IDM for a Department store

Project Goal

To be well equipped to compete with other retail companies, this department store developed a powerful and responsive IT system. However, authorization and access management were neglected and could not cope with the size of the company. The identity and access management processes were too unstructured and labour-intensive, and media discontinuities created sources of error. Traceability was not guaranteed, and the flexibility to deal with organizational or personnel changes was insufficient. Given this situation, it was decided to call in deron as an external, manufacturer-independent and process-experienced service provider.

Project duration

  • Big picture: 4 months
  • Implementation phase 1 – 2: 15 months from functional design to operational handover

Connected systems

  • eDirectory
  • SAP systems
  • Lotus Notes
  • Host (diverse applications)
  • Other connections are in development


  • Implementation of employee processes and branch employee processes for entry, transfer, name change, etc. as procedures with preventive authorization control. This lets the business act proactively, because it is prompted to take action before critical situations can occur. For example, automated messages are sent to line managers to revoke authorizations when employees are transferred.
  • Supervisors are able to create the authorizations for new employees themselves without the help of IT / administration.
  • IT is relieved by automated authorization assignment for the most important and most frequently used applications.
  • The customer is able to develop the IDM further on its own and to connect additional target systems.
  • Role management was established, which adapts the business roles and keeps them up to date.

Methodology and project procedure

deron current-state analysis

The stocktaking carried out according to the method revealed the following problems. For example, when employees were hired or changed departments, HR delivered only incomplete information about them to the IT organization, and only after a delay. In addition, authorizations were in fact never revoked because no information was sent to the IT department. In part, the names within the assigned accounts could not be identified unambiguously. Even at first consideration it became clear that no improvement could be achieved with a technology-driven approach that leaves out optimization at the “IDM process level”. Only the combination of process-related and simultaneous technological improvements could be effective. Furthermore, it was necessary to define a uniform authorization procedure for the heterogeneous applications and platforms.

The deron Big Picture

deron developed the life cycle models for internal and branch employees. These took into account the fact that HR was not able to make its personal data available in the source system in good time. Additional organizational measures were necessary to generate data whose content was fit to be loaded and that was available in real time for the authorization procedures. Business departments and IT had to work together to create these. Such supporting procedures were also mapped in the IDM. After intensive workshops, it was possible to develop an optimal process for HR, IT and corporate security that was accepted by all and that represents a resilient basis for the allocation of authorizations.

Role Design

A simplified process platform alone does not increase usability enough for the person responsible for authorizations in the business department. A concept with a reduced, context-oriented selection of authorizations was necessary. This requires a business role model with self-explanatory (“speaking”) roles and a limited number of selection options. Internal managers and department heads in branches were to be given a simple user interface that they could understand. In this rough-concept phase, the internal organization and that of the branches were therefore examined to determine which role system would suit them best. In addition, the basis for a future role model was developed together with the customer and its branch representatives. The branch representatives rated this role model extremely positively, because for the first time no deep, IT-technical expert knowledge was necessary to equip an employee with their authorizations.

deron product evaluation

Until then, authorization management could only be handled by intensive mail traffic between business departments, IT and dedicated administrators, despite the use of various auxiliary tools. In contrast, the new IDM procedures were to run automatically in order to relieve the administration. For the future solution, deron developed a catalogue of requirements (the deron catalogue, supplemented with customer-specific requirements) with more than 170 criteria, which covered the following topics among others:

  • Workflow Engine for mapping of processes
  • Integration of a role model for simple authorization assignment with resolution of the roles into individual authorizations
  • Automated authorization assignment in the most important applications

On the basis of these requirements, the customer decided on a suitable IDM product, which has proven itself in practice to this day.

deron Masterplan

The customer wanted a quick implementation and prompt results for the end users, with limited internal resources. The elements that provide the greatest relief were to be implemented first. With the deron master plan methodology, IDM can be introduced in small project steps because each project step is intelligently prioritized. In total, deron defined 8 phases and implemented the project in cooperation with the customer. A know-how transfer took place to enable maintenance and further development.

Project realization and the resulting improvements

After the master plan had been worked out with the customer and the prioritization of the subprojects had been defined, the detailed technical and business concepts were created, including all necessary exceptions. The many deron templates and deron's accumulated experience were used, which made it possible to complete the detailed concepts within only 3 months.

The implementation followed the typical 3-step model (development, test, production), so that the customer could already carry out partial quality assurance while further elements were still being developed.