When and why would you need such a system?
Identity management: what is it?
It is a tool for managing corporate identities: defining and removing access, and the respective profiling, throughout the identity life cycle (hiring, job change and termination).
The terminology
Beginning to navigate this field, one hears various acronyms, for example:
- IM (Identity Management system) or IDM (Identity Management software or solutions)
- IAM (Identity and Access Management)
- IAG (Identity and Access Governance) or versions thereof
- Identity and Access Intelligence
- Identity Analytics & Intelligence or Governance Risk & Compliance
The last term is somewhat ambiguous for those familiar with SAP systems, since the SAP GRC system is called just the same.
So can an IDM system replace a Governance tool? Perhaps this question is a bit too generic. Simplifying, and looking beyond the various terminologies between IDM and IAG, we could say that:
- IDM refers to the more operational management of identities, that is, their technical definition and profiling in the various environments connected to the Identity Management tool
- IAG means all those functionalities for control and best use of the data available (identities, logs, etc.) in the Identity tool
The ultimate goal of the above is to reduce manual access management as much as possible while improving control of the system, thus focusing more on governance.
Nice, no?
But it is not always so easy to do.
Which companies need an identity management tool?
There are obviously no limits. Any company could benefit from an identity management system. In this case, we cannot consider only core corporate systems (e.g., ERP).
All systems come into play in an Identity project: for example, Active Directory (cloud or on-premises, see later sections), management systems (SAP or non-SAP), other third-party systems, cloud applications, and more.
Suppose we are in a small company with 20 employees. How many systems could there be, and how complex?
- A management system (usually present, more or less complex, perhaps "homemade")
- The mail system (let's assume Microsoft), so Active Directory/Office/Exchange, maybe in the cloud
- A ticket management application, perhaps also in the cloud
- The system for viewing payslips online
A company of 20 people actually gets to manage 80 accounts (on different systems and with different ways of profiling). Probably more, since other systems and additional complexities are surely present.
What does management look like in a company with 100 or more employees?
For GDPR compliance, too, it can definitely be an important help in terms of management and saving time on access control.
Can there be confusion among these systems?
Sometimes it happens. One of the main causes is the ticket management system already in place in the company. These systems are often misused as access management tools.
In fact, not everything always has to be handled through a ticket in the ticket management tool.
The use of identity solutions makes it possible to generate unique requests whose activities can be fully reconstructed from the audit logs.
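As an added illustration (not code from this article or from any identity product), the sketch below models the 20-employee company described above: each HR event for hiring, job change or termination becomes one uniquely numbered request, and the changes it caused across the four systems can be reconstructed from the audit log. The system names, role names and profile mapping are constructed assumptions.

```python
import itertools
from dataclasses import dataclass, field

# Constructed data: the four systems from the 20-employee scenario, and a
# hypothetical mapping from business role to the profile in each system.
SYSTEMS = ("erp", "mail", "ticketing", "payslips")
PROFILES = {
    "sales":   {"erp": "sales_clerk", "mail": "mailbox", "ticketing": "requester", "payslips": "self_service"},
    "finance": {"erp": "accountant",  "mail": "mailbox", "ticketing": "requester", "payslips": "self_service"},
}

@dataclass
class Idm:
    accounts: dict = field(default_factory=dict)   # (user, system) -> profile
    audit: list = field(default_factory=list)      # one row per change made
    ids: itertools.count = field(default_factory=lambda: itertools.count(1))

    def handle(self, event, user, role=None):
        """Apply one HR event (hire, job_change, termination) under one request id."""
        if event not in ("hire", "job_change", "termination"):
            raise ValueError(f"unknown HR event: {event}")
        request_id = f"REQ-{next(self.ids):05d}"
        wanted = {} if event == "termination" else PROFILES[role]
        for system in SYSTEMS:
            old, new = self.accounts.get((user, system)), wanted.get(system)
            if old == new:
                continue                            # nothing to do in this system
            if new is None:
                del self.accounts[(user, system)]
            else:
                self.accounts[(user, system)] = new
            action = "revoke" if new is None else ("grant" if old is None else "change")
            self.audit.append((request_id, event, user, system, action, old, new))
        return request_id

    def trail(self, request_id):
        """Everything that was done under one request, for an auditor."""
        return [row for row in self.audit if row[0] == request_id]

def onboard_company(headcount=20):
    """Hire `headcount` employees into the constructed 'sales' role."""
    idm = Idm()
    for n in range(1, headcount + 1):
        idm.handle("hire", f"emp{n:02d}", "sales")
    return idm

if __name__ == "__main__":
    idm = onboard_company()
    print(len(idm.accounts), "accounts")
    for event, role in (("job_change", "finance"), ("termination", None)):
        for row in idm.trail(idm.handle(event, "emp01", role)):
            print(row)
```

The job change touches only the system where the profile actually differs, while the termination leaves one revoke row per system under a single request id.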
But then what are really the difficult points?
There are several aspects to consider. Here are some examples, which are related to each other:
- Will it be used by IT or also by the business?
- Will there be a connected HR system that will trigger events?
- Is profiling in the target environments properly handled?
One of the main weaknesses of Identity tools today is their usability, in two forms:
- The user struggles to use the tool; we could say it is not user-friendly (case one above)
- The user does not know what to ask for (case three above)
The latter is perhaps the main problem and cause of failure of identity management projects.
If profiling in the various systems is not clear to the users who will have to make requests, this issue is not solved by introducing a new business tool.
Moreover, in most cases this issue arises precisely during SAP systems integration.
Therefore, given the complexity and business presence of these systems, it becomes critical to verify the profiling in the system before starting an Identity project.
Read here how to define an authorization concept in SAP.