Governance for services and entitlements

Safe, automated, reliable

Consistent

Automated check

Not everyone likes to end services. Use IT not only to manage services, but also to authorizations, accounts and accesses in particular.

Some access or account can certainly be assigned for a limited period of time. SavvySuite not only enables automatic terminations, but also supports regular checks of the assigned accounts and authorizations, our so-called recertifications, based on sets of rules with cyclical or triggered by organizational changes.

Either an employee himself confirms that he still needs an account, or a responsible person determined on the basis of the context confirms that an employee may continue to use a service, an account or an authorization.

A service catalog is not always just about status symbols

Who is actually allowed to order an iPhone and are there then also approvals. A service catalog is not always just about status symbols, technical dependencies or organizational conditions in the company. Aspects such as data security and costs often also play a central role. And it is not only the service catalog that is relevant as a central entry point; changes to the employee or time requirements can also mean that the further use of a service by an employee requires rules and, for example, further approval.

Not every employee may order every service or authorization
Service processes depend on the organization in which they take place
The context of an employee includes not only who he is, what positions he holds in the company, but also what service he already uses or has already ordered. This determines what he sees in the catalog
Even if an employee cannot order a service, he must be able to understand why this is not possible. An intelligent catalog will only help him if it explains why something is not available for him to order, for example
Governance takes place not only in the catalog, but also in the processes. What conditions something else, what may also have to be terminated or who releases it
Not all services and authorizations may be used indefinitely; many must be actively renewed after a certain period of use. In addition to costs, security also plays a decisive role when accounts or authorizations have to be actively extended. (see SavvySuite recertification)

Manage employee entitlements

Who has what authorization, since when and why? Who can answer this question and who cares at all as long as nothing happens?

Niemand will sich darum kümmern, dass er Passierschein A38 braucht. In der modernen IT Welt, müsste man zusätzlich vermutlich noch angeben, Passierschein A38 für Account B65.C (Quotas see Movie Asterix in Egypt)
No employee who is supposed to do a task understands this, only IT
Solutions must be created that either automatically assign the access, right or service, or the employee must be enabled to find and order the appropriate authorizations themselves

Reconciliation – The target/actual comparison and making the right decision.

When it comes to permissions, directory services or other services, the question often arises as to what is actually available and is it even true. The classic inventory. In every enterprise resource planning system there is a target status, what should be in stock or in use, and an actual status, what is actually still in the warehouse. The same is often true for IT. What should be is determined by the identity management system. Because only here are the sets of rules and automatisms mapped and the releases made. If the actual state in a target system, such as a directory service, deviates from the target state, there is a problem.

There are accounts that should not exist. They are not assigned to any employee and are not known in the IDM system. These must be identified by means of a target/actual comparison
If a deviation from the target state is detected, there may be different measures to be taken
A deviation can be approved subsequently, thus the actual state is transferred to the target state. From this point on, the use of the service can be managed regularly.
A deviation can be reported, presumably a defined process was violated here. If necessary, it can be ensured that such a violation is no longer possible in the future
The target state can be established by correcting the target state via regular processes. For example, an account’s membership in a group is automatically removed. Of course, combinations of the scenarios are also conceivable

Recertification – Is this still needed?

The trainee goes through various departments in the company and diligently collects authorizations and services in each department. Who has never heard of this example. In reality, it’s often not quite as bad, but a collector mentality, often referred to as “a lot helps a lot,” is actually quite pronounced. However, no one likes to quit something on their own and not everything can be sensibly taken away automatically. Therefore, it is important to question the need for an authorization or the use of an expensive software from time to time and, based on this, to cancel it automatically. This can be done either by the user or by someone who is responsible for a service or area.

Recertifications confirm that a user can or may continue to use a service
Recertification of service usage can be done on a time basis. External employees are often only registered for a limited period of time, which is a classic case in identity management. Authorizations or IT services, such as expensive software, are also recertified after time intervals
A recertification can be initiated, for example, by the person responsible for a service in order to check who actually still needs his service
Recertification can take place in the event of a change of employee in the organization. Often, one does not want to map all organizational rules and regulations in detail and lets a person decide in the context of a recertification which services the employee may continue to use
Of course, there are many other situations that can trigger recertification of service usage. Importantly, recertifications help cancel services that have been ordered but are no longer needed and proactively avoid security breaches

Why IDM with SavvySuite

Because SavvySuite ensures that security gaps caused by orphaned accounts and permissions are closed
Because SavvySuite ensures that costs for unneeded IT services are reduced
Because SavvySuite finally bridges the gap between HR/HCM and the IT service processes
Because SavvySuite offers the user a modern frontend for the self service that he likes to use and in which he finds his way.
Because it works and we don’t just promise it. IDM has been part of the SavvySuite DNA since 2006. Governance cannot work without Identity Management

Our Success Stories

Deutsche Telekom

Before implementing the SavvySuite, Deutsche Telekom IT GmbH faced significant challenges.

EnBW

EnBW Energie Baden-Württemberg AG faced inefficient and time-consuming processes in providing IT services to its employees.

T-Systems

T-Systems faced the challenge of finding a unified solution for the complex ordering and management processes of application access for its employees.