Good afternoon or good morning, ladies and gentlemen, wherever you are. Welcome to this webinar, "Regaining Control with IGA Solutions: How to Easily Model, Optimize and Govern Your Role and Entitlement Structures". This webinar is supported by Nexus. The speakers today: this is me, my name is Matthias, I'm Director of Practice IAM at KuppingerCole, and I will later be joined by Dr. F, CEO at Nexus. Before we start, some information about KuppingerCole, the obligatory housekeeping notes, and a look at today's agenda. First of all, a few words about KuppingerCole.
KuppingerCole provides content and services on identity and access, cybersecurity and artificial intelligence, and we do this in a variety of formats to get in touch with you as our customers.
First of all, the most important part for many of us is the research. We provide research documents in various formats, starting with the Leadership Compass, which provides an overview of a market segment, where we identify leaders and compare solutions with each other.
This goes down to smaller, more concise and compact documents such as Executive Views looking at products, Leadership Briefs looking at strategic and technological trends, and Advisory Notes, which are more elaborate and provide more in-depth information about topics, vendors and products and services. A second part that is of importance for KuppingerCole is our advisory, where we help end-user organizations and vendors through different products when it comes to strategy definition, portfolio design, technology decisions, and also the execution of projects.
So we can help you with our advisory. And the third part, very important for many of us as well, is our events. We have different events coming up: next week there will be the Digital Finance World and the Blockchain Enterprise Days, held jointly in Frankfurt.
And later this year in Berlin there will be the Cybersecurity Leadership Summit and the cyber access summit, where you can meet both of today's speakers: Dr. F will be there from Nexus, and I will be there as a moderator and giving some talks as well.
So I'm looking forward to meeting you there in person. The housekeeping: first of all, all participants are muted centrally. We are controlling these features, so there's no need for you to change any of these settings. This webinar is being recorded, and the recording will be made available as a podcast in the next days. We will also provide the slide decks as PDFs for download, so you don't have to take notes; you can just download all the material and even re-listen to the recording. Very important for you as participants:
we are eager to answer your questions later in this webinar, in the third segment. So there will be a Q&A session at the end of the webinar, and you can enter questions at any time using the GoToWebinar questions panel, regarding my part or the presentation and demo of Dr. F. So if you have any questions, please type them in and we will follow up on them in the Q&A session.
A short look at the agenda. The first part will be my part, where I will have a look at the role of roles for access governance, so a short, more analyst-view part in the beginning. Then Dr. F will take over and give his insight into tool support for the overall process of role and entitlement maintenance and governance, and he is especially focused on integrating business expert know-how into that. So that will be interesting: fewer slides, more demo, so you can really look forward to that. And then the third part, as already mentioned, will be the Q&A. So please add your questions so that we have a good basis of questions to start with right away when the Q&A session starts.
So that's it for the housekeeping and the introduction, and everything before the actual story begins.
And it begins now with my part. First of all, I want to start with one important aspect that, for me as an analyst, is of high importance, because access risk is not something limited to an IAM team or to a system. Access risks are always to be considered business risks, and every access should be considered critical, as it represents a potential negative impact on the IT of the organization.
So we usually start looking at this from an IAM perspective, from identity and access management, and then we see access risk, and we see examples below, such as fraudulent access.
And we often run into problems when it comes to financial risk, regulatory risk and the risk of leaking data such as intellectual property. But it is not to be looked at as something isolated; this is something that we should consider in a complete enterprise context.
So an access risk, of course, is also an IT risk, and that influences the overall IT, because IAM is nothing that runs for itself. It always supports infrastructures, applications, systems, cloud systems that handle this information.
So it requires an approach that maps access risk to the overall IT risk perspective. So we are getting up one step on the ladder: we get to the IT risk perspective, and there we add something like cloud risks and business continuity management. The next level, of course, is business, and you see the CxO at the top.
So this is the level where IT risks really become, or they always have been, but here they become visible as business risks. And they must become visible because they have a direct impact, not only on the organization, but also on the shareholders of an organization.
