employees to use their mail.schwarz account without VPN and meet our security requirements, we will perform a migration and remove the guest accounts from the engineering systems.