Everyone wants to integrate their access request processes into ITSM, but what is the reality behind this?
What kind of integrations are required, what are the pros and cons of requesting access through the ITSM solution instead of the IAM solution.
This talk is based on several (long) discussions with several clients
So like I said, hi, my name is Klaus Nati. I'm working as an IAM expert in the IAM team at PwC Denmark. And as an IAM consultant, I very often hear from clients that they want to use their ITSM solution as what we call a one-stop-shop solution, including requests for access rights.

Of course, this would normally be performed in the IAM solution, and there are pros and cons for using ITSM for requesting access rights. Hence the slightly provocative title of the session: are we working with or against our ITSM colleagues? Many of your stakeholders think that a one-stop solution using the ITSM solution is just a natural thing, and seen from the end-user perspective it makes perfect sense. But as you know, the devil lies in the detail, and this is also true for this matter.

In this presentation, I will use experience from practical work with clients, but I will not mention any specific ITSM or IAM solutions, although the experiences are bound to certain products. So before going into this, let's start by looking at this process framework. We normally use this when we talk to clients and start IAM projects. As you can see, it covers the main processes, going from identity lifecycle to access management, enforcement and IAM operations and support. And you can see that I've highlighted access request management as the main topic, of course, that ITSM will be able to take over.

But also the account lifecycle management, being the provisioning, which ITSM partly can take over. This will normally mean that it's systems like we just heard from queer with limited integrations, meaning all changes are carried out using tickets to the system owner. Sometimes we even see that the roles are defined directly in the ITSM solution. I will not recommend that model though, so be aware of that.
Let's look into how we actually have the access request process in the IAM solution. And remember that what I have on this board here is a very simplified model of an access request process. Of course it can be made in very different ways in different vendor products. So I'm just using this to highlight the intelligence that lies within the IAM products and which is being used during the access request process. So I have two different models. The first one is a manager searching for access for an employee, and we could say it's an AI-like request.

So which accesses do you typically have in department A? The IAM solution can do so because it knows all about all entitlements and roles for all onboarded applications. Does the ITSM solution know that? Further, the IAM solution knows on behalf of which employee the request is made, so it can look for other employees in the same department and suggest what the common accesses are for those employees, or for those using the same job function or any other available attribute that you have on the employees. Or, number two below:

The manager can simply ask for the relevant role catalog for the department, for the job function or any other relevant attribute. Of course, using that kind of search, the manager is at risk of getting quite a lot of roles to scroll through. If the IAM solution has a software interface that you have enabled, the employee of course can basically do the same access request types as mentioned here.

The only difference being that there will normally be an approval step included, performed by the manager or the application owner or both, and the IAM solution will know all about this information, where to send the approvals. Will the ITSM solution be able to do that? You can question that. So the next step in the request process: when the manager has selected the relevant accesses, they are sent for further processing in the IAM engine.

The first check is typically for segregation-of-duty rule sets, and IAM knows which other accesses the employee has and can report any violations back to the manager for approval or decline. As a part of this, the manager can write the reason for approving an SoD violation, and eventually this can be sent for approval with the application owner. Will ITSM be able to do all of this? So IAM checks whether or not there are further approvals that have to be carried out. How would that be done?

In IGA, IAM sends a notification to the manager and to the employee if there are more approvals, and if they do not react within a set timeframe, IAM can send reminders. ITSM? And if the approver is on vacation, there might be an approval forwarding rule, meaning that IAM sends the approval to the substitute approver, or the approver has set a permanent substitute for approvals.
Again, ITSM question mark. So the next step in my presentation will be to look at the different integration types that you have between IAM and ITSM. The first one on the left side is what I would call the basic integration, like for any other application, where you need to maintain the joiner-mover-leaver processes for accounts as well as access rights. And to be able to perform the governance processes, the IAM solution must also be able to read back the access rights and the accounts from the ITSM solution, which is why you can see I have arrows in both ends. It's a double, two-way integration.

The second integration, of course, is what we call the catalog integration, which is required because the ITSM solution needs to know which access rights or entitlements should be requestable within the ITSM product. And this normally requires that the whole catalog from the IAM solution is synchronized between IAM and ITSM. The IAM solution will know who the application owner is, and whether this is metadata on the role itself or it's done in any other way is of course vendor-dependent and implementation-dependent.

But ITSM will have a hard time doing the SoD check and also sending the approval to the application owner. So for the ITSM solution to be able to know the relation between the manager and the employee, like I talked about, it might also be required to synchronize the organization hierarchy from IAM to ITSM. So can you feel that the complexity in the integration is growing? Now the last integration that we have, the third integration, is the so-called ticket integration, or provisioning of accounts and access rights.

So the tickets will typically go through the IAM solution, which in turn will pass the tickets on to the IAM provisioning engine. If you're not doing it this way, then the IAM solution will not know which roles have been assigned to the employee, and the access governance process will fall apart because you don't know who has which access, and it will require another form of data flow back from the application to the IAM solution. So be very careful when you write in your RFP or your change requests that you need an ITSM integration. We see that very often.

ITSM integration can be done in very many different ways. So you need to specify what you are actually looking for. Which kind of integrations do you need? Now let's look into how you can actually make these integrations. On all the slides I have the ITSM on the left side and the IAM on the right side. And I will show you three different ways of integration. This is what I call a look-alike interface. And I will not show the basic integration, the first one I talked about, because we see that as a standard integration, right?
This integration here uses deep links from the ITSM, via what you could call a custom-built ITSM application, to the IAM solution's access request API, meaning that you are mimicking the IAM processes but within the GUI frames of the ITSM product. The user experience is of course that access rights can be selected within the ITSM solution, hence giving you a one-stop-shop effect. But all the further processing will be performed within the IAM solution.

We linked from the ITSM, as you can see below. When a ticket has been started, we need some way to understand: should we just fire that ticket to the IAM solution, or should we have feedback? That's another complication in the integration. But this basic type here is what we call the catalog integration and uses the IAM API. So the next integration type that I will show you is also a look-alike integration. I would call it the cheating integration, because what we do here is that we use iframes to show the IAM GUI web pages.

Meaning that the user gets a virtual one-stop-shop experience, since the user only needs to have the ITSM app on the desktop. But as soon as a user chooses to request accesses within ITSM, the user is kind of transferred to the IAM solution, which handles all the functionality. This is of course by far the simplest way to integrate IAM and ITSM, but of course you might end up with different graphics in the two solutions, different ways of working with shortcuts. So it's not a perfect way to make integrations.

However, our experience shows that this integration type requires the least effort and still gives the end user the wanted one-stop-shop experience. There is one more option; I haven't made a slide for that, but that's simply to place a link in the ITSM solution that just brings the user over to the IAM solution, of course. So the last one is the full-featured integration, and it means that you basically program everything that is required to make access requests.

You program that within the ITSM solution, again using data of course from the IAM solution, but the functionality is placed within the ITSM solution. The user will experience a true one-stop shop for access requests, but it might be with limited functionality compared to access requests directly in the IAM, for the reasons that I mentioned in the beginning of the presentation. And of course, the more IAM functionality you want to have in the ITSM solution, the more complex the cost and programming gets, and the complexity of the integration is highly increased.
So always remember to ask your IAM vendor which kind of integration is available for which ITSM products, and what kind of functionality is actually delivered through that integration. So if you look at the considerations, always consider what the actual purpose of requesting access within ITSM was, how far you want to go in terms of functionality, and what the cost of doing so is. Should approvals be performed in ITSM or in IAM? And if it is within ITSM, as I said, you need to have knowledge about the organizational hierarchy in the ITSM solution.

Like I said, will the role composition take place in ITSM or in IAM, and how is the tracking of tickets fed back from the IAM to the ITSM, so the ITSM could close a ticket?

Again, as an alternative, consider what we call fire and forget: just send a ticket and close the ticket at the same time. Of course, upgrading either the ITSM or the IAM product can lead to a malfunctioning integration, so you need to consider this as well. Access requests via AI or SoD checks require knowledge about any existing accesses that the user might have, and you do not have that natively, of course, in the ITSM solution.

So you need to be aware of that and remember to ask your IAM software vendor, like I said, what depth of integration they actually have in their integration types, and possibly how many clients are using it, because is it properly maintained when there are new releases of the IAM product? But also remember that the more mature the IAM solution gets, the more birthrights as well as specific accesses for the individual employee will be assigned automatically through rule sets. That is what we want, right?

And this means that the manual access requests in the ITSM solution will be fewer, and hence the ITSM integration will be used less. So where do you want to spend your time and money: to mature the IAM solution, or to make a complex and expensive and perhaps short-term integration between IAM and ITSM? This actually leads to my wrap-up slide. You need to map all your access request processes in detail. If you do not do that, you do not know what should be transferred to the ITSM solution. That is paramount. And always consider the complexity that you have in such an ITSM integration.
Like you've seen in my presentation, consider the business value of actually requesting access in ITSM. Is it just the ITSM team that wants this, or is this a real business need? Always ensure backup from management level if you do this, and make ITSM system owners your best friends, because you'll really need it. That's all for my

Thank you, Klaus. We have a question from the audience. Thanks so much. So first of all, it seems to be one of the best received and well attended talks here. Very, very important. So would it be okay if I quote you that you rather prevent doing all the access request and approval workflow as one of the priorities, because assigning entitlements and accounts in an automated way through birthrights and through roles is the better way to do it?

Yeah, I think... Thanks so much. That's what I wanna... I say I agree. Don't do it.

So we have maybe, yeah, a couple more questions. Yeah, we have some in the app. So let's see. Here's a good one: our fulfillments are near to real time. What would you recommend: to integrate with our ITSM, or let it stay in IAM in that circumstance?

Can I read it? Yeah. Near to real time, so I can't... Yeah, sorry. Sorry, which one was it? The middle one here? Oh, fulfillment. This one? Yeah. Yeah. What do you recommend?

Yeah, I would again recommend it to come directly from the IAM solution, because I mean, if you start to have integration between the ITSM solution and the applications that you have, you need to have multiple integrations, because like I said, for the governance processes you need anyway to feed back the access and account data from the applications to the IAM solution or the IGA solution. So I will for sure say IAM.

Okay. I think we have time for one more quick one. There's a known issue with fire and forget: it means the ITSM is unaware of failures, or at least partly. So how should we plan for auto-retry or self-remedy in that case?

Good question. I think this is again back to the IAM vendor and how they have made the integration between the ITSM and the IAM solution. How well is this done, and how good is the ITSM solution actually at understanding, via the API, the requests that can come back from the IAM solution? So back to your vendor, asking how good is your ITSM integration actually, and see it work live; that's always a good thing to do.

Thank you, Klaus. Okay. Thank you much.
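The access-request intelligence the talk attributes to the IAM solution (suggestions based on peers in the same department, an SoD check against the access the employee already holds, and approval routing with substitute approvers) is modelled below as an added illustration; it is not code from the talk or from any IAM or ITSM product, and the employee, role, owner and SoD-rule values are constructed sample data.

```python
"""Model of the IAM-side access-request logic described in the talk:
peer-based suggestions, SoD check and approval routing with substitutes.
Added example with constructed sample data, not code from the talk."""
from collections import Counter

# Constructed sample data: department, manager and currently held access.
EMPLOYEES = {
    "e1": {"dept": "finance", "manager": "m1", "access": {"AP_CLERK", "ERP_READ"}},
    "e2": {"dept": "finance", "manager": "m1", "access": {"AP_CLERK", "ERP_READ", "EXPENSE"}},
    "e3": {"dept": "finance", "manager": "m1", "access": {"ERP_READ"}},
    "e4": {"dept": "hr", "manager": "m2", "access": {"HR_READ"}},
    "new": {"dept": "finance", "manager": "m1", "access": set()},
}
# Role catalog with the application owner kept as metadata on the role.
CATALOG = {"AP_CLERK": "owner_erp", "AP_APPROVER": "owner_erp", "ERP_READ": "owner_erp",
           "EXPENSE": "owner_exp", "HR_READ": "owner_hr"}
# Segregation-of-duty rule set: role pairs that must not be held together.
SOD_RULES = [("AP_CLERK", "AP_APPROVER")]
# Approval forwarding rule: substitute approver while the owner is away.
SUBSTITUTES = {"owner_erp": "owner_erp_deputy"}


def suggest_access(employee_id, threshold=0.5):
    """Roles held by at least `threshold` of same-department peers and not yet held."""
    me = EMPLOYEES[employee_id]
    peers = [e for k, e in EMPLOYEES.items() if k != employee_id and e["dept"] == me["dept"]]
    if not peers:  # nobody to compare with, so no suggestion rather than a division by zero
        return []
    counts = Counter(role for e in peers for role in e["access"])
    return sorted(role for role, n in counts.items()
                  if n / len(peers) >= threshold and role not in me["access"])


def sod_violations(employee_id, requested):
    """SoD pairs that would be completed by existing access plus the requested roles."""
    combined = EMPLOYEES[employee_id]["access"] | set(requested)
    return [pair for pair in SOD_RULES if set(pair) <= combined]


def route_approvals(employee_id, requested, out_of_office=()):
    """Ordered approver list: the manager first, then each application owner
    (or its substitute when the owner is marked out of office), without duplicates."""
    approvers = [EMPLOYEES[employee_id]["manager"]]
    for role in requested:
        owner = CATALOG[role]
        if owner in out_of_office:
            owner = SUBSTITUTES.get(owner, owner)
        if owner not in approvers:
            approvers.append(owner)
    return approvers
```

Every step relies on data the talk says only the IAM solution holds natively (entitlement catalog, existing assignments, organization hierarchy), which is exactly what an ITSM-side implementation would have to synchronize first.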