I have spent a fair amount of time recently ruminating on compliant provisioning and what comes after it. It is a fascinating mental exercise and if it remained as such, it would be useless. Yesterday, I got to see it in action.
I was at a customer, watching our integration with their provisioning system get installed and configured. It was, as all good software installs should be, quite boring. But what did captivate me was the business case and drivers for compliant provisioning. Though our customer has a mature provisioning system in production, they have yet to achieve fully automated provisioning. Why? Certainly not for lack of trying. Because their SAP environment is large, complex, and ever-changing, they cannot implement a comprehensive set of automated provisioning rules for fear of SoD creeping in.
They already rely on Approva BizRights to do “What If” analysis. It verifies on an ongoing basis that role definitions do not generate separation of duty problems and makes sure accounts don’t contain any SoD problems either. Currently, their outsourced help desk fields access requests. They gather up the roles being requested, use BizRights to perform What If analysis on the proposed account changes, and then route the request on for provisioning.
Instead of an access request flowing to the help desk then into BizRights for analysis, they plan on automating the access request via their provisioning system. By using our “What If” analysis within the provisioning system they can cut out the help desk altogether, eliminating that manual step. A handful of their SAP systems generate the vast majority of their ticket call volume. By implementing compliant provisioning, integrating BizRights with their provisioning tool, they are looking to cut that call volume down to 0 and save a bundle in the process.
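To make the "What If" step concrete, here is a small sketch of the two checks described above: one over role definitions, one over a proposed account change before anything is provisioned. It is an example added here, not BizRights code or the customer's configuration; the role names, permissions, rule ids and the policy of blocking only newly introduced violations are all assumptions.

```python
# Constructed sample data: role names, permissions and SoD rules are
# hypothetical and do not come from BizRights or any SAP system.
ROLES = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_PAYMENTS": {"approve_payment", "run_payment"},
    "GL_ACCOUNTANT": {"post_journal"},
    "VENDOR_ADMIN": {"create_vendor", "approve_payment"},  # conflicts by itself
}
SOD_RULES = [
    ("SOD-01", "create_vendor", "approve_payment"),
    ("SOD-02", "enter_invoice", "run_payment"),
]


def violations(perms):
    """Return the ids of SoD rules whose two permissions are both present."""
    return {rid for rid, a, b in SOD_RULES if a in perms and b in perms}


def perms_of(roles):
    """Expand role names into the union of their permissions."""
    unknown = set(roles) - set(ROLES)
    if unknown:
        raise KeyError(f"unknown roles: {sorted(unknown)}")
    return set().union(*(ROLES[r] for r in roles))


def role_definition_conflicts():
    """Role-level check: roles that break a rule without any other role."""
    return {r: sorted(violations(p)) for r, p in ROLES.items() if violations(p)}


def what_if(current_roles, requested_roles):
    """Simulate the proposed account without changing anything.

    Assumed policy: only violations the request would introduce stop
    automation; ones the account already has are reported separately.
    """
    existing = violations(perms_of(current_roles))
    proposed = violations(perms_of(set(current_roles) | set(requested_roles)))
    new = sorted(proposed - existing)
    return {
        "decision": "route_for_review" if new else "auto_provision",
        "new_violations": new,
        "pre_existing": sorted(existing),
    }


if __name__ == "__main__":
    print(role_definition_conflicts())
    print(what_if({"AP_CLERK"}, {"GL_ACCOUNTANT"}))
    print(what_if({"AP_CLERK"}, {"AP_PAYMENTS"}))
```

A clean request goes straight to provisioning, which is where the help desk step drops out; only requests that would introduce a conflict need a person.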
A couple more of these kinds of deployments and compliant provisioning will be the norm in the provisioning market… and then I’ll be talking to you about what comes next.
Hello,
I am about to implement “what if” analysis at a client – any advice?
Regards
Paul
Paul –
Damn good question. The answer is, and I cringe as I write this – it depends. Implementing compliant provisioning directly depends on how far along the client is with both provisioning and controls monitoring as separate projects. For example, if the customer is just starting a provisioning project, I would hesitate to make compliant provisioning a phase one type activity. The hesitation is not due to any technical hurdles that compliant provisioning could put up, but is more due to the fact that the first few phases of a provisioning project are critical to the success of the overall project. Those first phases are typically the place where you are looking to show quick wins with basic connectivity, self-service password management, and provisioning to a few target platforms like AD and email. This being said, starting to plan for compliant provisioning from the beginning is an excellent way to gain more supporters for the provisioning project and show your customer a clear roadmap for achieving further automation via provisioning.