And when an IAM access risk becomes an IT risk and becomes a business risk, it might end up in costs, in fines that need to be paid, or just money that is not earned. And that puts the overall enterprise and its value at risk, and that might even lead to bankruptcy.
So access risk, when you look at access governance, is something that is really tangible, really business critical. So what we are talking about today, access governance and role management and role design and role reification, is something that is very much business related and should be considered as such.
So, quite simply, then the question: why access governance? If we understand access management as being the control of risks, then at that point we can easily answer that question, because we need to make sure that the following items on this list are just not happening, that they are not instantiated. So first of all, that would be the prevention of illegal transactions. That could be something like violations of SoD rules, so that somebody can approve their own requests.
And of course also something like illegal transactions when it comes to embargoed companies or countries and having trade with them; that should be prevented, and that should be managed in access management and access governance. Of course, fraud needs to be prevented, and that includes fraud in a broader sense.
So it's really the abuse of data, of information, of processes due to the excessive use of entitlements, or due to excessive entitlements.
So that entitlements are too large, too big, and enable the assigned persons with too many individual entitlements. Information leakage is something that is getting more and more attention, and it's happening all the time. I don't know how many such leakage or breach notifications you receive on a weekly basis. So it's really important to make sure that access management and access governance take care of information leakage, to make sure that sensitive data is only accessed when really required. And that is a common challenge.
It is not only leaking data that is of importance; also modified, manipulated, changed data is something that needs to be prevented. So nobody should have access to data, especially not write access or modify access,
when it's not required from a business perspective, because changing business-critical data can be the basis of fraudulent actions, especially when it comes to critical data, and it often goes unnoticed. That is mainly a challenge. So making sure that it cannot happen is a good first step to prevent changed or manipulated data.
And manipulation of course can also lead to data loss: the deletion, the vandalism, when an unhappy employee leaves the organization and has access rights, write access rights to systems. Deleting data is something that you really want to prevent them from doing. So this is something where access governance comes into play.
Of course, external attacks. This is something that we read in the top line of the news ticker when it comes to cybersecurity, and of course external attackers are after the accounts with critical access; again, access.
So access management and access governance have to make sure that we understand and even detect unjustified access via accounts that are valid in every other way, but are taken over by somebody who uses them in an unexpected manner. That is also the role of access governance, access intelligence:
understanding who is really using an account. When all this happens, that can immediately lead to reputational damage. So when PII, personally identifiable information, leaks, or other sensitive data, be it the blueprint of your flagship product, that can cause severe reputational damage. And that needs to be prevented, and here access governance comes into play. And of course, when it comes to external attacks and reputational damage, the final point is industrial espionage.
When it comes to nation states or other organizations trying to get hold of your sensitive information, intellectual property, that also is something that access governance has to take care of.
So access management needs to be as restrictive as possible: only the access that is required. Access governance has to make sure that this is monitored, that what is taking place is audited, and that unexpected behavior is identified.
So access governance, together with the slide we had before, is really something that is business critical, and it needs to be understood as something that organizations and their IAM team take care of, and the business should be involved. And the way that we typically model access rights is roles.
And I've told you that this part of the webinar is called the role of roles for access governance, and it is important. So this slide is about what can actually go wrong and what you should take care of when it comes to role management. First of all, many organizations overestimate their organizational maturity, to put it politely.
So usually roles are derived from an organizational structure, from a location, from a company, from a country, maybe a branch where it's located, but often these job descriptions are not well defined.
They are not fully reliable because they're based on a not very stable organizational structure. So that leads to clearly specified business rules being missing. So improving the organizational maturity to have the quality of data available to derive roles from is one crucial point that organizations should take care of when they have roles and when they maintain their roles. Experience is of importance when it comes to role management, because end-user organizations, of course, are somewhere on the learning curve when it comes to using role management.
So they heavily rely on vendors, on integrators, on consultants, sometimes on analysts. And at least the first three tend to fail when it comes to providing specific role management experience.
So it's really of importance that these processes are executed in a stable, reliable, experienced manner. And that is often an issue. Complexity can be underestimated, because role management is an inherently complex challenge by nature. And that is true because we have many dimensions; I've mentioned a few before. So it's really location, the organization type.
