Herr Hinnemann berichtet über seine Erfahrungen während der Implementierung und des Betriebs eines IPM-Systems bei E-Plus. Dabei fokussiert er sich auf das Rollenkonzept, das in Anlehnung an die Aufbauorganisation und Aufgaben einzelner Abteilungen modelliert wurde. Des Weiteren werden folgende Aspekte des IPM System näher betrachtet:
Short description of biCube IPM in general
IPM is an abbreviation of “Identity and Provisioning Management” and is deployed at E-Plus (named “ZUM”) for the assignation, modification and deletion of access rights. The system is used for all internal and external employees as well as subco´s like SNT (callcenter services) and Atos Origin. Access rights are managed as far as possible by the E-Plus users themselves via web-frontend. Request for access rights have to be approved by different deciders in a pre-defined workflow processes. Approx. 50% of all access rights are managed automatically by automated scripts.
Role concept – possible content of a role
All access rights at E-Plus are summarized within roles. There are two types of roles used in biCube. The first type of roles contains only one application that consists of multiple components (e.g. frontends, servers, databases). The second type of roles contains different applications and is a role in its theoretical meaning. This second type is used when numerous users need the same access rights, for example a callcenter-agent that needs access to Windows, Lotus Notes, several customer care applications etc.
Role structure for E-Plus and subcos
Within the presentation the structure of roles is shown. The structure consists of 1886 workflows. 389 of these workflows are type-2 roles (see above).
Automated provisioning of access rights
Windows accounts can be created and deleted by an automated interface in two independent AD Domains. Global Groups can be added or deleted as well. This helps the administrators to focus on more qualified tasks than user management in AD.
Limitations and capabilities of a role model
A role model can not describe 100% of all access rights. The daily routine shows that employees that work on the same job in the same organizational unit can need specialized rights that differ from their colleagues. Beside the defined roles nearly all access rights have to be requestable for the users. This fact helps to understand why “only” 389 of 1886 workflows in biCube are roles in the strict sense of the word. A role often can only be the basis of the needed access rights.
A role model helps to keep the overview over a complex structure of access rights for administrators and users as well. This fact allows a strengthening of IT security and enables consistent support for compliance requirements (e.g. ISO, Sox). Users profit from an easier way of requesting access rights which reduces the range of possible errors. Rights of employees are grouped which makes modifications of access rights for several users easier. Considering this a role model is mandatory needed to manage large amounts of different access rights for a high amount of users.