Success Story

In the Fast Lane to Introducing a Proper IAM Solution at IFB Hamburg

Thanks to Garancy® Identity Manager, IFB is now able to make their cross-application specialist roles available in a centralized manner. The solution also automates and accelerates the assignment of authorizations for new/departing staff or when changing the tasks of individual employees.

The Beta Systems software is technically mature and runs extremely reliably. We are also highly pleased with the excellent cooperation with the consulting team. Whenever we had any questions or problems, competent information was provided promptly.

IFB Hamburg Logo
Volker Loebel
Deputy Head of the Finance and Accounting Department & Team Leader for Balance Sheets/Reporting, IFB

Initial Situation

“BaFin’s banking supervisory requirements for IT provided the impetus for looking into the acquisition of an IAM solution,” explains the responsible sub-project manager Volker Loebel, Deputy Head of the Finance and Accounting Department and Team Leader for Balance Sheets/Reporting at Hamburgische Investitions- und Förderbank (IFB). That’s why IFB commissioned PWC with an audit to find out how well it was doing in terms of meeting these provisions. Authorization management emerged as the largest subitem on the to-do list for achieving compliance. A well-defined structure was already in place.

Previously, the bank had handled authorization via authorization concepts, Excel lists and manual processes for IT applications. Authorization requests were processed using templates that were printed out and signed; Windows authorizations were dealt with in Active Directory, where groups, or “pseudo-roles,” had already been configured. Things looked similar in SAP, where certain collective roles existed for departments and teams.

And while IFB had defined roles for the various applications, this did not mean that all employees automatically had the same permissions. The actual roles were put together individually. Whenever an employee received a new assignment, his or her authorization was essentially based on the individual rather than on their role. This also meant that various individual and group authorizations existed side by side. However, BAIT defines that rights must arise from employee duties. Therefore, the roles should be defined and assigned in the departments themselves. At IFB, authorization concepts had previously been the domain of the IT department for the most part.

Challenge

One requirement of BAIT is the assignment of authorizations based on specialist tasks. IFB had followed the MaRisk regulation that allows for combining rights into roles to the letter. However, the roles must be derived from the tasks, and certain constraints regarding how rights may be combined into roles – such as the separation of functions – must be observed. Owing to this approach, the bank was able to provide the Beta Systems team with a complete rule set for the segregation of duties.

Implementation

The project team was also very fast when it came to implementing special workflows for critical authorizations. Under MaRisk, different rules apply to these as opposed to normal authorizations; for example, they must be processed separately and are subject to tighter control cycles. In its set of rules, IFB defined critical authorizations in advance and also specified whether they should be managed at the individual rights level or the specialist role level. The financial service provider finally opted for the latter. Consequently, the individual critical authorizations were bundled into a single critical specialist role.

“Taking this approach allowed us to avoid having to add additional processes and authorization roles to the identity management software that might not be needed after all,” explains Jochen Schneider. The introduction of the software was the third and final leg of the journey. The Beta Systems team was given 103 ready-made specialist roles, including the specifications as to who may request and approve authorizations for a new employee – essentially the entire rule set. The only task that remained was to store this information in the Garancy® Identity Manager. Because of the deliberate decision to keep the processes simple, they could be mapped using Garancy®’s standard transactions.

As an additional benefit, this enabled the team to work with and test the real processes right away. Consultant Jochen Schneider: “That’s precisely what makes this project stand out. Most other banks first pick a technology before getting their internal processes in order. In this case it was the other way around.”

That’s precisely what makes this project stand out. Most other banks first pick a technology before getting their internal processes in order. In this case it was the other way around.

IFB Hamburg Logo
Jochen Schneider
Consultant, IFB

Outcome

Solution went live after only 5 months: Beta Systems did the customizing itself and delivered the configured software to the customer a few weeks later. This also kept the project costs within reasonable limits, because hardly any travel costs were incurred and very few internal resources were tied up at IFB. On 28 June 2019, IFB was able to take its new identity management system live. The total duration of the IDM implementation project was only five months – this may be a record in the industry.

Over the course of the project, IFB also defined a new function: The authorization manager, who is a member of the technical operations department, acts as a go-between for this and the specialist departments. He also oversees the release of authorization concepts and serves as a secondary reviewer in some release processes when it comes to role assignment or changes.

In early September 2019, the first recertification campaign was launched with the Garancy® Recertification Center, another component of the Garancy® IAM Portal from Beta Systems. During the three weeks of the campaign, several workshops were held to generate a lot of attention. The workshops explained how to release specialist roles and employees assigned to them in SAP and Windows, and, in a second follow-up round, also in the order-to-admin systems.

So the new era of IDM has only just begun at IFB, but an initial opinion has already been forming after the first few months: “The Beta Systems software is technically mature and runs extremely reliably,” says Volker Loebel. “We are also highly pleased with the excellent cooperation with the consulting team. Whenever we had any questions or problems, competent information was provided promptly.” So the bank is more than ready for the next audit: when it comes to authorization management, IFB is now a step ahead.

Customer

IFB Hamburg Logo
Year of foundation
2013
Number of employees
260
Head office
Hamburg
Sector
Financial service provider
Hamburgische Investitions- und Förderbank IFB
Besenbinderhof 31
20097 Hamburg
Germany

Tags

IAM

Share

Further Resources

Blog Article
it_operations.jpg

Empowering Non-Technical Users: How IT Democratization Drives Business Success

Empowering non-technical users is becoming a game-changer as enterprises across industries embrace hybrid IT environments. This shift presents exciting opportunities and unique challenges, from managing disconnected on-prem systems to orchestrating complex cloud-native solutions. By leveraging centralized orchestration and automation platforms, businesses can drive innovation and efficiency, underscoring how IT democratization fuels success in today’s competitive landscape.
Blog Article
soap-blog.jpg

What Is SOAP?

Unlocking the Potential of Service Orchestration and Automation Platforms
Blog Article
automation.webp

Maximizing Efficiency with Event-Driven Automation

Automation is becoming increasingly indispensable in modern organizations, driving efficiencies across departments and fields from infrastructure to DevOps. However, while most companies recognize the potential benefits of automation, many still struggle to make the most of it. Fragmented processes, disconnected tools, and poorly defined objectives often prevent organizations from reaching full automation potential. Here, we’ll explore a strategic approach to building a mature automation framework that enables seamless, efficient, and scalable operations.