Mission Possible or How to Implement Automated Identity Lifecycle in a 200 years old Enterprise

Yes. So my name is Rina I'm business Analyst and the Swedbank digital identity team. And thank you all. And hello guys there on the other side of the screen. So agenda is not that big. I will first introduce myself digital identity team and SW bank, and also SW bank. Then I will introduce a bit of our architecture pattern that we implemented during the identity life cycle automation project, and also some takeaways that I took with myself while being Analyst in a big project. So yeah, here on this picture, you can see my nice colleagues two years ago, just before Corona started. We had a nice team event. We have also our, our precious team lead and service owner on this picture. So we can count. We have only eight persons implementing in fact, active directory, Azure active directory, single identity management system, and authentication authorization.
So we have very compact team providing a lot of services and I'm working in almost five years in Swedbank in a digital identity team. And previously I had 10 years of experience in quality assurance and also as a business Analyst Analyst Analyst in a different project. Swedbank for those who, who doesn't know, it was really established in 1820, it was born from one of savings banks in Sweden. So you can imagine how much legacy we have for those 200 years. We treat as a whole market, Sweden and Estonia, a lot 2020, which I will call later as a Baltics. And we also have international subsidiaries in Shanghai, United States, Lux, Denmark, Norway, and Finland, and our precious digital identity team is providing services for whole Swong group for 60 savings banks in Sweden. And in total, it's a bit more than 26,000 human users, which are registered in four different HR systems.
So we have HGM fusion and Swedish side to host Swedish employees to host international subsidiaries and also some of savings banks. And in BICS, we also have Oracle HRMS, but I would say that they're kind of silo. So in Estonia own Oracle HRMS and LA their own and lit their own Oracle HRMS. So if person would be moving from Estonia to Laia, it would be like a totally different person registered in, in the system with, even with a different national identifier, because in Estonia, they registered Estonia national identifiers and Laia they registered LA national identifiers. And even more complexities that the consultants, that third parties that were just discussed here also on presentation ago, third parties are not registered in HR systems and also few savings banks having their own HR systems. That is why they are not even an HTM fusion for, for such cases.
We decided to implement self-service form in our project, and we use the self-service form as implemented in sale point. We are using sale point as identity management system. Well, this is amazing slide. I can talk about it about two hours, but I don't have two hours, unfortunately. So the major thing that we did in this project is that we introduced person identity and user identity. Also person is reflecting the real human with date of birth, national identifier, first name and last name. And we also aggregate assignments from different sources to this person, identity and assignment, as they're coming from different sort of for, for systems, HR systems and one self-service form, they have different attributes. Well, they, I mean, they, they have different structures. So attributes are mainly like first working. They lost working, they department manager, but the structure is really different. So, and also assignment is depending on legal entity, that where person is working.
So in our case, it would make a problem that one person is moving from lair to REIA legal entities is changing. So like new user accounts and username. So it's not acceptable because they still need to use the same, the same access rights, the same account, the same mailbox. So that is how the idea of organization and employment was born. So we define that employment is relationship to, with the organization at the like limited period of time. And for each employment, we also created the user ID and user identities hosting application accounts, which I used for fulfilling working tasks when you are working for, for this organization. So for this bank, for, in this case, it could be working for state bank or working for sale on three screen compliance or working for Healthland spar bank. So yes, this is extremely good example that I found in our production, that person had multiple at multiple assignments and multiple in multiple systems like this.
For example, this HR, a here it's representing the representing this self-service form and HGM is the Swedish HR system. So here, yes, you can see the three employment, sorry, three employments in different organizations. And for each of those employments, there is a user identity created withs username, which I hide here. So, and you can see that the C bank employment is already closed. So person left Redbank, and two, two are still select active with different user names. So that person would have different access rights in different organizations. And then next very important thing that we manage to deliver in this project, as I mentioned, is this self-service form, which is dedicated for savings banks, which are not using our HR systems and consultants. So this, this form has like very trivial fields, nothing special. I think you all know that it's like first names and managers and departments, and almost very similar form.