Maybe there are some projects that need to be taken into account as well, not only the usual line organization. So dealing with complexity is really an issue and should be done in a top-down refinement approach. This is often not fully understood, or it really shows up later in the process: to understand, hey, it's really complex and we need to take care of that. And it also requires an adequate level of abstraction.
So unclear role definitions make it difficult for people to order the right role, to identify the right role to use, and to make sure that the technical role, the IT role, is well understood on the business level and vice versa.
And that is something that really leads to the next point. So a common language for all participants is really of importance, because IT people usually don't speak business-speak, and the same is true for business people, who usually don't speak IT-speak.
So there needs to be a translation layer and interfacing layer between business and IT, and maybe other involved participants, say legal or data protection. There are many aspects and many teams that need to be involved, and they all have to agree on a common language, because business context is crucial, but in the end, it's IT systems that support the business. So there needs to be an intersection here. And of course there need to be well-defined downstream processes, because all the subsequent processes rely on consistent, well-documented role management.
And if an organization does not understand the prerequisites for these processes, be it in business directly, or in other processes, say audit, then there are problems ahead when it comes to dealing with role management. And when role management goes wrong, there are clear indicators for that. And I guess some of the participants of today's webinar will recognize some of the issues that they have come across. Of course they have solved them afterwards, but there is a list of many indicators that show that something is not fully perfect when it comes to role management.
I won't read them all out, but there are many good examples in there. So too many roles, too granular, the role explosion, so that there's a role for every job description or even a role for every person. So the role concept has gone totally wrong at that point when you have too many roles, and that is usually when you want to make things too good, too perfect, too granular. Old roles, an incomplete set of roles, not well managed, low-level technical roles.
Yeah, business was not involved when it comes to modeling the roles.
And that usually ends up with the staff members, with employees, looking at the role shop in their request tool, and they don't really know what to order at all, because they don't understand the role name, the role description, if any. So that is usually a big problem. More complex, but still out in the wild, of course, are management failures. And there are many more of these. Another extreme is the too-big-roles issue. So if you say, okay, let's get away from these too many roles
and from this role explosion thing, and get to more basic, more standard, yeah, basic roles that can be assigned to many people, these tend to be too large and to give too much access. And that of course is a violation of the least privilege principle when it comes to big roles.
Yeah. Roles without owners.
The final point that I want to look at here is really something that we usually put our finger on, because roles should have an owner, or role groups should have an owner, because these are the people that have to take care of the life cycle of a role, not of the assignment of a role to a person, but actually of the role itself, to make sure that it has an adequate life cycle over time and is retired at the right time when necessary. My final slide is some recommendations.
Now that I've pointed out what can go wrong in very much detail, we want to make sure that role management is executed in an adequate manner. So the first thing is really to understand the real scope of role management, and that is what was in the slides before: really understanding that we use it for managing risk, for managing enterprise scope, strategies. Roles need processes and a life cycle. And that is of real importance because we need to make sure that these roles are the basis for access management and access governance.
And that can only work if you involve all the required stakeholders within an organization. It's not enough to have IAM being done by IT. You have to involve business and audit and maybe other teams as well, data security, to make sure that these teams also contribute their expertise when it comes to role management.
And the final part is really to say: embed your role management, your access management, your access governance into your architecture, but also into your processes, into your daily workspace, so that you can really integrate it into every user's daily routine,
so that processes and implementation are really at the fingertips of all people involved. And that is not only IT, not only the IAM team, but everybody who requests, who approves and who recertifies roles and access, who works in access management and access governance. And that should be business. And that's it for my part here. I want to hand over to Dr. F, but I want to remind you to add your questions to the questions panel in the GoToWebinar software on your screen. So if you have any questions for my part, and then later for Dr. F's part, please enter your questions there. And now I would like to hand over to Dr. F. Welcome, Dr. F.
