FSP Software & Consulting developed and owns the Identity
Governance & Administration Suite ORG, which supports processes for
appropriate IT authorization assignment and the regular
recertification of permissions, as demanded, for example, by the current
MaRisk AT 7.2 and MaRisk AT 4.3.1. This is explained below using the IGA
Applications to grant new user rights, or to change or withdraw existing ones, are often initiated by an HR system. Alternatively, authorizations can be assigned through the ORG Process Manager as a self-service within a configurable framework. Workflow systems already used by a company can be connected and integrated into the application process via interfaces.
As part of the process, the software ensures that managers can review and approve the requested permissions.
The ORG Process Manager organizes the whole process; this includes the authorization assignment, the review and the approval process.
After completing the approval process, the requested rights are entered automatically into the central access management system ORG.
The ORG database includes attribute- and role-based rights information, which is provisioned in the following step.
Provisioning is the automated distribution of user account information and permissions to all target systems, no matter what technical platform they run on.
Depending on the target environment, either fine-grained attribute-based authorization information, or, in case of role-based target stores, information about the user and their roles is transferred via connector technology.
Regular auditing of the company's entire authorization store (ORG, RACF, LDAP, SAP, individual systems, ...) makes it possible to identify operational risks associated with user permissions. To create the reports, business intelligence principles are applied. Inspection reports are sent to managers, e.g. to verify accounts, authorization rules and personal permissions.
The audit results are verified by the responsible officials regarding timeliness, internal company rules, legal requirements and other compliance requirements.
New requests can arise after the audit.