
Modeling Roles

Combined Session
Wednesday, May 09, 2007 14:00—15:00

Tailoring Roles for Automated Provisioning

A realistic and versatile role concept, together with process automation in Identity & Provisioning Management solutions, makes a substantial contribution to compliance. Introducing Identity & Provisioning Management solutions requires reworking many administrative and operational business processes. These processes must be defined and agreed upon company-wide before they can be implemented and supported by systems. Experience shows that this step accounts for by far the largest share of the total effort when introducing IPM solutions.

The talk presents different approaches to role modeling and offers success factors for optimal role management.

Prof. Dr. Dr. Gerd Rossa
ISM
Prof. Dr. Dr. Gerd Rossa is managing director of the Institut für System-Management, located in the north-east of Rostock. His 20 employees develop technical solutions such as...

Roles, Process Model and Automated Provisioning at ePlus

Mr. Hinnemann reports on his experience during the implementation and operation of an IPM system at E-Plus. He focuses on the role concept, which was modeled on the basis of the organizational structure and the tasks of individual departments. In addition, the following aspects of the IPM system are examined in more detail:

Short description of biCube IPM in general

IPM is an abbreviation of “Identity and Provisioning Management” and is deployed at E-Plus (named “ZUM”) for the assignment, modification and deletion of access rights. The system is used for all internal and external employees as well as subcontractors such as SNT (call center services) and Atos Origin. Access rights are managed as far as possible by the E-Plus users themselves via a web frontend. Requests for access rights have to be approved by different approvers in pre-defined workflow processes. Approx. 50% of all access rights are managed automatically by automated scripts.

Role concept – possible content of a role
All access rights at E-Plus are summarized within roles. There are two types of roles used in biCube. The first type of role contains only one application, which consists of multiple components (e.g. frontends, servers, databases). The second type of role contains different applications and is a role in its theoretical meaning. This second type is used when numerous users need the same access rights, for example a call center agent who needs access to Windows, Lotus Notes, several customer care applications, etc.

Role structure for E-Plus and subcos
The presentation shows the structure of the roles. The structure consists of 1886 workflows; 389 of these workflows are type-2 roles (see above).

Process description from the entry of an employee to exit
biCube has an automated interface to SAP HR to import user data. A new employee is imported into biCube this way and receives first access rights (e.g. Windows / Lotus Notes / biCube access) on the basis of his user attributes. This automated request is approved by the responsible department manager, and the logon information is sent to the department manager. After that the new user can request special rights or (if defined) a role for his area of responsibility. This can be done throughout the whole duration of his employment. When an exit date is captured in SAP HR, an automated exit process is started, and after different approvals all access rights are deleted.
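The two role types and the entry-to-exit process described above, as an added example that is not biCube's or the speaker's own code: all role, component and user names are constructed, and the rule that derives base rights from HR attributes is an assumption. Type-2 roles expand into type-1 roles, only an approval moves requested roles into effect, and the exit step revokes everything.

```python
from dataclasses import dataclass, field

# Type-1 roles: one application each, expanded into its components (constructed names).
APP_ROLES = {
    "windows": {"ad-account", "ad-group:staff"},
    "notes": {"notes-account", "mail-db"},
    "crm": {"crm-frontend", "crm-db-reader"},
}
# Type-2 roles: bundles of application roles for one job function (constructed).
BUSINESS_ROLES = {"callcenter-agent": {"windows", "notes", "crm"}}

@dataclass
class Identity:
    user_id: str
    roles: set = field(default_factory=set)    # approved application-role names
    pending: set = field(default_factory=set)  # requested, awaiting approval
    active: bool = True

def base_roles(hr_record: dict) -> set:
    """Entry: first rights follow from HR attributes only (constructed rule)."""
    return {"windows", "notes"} if hr_record["type"] == "internal" else {"windows"}

def hr_import(hr_record: dict) -> Identity:
    """SAP HR import creates the identity; the base request still awaits approval."""
    return Identity(hr_record["id"], pending=base_roles(hr_record))

def request(ident: Identity, name: str) -> None:
    """A user requests a type-1 or type-2 role; type-2 is expanded into type-1 roles."""
    if not ident.active:
        raise PermissionError("an exited user cannot request rights")
    if name not in APP_ROLES and name not in BUSINESS_ROLES:
        raise KeyError(f"unknown role {name!r}")
    ident.pending |= BUSINESS_ROLES.get(name, {name})

def approve(ident: Identity, approver: str = "department-manager") -> None:
    """Approval gate: only the responsible department manager grants pending roles."""
    if approver != "department-manager":
        raise PermissionError("approval requires the department manager")
    ident.roles |= ident.pending
    ident.pending.clear()

def effective_rights(ident: Identity) -> set:
    """Expand approved roles into the concrete access rights (components) they grant."""
    return set().union(*(APP_ROLES[r] for r in ident.roles))

def hr_exit(ident: Identity) -> set:
    """Exit date captured in HR: deactivate and revoke everything; returns what was removed."""
    removed = effective_rights(ident)
    ident.roles.clear(); ident.pending.clear(); ident.active = False
    return removed
```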

Automated provisioning of access rights
Windows accounts can be created and deleted by an automated interface in two independent AD domains. Global groups can be added or removed as well. This helps the administrators to focus on more qualified tasks than user management in AD.

Accounts can be created or deleted on approx. 450 UNIX servers in several networks. As this task was previously done by an external company, biCube saved approx. 500,000 Euro between 07-2002 and 12-2004 by using this interface.

Limitations and capabilities of a role model
A role model cannot describe 100% of all access rights. Daily routine shows that employees who work on the same job in the same organizational unit can need specialized rights that differ from their colleagues'. Besides the defined roles, nearly all access rights have to be requestable by the users. This fact helps to understand why “only” 389 of 1886 workflows in biCube are roles in the strict sense of the word. A role can often only be the basis of the needed access rights.

A role model helps administrators and users alike to keep an overview of a complex structure of access rights. This allows a strengthening of IT security and enables consistent support for compliance requirements (e.g. ISO, SOX). Users profit from an easier way of requesting access rights, which reduces the range of possible errors. Rights of employees are grouped, which makes modifications of access rights for several users easier. Considering this, a role model is mandatory for managing large amounts of different access rights for a high number of users.

Presentation deck: Roles, Process Model and Automated Provisioning at ePlus
Jörg Hinnemann
Atos Origin
Since 2002 I have been responsible for the operation, maintenance and further development of the identity management system "biCube IPM" for our customer E-Plus Mobilfunk GmbH & Co. KG....

Podium: The Art of Defining a Role Model that works

Since the first attempts were made to model an individual's relationship to the organization and express this relationship in roles, role modeling has faced several challenges. Not surprisingly, several role modeling projects have failed. Some people even state that the failures outnumber the successes.

The expert panel will give some insight into the state of this discipline, the driving forces towards more formal, model-based entitlement assignments, the critical factors for success and failure, some quality metrics for good results, the necessary prerequisites for successful role modeling projects, the tool support available and finally some real-world examples.

Michael Gerlach
Siemens AG, Corporate Information Office
Michael Gerlach (33) works in the Siemens Corporate Information Office, where he is responsible for defining the strategy and implementing guidelines in the area of identity and access management...
Paul Heiden
BHOLD COMPANY BV
Paul Heiden (1967) is BHOLD Company’s founder and CEO. Paul started his career as an officer of the Royal Netherlands Marine Corps specialized in mountain and arctic warfare. Having obtained...
Jörg Hinnemann
Atos Origin
Dr. Martin Kuhlmann
Omada
Dr. Kuhlmann plays a key role in the continued development of Omada’s solutions, including the award-winning Omada Identity Manager solution that is built entirely on the Microsoft platform and...
Prof. Dr. Dr. Gerd Rossa
ISM
Dr. Ron Rymon
CA Technologies
Dr. Ron Rymon has served as Vice President for Strategy in the CA Security Business Unit since 2008. Prior to CA, Ron was the founder of Eurekify, the pioneer and leading provider of role & compliance...