GEHE distributes access authorizations automatically and system-wide

GEHE Pharma Handel GmbH employs around 2,900 people at 19 locations throughout Germany. For the IT administrators, this heterogeneous company structure entailed enormous expense. After all, they had to activate the access rights for each employee individually – separately for all 19 location servers. By using an identity management system, the pharmaceutical wholesaler was able to significantly reduce this effort.

Who is allowed to access which data in a company? What user rights are associated with a particular position? How can unauthorized persons be prevented from accessing sensitive data or applications? Behind these questions lies a complex set of rules that covers a multitude of possible scenarios: new employees join, others change departments, still others leave the company. For user administration this means that access rights must be redistributed and user accounts adjusted or deactivated. In addition, there are often partners and suppliers who also need access to selected applications. For many IT administrators, user administration therefore involves a great deal of effort. However, this time-consuming and costly undertaking can hardly be avoided: if gaps occur in the system, business-critical data is exposed to unauthorized access. The assignment of individual access rights is therefore highly security relevant.


Managing authorizations for 19 locations


The Stuttgart-based pharmaceutical wholesaler GEHE has always been aware of this. “Because of our activities in the pharmaceutical industry, we have to apply stricter security standards in user administration than other companies. For example, we have to comply with the regulations of the US Food and Drug Administration (FDA), which sets specific requirements for recording data in electronic form,” explains Robert Henke, Manager Infrastructure Group Intel at GEHE Pharma Handel GmbH. However, the company did not want to accept the associated high administration costs.

By the end of 2003, GEHE’s IT administrators had to activate the access rights for each employee individually – separately for all 19 location servers. Since setting up a new user account, including logging in and logging out, takes about five minutes, the administrator was busy for a total of one and a half hours creating the access rights for a new employee. “This situation was untenable,” says Robert Henke. “Our IT managers were to be relieved so that they could concentrate fully on their core tasks again.”

GEHE decided to introduce an identity management solution in order to make the allocation of access rights for the approximately 2,900 employees more efficient and at the same time increase the security standards for user administration.


Independent consulting firm takes over faltering project


The choice fell on the Novell Identity Manager. The software solution was intended to noticeably reduce the administrative effort. However, the desired automated, cross-system assignment of rights did not succeed at the first attempt. On the one hand, the rule structure for the automated assignment of rights proved to be highly complex. On the other hand, the heterogeneous IT landscape had also been underestimated. “In our branches, we use various platforms such as Windows NT and IBM AIX. They should all be connected to the identity management system,” explains Robert Henke. After the project had come to a standstill, GEHE sought help from a manufacturer-independent consultant. The pharmaceutical wholesaler found support from deron, a Stuttgart-based consultancy specialising in Identity Management systems.

When the Stuttgart consultants took over the project, it had already progressed considerably. Nevertheless, the deron employees began with a fundamental analysis once again. “The project was a good example of how the frequently praised plug-and-play philosophy does not do justice to such complex IT projects,” explains Klaus Scherrbacher, Managing Director at deron. “Projects that are implemented without the necessary preparatory work often exceed the allotted time and budget. We rely on a comprehensive analysis in which all questions are clarified in detail in advance and different scenarios are run through. Since an identity management system offers many application possibilities, a prior detailed requirements analysis is indispensable. Because not everything that is possible makes sense – especially with regard to the cost-benefit ratio.” “We particularly liked this analytical approach from deron,” recalls Robert Henke.


From off-the-shelf to tailor-made


Together with the GEHE project managers, the deron consultants then developed an individual concept to adapt the Novell solution to the specific needs of the pharmaceutical wholesaler. It became apparent that the company wanted to centrally administer the merchandise management systems of its 19 branches and attached importance to a uniform interface for users and administrators. Each employee account was to be set up only once. In future, the assignment of rights for all other servers was to take place automatically using clearly defined rules. Role-based administration was to relieve the burden on IT managers. Using these roles, the administrator defines which access authorizations an employee should receive. For example, they define which information sales employees can access or which applications are relevant for HR administrators. Once a role has been created, it can be assigned automatically and reused as often as required – securely and cost-effectively.

After the requirements had been clarified in detail, deron began to adapt the existing identity management solution, making all relevant presettings and deploying rules. To keep the project manageable, deron implemented functions sequentially. Only when one function was successfully implemented did the next follow. With this step-by-step implementation, the consulting firm ensured that the project remained exactly within the agreed budget.


Account allocation in two minutes


GEHE is now benefiting from all the advantages of using the customised identity management solution. The pharmaceutical wholesaler sees the enormous time savings as particularly positive. Today, administrators need only two minutes to set up a new user account. This is used across all locations and application areas. “Each user now has only one account for all AIX and Windows systems – including Siebel, Lotus Notes, Microsoft Exchange and various intranet applications,” says Robert Henke. Because the accounts can be set up in minutes, new employees can access all relevant applications immediately after their data has been transferred to the HR department and start work immediately.

In addition, users only have to log on to the system once (Single Sign On). After the changeover, a single password is sufficient to log on to the various systems and applications.


Protect business-critical data from misuse


The pharmaceutical wholesaler has also improved the important security aspects with the Identity Management solution. If an employee changes departments or leaves the company completely, access can be blocked using a single action. All authorizations are then adjusted in the background or lose their validity immediately.
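The role-based assignment described above and the single-action blocking described here both reduce to one reconciliation step: compute the entitlements an employee should hold from their roles, compare with what the target systems currently grant, and emit grants and revokes. The following Python is an added illustration of that step, not GEHE's or deron's code; the role table, system names and entitlement names are constructed.

```python
# Constructed role model (assumption, not GEHE's rule set): each role maps a
# target system to the entitlements a holder of that role should have on it.
ROLES = {
    "sales": {"aix-erp": {"order_entry"}, "notes": {"mail"}},
    "hr_admin": {"windows-hr": {"hr_app"}, "notes": {"mail"}},
}


def desired_entitlements(roles):
    """Union of entitlements over all of an employee's roles: {system: set}."""
    wanted = {}
    for role in roles:
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        for system, ents in ROLES[role].items():
            wanted.setdefault(system, set()).update(ents)
    return wanted


def reconcile(current, roles):
    """Return (grants, revokes) that move `current` to the role-derived state.

    An empty role list models a leaver: every current entitlement is revoked,
    which is the 'single action' that blocks access across all systems.
    """
    wanted = desired_entitlements(roles)
    grants, revokes = {}, {}
    for system in set(current) | set(wanted):
        have = current.get(system, set())
        want = wanted.get(system, set())
        if want - have:
            grants[system] = want - have
        if have - want:
            revokes[system] = have - want
    return grants, revokes


def apply_changes(current, grants, revokes):
    """Simulate the connectors applying the plan; returns the new state."""
    state = {s: set(e) for s, e in current.items()}
    for system, ents in grants.items():
        state.setdefault(system, set()).update(ents)
    for system, ents in revokes.items():
        state[system] -= ents
    return {s: e for s, e in state.items() if e}  # drop emptied systems


def lifecycle(role_history):
    """Run joiner/mover/leaver transitions; returns the plan for each step."""
    state, plans = {}, []
    for roles in role_history:
        grants, revokes = reconcile(state, roles)
        plans.append((grants, revokes))
        state = apply_changes(state, grants, revokes)
    return plans
```

`lifecycle([["sales"], ["hr_admin"], []])` yields the joiner grants, the department-change plan (revoking the order-entry right while leaving the shared mail entitlement untouched) and the leaver revocation of everything that remains.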

In order to be able to change the password themselves, deron also implemented a self-service with password synchronization for users – an important prerequisite for being able to introduce stricter password regulations if necessary without additional administrative effort. This means that the pharmaceutical wholesaler is well prepared for future requirements. Robert Henke is very satisfied with the improvements: “The solution fully meets our security requirements. It makes a significant contribution to protecting our business-critical data. And, of course, it has helped us to reduce administration to a minimum.”


Advantages at a glance:

    • Time and cost savings through simplified assignment of rights/permissions
    • Reduced workload for employees through Single Sign On
    • Immediate data access for new employees
    • Immediate blocking of former employees
    • All subsidiaries and their different IT systems and applications connected to one Identity Management system