Hello from my side. My name is Lodi F. I'm very happy and pleased to meet you all in this webinar. Thank you for the nice introduction. For the next about 20 minutes, I'm going to talk about role analytics and role governance, or entitlement governance, in practice. And before I start, I'd like to stress two points in my presentation
and later on in the software demonstration of practical use cases. As Matthias already introduced, the topic of access governance or role governance or entitlement governance, whatever you might call it, can only be tackled if you have specific analysis and tool functionality that allows you to analyze your access data, your existing access data and your future state of access data, in detail; functionality which is not standard IAM system functionality, especially when it comes to communicating with your business experts or business units.
And on the other hand, I'd like to stress that even though you might end up with a tool that heavily supports you in that process, it still remains an organizational challenge which cannot be solved by a pure tool-based approach.
Just a quick word about Nexus. Nexus originally has been a university spin-off in Germany. We have been active for more than 10 years now. We're only active in the area of IAM, and within that area, specifically, we are focusing on role modeling, role management, role life cycle management, maintenance, and access governance.
So in our daily projects we are always dealing with creating roles, ensuring that role models or entitlement models are up to date, analyzing critical entitlements, doing cleanups and all those things. We do our job with our product Nexus Control. Nexus Control is an analytics and role modeling and maintenance engine, and later on, in two slides, we're going to see how that works together with an existing IAM solution. The software itself is not limited to any industry sector or any application system like SAP, Active Directory or whatever you might run in your infrastructure.
It typically works together with any IAM system that you might have in place, or you might even have more than one IAM system in place; I'm going to show you how that works in a minute.
Following up on Matthias' presentation, I would argue that access governance within organizations most of the time is still at a very low maturity level. You might find many, many companies which have already set up manual detective approaches for access governance, which could, for instance, be company-wide access re-certification or role model re-certification, or could be manual cleanup processes driven by IT.
However, this leads to a lot of work. Plus, if you have millions of access privileges and you do manual access re-certifications every year, every six months, for instance, or even more often, it involves many business experts. Plus, our practical experience shows that in most of the cases, actually all the business experts click on "everything's okay", so we have less than 1% of the business people, or 1% of the existing assignments, that typically are removed or revoked in an access re-certification campaign, at least within our customers.
So what the companies all try to do is climb up the ladder of access governance maturity by introducing automated detective approaches in the very first place, to automatically figure out which entitlements are not correct any longer, which roles might be insufficiently modeled, which roles could be optimized.
Imagine situations where you onboard new applications to your existing IAM system, and those new applications deliver thousands of entitlements within that local application. And those entitlements need to be, or could be, bundled in already existing roles.
Or it would make sense to come up with new roles just for that application. So what you'd like to have is an automated mechanism that tells you which of the existing roles could be a good fit for the entitlements coming from that new application that is onboarded to your IAM. In the long term, most of the organizations would like to end up with an automated preventive approach: no longer just detecting necessary changes in roles. Imagine a simple situation where there's a huge restructuring in your organization.
If you model departmental roles, or any roles that are related to your organizational structure, and the organizational structure changes, then you have to rework the roles that have been affected by those changes.
And you can do that in a detective manner, after the changes have been executed, or you could do it in a preventive manner.
Obviously you need intensive tool support to do that at a large scale, while it still remains an organizational challenge. In terms of tool support, the functionality that is required for executing access governance on a higher maturity level: on the one hand, you have to be able to analyze millions of data sets. You have to be able to simulate role structures or entitlement structures before you actually model them. You have to know in advance whether it is necessary to remodel roles.
And you know that by automatic recommendation mechanisms, by data visualizations, as we're going to see in a minute, you can do remodeling. You need some sort of business expert communication, so you have to display very technical data to business experts without confusing them.
You have to integrate access governance into role life cycle processes. Matthias, just a minute ago, mentioned a role shouldn't be without an owner; so every role should have a role owner.
So what you'd like to do is, if you notice there has been an event that a role owner left the organization, you automatically want to trigger role update processes in a business-understandable fashion. You might ask the substitute owner for a new owner; you might ask some group in the IT department for a new ownership definition, and then re-route that through workflows that you defined prior to that event. What we deliver is such an analytics and role engine, which fits your IAM system by extending its functionality. So we work with every IAM system.
