Case Study –
Sappi Fine Paper Europe

About Sappi

Sappi Fine Paper Europe is the leading European producer of coated fine paper used in premium magazines, catalogues, books and high-end print advertising. Headquartered in Brussels, Belgium, Sappi Fine Paper Europe is recognised for innovation and quality. Sappi Fine Paper Europe is a division of Sappi Limited (NYSE, JSE), a global company headquartered in Johannesburg, South Africa, with over 14,900 employees and manufacturing operations on four continents in 9 countries, sales oces in 50 countries, and customers in over 100 countries around the world.

Customer Review

“Before introducing tenfold, we used a self-developed solution for managing our user accounts. This solution was only partially automated and provided no self-service system for end users. Creating users or changing access rights in different systems was a tedious process prone to errors. With tenfold, these tasks now only take a few minutes to complete, thanks to automation; at the same time, all system activities are automatically logged and documented.”

Karl Liebich
Manager IT Applications Sappi Fine Paper Europe

Countries
Implementation for users in over 100 countries

Industry sector
Pulp and paper

Client
Sappi, manufacturer of high-quality coated paper, with 14,000 staff members across four continents

Initial situation
User accounts and access rights were initially managed using an application that did not incorporate all company systems; it did not provide a self-service function for end users, was mostly not automated, and did not comprise all user groups. The aim of the project was to implement a new solution that would eliminate all of these shortcomings.

Product

tenfold Enterprise Edition

Test tenfold, free of charge and without obligation

It has never been so easy to manage users and access rights in one central hub. tenfold reduces administrative efforts to a minimum and makes managing your users and access rights a walk in the park by providing a clear and transparent overview of all access rights. tenfold will aid you in complying with standards, such as ISO 27000, BSI, as well as the demands of the GDPR.

Start free trial now

Advantages

  • Centralized management of user accounts and access rights
  • Automation of processes saves time and money
  • All activities are automatically documented to ensure compliance with regulatory demands
  • Clearly structured reports allow current and past assignments of access rights to be transparently displayed
  • Approval workflows represent decision-making structures of the company

Project Launch

In collaboration with employees from IT departments in Gratkorn (Austria) and Maastricht (Netherlands), we spent several workshops analyzing and documenting relevant user and access management processes. At the same time, we installed a basic version of tenfold on a Sappi system.
The results obtained from these workshops were then incorporated into the tenfold software, step by step.

Corporate-wide Access Rights

The general goal to establish a company-wide, automated and role-based access rights management system was implemented in a number of steps. tenfold’s scope of delivery includes several plugins, e.g. for common directory services, applications, help desk solutions and HR systems. Despite its complex structure, we were able to fully integrate the Active Directory using the Active Directory plugin. The integration of SAP ERP was accomplished through tenfold’s integrated SAP plugin.

Integration of HR Systems

Philipp Straka, Regional Applications Manager at Sappi, was responsible for implementing an automated interface between the HR system and tenfold.
The aim of providing this connection was to ensure that tenfold would always be informed promptly if anyone joined or left the company and about internal fluctuations (e.g. department or location changes), in order to adjust user accounts and access rights based on this information automatically.

tenfold implemented the interface for HR within a short time by using a number of best practice templates. This standardization did not require any additional implementation efforts; it was merely necessary to adapt the interface to the processes and exceptions of the HR system.
User accounts for new employees are now created automatically and assigned the appropriate rights. When employees leave the company, their user accounts are locked in all systems; if they move to a new location or department, their access rights are adjusted accordingly. tenfold can also implement temporary employment contracts (e.g. for interns), where users are locked automatically on the defined leaving date.

Access Concept To Include External Persons

One particular problem that existed, prior to implementing tenfold, was the question of how to handle external persons (e.g. suppliers) who had access to Sappi systems. Karl Liebich describes the issue: “We often received tardy information about staff who were no longer actively working for our suppliers (and thus for us.)”
Thanks to tenfold’s best-practice templates for human resources, this problem has been eliminated: External persons are now saved in tenfold as part of a certain person type and their access rights expire after a pre-defined period of time, unless actively extended.
Sappi is satisfied with the new solution: “Department heads and other persons in charge are now regularly informed about which external partners currently have access to the system; furthermore, they can determine whether access should be extended or if the person concerned should be locked.“ In the same way, access for customers and suppliers who interact with Sappi’s IT systems via the e-commerce portal is now also controlled.

Legacy Systems and tenfold

In the paper production and quality systems sectors, Sappi uses two self-developed applications that encompass a vast range of functions and complicated access structures. These applications are very critical as they have access to highly sensitive data.
Once both systems were analyzed, it was decided to implement the tenfold interface using the Groovy plugin. This is a component that works independently of platforms or manufacturers and is used for integrating third-party systems into company-wide identity & access management structures.
The implementation was carried out by Sappi with the support of tenfold. “Connecting our information systems with tenfold has significantly helped us to reduce the time and efforts spent on user and access management. The quality was also significantly improved because manual input is no longer required. Thanks to the integration with tenfold, we are able to meet all compliance demands without any problems,” says Michael Samastur, Application Manager responsible for information and quality systems.

Provisioning in Seconds

At Sappi, many applications are provided to users via Citrix. In order to cover this form of provisioning as well, the relevant parts of the Active Directory that control access were made accessible via the tenfold Active Directory group assignment plugin. All that is required now to request and authorize user access to certain applications are a few mouse clicks; no more manual input is needed.

Central Maintenance of User Master Data

The central administration of user master data is done in tenfold. When modifications are made, all systems in the company are updated with the new data. Every change is logged in order to be able to trace which person changed which data at what time and who approved these changes. tenfold also records in which systems these data were updated. Basic user master data are transferred from the HR system to tenfold and passed on to other systems from there. However, the HR system is not the main system for all user data. “One of tenfold’s greatest advantages is that it allows you to determine specifically which system should be responsible for a person’s individual data,“ says Philipp Straka.

External Hardware Management

At Sappi, computers, laptops, mobile phones and other components are stored in a configuration management database. In order to establish the links between users and hardware (e.g. PCs, laptops, mobile phones) for tenfold, an interface to the CMDB system was implemented. Based on these links, (i.e. assignments) we can tell immediately what IT services any given user is using. Based on the data derived from tenfold, the cost allocation is made at department level.

Audits for Monitoring Compliance

“Due to various legal and internal regulations, we are obligated to abide to certain compliance regulations. These regulations dictate (among other things) that user accounts and access rights must always be managed in a transparent manner. We had regular visits from auditors asking questions about how certain access structures came about. In the past, we invested great amounts of time into retracing our steps, and yet were often unable to offer comprehensible answers. Thanks to tenfold, we are now able to answer all questions promptly. Since all activities are automatically logged, we can deduce our access structures immediately and see exactly how they came about, at any given point in time.“  Karl Liebich on improvements achieved through tenfold.