tenfold Case Study: Sappi Fine Paper Europe

The general goal to establish a company-wide, automated and role-based access rights management system was implemented in a number of steps. tenfold’s scope of delivery includes several plugins, e.g. for common directory services, applications, help desk solutions and HR systems. Despite its complex structure, we were able to fully integrate the Active Directory using the Active Directory plugin. The integration of SAP ERP was accomplished through tenfold’s integrated SAP plugin.

Philipp Straka, Regional Applications Manager at Sappi, was responsible for implementing an automated interface between the HR system and tenfold.
The aim of providing this connection was to ensure that tenfold would always be informed promptly if anyone joined or left the company and about internal fluctuations (e.g. department or location changes), in order to adjust user accounts and access rights based on this information automatically.

tenfold implemented the interface for HR within a short time by using a number of best practice templates. This standardization did not require any additional implementation efforts; it was merely necessary to adapt the interface to the processes and exceptions of the HR system.
User accounts for new employees are now created automatically and assigned the appropriate rights. When employees leave the company, their user accounts are locked in all systems; if they move to a new location or department, their access rights are adjusted accordingly. tenfold can also implement temporary employment contracts (e.g. for interns), where users are locked automatically on the defined leaving date.

One particular problem that existed, prior to implementing tenfold, was the question of how to handle external persons (e.g. suppliers) who had access to Sappi systems. Karl Liebich describes the issue: “We often received tardy information about staff who were no longer actively working for our suppliers (and thus for us.)”

Thanks to tenfold’s best-practice templates for human resources, this problem has been eliminated: External persons are now saved in tenfold as part of a certain person type and their access rights expire after a pre-defined period of time, unless actively extended.

Sappi is satisfied with the new solution: “Department heads and other persons in charge are now regularly informed about which external partners currently have access to the system; furthermore, they can determine whether access should be extended or if the person concerned should be locked.“ In the same way, access for customers and suppliers who interact with Sappi’s IT systems via the e-commerce portal is now also controlled.

In the paper production and quality systems sectors, Sappi uses two self-developed applications that encompass a vast range of functions and complicated access structures. These applications are very critical as they have access to highly sensitive data.
Once both systems were analyzed, it was decided to implement the tenfold interface using the Groovy plugin. This is a component that works independently of platforms or manufacturers and is used for integrating third-party systems into company-wide identity & access management structures.
The implementation was carried out by Sappi with the support of tenfold. “Connecting our information systems with tenfold has significantly helped us to reduce the time and efforts spent on user and access management. The quality was also significantly improved because manual input is no longer required. Thanks to the integration with tenfold, we are able to meet all compliance demands without any problems,” says Michael Samastur, Application Manager responsible for information and quality systems.

At Sappi, many applications are provided to users via Citrix. In order to cover this form of provisioning as well, the relevant parts of the Active Directory that control access were made accessible via the tenfold Active Directory group assignment plugin. All that is required now to request and authorize user access to certain applications are a few mouse clicks; no more manual input is needed.

The central administration of user master data is done in tenfold. When modifications are made, all systems in the company are updated with the new data. Every change is logged in order to be able to trace which person changed which data at what time and who approved these changes. tenfold also records in which systems these data were updated. Basic user master data are transferred from the HR system to tenfold and passed on to other systems from there. However, the HR system is not the main system for all user data. “One of tenfold’s greatest advantages is that it allows you to determine specifically which system should be responsible for a person’s individual data,“ says Philipp Straka.

At Sappi, computers, laptops, mobile phones and other components are stored in a configuration management database. In order to establish the links between users and hardware (e.g. PCs, laptops, mobile phones) for tenfold, an interface to the CMDB system was implemented. Based on these links, (i.e. assignments) we can tell immediately what IT services any given user is using. Based on the data derived from tenfold, the cost allocation is made at department level.