
Authorization management workflow
A Bull Evidian White Paper

Workflow-based identity and access management
By Jean-Louis Glas

Version 1.0
May 2006

Summary

ACME uses workflow to manage identities and authorizations.
The solution implemented at ACME.
Speeding up and making identity management more reliable.

© 2006 Evidian
The information contained in this document represents the view of Evidian on the issues discussed at the date of
publication. Because Evidian must respond to changing market conditions, it should not be interpreted as a
commitment on the part of Evidian, and Evidian cannot guarantee the accuracy of any information presented after
the date of publication.
This is for informational purposes only. EVIDIAN MAKES NO WARRANTIES, EXPRESS OR IMPLIED,
IN THIS DOCUMENT.
We acknowledge the rights of the proprietors of trademarks mentioned in this book.

Authorization management workflow

Contents

ACME uses workflow to manage identities and authorizations .............. 4
  A single, centralized identity-management directory .................... 5
  Administration fully based on a web interface .......................... 5
  The 3 major events in an employee's "lifecycle" ........................ 6
  Scenario 1: Recruiting a new employee .................................. 7
  Scenario 2: A change in an employee's function ......................... 9
  Scenario 3: Departure of an employee .................................. 10
The solution implemented at ACME ....................................... 12
  The main functions of a workflow ...................................... 13
  Providing connection information (login and password) ................. 19
  Departure of an employee .............................................. 20
  Measuring the return on investment .................................... 22
Speeding up and making identity management more reliable ............... 23

39 A2 60LT Rev00


ACME uses workflow to manage identities and authorizations

ACME has set up a corporate directory for the management of its human resources.
This computer tool is used by the Human Resources Department to manage the
organization's employees. However, as of last year, certain tasks were still being
performed manually on paper.
For example, paper forms were still being used to update the application-access
rights of newly recruited employees, promoted employees, or employees leaving the
company.
In practice, this led to the creation or modification of user access rights for
various computer resources, such as accounting or messaging applications. These
rights were generally based on function (accountant, computer technician, etc.) or
hierarchical position (director, system manager, etc.).
These rights were updated manually, upon reception of the paper forms, for all the
systems to which the user needed access. It could take several days to enter the
information into the corporate directory and to update user rights. Furthermore,
the paper process was not controlled, and the departure of some employees was not
recorded.
Therefore, because of the costs related to poor quality of service and the security
risks inherent in information-system access, the company's management asked the IT
Department to reduce implementation time and make these operations more reliable.


A single, centralized identity-management directory

The IT Department has thus implemented a solution that updates user accounts from
the information contained in the corporate directory.
This solution manages an employee's application-access rights:
- based on his/her job attributes,
- automatically, without increasing the IT team's workload,
- according to an access-security policy fully negotiated and formalized between
  the IT Department and the user departments.
Employee identities and the associated attributes are now managed from a single
point and trigger all the associated provisioning operations (1).

Administration fully based on a web interface

All the administrative, identity and authorization management functions in the
corporate directory are performed from a user-friendly web interface.
This interface is accessible not only to administrators but also to end-users, who
can view their existing authorizations and, if necessary and depending on the
security rules, request new ones. Such a request follows an approval cycle that is
configurable according to the level of validation required (line manager,
application manager, IS security manager, etc.), with permanent or temporary
delegation of administration rights. The parties concerned are notified by e-mail
about the processing of their request.
Thanks to this flexibility, unplanned situations are easy to handle within the
standard process and the system can respond immediately to any identified threat.

(1) A provisioning operation is an operation that creates, modifies or deletes user
accounts on the target applications and systems.
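The approval cycle just described (ordered validation levels, permanent or temporary delegation, e-mail notification at each step) can be made concrete with a small model. The following is an added example written for this page; it is not code from the white paper or from AccessMaster. The validator names, the delegation dates, the "Oracle accounting role" request and the separation-of-duties check (a requester never validates his or her own request) are all assumptions of the example.

```python
"""Approval cycle with configurable validation levels and delegation.

Added example, not code from the white paper or from AccessMaster. It models
the approval cycle described above: an authorization request passes through an
ordered list of validation levels (line manager, application manager, IS
security manager), each validator may delegate permanently or temporarily,
and every step produces an e-mail style notification. The roles, names,
dates and the sample request are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Delegation:
    """delegator hands its validation right to delegate until expires (None = permanent)."""
    delegator: str
    delegate: str
    expires: Optional[date] = None

    def active_on(self, day: date) -> bool:
        return self.expires is None or day <= self.expires


@dataclass
class Request:
    requester: str
    resource: str
    levels: List[Tuple[str, str]]            # ordered (level name, nominated validator)
    approvals: List[Tuple[str, str, date]] = field(default_factory=list)
    status: str = "pending"                  # pending | approved | rejected
    notifications: List[str] = field(default_factory=list)

    def current_level(self) -> Optional[Tuple[str, str]]:
        if self.status != "pending":
            return None
        return self.levels[len(self.approvals)]


def notify(req: Request, recipient: str, text: str) -> None:
    # Stands in for the e-mail carrying a URL to the request-processing screen.
    req.notifications.append(f"to {recipient}: {text}")


def open_request(requester: str, resource: str, levels: List[Tuple[str, str]]) -> Request:
    req = Request(requester, resource, levels)
    notify(req, levels[0][1], f"please validate '{resource}' for {requester}")
    return req


def can_act(actor: str, validator: str, delegations: List[Delegation], day: date) -> bool:
    """True if actor is the nominated validator or holds a delegation still valid on day."""
    if actor == validator:
        return True
    return any(d.delegator == validator and d.delegate == actor and d.active_on(day)
               for d in delegations)


def decide(req: Request, actor: str, approve: bool,
           delegations: List[Delegation], day: date) -> str:
    level = req.current_level()
    if level is None:
        raise ValueError(f"request is already {req.status}")
    level_name, validator = level
    # Separation of duties (assumption of this example, not stated in the paper):
    # a requester never validates his or her own request, even via delegation.
    if actor == req.requester:
        raise PermissionError("requester cannot validate own request")
    if not can_act(actor, validator, delegations, day):
        raise PermissionError(f"{actor} may not act for {validator} on {day}")
    if not approve:
        req.status = "rejected"
        notify(req, req.requester, f"'{req.resource}' rejected at '{level_name}' by {actor}")
        return req.status
    req.approvals.append((level_name, actor, day))
    if len(req.approvals) == len(req.levels):
        req.status = "approved"
        notify(req, req.requester, f"'{req.resource}' approved; provisioning starts")
    else:
        next_name, next_validator = req.current_level()
        notify(req, next_validator, f"please validate '{req.resource}' ({next_name})")
    return req.status


def demo() -> Request:
    """Walk George Martin's request through three levels, two of them via delegates."""
    delegations = [
        Delegation("alice", "bob", date(2006, 5, 31)),   # temporary: alice away in May
        Delegation("carol", "dave"),                      # permanent delegation
    ]
    levels = [("line manager", "alice"),
              ("application manager", "carol"),
              ("IS security manager", "erin")]
    req = open_request("gmartin", "Oracle accounting role", levels)
    decide(req, "bob", True, delegations, date(2006, 5, 15))    # inside delegation window
    decide(req, "dave", True, delegations, date(2006, 5, 16))
    decide(req, "erin", True, delegations, date(2006, 5, 17))
    return req


if __name__ == "__main__":
    for line in demo().notifications:
        print(line)
```

The point to check in a real deployment is the one `can_act` enforces: a temporary delegation must stop working the day after it expires, otherwise the delegation feature silently widens who can approve access.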


The 3 major events in an employee's "lifecycle" (2)

There are 3 main reasons for updating an employee's application accounts:
1. Recruitment
2. Change of function, promotion, or change of organization
3. Departure from the company.
If you take the IT user aspect into account, you also have to add all the helpdesk
requests related to these operations or to lost passwords.
These events constituted a heavy workload for the IT teams. Each concerned just one
employee at a time, but generated many specific account-management tasks and
occurred randomly and unexpectedly.
Automating them was, therefore, a big challenge for the IT Department.

(2) A user's lifecycle: within the context of an identity and access management
project, the expression "lifecycle" corresponds to the different stages in the
management of a user's identity and rights within the Information System.



We will now look at the scenarios associated with each of the events in an
employee's "lifecycle".

Scenario 1: Recruiting a new employee

George Martin has now joined the company.
When a new employee is recruited, one of the first things to do is to register
him/her in the corporate directory.
After validating the various screens used to enter the new recruit's details, the
HRM creates the record in the corporate directory.

Figure 1. Registering a new recruit, George Martin

His function entitles him to an Active Directory resources account and an Oracle
resources (accounting applications) account.
Previously, the request to create the accounts and associated rights had to be
submitted in paper form to the Active Directory resources administrator and to the
professional applications administrator.



Today, thanks to the authorization management validation workflow, the following
process is used:

Figure 2. Workflow associated with the recruitment of George Martin
[Flow diagram; recoverable steps:]
  Creating the identity (workflow):
    Registration in the company's directory
    -> Assignment of a job profile
    -> Validation of the profile by management
    -> Application of the Policy
  Creating the associated accounts:
    Initializing the Active Directory provisioning procedure
    -> Creating the account in the Active Directory resources directory
    Initializing the Oracle provisioning procedure
    -> Registration validation by the ISSM (workflow)
    -> Creating the Oracle account

The new solution implemented by the IT Department is used first to create a valid
user identity and then, in a second phase, to create user accounts on the target
systems and applications, while respecting the control procedures for the most
sensitive applications.
After validation, George Martin's accounts are automatically created in the Active
Directory resources directory and in the professional application used to manage
customer accounts.
The user's identity and all his authorizations are managed via a web interface. The
process follows an approval and notification workflow that ensures compliance with
security standards and request follow-up.
Thus, George Martin can access his applications and become operational very
quickly.


Scenario 2: A change in an employee's function

Following a general reorganization, George Martin's function in the company has
changed.
His new assignment entitles him to new Windows resources, a new role in the
accounting application and access to a new application. Previously, in order to
create new rights and delete the old ones, the different application administrators
had to be notified on paper about the new function. These administrators then had
to connect to each application system via a different administration interface.
The security manager did not have a centralized view of all the user
authorizations.
Thanks to the new solution, access to old resources can be modified or deleted, and
access rights for new resources created, from a single web interface. Furthermore,
this interface gives a centralized view of all the authorizations.
The authorization management process is as follows:

Figure 3. Workflow for George Martin's new function
[Flow diagram; recoverable steps:]
  Modification of the identity (workflow):
    Function modification request by the user
    -> Modification of job profile
    -> Validation of the new profile by management
    -> Application of the Policy
  Modification of the associated accounts:
    Initializing the Active Directory modification procedure
    -> Modifying the account in the resources AD
    Initializing the Oracle provisioning procedure
    -> Deleting the Oracle account associated with the old profile
    -> Notifying the ISSM (workflow)
    -> Validation of the registration by the ISSM (workflow)
    -> Creating the Oracle account

The resources associated with the Active Directory account are modified. The
modifications in Oracle, on the other hand, correspond to a change of job: the
initial Oracle account is deleted, and a new one is created and then validated by
the ISSM.
George Martin can access his work environment for his new assignment. Furthermore,
all accesses to the resources of the previous assignment are automatically deleted.


Scenario 3: Departure of an employee

When George Martin leaves the company, all his Information System access rights
must be deleted.
After the different screens concerning his departure have been validated, the
record is deleted from the corporate directory.

Figure 4. George Martin leaves the company

The process associated with an employee's departure is used to delete his or her
resource-access rights.

Figure 5. George Martin leaves the company
[Flow diagram; recoverable steps:]
  Deleting the identity data (workflow):
    Report from the HRM about the user's departure
    -> Deleting the user from the directory
    -> Notifying the ISSM
    -> Applying the Policy
  Deleting the associated accounts:
    Deleting the accounts associated with the old profile



George Martin's rights must be deleted when he leaves the company. Previously, the
administrators of the different systems should have been notified so that they
could delete his accesses manually. Unfortunately, the procedure was not applied,
and user accounts remained valid until an annual account-cleaning operation was
performed.
The new solution automatically suspends George Martin's application access rights,
almost in real time.
Henceforth, once an employee leaves the company, all his or her application
accounts are immediately disabled (3). After a configurable period, these same
accounts are deleted (4). Therefore, there are no more so-called dormant accounts
in the systems and applications.

(3) When an employee leaves, his/her accounts are first disabled. They are then
still present in the system but unusable. Then, after a configurable period, they
are deleted. This mechanism allows traces of user accounts to be kept for a
legally specified period of time, for example.
(4) A system or application account is said to be dormant when it is not used but
still present, generally because the account owner has left the company.
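Scenarios 1 to 3 and the two footnotes above describe one reconciliation rule: the corporate directory is the only source of truth, a job profile maps through the access policy to accounts on the target systems, a change of function modifies the Active Directory account but deletes and re-creates the Oracle one, and a leaver's accounts are disabled at once and deleted only after the configurable retention period. The following added example, written for this page and not code from the white paper or from AccessMaster, implements that rule. The POLICY table, the profile names ("accountant", "controller", "technician"), the system names ("ad", "oracle"), the entitlement values and the dates are all constructed for the example.

```python
"""Joiner / mover / leaver provisioning driven by the corporate directory.

Added example, not code from the white paper or from AccessMaster. It models
the three scenarios above: the directory is the single source of truth, a job
profile maps through the access policy to entitlements on target systems
(Active Directory and Oracle here), a change of function modifies the AD
account but deletes and re-creates the Oracle account, and a leaver's accounts
are disabled at once and deleted only after a configurable retention period.
The policy table, profile names, system names and sample records are
constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Access policy negotiated between IT and the user departments (constructed):
# job profile -> {target system: entitlement}. An unknown profile grants nothing.
POLICY: Dict[str, Dict[str, str]] = {
    "accountant": {"ad": "grp-accounting", "oracle": "ACCT_CLERK"},
    "controller": {"ad": "grp-finance-mgmt", "oracle": "ACCT_CONTROLLER"},
    "technician": {"ad": "grp-it-ops"},
}
# Systems where a change of role means delete old account + create new one (Scenario 2).
RECREATE_ON_CHANGE = {"oracle"}

Action = Tuple[str, str, str, str]   # (verb, uid, system, entitlement)


@dataclass
class Account:
    system: str
    entitlement: str
    status: str = "active"               # active | disabled
    disabled_on: Optional[date] = None


@dataclass
class TargetState:
    """What the provisioning manager believes exists on the target systems."""
    accounts: Dict[Tuple[str, str], Account] = field(default_factory=dict)


def reconcile(directory: Dict[str, str], state: TargetState,
              today: date, retention_days: int) -> List[Action]:
    """Bring target accounts in line with the directory (uid -> job profile).

    Returns the provisioning actions performed, in order; this list is the
    status report that closes the process or triggers failure notifications.
    """
    actions: List[Action] = []
    # Joiners and movers: each uid gets exactly the entitlements of its profile.
    for uid, profile in directory.items():
        wanted = POLICY.get(profile, {})
        for system, ent in wanted.items():
            acct = state.accounts.get((uid, system))
            if acct is None:
                state.accounts[(uid, system)] = Account(system, ent)
                actions.append(("create", uid, system, ent))
            elif acct.entitlement != ent and system in RECREATE_ON_CHANGE:
                actions.append(("delete", uid, system, acct.entitlement))
                state.accounts[(uid, system)] = Account(system, ent)
                actions.append(("create", uid, system, ent))
            elif acct.entitlement != ent or acct.status != "active":
                acct.entitlement, acct.status, acct.disabled_on = ent, "active", None
                actions.append(("modify", uid, system, ent))
        # Mover: drop accounts on systems the new profile no longer grants.
        for (auid, system), acct in list(state.accounts.items()):
            if auid == uid and system not in wanted:
                del state.accounts[(auid, system)]
                actions.append(("delete", uid, system, acct.entitlement))
    # Leavers: uid no longer in the directory -> disable now, delete after retention.
    for (uid, system), acct in list(state.accounts.items()):
        if uid in directory:
            continue
        if acct.status == "active":
            acct.status, acct.disabled_on = "disabled", today
            actions.append(("disable", uid, system, acct.entitlement))
        elif today - acct.disabled_on >= timedelta(days=retention_days):
            del state.accounts[(uid, system)]
            actions.append(("delete", uid, system, acct.entitlement))
    return actions


def dormant_accounts(directory: Dict[str, str], state: TargetState) -> List[Tuple[str, str]]:
    """Accounts still present whose owner has left the directory (the paper's definition)."""
    return sorted(key for key in state.accounts if key[0] not in directory)


def demo() -> Tuple[List[Action], List[Action], List[Action], List[Action]]:
    """George Martin: recruited (1), reassigned (2), leaves (3), retention expires."""
    state = TargetState()
    joined = reconcile({"gmartin": "accountant"}, state, date(2006, 5, 1), 90)
    moved = reconcile({"gmartin": "controller"}, state, date(2006, 6, 1), 90)
    left = reconcile({}, state, date(2006, 7, 1), 90)       # record deleted from directory
    purged = reconcile({}, state, date(2006, 9, 30), 90)    # 91 days later
    return joined, moved, left, purged


if __name__ == "__main__":
    for phase, acts in zip(("joiner", "mover", "leaver", "purge"), demo()):
        print(phase, acts)
```

Between the disable and the delete, `dormant_accounts` lists exactly the accounts the footnotes call dormant: present but owned by nobody in the directory. A periodic run of that check against the real targets is how a practitioner verifies that the retention period is being honoured rather than silently extended.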


The solution implemented at ACME

The solution is based on the AccessMaster software, which natively integrates
(without duplication or synchronization) the users defined in an LDAP directory,
in particular that of a corporate directory.
AccessMaster automatically provisions the different application systems and
includes a secure SSO.
AccessMaster offers a workflow environment in order to automate the
access-authorization approval circuit.

Figure 6. Architecture
[Diagram; recoverable elements: AccessMaster server (identity management with
workflow, provisioning), reached over HTTP by administrators via the web interface
and via the administration console; user directory; provisioning targets: Windows
systems, Unix systems, mainframes]

This solution can handle the 3 scenarios associated with the major events in a
user's lifecycle. It also enables you, among other things, to:
- take into account a user created in the directory;
- have the administrator assign or modify a user profile;
- send validation requests;
- report a change of request status;
- display the statuses to the administrator or user;
- create or modify accounts on the target applications;
- supply connection information (login and password);
- delete all the accounts of a user removed from the directory.


The main functions of a workflow

Taking into account a user created in the directory

Figure 7. Declaring a user in the corporate directory
When George Martin's record is created in the corporate directory, it is
immediately taken into account by the AccessMaster software.

Figure 8. Taking a user into account in AccessMaster
The organization displayed on the AccessMaster console corresponds to that of the
corporate directory.



User profile assignment or modification by the administrator
From the web administration interface, the administrator requests a "Standard
Profile" type authorization for the user. For George Martin, this Standard Profile
corresponds to Windows resources access rights and an Oracle application role.
Figure 9. Requesting George Martin's authorizations



Sending validation requests
User-profile-validation and application-account-creation requests are sent by
e-mail. These e-mails contain a URL that points to the request-processing screens.
Figure 10. Request processing by the application manager

Reporting a change of request status
Users are informed by e-mail about the status of their authorization requests.
Figure 11. Notifying George Martin



The administrator's view of the statuses via the user management console
The administrator can display user rights simply by clicking on the person object.
Figure 12. AccessMaster Console: displaying George Martin's authorizations



The administrator's or user's view of the statuses via the workflow interface
The user in question (or an authorized administrator) can view his/her
authorizations via a web interface.
Figure 13. Web interface: displaying George Martin's authorizations



Viewing the request-processing phases
The person making the authorization request can also display the
request-processing phases.
Figure 14. Monitoring the processing of George Martin's authorizations

The AccessMaster administrator has a view of all user authorizations, including
those of George Martin.

Creating or modifying accounts on the target applications
At the end of the process, the Provisioning Manager module creates, modifies,
disables or deletes the user's accounts on the target systems. This provisioning
module provides status reports that, in case of success, can be used to close an
authorization-management process and, in case of failure, to notify the different
players (administrator, ISSM, users, etc.).


Providing connection information (login and password)

When an account is created for an application, the associated user must be able to
retrieve his or her connection information.
AccessMaster makes this information available to the user in 2 ways:
- through the "password management" interface, which can be used to view and
  synchronize logins and passwords;
- through secure SSO, which enables the user to use these logins and passwords
  without knowing them, thanks to the enterprise SSO modules "WiseGuard" and
  "SAM SE", the web SSO module "SAM Web", or the SAML management module
  "SAM J2EE".
The use of these solutions depends on the company's security policy and the level
of security required for the target applications.


Departure of an employee

The departure of an employee is a particularly sensitive issue that MUST be handled
within the framework of authorization management. When a user leaves the company,
all his/her application-access rights must be suspended on all the target systems.
The AccessMaster "Provisioning Manager" module automatically deactivates all the
user's rights for the target applications once it detects the deletion of his/her
reference in the company directory.
Figure 15. Departure of a user



Figure 16. Declaring a user's departure in AccessMaster

For example, once the user George Martin no longer exists in the LDAP directory,
his accounts on the different systems are suspended. There is no longer any risk
that dormant accounts will be used, and the procedure takes only a few minutes.


Measuring the return on investment

The project was launched after calculating the return on investment.
Here are some examples of the potential savings calculated for 1,000 users, each
using an average of 5 applications:

Users
  A new user or a user changing his or her function is granted access rights
  immediately. He or she no longer has to wait several days for these rights to
  be granted.
  Potential annual savings: 80,000

Users
  Time is saved by no longer having to enter multiple passwords.
  Potential annual savings: 172,500

Help desk
  Lost passwords typically represent 30% of calls to the help desk. Installing an
  Identity and Access Management solution, such as AccessMaster, can considerably
  reduce these costs.
  Potential annual savings: 63,300

System administrators
  The procedures for declaring a new user are automatic. It takes just a few
  seconds to delete all the accounts of a user leaving the company.
  Potential annual savings: 160,000

The total potential annual savings were estimated at 475,800 (5). This return on
investment calculation was validated by the company's finance department and was a
key factor in the decision to launch the project.

(5) For details of a Return on Investment calculation, please contact Evidian at:
info@evidian.com


Speeding up and making identity management more reliable

The introduction of an authorization management process has sped up the
user-account-management processes and made them more reliable.
These optimizations have resulted in cost savings, which in turn have been used to
finance the project:
- The efficiency of the company's employees has been improved thanks to the
  decrease in the time spent waiting to obtain user rights or user-right
  modifications. The time has dropped from several days to just a few minutes.
- Access-right-management functions have been centralized, and the associated
  workload reduced thanks to the use of a single console.
- The access security policy is now applied, audited and optimized.


For more information go to www.evidian.com/


Email: info@evidian.com
