- TYPE: Combined Session DATE: Wednesday, May 09, 2007 TIME: 14:00-15:00
Roles, Process Model and Automated Provisioning at ePlus
- Short description of biCube IPM in general
- Role concept – possible content of a role
- Role structure for E-Plus and subcos
- Process description from the entry of an employee to exit
- Automated provisioning of access rights
- Limitations and capabilities of a role model
Short description of biCube IPM in general
IPM is an abbreviation of “Identity and Provisioning Management” and is deployed at E-Plus (named “ZUM”) for the assignation, modification and deletion of access rights. The system is used for all internal and external employees as well as subco´s like SNT (callcenter services) and Atos Origin. Access rights are managed as far as possible by the E-Plus users themselves via web-frontend. Request for access rights have to be approved by different deciders in a pre-defined workflow processes. Approx. 50% of all access rights are managed automatically by automated scripts.
Role concept – possible content of a role
All access rights at E-Plus are summarized within roles. There are two types of roles used in biCube. The first type of roles contains only one application that consists of multiple components (e.g. frontends, servers, databases). The second type of roles contains different applications and is a role in its theoretical meaning. This second type is used when numerous users need the same access rights, for example a callcenter-agent that needs access to Windows, Lotus Notes, several customer care applications etc.
Role structure for E-Plus and subcos
Within the presentation the structure of roles is shown. The structure consists of 1886 workflows. 389 of these workflows are type-2 roles (see above).
biCube has an automated interface to SAP HR to import user data. The new employee is imported into biCube this way and gets first access rights (e.g. Windows / Lotus Notes / biCube access) on basis of his user attributes. This automated request is approved by the responsible department manager. The logon information is sent to the department manager. After that the new user can request special rights or (if defined) a role for his area of responsibility. This can be done throughout the whole duration of his employment. When a exit-date is captured in SAP HR an automated exit process is started and after different approvals all access rights are deleted.
Automated provisioning of access rights
Windows accounts can be created and deleted by an automated interface in two independent AD Domains. Global Groups can be added or deleted as well. This helps the administrators to focus on more qualified tasks than user management in AD.
Limitations and capabilities of a role model
A role model can not describe 100% of all access rights. The daily routine shows that employees that work on the same job in the same organizational unit can need specialized rights that differ from their colleagues. Beside the defined roles nearly all access rights have to be requestable for the users. This fact helps to understand why “only” 389 of 1886 workflows in biCube are roles in the strict sense of the word. A role often can only be the basis of the needed access rights.
A role model helps to keep the overview over a complex structure of access rights for administrators and users as well. This fact allows a strengthening of IT security and enables consistent support for compliance requirements (e.g. ISO, Sox). Users profit from an easier way of requesting access rights which reduces the range of possible errors. Rights of employees are grouped which makes modifications of access rights for several users easier. Considering this a role model is mandatory needed to manage large amounts of different access rights for a high amount of users.
- Registration fee:
- Contact person:
Mr. Joerg Resch
+49 (0)211 23707777
- May 07 - 10, 2007 Munich