We are typically responsible for strategic entitlement and role governance, so all the functionalities that you've seen on the slide before. We don't do any provisioning.
We rely on your existing IAM solution to do all that: the password services, every other IAM service that you might have in place. And for the remainder of this webinar, I'd like to show you two demo use cases, namely, on the one hand, how can you understand complex authorization data and manually detect and process role changes?
So basically the lower level of access governance maturity. And then the second use case will follow up and talk more about the higher levels of maturity by automatically detecting and simulating role structures and role changes, based on a recommendation system that we modeled. So at this stage, I'd like to jump into our analysis software, which is called Nexus Control. I prepared the screen, so I'm not going to click too many points or buttons in the software, in order not to confuse you.
But for the first example, for the first use case, imagine organization, which are already defined roles years ago, partly, or for the full organization, they defined internal employee. They defined location roles for the locations. The employees work at departmental roles and functional roles. They still have remaining direct entitlement assignments, which have been initially loaded into the IM. They might have never been cleansed or new entitlements might have been created that haven't been added to the existing roles properly.
So in my example, right now, you see a very small controlling department in my demo organization, which comprises of 35 employees. And what you see on the right side is you see the employees depicted as single roles and you see the access privileges those employees are assigned to in blue squares or colored squares, colored squares represent all the entitlements that are already covered via the existing business roles.
Blue squares represent entitlements from any system, which are not yet modeled in roles.
And if I look at one specific role, the controller role, you see that I colored the rose and it's colored by the function attribute of an employee. And there's lots of controllers working in that department. There's some support staff down there with less privileges, but the controllers are here. And remember the first step on, on, on the maturity level stairs was the manual detection of necessary changes.
And in the right side of the picture, you see manually, you're able to see that there are entitlements, which are not yet bundled into the role controller, which could be bundled in that role. So manually this visualization would give you the opportunity to add those entitlements to a role. And prior to this webinar, I defined a workflow saying if I do so I'd like to ask the role owner for approval.
If it's okay to add this entitlement, if he or she doesn't respond this and substitute owner escalation.
And if it's a critical system entitlement that you want to add to this role, then there's a second step of approval in my defined redefined workflow. So if I would click add entitlements to role and select the controller role, then basically I would end up with, if I'd use the approval workflow executing this workflow, I'm not gonna do that for now. I just wanna tell you, this is how it would work. If you manually do this.
However, imagine you are working for a large corporation with hundreds or thousands of roles. Just imagine you have 200 functional roles defined. You would actually have to click through every role every day to figure out whether it's still valid. If there's optimization recommendations that you could well realize. So what we did is instead of offering you just a pure manual approach, we also offer views that automatically detect for each function role right now in this picture, you see roles in the rows.
And again, entitlements in the columns automatically detects.
According to the function of employees are their access rights, which are assigned to 100% of all the 31 controllers. In my example. And now I see the controller role, which earlier has been displayed here. And I was able to see there's three access privileges that are assigned to every single employee, which is assigned to this controller role. You see that in this picture, in this one role, it's the same three entitlements. What this picture helps us is it automatically shows you for many, many roles, whether there are assignments of entitlements, which could be added to this role.
This allows you to analyze hundreds of roles in a very short period of time. However, it still is a manual task.
You, for instance, could say, I'd like to highlight the entitlements that have been identified according to the criticality.
And then I could sort this visualization and say, there's high critical entitlements. I don't want to bundle them into roles. I just want to bundle the medium critical entitlements. So I could exclude the high risk entitlements, just as an example, however, still a manual task. And in order to further improve that we additionally came up with a recommended system, which can use to automatically detect such necessary or potential changes to your roles or any entitlement.
It's not just limited to roles. It's not limited to static roles. It's not limited to dynamic roles, which you might already operate in your IM system. For instance, saying every internal employee in that department should get an access, right? A to zap. We also call roles what you might call attribute based access. So we would call it dynamic roles. It also works for your attribute based rules. You can do the same for them, but what we did, we came up with a recommended system, which allows you to not operate on the level of single roles.
