Simplified User Provisioning
By Gary Kirkwood
Have you ever joined an organisation and had to wait weeks to get the correct access to all the systems you require to enable you to perform your duties? I know I have and I’m sure that I am not alone. The delay isn’t just that you’re waiting for all the systems to be set up, it is also the fact that multiple teams need to approve the access, which is often time consuming, frustrating, and unnecessary.
This has been an issue in my many years of experience in SAP Security and Authorisations. I started in User Administration creating users, provisioning roles and incident management using SAP Workplace (formerly Central User Administration or CUA) to assign SAP systems to users. But in some instances, CUA could not provision users with all the systems they required as some were standalone solutions that required maintenance in them as well.
Furthermore, each system had its own authorisers and approvers, so I would have to wait for all the authorisations before the user was created. It could literally take weeks to create a single user with everything they needed.
Then came SAP Identity Management (IDM) which was a major improvement with the concept of Business Roles. It combined SAP systems into one role which had a better approval process utilising Workflow, rather than an incident ticket or email chain.
Again, this process only facilitated SAP access. Users could still be kept waiting for their email account or a remote worker could be waiting for VPN access or a remote desktop for example, continuing to require several approvers across multiple teams. Incident tickets could sit in a team’s queue for weeks or sit in the wrong queue.
User Management processes can be convoluted and unnecessarily complex. Sending multiple separate access requests to IT Helpdesks, one system at a time, is very time consuming, as well as costly to the business in lost productivity and revenues while a user waits to be granted access. Even SAP GRC Access Controls cannot truly streamline these processes and align all provisioning (SAP and non-SAP) under one solution.
As part of Winterhawk’s commitment to deliver solutions to enhance client environments in Access Management, I was introduced to the Hitachi ID Bravura Identity application, and recently undertook an extensive training and implementation course. I could instantly see its benefits – it is a fully-automated and centralised user provisioning tool which can be tailored to a business’s requirements to ensure the right access to all systems is assigned and ready for the day the user starts with your business.
All requests are workflow-controlled and raised by the people who know what access levels should be provided. Access can also be amended automatically when users move roles or teams to avoid potential segregation of duty issues. If prior authorisations are not removed but simply added to, this can lead to potentially fraudulent activities, and affect compliance with legal requirements etc. Automation provides reassurance that violations due to excessive authorisations are managed and restricted.
Hitachi ID Bravura Identity can be aligned to other applications, controlling access to these systems via its automated provisioning tool. It’s helpful that the solution is able to manage different user ID formats if these are not standardised. For example, some applications use email as the ID, and some (SAP for example) could use a different format. Again, this centralised and automated process saves time, effort, and costs to businesses.
Similarly, the process for offboarding users is managed more efficiently. We often see user accounts which have been left dormant or even used by other team members until they are removed (after multiple requests to the IT Helpdesks or notifications to HR). Instead, managers can schedule terminations, with automated processes disabling accounts as and when needed.
We here at Winterhawk are certified implementors of Hitachi ID Bravura Identity and many other solutions across Identity Access Management, privileged access management and password management, which we can deploy in relatively short timeframes. We have years of experience in Identity Management as well as Cybersecurity, Fraud Protection and Data Protection for SAP systems.
Get in touch to learn more about simplifying and gaining control over User Management processes in your organisation.