
Fully Automated Identity and Access Management

[CAS3721]
Oracle OpenWorld 22.08.2016
Tuomas Lahdelma, HUS IT
Tommi Vainio, Leading Security Architect, CGI
CGI Group Inc. CONFIDENTIAL

#oow16

#OracleIDM

Welcome to our session!

Tuomas Lahdelma, HUS IT
Product manager of the HUS IDM solution
While not working he:
- grows hot chilis
- plays and coaches floorball
- improves his house
- builds interesting electronics projects

Tommi Vainio, CGI
Leading Security Architect, IAM builder
While not working he:
- rides an adventure motorcycle
- goes mountain biking or snowboarding
- explores Russia
- listens to fast music

We are small but fast..

Session content
The Hospital District of Helsinki and Uusimaa (Finland), employing more than 22,000 professionals, chose Oracle Identity Manager and Oracle Access Manager.

In this session, learn how the organization ensured deep process and technical integration for multiple Oracle Fusion Applications modules.

Hear how extended HCM master data was used for very high-level automation of fine-grained provisioning and authorizations across Oracle Fusion Applications and the most critical patient systems.

11/9/16

22 364 employees in total:
- 12 519 nursing staff
- 2 891 physicians
- 1 060 other specialists
- 5 894 other employees

23 HOSPITALS

Länsi-Uusimaa Hospital
Aurora Hospital
Children's Castle
Children's Hospital
Department of Oncology
Eye and Ear Hospital
Herttoniemi Hospital
Kätilöopisto Maternity Hospital
Meilahti Tower Hospital
Meilahti Triangle Hospital
Psychiatry Center
Skin and Allergy Hospital
Surgical Hospital
Töölö Hospital
Western
Eye Hospital
Women's Hospital

HUS Meilahti Campus

HUS IT Environment (figure; the numbers did not survive extraction). Categories shown: simultaneous users in patient information systems, user accounts, printers, phones and mobile phones, workstations, tablets and smartphones, servers.

Project Compass

HUS main challenges

- Replace the old Oracle eBS ERP system, in use for about 10 years, with Fusion Applications modules (Financials, Logistics, HR), enhancing internal processes while moving into Fusion
- Migrate the old OIM and OAM to the 11gR2 PS3 level
- Enable Taleo cloud services securely for the HCM onboarding, recruitment and eLearning processes
- Provide a convenient and secure interface for end users, with single sign-on to all connected applications
- Use a high-performance identity and access management system to grant staff their user accounts and access rights to numerous internal data and patient data systems automatically, improving efficiency and security and meeting regulatory requirements

What does it look like: example of an end-user desktop

So why was it built?

HUS IT Headquarters


HUS eIdM (Enterprise IDM) fact sheet

The employee information master data flow is the baseline for all automatically created role-based access and entitlement grants.

- 78 000 work contracts and commissions in a year
- 1 (and only one) save of person and assignment data
- 67 000 job applications per year
- 28 000 different people working during a year (23 000 daily)
- 72 000 password changes in a year. These are synchronized two-way automatically across systems and directories.
- 480 000 changes in employee/user information and work assignments in a year. These changes affect user rights across various systems; the user right changes are handled automatically by eIdM with no human interference.
- 30 minutes from entering the information until it reaches all systems managed by IdM, including cloud services.

Why CGI?
The Hospital District of Helsinki and Uusimaa (HUS) chose CGI because of its long track record of bringing successful HCM integrations and Identity and Access Management solutions with a very high automation level into production use.

CGI supports over 2,000 government organizations around the world in reducing
costs and improving the efficiency, quality and accountability of public services,
all while increasing citizen engagement. For more than 40 years, we have
helped clients manage complex security needs.

CGI IAM and Cyber Security (service wheel; centre: "Protect the business")

Threat, Vulnerability & Risk Assessment
- Risk identification, classification and assessment
- Baseline protection profiles for ICS/CI
- Risk management
- Security audit
- Advanced analytics

Incident Detection & Response
- Detection / clean-up
- 24x7 monitoring
- Network intrusion detection
- Intrusion analysis
- Real-time forensics
- Recovery

Managed Security Services
- Security Operation Centres
- Security controls
- Information assurance
- Staffing
- OS hardening
- Patching
- Penetration testing
- Firewall & IDS management
- Access control

Secure Critical Infrastructures
- SECURE-ICS cyber security
- Secure systems engineering
- Crypto management
- VPNs & encryption design
- IA architecture development

Advanced Analytics
- Vulnerability assessments
- Insider trends
- Threat trends

Cyber Security Strategy
- Business case development
- Roadmap
- Training
- Policies and procedures

Security Test & Evaluation
- Security test & evaluation
- Secure operations planning
- Incident response planning
- Disaster recovery planning

Identity & Access Solutions
- Identity management
- Access management
- Identity governance
- Single sign-on
- Biometrics

Project Compass
Solution key figures

- Full-stack implementation of the Oracle Identity and Access Management Suite
- Automated, rule-table based solution for three Fusion Applications modules (HCM, SCM, Financials), the Taleo Cloud applications, Active Directory, email and the most critical patient systems, using both out-of-the-box and customized connectors and Taleo integrations
- Operational excellence for support, provided with customized BI reporting capabilities
- Efficient conversion of old user rights from EBS and external financial applications into Fusion
- Business continuity proven with a full disaster recovery exercise on the live production system

Process automation end-to-end

Person and assignment data is saved once ("1-time save"); 0.5 million changes/year flow through the IDM to the connected systems: "Welcome to work!"

AD / Email, automation > 99%:
- To all users
- Distribution groups
- Access rights according to organisation
- Requestable rights < 1%

Patient systems, automation > 99%:
- Access rights
- Occupation class
- Certificate fee
- Requestable rights < 1%

Compass (Fusion Apps, Taleo Cloud), automation > 99%:
- End-user desktop + SSO
- Manager desktop + SSO
- HCM access rights
- FINA access rights
- SCM access rights
- Taleo access rights
- Requestable rights < 1%

Provisioning automation architecture end-to-end (diagram). Components shown: Fusion HCM (fed by Recruitment), eIDM, AD / Email, Patient Systems, Fusion OID, Taleo Cloud (Onboarding, Learn), other systems, Fusion IDM, Fusion SCM, Fusion FINA and Fusion HCM.

Efficient rule tables for provisioning

Easy to maintain:
- The number of business roles needed in OIM stays small
- The HCM process manages all automated user rights entirely; the IT department and help desk do not
- Even major organizational changes are very quick to implement, without headaches
- Common rules and methods across multiple target systems
- Extendable
- A very high automation level is achievable with small effort
- Customer top management has approved the automation rules in their policy

Efficient rule tables for provisioning

Rule parameters for automation can be one of the following (or a combined value):
- Business unit
- Manager/non-manager position
- Combination of title and business unit (example below)
- Direct mapping to HCM vacancy data
- Job type (e.g. trainees can have minor rights)
- Whether or not approval is needed for entitlement provisioning
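To make the rule-table idea concrete, here is an added example (my own illustration, not code from HUS, CGI or Oracle) of the pattern the slides describe: the HCM record alone determines the desired entitlements, a small rule table covers every parameter type listed above (business unit, manager flag, title + business unit combination, job type, approval needed or not), and a reconciliation step turns an HCM change into grants, revokes and, for the rare exceptional rights, requests for the approval workflow. It also shows the de-provisioning side mentioned in the fact sheet: when the assignment changes or ends, rights that no rule justifies any more are revoked automatically, including exceptional rights that were once approved. The rule table, the HCM records and every field and entitlement name are constructed for this example and are not taken from the slides.

```python
"""Rule-table driven, HCM-controlled provisioning: an added, illustrative
implementation of the pattern described above (not HUS, CGI or Oracle code).

Assumptions (hypothetical, not from the slides): an HCM record is a flat dict
with the keys used in RULES; every entitlement is a (target_system, name)
pair; the grants a person currently holds are available as a set of pairs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    target: str                   # target system, e.g. "AD", "PATIENT_SYS"
    entitlement: str              # may contain {hcm_field} placeholders
    match: dict                   # HCM field -> required value, or tuple of allowed values
    needs_approval: bool = False  # True: request-based (the "< 1%"), never auto-granted


# Constructed rule table covering the parameter types listed on the slide.
RULES = [
    Rule("AD", "ALL_STAFF", {"status": "ACTIVE"}),                       # everyone active
    Rule("EMAIL", "MAILBOX", {"status": "ACTIVE"}),
    Rule("AD", "DL_{business_unit}", {"status": "ACTIVE"}),              # distribution group per organisation
    Rule("PATIENT_SYS", "CLINICIAN_FULL",                                # job type: full rights only for staff
         {"status": "ACTIVE", "title": ("PHYSICIAN", "NURSE"),
          "job_type": ("PERMANENT", "TEMPORARY")}),
    Rule("PATIENT_SYS", "CLINICIAN_READONLY",                            # job type: trainees get minor rights
         {"status": "ACTIVE", "title": ("PHYSICIAN", "NURSE"), "job_type": "TRAINEE"}),
    Rule("FUSION_HCM", "LINE_MANAGER", {"status": "ACTIVE", "is_manager": True}),  # manager position
    Rule("FUSION_FIN", "AP_INVOICE_APPROVER",                            # title + business unit combination
         {"status": "ACTIVE", "business_unit": "FINANCE", "title": "CONTROLLER"}),
    Rule("PATIENT_SYS", "RESEARCH_EXPORT",                               # exceptional: must be requested/approved
         {"status": "ACTIVE", "title": "PHYSICIAN"}, needs_approval=True),
]


def rule_matches(rule: Rule, person: dict) -> bool:
    """Every field in rule.match must be satisfied (AND); a tuple means 'any of'."""
    for field_name, wanted in rule.match.items():
        allowed = wanted if isinstance(wanted, tuple) else (wanted,)
        if person.get(field_name) not in allowed:
            return False
    return True


def desired_entitlements(person: dict, rules=RULES) -> dict:
    """Map (target, entitlement) -> needs_approval for everything the rules justify.
    If one rule auto-grants what another only allows on request, auto wins."""
    desired = {}
    for rule in rules:
        if rule_matches(rule, person):
            key = (rule.target, rule.entitlement.format_map(person))
            desired[key] = desired.get(key, True) and rule.needs_approval
    return desired


def reconcile(current: set, desired: dict):
    """Return (grants, revokes, to_request) as sorted lists.
    - auto entitlements missing from `current` are granted with no human step;
    - anything held that no rule justifies any more is revoked, including
      previously approved exceptional rights (the HCM change drives de-provisioning);
    - exceptional rights not yet held become requests for the approval workflow."""
    auto = {k for k, approval in desired.items() if not approval}
    exceptional = {k for k, approval in desired.items() if approval}
    grants = sorted(auto - current)
    revokes = sorted(current - auto - exceptional)
    to_request = sorted(exceptional - current)
    return grants, revokes, to_request


def apply_changes(current: set, grants, revokes) -> set:
    """Simulate the connectors executing the plan."""
    return (set(current) | set(grants)) - set(revokes)


# Constructed HCM records for one person through hire, transfer and departure.
NURSE_HIRED = {"person_id": "p1001", "status": "ACTIVE", "business_unit": "SURGERY",
               "title": "NURSE", "job_type": "PERMANENT", "is_manager": False}
NURSE_MOVED = dict(NURSE_HIRED, business_unit="ONCOLOGY", is_manager=True)
NURSE_LEFT = dict(NURSE_MOVED, status="TERMINATED")
PHYSICIAN_TEMP = {"person_id": "p2002", "status": "ACTIVE", "business_unit": "ONCOLOGY",
                  "title": "PHYSICIAN", "job_type": "TEMPORARY", "is_manager": False}

if __name__ == "__main__":
    held = set()
    for step, record in (("hired", NURSE_HIRED), ("moved", NURSE_MOVED), ("left", NURSE_LEFT)):
        grants, revokes, requests = reconcile(held, desired_entitlements(record))
        print(f"{step}: grant={grants} revoke={revokes} request={requests}")
        held = apply_changes(held, grants, revokes)
```

The design point is that no target system is ever told "remove X" by a person: the desired state is recomputed from the HCM record on every change and the diff is what the connectors execute, which is what keeps the requestable share at the "< 1%" the slides quote and makes departures and transfers safe by default. The one place a human remains in the loop is the `needs_approval` rule, and even those grants are tied to the HCM condition that justified them, so they fall away with it.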

Taleo Cloud integrations (diagram)

Taleo Recruiting, Taleo Onboarding and Taleo Learn are connected to Fusion HCM and eIDM. Taleo user data and Taleo access rights are provisioned automatically (> 99%), additional rights by request.

TCC Integrations and

OAM / Identity federations

Security solutions: centralized authentication services (Enterprise OAM), Identity Federation, Fusion OAM, Fusion Applications

End-user SSO to applications

Fusion certified environment

Project Compass
Benefits delivered

- Fully automated, HCM-process-controlled identity management across multiple connected target applications, including three Taleo cloud applications and critical patient systems
- 100% of user IDs provisioned automatically, 99% of user rights provisioned automatically
- On day 1, all end users have user accounts and the correct business roles in all systems
- Only exceptional user rights need to be request-based, audited and re-certifiable
- Single sign-on for end users to all connected target applications on the Compass Workspace
- Reduced IT help desk workdays
- Annual HR and IT management costs cut through better productivity
- Efficient BI reports provided both to IT and to the persons in charge of the Fusion modules

Oracle technologies/ products used in the solution


Cloud applications integrated
Taleo Recruitment
Taleo Onboarding
Taleo eLearn

Fusion Apps:
Oracle Fusion HCM module
Oracle Fusion Financials module
Oracle Fusion SCM module
Oracle Fusion Access Manager
Oracle Fusion Identity Manager
Identity and Access:
Oracle Identity Manager+connectors
Oracle Access Manager+webgates
Oracle Identity Federation
Oracle Internet Directory

Other:
Oracle Weblogic
Oracle Exadata
Oracle Exalogic
Oracle Business Intelligence
Oracle Enterprise Manager/Cloud Control

Our next steps and plans


- New O365 connector implementation ongoing
- Utilizing certification processes for exceptional rights
- Extending the solution with software robotics (RPA) for in-house applications that have no connector or cannot be integrated
- Starting to utilize IDCS, security monitoring and analytics, and compliance services from the cloud
- New target systems running in the cloud, integrated from IDCS
- Integration of a new major patient system and other systems, utilizing the same methods and processes efficiently
- More integrated external user management

Thank you for attending our session!

Our commitment to you


We approach every engagement with
one objective in mind: to help clients
succeed
