Assignment and Control of User Rights

FSP Software & Consulting developed and owns the Identity Governance & Administration Suite ORG, which supports the processes for assigning IT authorizations appropriately and for recertifying permissions at regular intervals, as required, for example, by the current MaRisk AT 7.2 and MaRisk AT 4.3.1. This is explained below using the IGA lifecycle.

Identity Governance & Administration (IGA)

IGA Lifecycle

Explanation of the IGA Lifecycle

Request

A request to create, change or withdraw user rights is often initiated by an HR system. Alternatively, authorizations can be requested through the ORG Process Manager as a self-service within a configurable framework. Workflow systems a company already uses can be connected via interfaces and used for the request process.

Policy check / approval

As part of the process, the software ensures that the responsible managers review and approve the requested permissions before anything is granted.

The ORG Process Manager orchestrates the whole process, including the authorization request, the policy check, the review and the approval.

Administration

Once the approval process is complete, the approved rights are entered automatically into the central access management system ORG.

The ORG database holds both attribute-based and role-based rights information, which is provisioned to the target systems in the following step.

Provisioning

Provisioning is the automated distribution of user account information and permissions to all target systems, regardless of the technical platform they run on.

Depending on the target environment, connector technology transfers either fine-grained attribute-based authorization information or, for role-based target stores, information about the user and their roles.

Audit / Reporting

Regular auditing of the company's entire authorization store (ORG, RACF, LDAP, SAP, individual systems, ...) makes it possible to identify operational risks arising from user permissions. The reports are created using business intelligence principles. Inspection reports are sent to managers, e.g. to verify accounts, authorization rules and personal permissions.
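To make the provisioning and audit steps concrete, the following is an added illustration written for this page; it is not FSP's or ORG's code, and the central store, role model, connector names and target-system records are all constructed assumptions. It provisions one central identity record to an RBAC-style target (roles only) or an ABAC-style target (attributes plus effective permissions), then audits a target against the central store to surface orphaned accounts, missing accounts and entitlement drift, and finally runs a segregation-of-duties check of the kind the recertification step is meant to catch.

```python
"""Toy IGA provisioning and audit round trip (added illustration, not FSP/ORG code)."""
from dataclasses import dataclass, field


@dataclass
class Identity:
    """One record in the (assumed) central rights store."""
    user_id: str
    roles: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)


# Constructed role model: role name -> fine-grained permissions (assumption).
ROLE_PERMISSIONS = {
    "trader": {"book_trade", "view_positions"},
    "auditor": {"view_positions", "export_report"},
}


def provision_rbac(identity):
    """Connector for a role-based target: send the user and their role names only."""
    return {"user": identity.user_id, "roles": sorted(identity.roles)}


def provision_abac(identity):
    """Connector for an attribute-based target: send attributes plus the
    effective fine-grained permissions derived from the role model."""
    perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in identity.roles))
    return {
        "user": identity.user_id,
        "attributes": dict(identity.attributes),
        "permissions": sorted(perms),
    }


CONNECTORS = {"rbac": provision_rbac, "abac": provision_abac}


def provision(identity, target_type):
    """Dispatch one identity to the connector matching the target store type."""
    return CONNECTORS[target_type](identity)


def audit_target(central, target_type, target_state):
    """Reconcile what a target actually holds against what the central store says.

    central:      {user_id: Identity}
    target_state: {user_id: record as read back from the target system}
    Returns a list of (finding, user_id, entitlement) tuples.
    """
    key = "roles" if target_type == "rbac" else "permissions"
    findings = []
    for uid, actual in target_state.items():
        if uid not in central:
            # Account exists in the target but no identity owns it (leaver, test account, ...).
            findings.append(("orphaned_account", uid, None))
            continue
        expected = provision(central[uid], target_type)
        actual_set, expected_set = set(actual.get(key, [])), set(expected[key])
        for e in sorted(actual_set - expected_set):
            findings.append(("excess_entitlement", uid, e))
        for m in sorted(expected_set - actual_set):
            findings.append(("missing_entitlement", uid, m))
    for uid in central:
        if uid not in target_state:
            findings.append(("missing_account", uid, None))
    return findings


def sod_violations(central, conflicting_pairs):
    """Segregation of duties: identities holding both roles of a conflicting pair."""
    out = []
    for uid, ident in central.items():
        for a, b in conflicting_pairs:
            if a in ident.roles and b in ident.roles:
                out.append((uid, a, b))
    return out


# Constructed sample data (assumption): central store and one RBAC target's actual state.
CENTRAL = {
    "alice": Identity("alice", {"trader"}, {"department": "trading"}),
    "bob": Identity("bob", {"auditor"}, {"department": "audit"}),
    "dave": Identity("dave", {"trader", "auditor"}, {"department": "trading"}),
}
RBAC_TARGET_STATE = {
    "alice": {"user": "alice", "roles": ["trader", "auditor"]},  # extra role crept in
    "bob": {"user": "bob", "roles": []},                          # role never arrived
    "carol": {"user": "carol", "roles": ["trader"]},             # nobody owns this account
}

if __name__ == "__main__":
    for f in audit_target(CENTRAL, "rbac", RBAC_TARGET_STATE):
        print("finding:", f)
    for v in sod_violations(CENTRAL, [("trader", "auditor")]):
        print("SoD violation:", v)
```

Each finding maps to a recertification action for the responsible manager: an orphaned or missing account is an account-level decision, excess or missing entitlements are rule-level decisions, and an SoD hit is a functional-separation question that typically forces a new request to remove one of the two roles.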

Compliance / Verification

The responsible officers verify the audit results for timeliness and against internal company rules, legal requirements and other compliance requirements.

The audit can in turn give rise to new requests, which start the cycle again.