Merkur Versicherung AG Relies on Garancy® Identity Manager as Their Central Authorization Administration Tool

When Merkur Versicherung was founded in Graz in 1798, the Holy Roman Empire under Emperor Franz II was in its final stages. This makes today’s Merkur Versicherung AG, headquartered in Graz, undisputedly the oldest insurance company in Austria. Nonetheless, in terms of technology and organization it has always been a frontrunner. With the IAM solution from Beta Systems, the insurance company now has complete control over who accesses which systems and when. It thus meets all the requirements of the financial supervisory authority, while benefiting from streamlined internal workflows at the same time.

While other companies were still pondering how best to distribute paper inboxes during the pandemic, Merkur already had an “eWorkplace” – an electronic workplace where correspondence is received exclusively digitally and forwarded to the right employee via workflows. “Many similar applications have been added to our IT landscape in recent years,” reports certified insurance brokerEva Kainz-Kaufmann with the Information Technology – IT Management department of the insurance group. For all of these applications, the insurer must define who can access any given system in what manner and for how long. Up until recently, these permissions had been assigned via a ticket system (Jira). In this system, the specialist departments had to create tickets to submit their requirements as to who may use which software and to what extent, and the administrators of the individual target systems then implemented these for the individual user in the respective systems.

An internal IT audit performed in 2017 uncovered the actual effort associated with this approach. Authorizations used to be based on individuals rather than roles. As a consequence, an individual ticket was created for each authorization request and there was no general transparency on who had which authorizations at any given time. “When the financial supervisory authority made inquiries, we always had to find this information in the individual tickets,” says Eva Kainz-Kaufmann. For security reasons, in particular, it is essential to know at all times who has what rights for which systems. It is equally crucial to be able to assign or revoke these rights without delay.

Therefore, the insurance company decided in 2019 to introduce a central authorization management tool. The market was sounded out together with an external consulting firm. Three vendors were shortlisted out of an initial selection of ten. Beta Systems ended up on top with its Garancy® IAM Suite. In addition to the MIS (Merkur Information System), Lotus Notes, eWorkplace and Microsoft Active Directory (including other systems connected via these, e.g. an automatic mail generation solution) had to be integrated with the IAM software.

First step: Implement the role concept. Merkur Versicherung AG started to create a new role concept alongside the introduction of the Garancy® IAM Suite. Existing systems and IT authorization structures were assessed and cleaned up from the ground up.

With the introduction of the Garancy® IAM Suite, now new authorizations are only granted based on defined roles. The insurance company creates the roles in the Infoniqa HR system. Information such as the date of entry of employees, the department they work in and the position they hold there are of interest. Based on this data, each employee is assigned two basic roles: an organizational role and a business role (corresponding to the job profile). The organizational role basically defines the department of the employee, while the business role describes their activities in detail. This classification was decided by IT in consultation with the system owners as well as with the division managers of the respective department.