The IT infrastructure of the company includes dozens of information systems that use both Active Directory credentials and local system credentials for authentication and authorization of users. Designated officials administer access rights and audit existing rights. Requests are made via Service Desk and are processed in accordance with current regulations. However, it became harder to maintain existing automation mechanisms and implement new ones due to the growing number of users and information systems. Other prerequisites:
- No single electronic catalog of information systems was available;
- Auditing a user's access rights was time-consuming and required access to several distributed data feeds;
- Staff information synchronization tasks were partially automated;
- Dismissal of a staff member required too many manual actions.
The project aimed to automate access request processing and to provide centralized management of user credentials.
The solution proposed by Digital Design was aimed at reducing the time for creating and processing user requests and minimizing the number of human errors in managing access rights. Based on the licensing model used by the company, Microsoft Forefront Identity Manager 2010 R2 was chosen as the main solution.
It linked employees, information resources owners and IT specialists, and provided access to the following modules:
- catalog of information and material resources with automatic updates;
- tools for making requests for access to information systems;
- means of access coordination and notification of responsible employees;
- a repository for history of changes and current status of access to systems and resources.
Access to the system's functionality is provided through a web portal that has a user-level interface for access rights management and administrative tools for audit and monitoring.
The new system combined staff information systems, corporate directory services, help desks and individual information systems into a single metadirectory. It automated the handling of HR department activities (employee hiring, leaves, transfers between departments or positions, dismissals) for employees in more than 100 cities.
The system is available to 3000 employees for use in daily activities. On average, 1000 requests for changing access rights are generated per month.
In addition, the process of making requests has been significantly simplified and streamlined (a user can select a system from the catalog instead of filling out a form and looking through several lists of information systems). Processing such requests now takes less time, because approval requires pressing a single button. Details of user and system actions are saved as a model of the current distribution of access rights and as a change log for possible future audits.
The following processes were automated:
- initial preparation of accounts, sharing access rights and generating notifications when an employee is hired;
- conducting an audit of existing rights for HR activities;
- blocking, notifying and removing employee access rights in case of dismissal.