"To connect our existing Identity Management System to all SAP systems we have implemented SAP Identity Management (IdM). Not only are the authorizations now transparent, but the management costs are also reduced. The administration doesn’t need to manually assign rights individually for the different systems,” says Berry Denekamp, project manager at the Dutch Tax authorities. In this blog you can read how the Tax Authorities ‘control’ authorisations using Identity Management.
Berry Denekamp, Project Manager at the Dutch Tax Authorities
Within the Tax Authorities, the HIL project was set up; HIL stands for redesign logical access security (HerInrichting Logische toegangsbeveiliging). The goal is for all authorizations within the organization to be transparent and centrally managed. Berry Denekamp is project manager of the team that is responsible for the authorizations of SAP systems. He tells us how the Tax Authorities regulate authorizations and what path was taken to achieve that.
Why do we use SAP Identity Management?
“The reason that the HIL project was created is that our audit department said they are not ‘in control’ of the authorizations within the organization. We had already had a look at SAP Identity Management (IdM) and so realised that this project was a great opportunity to use IdM. Managing authorizations is done centrally in our IMS system. SAP IdM now enables easy connection to all SAP systems.”
“Generally we use SAP for support services, such as the approval of timesheets and visitor registration. The right people don’t always do these tasks. A management assistant, for example, is not allowed to approve timesheets. This isn’t a part of their job, but is instead a job for the manager. Nowadays the authorizations are role specific, providing us with a clean authorization system,” Berry explains.
“We know now that employees have the appropriate rights and that these do not conflict with one another. This allows our policies to be followed. The administration no longer needs to manually assign access rights individually to different systems. Consequently, operational costs are lowered.”
“The integration of IMS with our SAP system offers several advantages to the Tax Authorities. Due to the fact that permissions are clear, there is certainty in saying that we are ‘in control’. Authorizations no longer need to be manually entered for the different systems. This process is now automated by a link to our HR system. Employees with the same function now have exactly the same rights. Authorizations are now transparent, making discussions unnecessary. Employees aren’t able to access systems that they don’t have the authorisation for and so they can’t accidentally make any mistakes,” says Berry.
How long does the implementation of SAP IdM take? What steps have been made?
“So far the implementation has been a very technical project. Half a year has been spent on the project and we can now provision our own development systems with SAP IdM. The first two weeks we ran a Proof of Concept (PoC) to examine whether the system could run on our systems. The next step was the purchase of the necessary software, after which we were able to install IdM.”
“Over the previous three months André Jansen, SAP IdM specialist at The Next View, has linked the systems to SAP IdM. We’re dealing with 50 systems and one line too many can be fatal. André is a good craftsman, and he really knows a lot. He is advising the Tax Authorities on how to implement IdM, together with Wim Dausy, Architect & Senior IdM specialist at The Next View. They have a lot of experience, so I have always followed up their advice. I believe that they must have had a good reason to advise us to first do A and C and only after this to do B. When implementing IdM you have to do it right the first time and in such cases you just need someone who has done it before,” said Berry.
“We are now at the stage in which we are almost ready to provision our own development systems with SAP IdM. We plan to fully utilise IdM in about 15 weeks. Three weeks before fully utilising the system we will release a part of it for the first test users. Until then, we will clean up the system, draw up an implementation plan and design some reporting and provisioning for the employees.”
Our lessons learned
“An important lesson that we learned is that the implementation of SAP IdM is not only a technical implementation. Features are also present. As an organization we had not recognised this. Not only does the implementation have implications for the management organization, it also has implications for a number of the employees. SAP and IMS have a different interface. To integrate both, some aspects will have to be changed. For example, SAP may, in a few places, contain new fields, or these may be moved. Sometimes these processes need to be adapted.
“A concrete example can be found in the question ‘How are we going to provide e-mail?’. Our e-mail addresses are from Lotus Notes and don’t run through the HR system. IdM expects an email address, so we will have to add a link somewhere. All of this is not difficult, but you shouldn’t underestimate it. During the process various functional questions had to be answered. A year ago we had to take a look at all of the inputs and outputs, and so we had faced these functional problems before,” says Berry.
The Tax Authorities are using IMS and SAP IdM to remain ‘in control’ of authorizations within the organization. Authorizations become role specific and can be managed. This helps to ensure that employees have the appropriate rights and that these do not conflict with one another. This leaves you with a clean authorization system. Another advantage is that fewer authorizations need to be manually entered. And remember: SAP IdM is not only a technical implementation. The employees will experience a different way of requesting authorizations and should, therefore, be included in the process.