We have also for changing assignments. So if for example, manager is changing or department is changing, or I don't know, it's, it is necessary to set set end date, and this end date should be tomorrow. For example, to register liver, it would be the same form. And it, when we had the first rollout, we did one big mistake. In fact, we did, we didn't have this very nice field national identifier type. So we rolled out, we did checks for main. We did checks for main national identifiers, not valley 20 Australian Sweden. And then we marked the requesters tend to cheat about national identifiers. So we decided that we need to make it more strict check for national identifiers. So in agreement with HR system, we implemented a new field, which is called the national identifier type. And for each type for each country, we now check, or we validate the national identifier so that they could not cheat about nationals because it's just not possible to do identity management without national identifier. So when you do the same project, don't do our mistake because the getting this initial identifier, bringing them to later in the database, it's really painful activity. I can say you from my experience.
So this form also helped us to implement one very important business case. You also probably have experienced it, that managers, they tend to do their work late. So currently our process is working this way, that manager is registering assignment in HR system. And then the next day we get it, we work on it. We create accounts and so on. So we run our identity cycle processes, but sometimes managers are late and HR payroll has their own processes. So if managers send the inquiry to register employee, they do it on the two, three days. So it's delay. And that is why manager is very angry coming, Texas management saying, well, I need those accounts to be created right now. And then what, what happens next? When they come then no access management creates, fulfills this form, no approval as because we trust Texas management. And then they have specific button where they aggregate employment exactly for this assignment.
And then accounts are created like in one, two hours, like all mainframe account ad account mail, mailbox, home directory, like everything that should be created, certificate provision for smart card. And when in two, three days, finally, the HR assignment is arriving. Then everything is fine there. This manual manual ordered or sales service order assignment is overwritten by HR assignment because we, we trust HR assignment. It has a, a bigger priority than manual assignment. So then there was more interesting things during our rollout. So we knew even before the rollout that organizational three and HR three, they are not equal. So we knew that HR long time ago, 10 years ago, they took this organizational three as a basis for them. And then they adjusted it during those 10 years for their needs to share goals and so on. So finally, I would say that those three organizational three and HR three, no, they are not equal.
And, and that is why we had a problem that after rollout, we find out that for around 10, 10% of users, we cannot really, we cannot really allocate them into organizational tree, know the HR department, but we can't find for this HR department, we can't find the, unfortunately the organizational unit, the department and organizational tree. So then we ask from our access management, what would you do if you get this request and you don't know where department is, and then they answered, well, we would search for similar colleague, check the metadata there. And then we would put this user into the same organizational cost center. And we said, well, this is what we need. And we really implemented this logic and quite a lot of suspicious places where we couldn't find the organizational data. So we checked the colleague and took this organizational data from, from the colleague, another different, good thing, or I don't know, very interesting thing that turned out well.
We knew also that not all users, which who are registered in HC fusion, not all of them should have accounts or should have access to set bank infrastructure. We agreed before rolling out with HRT and that they would change their business process. They will mark those users specifically. And then it's all started. It turned out that managers are not informing, not informing HR admins that in reality, this user will not need username. They will be just managed the HR. So we needed to at one extra step to onboarding process. We now, what, what we are doing when we get this assignment, we know that we need to create username. The first ask for confirmation from a manager. So in this confirmation form manager can say, no, I don't need the new username. The user will not be using the infrastructure or the other second is yes, the user will be using infrastructure and really need this new username.
And third option was born from another reality is that as I mentioned, we, our consultants are not always registered in HR system. So we have, I think around three, 4,000 of consultants who are not registered, and then they are starting as employees, but we have never seen them previously in HR system. So we would start onboarding and the managers were also angry at why, well, we don't need, I want still to use this old P I D because I have all accesses and email and so on there. So we don't need new P I D. And this was the third choice here that they can provide existing username to, to be immigrated. So they don't need a, have a new one. They will reuse existing. And now, yes. Now a few few, you think that I learned from this project, one is that if you talk about onboarding to our part is creation of account and time enabling.
