Ein realitätsnahes und vielseitiges Rollenkonzept und Prozessautomatisierungen in Identity & Provisioning Management Lösungen liefern einen erheblichen Beitrag zur Compliance. Die Einführung von Identity & Provisioning Management-Lösungen bedingt die Überarbeitung vieler administrativer und operativer Geschäftsprozesse. Diese Prozesse müssen unternehmensweit definiert und abgestimmt sein, bevor sie implementiert und durch Systeme unterstützt werden können. Erfahrungsgemäß führt dieser Schritt zum mit Abstand größten Anteil am Gesamtaufwand bei der Einführung von IPM-Lösungen.
Der Vortrag zeigt unterschiedliche Ansätze zur Rollenmodellierung und bietet Erfolgsfaktoren für ein optimales Rollenmanagement.
Herr Hinnemann berichtet über seine Erfahrungen während der Implementierung und des Betriebs eines IPM-Systems bei E-Plus. Dabei fokussiert er sich auf das Rollenkonzept, das in Anlehnung an die Aufbauorganisation und Aufgaben einzelner Abteilungen modelliert wurde. Des Weiteren werden folgende Aspekte des IPM System näher betrachtet:
Short description of biCube IPM in general
IPM is an abbreviation of “Identity and Provisioning Management” and is deployed at E-Plus (named “ZUM”) for the assignation, modification and deletion of access rights. The system is used for all internal and external employees as well as subco´s like SNT (callcenter services) and Atos Origin. Access rights are managed as far as possible by the E-Plus users themselves via web-frontend. Request for access rights have to be approved by different deciders in a pre-defined workflow processes. Approx. 50% of all access rights are managed automatically by automated scripts.
Role concept – possible content of a role
All access rights at E-Plus are summarized within roles. There are two types of roles used in biCube. The first type of roles contains only one application that consists of multiple components (e.g. frontends, servers, databases). The second type of roles contains different applications and is a role in its theoretical meaning. This second type is used when numerous users need the same access rights, for example a callcenter-agent that needs access to Windows, Lotus Notes, several customer care applications etc.
Role structure for E-Plus and subcos
Within the presentation the structure of roles is shown. The structure consists of 1886 workflows. 389 of these workflows are type-2 roles (see above).
Automated provisioning of access rights
Windows accounts can be created and deleted by an automated interface in two independent AD Domains. Global Groups can be added or deleted as well. This helps the administrators to focus on more qualified tasks than user management in AD.
Limitations and capabilities of a role model
A role model can not describe 100% of all access rights. The daily routine shows that employees that work on the same job in the same organizational unit can need specialized rights that differ from their colleagues. Beside the defined roles nearly all access rights have to be requestable for the users. This fact helps to understand why “only” 389 of 1886 workflows in biCube are roles in the strict sense of the word. A role often can only be the basis of the needed access rights.
A role model helps to keep the overview over a complex structure of access rights for administrators and users as well. This fact allows a strengthening of IT security and enables consistent support for compliance requirements (e.g. ISO, Sox). Users profit from an easier way of requesting access rights which reduces the range of possible errors. Rights of employees are grouped which makes modifications of access rights for several users easier. Considering this a role model is mandatory needed to manage large amounts of different access rights for a high amount of users.
Since the first attempts have been made to model an individuals relationship to the organization and express this relationship in roles, role modeling has faced several challenges. Not surprising several role modeling project failed. Some people even state, that the failures outnumber the successes.
The experts panel will give some insight in state of this discipline, the driving forces towards more formal model based entitlement assignments, the critical factors for success and failure, some quality metrics of good results, the necessary re-requisites for successful role modeling projects, the tool support available and finally some real world examples.