Modeling Roles

  • TYPE: Combined Session DATE: Wednesday, May 09, 2007 TIME: 14:00-15:00

Roles, Process Model and Automated Provisioning at ePlus

  • Short description of biCube IPM in general
  • Role concept – possible content of a role
  • Role structure for E-Plus and subcos
  • Process description from the entry of an employee to exit
  • Automated provisioning of access rights
  • Limitations and capabilities of a role model

Short description of biCube IPM in general

IPM is an abbreviation of “Identity and Provisioning Management” and is deployed at E-Plus (named “ZUM”) for the assignation, modification and deletion of access rights. The system is used for all internal and external employees as well as subco´s like SNT (callcenter services) and Atos Origin. Access rights are managed as far as possible by the E-Plus users themselves via web-frontend. Request for access rights have to be approved by different deciders in a pre-defined workflow processes. Approx. 50% of all access rights are managed automatically by automated scripts.

Role concept – possible content of a role
All access rights at E-Plus are summarized within roles. There are two types of roles used in biCube. The first type of roles contains only one application that consists of multiple components (e.g. frontends, servers, databases). The second type of roles contains different applications and is a role in its theoretical meaning. This second type is used when numerous users need the same access rights, for example a callcenter-agent that needs access to Windows, Lotus Notes, several customer care applications etc.

Role structure for E-Plus and subcos
Within the presentation the structure of roles is shown. The structure consists of 1886 workflows. 389 of these workflows are type-2 roles (see above).

Process description from the entry of an employee to exit
biCube has an automated interface to SAP HR to import user data. The new employee is imported into biCube this way and gets first access rights (e.g. Windows / Lotus Notes / biCube access) on basis of his user attributes. This automated request is approved by the responsible department manager. The logon information is sent to the department manager. After that the new user can request special rights or (if defined) a role for his area of responsibility. This can be done throughout the whole duration of his employment. When a exit-date is captured in SAP HR an automated exit process is started and after different approvals all access rights are deleted.

Automated provisioning of access rights
Windows accounts can be created and deleted by an automated interface in two independent AD Domains. Global Groups can be added or deleted as well. This helps the administrators to focus on more qualified tasks than user management in AD.

Accounts can be created or deleted on approx. 450 UNIX Servers in several networks. As this task was done by an external company before biCube saved approx. 500.000 Euro between 07-2002 and 12-2004 by using this interface.

Limitations and capabilities of a role model
A role model can not describe 100% of all access rights. The daily routine shows that employees that work on the same job in the same organizational unit can need specialized rights that differ from their colleagues. Beside the defined roles nearly all access rights have to be requestable for the users. This fact helps to understand why “only” 389 of 1886 workflows in biCube are roles in the strict sense of the word. A role often can only be the basis of the needed access rights.

A role model helps to keep the overview over a complex structure of access rights for administrators and users as well. This fact allows a strengthening of IT security and enables consistent support for compliance requirements (e.g. ISO, Sox). Users profit from an easier way of requesting access rights which reduces the range of possible errors. Rights of employees are grouped which makes modifications of access rights for several users easier. Considering this a role model is mandatory needed to manage large amounts of different access rights for a high amount of users.

Log in to download the presentation:  


Paul Heiden (1967) is BHOLD Company’s founder and CEO. Paul started his career as an officer of the Royal Netherlands Marine Corps specialized in mountain and arctic warfare. Having obtained a master degree in Dutch and Roman law, Paul became legal counsel at KPN, the Dutch...

Since 2002 I am responsible for the operation, maintenance and development of the identity management system "biCube IPM" for our customer E-Plus Mobilfunk GmbH & Co. KG. Until december 2004 this was done as an E-Plus employee, afterwards in scope of an outsouring deal by Atos...

Dr. Kuhlmann plays a key role in the continued development Omada’s solutions, including the award-winning Omada Identity Manager solution that is built entirely on the Microsoft platform and integrates with Microsoft Identity Lifecycle Manager to provide a robust solution for Compliance...

Dr. Ron Rymon serves as Vice President for Strategy, in CA Security Business Unit since 2008. Prior to CA, Ron was Founder of Eurekify, the pioneer and leading provider of role & compliance management solutions, where he filled management roles ranging from R&D, to product management, to...


Session Links


European Identity Conference 2007

Registration fee:
€1980.00 $2475.00 S$3168.00 21780.00 kr
Mastercard Visa American Express PayPal INVOICE
Contact person:

Mr. Joerg Resch
+49 (0)211 23707777
  • May 07 - 10, 2007 Munich