It allows you to operate on a concept meta level.
That means you define your role concept. And this role concept might look very similar to, or very familiar to many of you, you might have defined some sort of basic roles, and then below them, you might have defined some location roles, very generic company, area roles, then departmental roles, functional roles you might have remaining direct entitlements. You might have entitlements that have been correctly ordered by your IM system.
For instance, one identity would, would you, if you operate one identity as IM system and you order entitlements via the one identity shop or AADA system or say point system, it doesn't matter. Then you might like to differentiate the ordered entitlements from the remaining direct initially loaded entitlements that never have been cleansed. In my example, we are gonna look at, for instance, the basic roles.
There's just the three basic roles for externals, internals, and trainee, and the software already generated automatically generated recommendations, saying I found seven suitable system entitlements for, for instance, those basic roles. And if I click on the internal role, you'd see I identified three potentially valid entitlements for this business role, going down that three to our functional roles.
Again, you might find the controller role and it already identified the suitable system entitlements for the controller role. The point is it's not limited to suitable system entitlements. Our recommendation system would recognize if roles are missing or if there are excessive roles, if roles are empty, if the assignment rules are wrong. So we have a bunch of use cases that we are able to automatically detect, detect, and provide recommendations to. On the one hand year, it modeling staff. So imagine there's two or three employees responsible for the role concept in your organization.
They might be fed with input saying, I only wanna show roles with recommendations in the normal data view. You could limit the data view to: please, software, just provide me roles where you think I should do some update or some changes. They also obviously allow you to automatically process those recommendations according to predefined workflows. So you could say, every time I identified a missing dynamic role, or, as we've seen in our controller role, suitable system entitlements, I'd like to automatically process that to the role owner, to some IT group. I wanna send out emails.
I wanna trigger my IAM system or even my ServiceNow or Remedy system that I might have connected to our software. This would then further automate the process, because what the software is able to do: every time someone directly orders or assigns entitlements to employees, even though they should instead order business roles that already exist, the software is detecting that.
It is generating recommendations and tells you that there's an employee who has been assigned many entitlements directly, even though he or she should rather be assigned to a certain predefined business role. So you automatically are able to detect misconfigurations. Plus you can do simulation exercises within your role concept. As you see here, the software automatically detects that 17.1% of my existing assignments could be bundled in basic roles. And I could also add the current view: currently only 8.6% of my entitlements are bundled in the basic roles. Why?
Because there are suitable system entitlements that still are not included in the roles, even though they could be included, and the same holds for location roles and for other roles. Actually, if you look at the location role, you see that right now 10.1% of the assignments are assigned via location roles; in the future,
it will get less. Why? Because many of those entitlements could be bundled in the more generic basic roles already.
If you look at the lowest row in the table, the remaining direct entitlements still count up to 43.6% at the moment, and they could be reduced to 33.9% if you come up with those roles. And if you'd like to define team roles below that, you can easily enter a new role.
Say, I wanna define team roles, simulate the effect of team roles, and then try to model or not model this layer of roles. This basically already brings me to the end of my 20 minutes. I hope that you understood that this is a powerful tool which can support you during all the entitlement modeling, role modeling and governance processes.
However, it is still a tool. It's still an organizational task for you to talk to your business guys, to use those visualizations, to use analytic filters and say, I just wanna look at the assignments not assigned via roles.
I wanna look at the assignments assigned via roles. I wanna talk to the business guys by showing them this picture, or I want to talk to the business guys by highlighting things differently, by changing views in general, by sorting things differently.
And from our practical experience, this actually looks like it would only be a very small part of the game. However, it's a very huge key success factor for the projects. Even though you have all the tool power in your hand, projects still fail because they fail to talk to the business guys in the language that they understand. What we try to do is we try to ease the process, come up with recommendations, come up with simple visualizations.
However, it still is a technical, organizational process. And that would bring me to the end of my part of the presentation, and I would hand over to Matthias at this stage again. Thank you for your attention.
So many thanks to Dr. Fox for this great presentation and for the insight into the software for our participants. We are now entering our Q and A session. So please make sure you have added all your questions that you want to ask Dr. Fox or me through the questions panel. We already have some questions, which is great. So let's directly start with these questions.
