About HWA AG

HWA AG is an expert in the field of automotive racing and high-performance vehicle engineering. The company was founded in 1998 by Hans Werner Aufrecht (hence the name – “HWA”) and has its headquarters today in Affalterbach, Germany, where it currently employs around 300 people. HWA’s services range from vehicle components design to car production as well as covering logistics, aftersales and customer support.

HWA’s Review of tenfold

“Personally, I was very much impressed by tenfold’s intuitive and user-friendly architecture. The technical capabilities and features it includes are particularly valuable to us. tenfold provides interfaces to all important HWA systems. We now have a huge margin for potential savings for tasks we previously had to complete manually.

We were specifically looking for a product that can be used by people from non-IT departments – and tenfold fully lived up to our expectations! tenfold was well received across all departments and is now an integral part of our processes and daily routines.

The approach tenfold and its solution partner Bechtle IT System House Neckarsulm took was outstanding. Although the features we requested for the initial launch were extensive and also very specific, they completed the project well within the planned budget and timeframe.”

Florian Schüle
Head of IT

Overview

Location: Germany
Founding Year: 1998
Employees: approx. 300
Industry: Car manufacturing
Product: tenfold Enterprise Edition

HWA Before tenfold

Frustrated with the standard tools available for managing access rights and feeling let down by major system providers, HWA were at their wits’ end. In light of the complexity they faced on a daily basis, their access management strategy had reached the end of the line. HWA’s IT experts thus set out in search of a solution that would help them stay on top of the growing privilege chaos.

Their main focus was to find a product that would enable them to govern access to Windows file servers more easily. They also wanted a tool that would allow individual department heads and managers to control access to data directly, rather than having to go through IT for every permission.

While it is possible to control access rights using the available standard tools, such technical functions are usually reserved for IT admins only, not for the “general population”. Without an extra tool, it is impossible to implement user-friendly workflows for users who do not have an IT background.

HWA before tenfold (c) Looker_Studio

Choosing the Right Tool – User Lifecycle Management

In their search, HWA narrowed the field to two promising products. Both providers promised they could simplify permission assignment processes by delegating responsibilities away from IT to other departments/managers. Both also affirmed their products would provide admins with a good, clear, and structured visual overview of existing permissions. In other words, both products promised to cover the basic requirements as outlined by HWA.

After examining both options in depth, HWA finally opted for tenfold, a product from the Austrian software developer of the same name. The final push toward tenfold came from its user lifecycle management (ULM) feature, an aspect that had initially not been on HWA’s radar at all, but proved to be of great value.

While better reporting options and simplified access management workflows are an enormous improvement for any business, they are in the end mere plasters on an open wound. They do not address the problem at its root. If you want to properly optimize IT security in your company, you must be able to adequately model user and permission processes. Also, granting and revoking permissions should be largely rule-based and automated processes.

Joiner-Mover-Leaver Processes

tenfold’s approach to solving HWA’s problems was to tackle said problems at the root – the root in this case being their chaotic user management strategy (if you can call it a strategy). tenfold’s user lifecycle management feature served as the basis for deployment at HWA. If you want to manage users and their accounts and permissions correctly, it is absolutely essential that your IT and HR departments work very closely together. Information needs to flow continuously and smoothly from HR to IT: who will be hired and when, whose account needs adapting, who is planning to leave the company? Relaying this information in time and without mistakes is not an easy task.

With tenfold, HWA’s HR department are now able to create new users independently using the web interface. This requires no administrative IT privileges whatsoever, as tenfold allows for granular control even on a basic user level. A service account with the necessary system authorizations then takes care of the technical implementation. All other joiner-mover-leaver processes that are part of the user lifecycle can also be handled independently, as no specific IT knowledge is needed for such operations in tenfold.

There are some extra settings available for events like parental leave or sabbaticals, where people leave the company for a specific timeframe. For such cases, resources like distribution groups, for example, are automatically removed when the leave begins and later automatically reassigned when the user returns to work.

Automated Data Imports

Automating the provision of necessary standard accounts and permissions helps save IT resources. While that is a great thing, of course, there is another process that is often neglected, but absolutely essential in ensuring data security: permissions that have been assigned must be removed again as soon as they are no longer needed (e.g. when an employee switches to another department). tenfold employs a rule-based profile system that automatically detects when users change departments and also allows you to set a transition period for such events. This stops users from accumulating excess permissions that are never removed, a problem known as “privilege creep”. HWA is not the only company that once found itself caught in the vortex of privilege creep.
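The rule described above (profile rights follow the department, old rights survive only for a transition period) can be sketched as follows. This is an added example, not tenfold's code or API: the profile names, entitlement strings, the 14-day window and the sample user are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed profiles (assumption): department -> entitlements granted by rule.
PROFILES = {
    "engineering": {"fs:/projects/eng", "grp:eng-all", "sap:PLM_USER"},
    "logistics": {"fs:/projects/logistics", "grp:logistics-all", "sap:MM_USER"},
}
TRANSITION = timedelta(days=14)  # assumed transition period after a department change


@dataclass
class User:
    name: str
    department: str
    held: set                                    # entitlements currently assigned
    requested: set = field(default_factory=set)  # extras approved by a data owner
    moved_from: Optional[str] = None
    moved_on: Optional[date] = None


def plan_changes(user, today):
    """Return (grant, revoke): the changes that align the user with the rules."""
    target = PROFILES[user.department] | user.requested
    grant = target - user.held
    revoke = user.held - target
    if user.moved_from and today < user.moved_on + TRANSITION:
        # Inside the window the old profile's rights stay, e.g. for handover.
        revoke -= PROFILES[user.moved_from]
    return grant, revoke


def demo():
    # Constructed user: moved engineering -> logistics on 2024-03-01, holds one
    # approved extra and one right that no rule or request accounts for.
    user = User(
        name="a.example",
        department="logistics",
        held=PROFILES["engineering"] | {"fs:/projects/x-team", "grp:legacy-tool"},
        requested={"fs:/projects/x-team"},
        moved_from="engineering",
        moved_on=date(2024, 3, 1),
    )
    return plan_changes(user, date(2024, 3, 10)), plan_changes(user, date(2024, 3, 15))
```

The unexplained `grp:legacy-tool` right is flagged for removal even during the transition window, while the approved extra is kept in both runs; in the workflow the page describes, such extras are what the recurring recertification covers.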

Regarding HR processes, HWA deliberately chose not to tap into tenfold’s full potential from the get-go. Once a new user and/or their contract data have been entered into the HR system, all associated IT processes are automatically taken care of. HWA has been able to maintain good control over the current level of employee movement using this strategy. Should the level of joiner-mover-leaver processes increase in the future, HWA will reconsider using the automated data import option offered by tenfold.

Plugins for Additional Software

Sooner or later, every user requires additional rights on top of the standard set they were given upon joining the company. They may be working on projects that involve multiple departments and need access to data from those departments. At HWA, there previously was no other way than to go through IT to get additional rights. And the IT department then had their hands full trying to stay on top of every single one of those requested rights manually.

With tenfold, users and managers can now simply request extra rights directly using tenfold’s built-in self-service portal. For this purpose, Active Directory and SAP ERP were integrated with tenfold’s services. The reason this did not completely blow the budget is that tenfold can be very easily integrated with most third-party systems. tenfold has plugins available for SAP and many other common and widely used systems, which can simply be connected via standardized interfaces.

The self-service portal works as follows: first, you must appoint “data owners” for each object or resource. A data owner is usually a department manager or someone of equal authority. The data owners are then in charge of “their” resources and of controlling access to them. To make sure nothing slips under the radar, the approved and assigned access rights can be subjected to a regularly recurring process known as “user access review” or “recertification”, as tenfold calls it. In this process, data owners are prompted to re-approve or terminate access to their resources.

Permissions on Request

tenfold’s self-service screen is kept as simple as possible and works much like an online shop. Experience has shown that even users who are not tech-savvy get the hang of it quickly. A self-service portal lives and dies with the user experience. If users aren’t happy, the service will not be accepted and will therefore have failed its purpose. When a request has been made through the portal, the associated data owner is automatically informed about it by email. The email contains a link the data owner can use to either approve or reject the request. It really is that simple! Only if the request has been approved by all concerned parties (you can set multiple data owners for an object or resource) will the requested permissions be distributed automatically via the interface to which the program concerned is connected.

The benefits for HWA are, first off, that their human resources in the IT department are freed from having to complete redundant manual tasks, like updating changes in user permissions across multiple systems. It’s a huge time-saver in that respect. Moreover, communications between IT, HR, managers and employees are now entirely automated, which again is a big time-saver and therefore a benefit for the entire organization.

Better Transparency

One aspect HWA was able to improve significantly by introducing tenfold was the level of transparency with regard to permission assignments. Prior to tenfold, HWA, like many other companies, simply used emails and tickets to handle permissions and requests – an approach that is not just very time-consuming, but also highly prone to errors. There’s hardly a way of keeping a good overview of who has what permission, who granted it and for what reason. A complete lack of transparency was a central issue HWA were struggling with.

Now, every change is documented as part of the request workflow and all important information can be instantly retrieved. The logs show exactly who made the request, who approved or declined it and when. Also, every user must supply a reason for making a request and data owners must provide a reason for their decision (approval or rejection). This allows companies to retrace all decision-making processes.

Conclusion

HWA are currently planning to expand on further tenfold features, for instance its role-based concept. In future, the plan is to use tenfold’s profile system to model access rights. tenfold comes with a so-called “profile wizard,” whose very purpose it is to help derive suitable standards for departments, teams and locations on the basis of existing access structures. Further included in HWA’s roadmap is the use of tenfold’s self-service features as well as workflows for requesting and providing additional resources and IT systems.
