IT-project vs organizational change
Initially, we identify to which degree the project is an IT project or an organizational change.
Limited IAM projects focusing on Single Sign-On are often more technology-driven and involve fewer organizational elements. On the other hand, introducing a comprehensive IAM solution requires much more understanding of the organization and the way it works. Because of this, we know how to adopt our methodology to the scope and objectives of the project.
Main principles behind our methodology
Early involvement of the customer in mapping roles and processes, often organized as a separate subproject. In general, we strive to work closely with the customer through joint project teams and steering committee consisting of key stakeholders from all parties involved.
Value creation for the organization as early as possible. This is especially important for larger implementation projects. The solution should simplify the daily life of the company long before the project is completed. Our projects are therefore more like sprint iterations than traditional waterfalls.
Modular division of the project into several phases. Each phase consists of 3 parts:
1. Planning: Clear definition of objectives and acceptance criteria, for example in the form of user stories.
2. Implementation: Installation, configuration, development, and continuous unit testing.
3. Test and handover: Acceptance test, handover to operation and management.
Roles in the project
Project manager: Responsibility for planning, coordination, and follow-up of progress. Provides reports for this as well as on quality and finances
IAM Advisor: Advises the client and ascertains functional needs. Clarifies the consequences for the organization
IAM Architect: Responsible for solution design and project implementation
IAM Solution Engineer: Sets up and configures the solution
IAM Developer: Responsible for developing integration components
We adapt the project team to the needs of the client and the project. In smaller projects, the same consultant can fill several roles.
Role-Based Access Control (RBAC) - establish the role model
Roles are one of the foundational concepts of Identity Management and Identity Governance. Roles are used for creating hierarchies that model the distribution of rights within the organization. Users are made members of roles and thus get the roles' application rights. The purpose of RBAC is to simplify access management, especially with regards to automation.
A simple RBAC role model consists of a handful of business roles such as "employee", "accountant", and "project manager". An advanced role model often consists of hundreds or even thousands of roles that are in a hierarchical relationship to one another. The more roles, the more granularly the access management can be controlled.
Mapping existing roles and associating these with applications and access is a key task in an IAM implementation. We use various tools to provide an overview of existing accesses and analyze concurrent access patterns, called Role mining. If existing accesses prove unsuitable for use as a template for future allocations, we will design the role hierarchy in close co-operation with the customer.
Digitalization of the identity life cycle
We customize the IAM solution to automate key events within the identity lifecycle such as user creation, relocation, or termination. The events usually start outside IAM, in the HR system, a CRM database or directly in Active Directory, and govern what should happen to the identity. The update often involves establishing or removing user access but also adapting the previous access profile, e.g. when a user moves internally within the organization.
Interesting challenges arise when the same person can act as both employee and customer (or member). The employee identity comes from the HR system, while the customer identity has originated from the organization's Ecommerce solution. Without an IAM solution, this creates challenges because these two roles appear to be two separate users. When introducing the IAM solution, we then ensure that the user's different identities are combined into one user object and that access is controlled depending on which "hat" the user is wearing in a given context.
The portal is used for everything from resetting passwords to requesting and approving new accesses. We adapt the request process to the needs of the organization. Certain requests may need to be approved by different people depending on the person's position, his/her department or the requested access. In some cases, it might even be needed to have several people collectively authorize the request.
It is also possible to extend the portal with several features. For a shipping company, we have adapted the request process so that the customer can specify which port the access request applies to. In this instance, the portal needed to be integrated with a third party system that contained information about the ports in question.
Integration with source system and other systems
We integrate the IAM solution with existing systems, such as HR applications and Active Directory, but also applications that the IAM platform should control access to and authenticate users for. Depending on the application, integrations are done based on the IAM platform's included integration modules, or programmed by our developers.
Our numerous implementations are a great benefit in this work, since with each one, we expand our portfolio of available integrations that can be re-used and adapted for other organizations.
Test and quality assurance
Quality assurance ensures that project processes produce predictable deliverables of good quality, and it is based on the following key processes:
Predefined quality controls frequently verified during the project.
Standardized approach to entitlements and policy definition processes.
Data quality verification and rigorous solution tests.
An Identity Governance solution is a tool to support business processes related to user management, support and security management:
- End users should be able to order access and update the selection of profile information
- Managers should review roles and orders and be able to set up a substitute during periods of absence
- The security officer shall carry out access audits and follow up deviations
Therefore, for a successful introduction, it is crucial that the organization becomes familiar with relevant functionality, in the simplest way possible. We solve this by providing good information to the organization at all stages of the project, as well as facilitating user-friendly training:
- E-learning in the form of short videos tailored to the customer's solution
- Technical courses (on-site or remote) for support and system owner