First of all, a very quick question. It looks like you mentioned that there are critical roles, or critical entitlements, to be added to a role. How do you identify criticality? Is there some automatic mechanism behind that, or is this something that needs to be added by the role owner or the entitlement owner?
We can typically do two things. On the one hand, you might manually have a criticality value set by role owners or the IT staff. So on the one hand, you can manually import criticality information; if you have that information, you could route your workflows accordingly.
On the other hand, we have automated risk detection mechanisms which try to identify outlier entitlements, try to identify entitlements that in terms of modeling look misconfigured. We also are able to activate policies that come with the software, which for instance define that a role can never have a lower criticality than the highest criticality of the entitlements that are included in the role.
So we would automatically be able to detect in case someone would model a high criticality entitlement in a low criticality role, and we could prevent them from doing so. But yes, two answers: you can either manually manage that, which is actually a very typical scenario with our customers. Typically role owners have to approve the criticality. Plus, on the other hand, we could support that process by automatically generated risk values.
Okay. That would also mean that you can integrate with an overarching enterprise risk management if IAM is well integrated with that.
Yes, yes. In general, we have open interfaces. So you could use our API web services or database views or whatever, even file-based export. So in our experience from the last 10 years, we didn't have any system which we were not able to integrate.
However, Matthias, as we talked about, the point is that we can provide this data. The receiving system has to deal with how that is mapped to its own data model.
Okay, that's perfect, because I have this question already here on my list from another participant: how do you connect your tool with a given IAM solution? Do you provide connectors reflecting the tool-specific data model and functionality? So the answer is no, it's a REST API thing, right?
Basically we have standard connectors to the systems that are most popular in the market. So we are working with, for instance, One Identity, Omada, SailPoint, Beta Systems, Micro Focus, whatever systems you might have in place, many Microsoft implementations.
And we do integrate with them in a very quick period of time; you'd be able to use our standard connectors if you want to. Most of them actually are connected via database views. So we can read and write view IDs or whatever you might have in your One Identity solution. We can connect to Microsoft MIM via web services or database, whatever you'd like to do.
Typically, to be honest, it's a matter of one to maximum five days of work, depending on the level of integration. If you just wanna exchange role master data and role definitions, it's less effort compared to if you also wanna do re-certifications, access governance optimization recommendations and write them back to IAM.
Okay, the next question perfectly fits in here. So the question of course is: how long does it take the system to analyze a large AD or a SAP ERP system? So how long really does the analytics process take?
So it depends on what you'd like to analyze. Our largest customers operate more than 55 million user privilege assignments, more than a million access privileges, for instance AD groups. If you look at a typical customer with 10,000 employees and 50 to 100,000 groups, the pure data import probably would end up with about 25 or 30 minutes. And if you wanna do analysis work on that, it depends on the depth of the analysis. The automatic analysis mechanisms run pretty fast, but they just give you recommendations. You can have those recommendations in less than an hour.
However, there needs to be some manual input to analyze whether this department should be restructured or whether you wanna look at a different department, a large department, whether you want to add other filters.
Okay. Yeah. I think that helps to get an impression of how quickly this can be deployed. Can you share experiences of how quickly organizations adopt your role management processes into their processes?
So this is just a matter of experience, but how do they really leverage these changed processes? Does that typically work out quickly?
Typically every one of our customers started with what we call an initial health check.
It's a one-time analysis of the current state and the generation of recommendations and a way of how this can be improved: what parts of the software would they need, what kind of workflows would need to be implemented, what do they already have? And after that, actually, it depends on the current situation.
If the company doesn't have role management in place at all, and we have several companies in that situation, it's very simple to operate the new processes. If companies already have very complex role environments, obviously there has to be a migration plan, because they use different interfaces for role modeling. Typically, most of our customers that didn't have any data visualization created their own Excel sheets and analyzed roles with Excel sheets, where they had the role history stored in Excel sheets.
