A Global Manufacturing Powerhouse
These are an instantly recognizable global manufacturing powerhouse. Electricity, gas, power, digital, financial services, you name it; the list goes on (and on, and on). Though they ‘only’ have over 350,000 employees in more than 200 regions/countries, they have a business-related presence (office, warehouse, facility, etc.) in almost every country in the world. It’s fair to say that many other household names [likely] aspire to be this household name! Naturally, with such size and presence, from an IAM perspective, it’s not going to be without issues.
Initial situation
This client’s existing situation saw their identity lifecycle being manually or semi-automatically managed by over 140 external service providers. All of whom had direct access to Active Directory. Consequently, they had struggled to enforce any agreed standards and conventions for object management in Active Directory.
Because they lacked a consistent identity management process, 2 major problems existed:
- lengthy account creation processes
- idle time for affected employees.
As part of our initial phase, a variety of time-consuming clean-up activities were conducted.
Unique differentiators of the solutions
The outcome was:
- to implement a solution that allowed for a fast turnaround time of IT requests
- adoption and enforcement of a single global identity lifecycle process
- day 1 readiness for new employees joining the company.
In addition, it should also be:
- flexible—to enable delivery a variety of services to targeted user groups, such as individual countries, without affecting others
- adaptable—to respond to constantly evolving business requirements.
To support future expansion, a more robust and less cumbersome platform was needed. One that would be more efficient in managing the ever-changing number of OUs, products, new countries and users, as well as increasing number of on premise and cloud applications.
Implemented solution
Phase 1
Focused on building the necessary infrastructure for future expansion of system capabilities and establishing an interface to their corporate directory. EmpowerID configured a data synchronization process for identities based on their corporate directory data as the golden source, and implemented a logic to detect joiner-mover-leaver (JML) events. This will provision a fully and securely automate JML process, allowing users access to the necessary resources from day one as well as revoking access when they leave the organization. In addition, EmpowerID delivered customized reports that help this client to analyze data quality and effectiveness of governance processes in the world’s largest AD.
Phase 2
Phase 2 introduces fine granular permission management. This is done using EmpowerID’s polyarchical RBAC combined with ABAC authorization model, UI customizations and custom identity dashboards for admins and OSPs. Furthermore, EmpowerID is being configured to automatically update accounts in Active Directory based on data coming from their corporate directory. This will ensure data quality in the Active Directory and adhere to the organization’s specific identity management standards.
Phase 3
The next stage of the project will include the following:
- Office 365 mailbox permissions removal enforcements and custom reports about permissions in violation of policies
- custom mobile usage reports that include detailed information about mobile clients used to access O365 mailboxes
- as well as Office 365 license management, including request fulfilment and Service Now integration.