And so, but in fact, onboarding in the organization, starting from this moment, when person said, yes, I will join your team and finishing in the morning of first working day, when you are really getting smart card, logging into computer and getting first welcoming email at hello and welcome. So you need to know this process. You really need to know so that you could align your activities, the things that you are automating in the whole process, which is onboarding process. Next thing that we did, and we really good that we did it are really happy that we did. It's getting description and explanation of data fits from HR system or other integrating system. Because during putting those descriptions while describing it with our HR partners, you find out that, in fact, for example, we don't before that we didn't get them future data. So we need future assignments to know that this person is starting in one month and we need to start creation of accounts.
And before this project, we didn't get it. So we started to work with, with HR partners actively so that they would send this information to us. And by rolling out, we really get it. And, and this was valuable. Other thing is trust by verify. So when you describe some integration, ask for example, files in production so that you could really check what is there, and you will not get surprises in production finally. And very important thing here is just acknowledge the rollout of new processes is not one day activity. This can last for multiple months and must be treated and described as a separate process. So I did separate descriptions and user guides and a few meetings for access management saying to them, well, here we have old identities. They are not yet immigrated. You can detect them this way. Here are the new identities.
They are now managed by new process. You don't need to touch them. And we also changed our old script this way, that it would keep the, the ones identities that are already immigrated to new way of working from development. It would be really valuable to mention that it's business Analyst think to control the scope and drive team to do characterization. What I mean by that, I mean, that developers knows their components very well, better than Analyst, but Analyst knows whole puzzle have whole view of, of this activity. So if you're talking about identity, lifecycle processes, I knew that our access management also sometimes need to rename accounts. And if you roll out automat generation of user names, then we need also to provide somehow automatically renamed accounts, or at least the having the user name automatically. So here, the second thing is coming to discuss the native solution.
So when we need to rename account, we can go the simple way. Like we also would create a mix file for them. Then they would get from that file, the new account names and just do the rename. But the other option is, yeah, it can be something more, more advanced and really, really valuable. So, but if you are time limited, you can really discuss the solution with your team. And from testing perspective, reverse immigration rollout. If you have a time and if testing resources limited verify major business cases and prolonged piloting period to business cases in production. So this is how we did the, what was important for me also in the piloting period is that I learned to point Java bit before rolling out. And I managed to write my custom reports. It gave me opportunity to check them not only concrete cases, but I could in percentage say, okay, we be created 90% of users, but those attributes are wrong for them.
So we either need to have a batch job to fix it, or we need to fix them one by one, if it was less. So we could make, we had the data, we had the statistics to make decisions this all about communication. It's not a secret for everyone will communication to the proper. And from rollout perspective, the define different scopes and rollout in small scopes to keep incidents Q managed. We literally did two things in two places. One place was then we started immigration for particular group of users. We thought, well, now everyone from this legal entity, everyone from this country should be treated new way. Or for example, the users having termination date in two weeks should be all now immigrated to new way of working. But the second place where we did this is, was this automatic processing. So we, we also wrote there that now all those users are having termination date and two weeks now, all them should be automatically processed or all the users appearing in legal entity, complet, legal entity.
They all should be automatically processed. So we accepted that this is a process and we just described it as a separate process, all those roll out things. And yes, start roll out from the process that has smaller impact on active employees. And we started with liver because yes, this not disabling user is bad, but if you're disabled 23,000 users just by mistake, it it's really, really bad. And the key takeaways here that we, we were doing this project really long. So you need to know that everything is possible, but you find viable medium that should live this sentence. I really hate because I heard that every in every, every success story, but yes, you need to involve the management and they should work for you. They should really prioritize. We could not finish this project until we really get management involved. And one thing how to do it, it is for example, to open a risk. Well, it can hit you. You can get done for a while. You need to be creative to close this risk by 30th of June. But from the other hand, you will get like motivation and per person should be involved to close the risk. Still start roll out from the end and find a way to analyze your data, to make sure that everything is okay. Not only with concrete cases, but overall, thank you.
Thank you. A Catarina giving us a very deep view into your project. I think now we can work at Smith bank also. So if you have any questions left, please.