This is all available in a digital format, audit-proof, in the software. So the modeling staff needs to change or adapt their daily processes, because they no longer work with Excel sheets; they work with the software. Regarding the business workflows, even though we come with our own built-in workflows, we are also happy if companies already operate approval workflows via their IAM or via their ITSM system. We can also call those systems within our workflow engine. That means we don't have to execute our own workflows.
We could rely on a third-party approval and just trigger that third party, like a mobile approval app, like an ITSM software. And in this case, integration becomes easier if you already have those established processes and wanna reuse them.
Okay. Thank you. Another question. I think that is almost a generic question, but it's so important: how many different types of roles does a typical organization need? Do you have any figures about that?
Yes. I can give some experience talk on that.
But here, in one of your last slides, you mentioned that there's a misconfiguration happening if you have too many roles, something many customers are scared of.
However, I would like to comment on that and answer that question based on this. It's not necessarily a big problem if this huge number of roles is automatically controlled via a structured maintenance process. If they are manually controlled, then obviously it's a big burden and lots of administrative work. Customers of ours typically model a structured role model that typically consists of two or three to five to six to seven layers. The point is you don't have to start with a full-blown role model. And that's what makes this approach interesting for our customers.
You could start with very basic roles, with location roles, and most of the companies that we work with start with roles that can be defined by the IT staff, that don't require that in-depth business communication, because they want to get used to the new workflows, to the new approach. And then later on, perhaps one year later, they start and say, I wanna come up with departmental roles in our Germany branch. And they add a layer to their role concept with only department roles for this Germany branch.
And basically, in our language, it still means an additional layer. Probably relating to that question: it's still departmental roles, whether it's Germany department roles or whether it's Austria or Switzerland or whatever departmental roles. Answering this question in a short manner: two to seven or eight layers is the typical approach.
Okay. That's quite substantial. Another question from the audience is: can you describe the process to define the scope of a certification campaign? So how do you trigger a specific certification campaign?
I think I can share my screen so you can see it; otherwise I would do it within the software. But in general, you say I'd like to create a new re-certification, and I'd like to do that for the externals, for the internals, only for critical entitlements, for non-critical entitlements. And within our software, you would configure the user interface that the business expert is presented with. So you would be able to configure all single buttons; you could configure the tooltip information, the description information, the roles or columns that are displayed, matrix-based or table-based.
And then you would be able to either execute that in a manual fashion, in a scheduled fashion, let's say every year, every six months, or based on an event trigger. An event trigger, for instance, could be if an employee changes the company or changes from one country to another one; then there's an event-based recertification for his or her access privileges that are critical. And this re-certification is done by the previous owner and by the new owner or by any IT staff in a one-, two-, three- or whatever-step approval process.
Okay, great. Thank you. So it's very, very, yeah, fine-granular that you can decide what really to re-certify there. Yeah.
To be honest, just a quick remark: creating the re-certification within the software is a matter of about five minutes. However, testing that the interfaces that are displayed to the business users perfectly fit their needs is something that takes you more hours. After that, it's quickly defined, and then you would probably want to test with business users whether they understand what's displayed there, which kind of help information they want to be presented within the software during the re-certification process.
And in our practical experience, that again takes you some more hours, not just the five minutes of adding a new recertification.
But then this would be another requirement, so that you have these friendly business users supporting you in these processes before they are actually rolled out.
Exactly. You need that, because otherwise you would confront hundreds of business experts with an interface that is probably not pretty well configured.
Okay, great. Thank you. So then we would take that as the final question. So that's it for today's webinar. I would like to thank you, Dr. Fox, for this insight into your experience and into your solution. If there are any additional questions from the audience, please get in touch with Dr. Fox or with us. So we will handle these questions and get back to you. We would be happy to welcome you to another webinar soon. And of course I would be very happy to meet some of you in real life at one of our next events, maybe in Berlin, where you can meet Dr.
Phillip and me both at the same time. So that's it for today. Thank you very much for your time, for your participation, to the audience and to you, Dr.
Phillip, and that's it for today. Bye-bye.
Thank you very much. Thank you for attending the webinar and see you soon. Bye-bye.