Skip to Content






Identity Management – Plug and Play

Provisioning, Managing and Revoking Access








Identity Management – Plug and Play

Provisioning, Managing and Revoking Access

Organizations have a complex task in transitioning employees to new roles and responsibilities with minimal overhead and cost. This is applicable to new hires as well as the tenured employees. One of the key challenges in such transitions is Provisioning, Managing and Revoking Access to various Business Applications with an audit-proof trail. Identity Management – Plug and Play helps you address these risks and achieve the desired levels of security with least overhead.


Business Process Evaluation


The best exercise to begin with would be to spend quality time with the Business Process Owners to understand the various Roles the employees interplay and at what stage in each of the Business Process. For instance it could be a Survey conducted by the Human Resource Department for a Trainer taken by the employees trained by the Trainer. So for this Business Process we need a Trainer, the concerned Human Resource Department Personnel, the trainees, the Supervisor of the Trainer for sharing the results of the Survey. In this manner all the Business Processes which needs to be covered under the Identity Management Process can be evaluated for the required inputs. Depending on the complexity and maturity of the process, the time taken for collating the inputs would vary. A sample template to collate the inputs for the Business Process is shown below in Table 1.1


Business Process

Business Sub Process


Actor/Business User Type

Activity Performed

Identification of Business User

Tenure/Business Event


Trainer Evaluation

Initiation of Survey

Human resource Personnel

Identifying the Trainer who needs to be Evaluated

Human Resource Personnel mapped to the Trainer

As long as the HR Personnel is mapped to the Trainer. Assignment of the HR to the Trainer


Table 1.1 – Sample Template to Collate Business Process Evaluation


(This evaluation can be more elaborate and could also be an opportunity for Business Process Re-engineering)


Business Process to Application specific Access Mapping


The next activity is mapping the Business Process wise evaluation done to specific access in the Application(s) on which the Business Process is executed. This would require an exact one-to-one translation of the Business Functionality broken down into Application specific activities/features. Continuing with the Business Scenario discussed in Table 1.1, Initiation of Survey could mean, access to survey Application, provision to see relevant Trainers for Evaluation, access to Trainer related information to make an informed choice, choose a the duration for the survey and so on. Refer to Table 2.1 to see more.

Business Sub Process

Activity Performed

Application Specific Activities



Trainer Evaluation

Identifying the Trainer who needs to be Evaluated

1. Access to Survey Application

HR Personnel to have access to the Portal where the Survey Application is hosted

This could be a part of the Enterprise Portal accessed by all employees or a stand-alone Portal.



2. Choose the Trainer

Based on the Mapping of the Trainer to HR personnel only those Trainers should be available for initiating Survey

This can either be brought in as part of Identity Management purview or can be taken care at the Application level



3. View the Details of the Trainer

HR Personnel to have access to the relevant records of the Trainer like Date of Joining, Course Details, Years of Experience, Previous Survey Ratings etc.

However not all details like Salary and other confidential details of the Trainer to be accessed at the time of Initiation of Survey


Table 2.2 Mapping Business Process to Application specific Access


The elaboration can be done at a more detailed level to collate the Technical details like the specific Tables/Clusters/Infortypes/Transactions/Reports/Views/Methods/Classes etc. to which the access needs to granted and with what validity.


Strategy for Grouping

Now that the mapping for the Business Process steps to the Apllication is done, we need to create Roles and Profiles. However, we need to use the right strategy for Grouping these Roles. Either we can create all Roles and Profiles without any Grouping. This would allow is change and manage any further enhancements easily at a Sub Process level. However, the drawback in this is the volume and maintenance overhead. Hence depending on the inputs collated from the above activities, the below proposed grouping can be used to Group the Roles and Profiles. The need for this grouping would be appreciated from the management of the Roles and Profiles perspective  post  implementing the Identity Management.

With the above activities done you would have broadly the following sample possible groupings as shown in Table 3.1


Possible Groupings

Business Process

Business Sub Process

Business User Type

Business Activity

Access Type


Table 3.1 Sample Possible Groupings


The Roles and Profiles for giving access to Business Applications can be grouped as shown in the above Table 3.1. We will see the each of the Groupings in a more detailed manner.

  • 1. Business Process: Each Business Process can be treated as a Group for preparing a mapping of the Roles and Profiles which needs to be assigned to Business Users who need to access the Application. This would mean mapping the Roles and Profiles for a Process to a Business User who needs access. This is based on the assumption that all the Business Users for the Process have same permissions.
  • 2. Business Sub Process: In case within a Business Process the Access to be provided varies based on the Sub Process, which is usually the case, the Roles and Profiles can be grouped at the Sub Process level. In this case the identification of Business users for Provisioning, managing and revoking would be at the Sub Process Level.
  • 3. Business User Type: User type could be trainer, HR, Manager etc. where each of the user types have a spectrum of permissions to do certain activities. However, a Trainer in Alaska or a trainer in New Jersey would have the same permissions as a Trainer in Ohio. Within that premise it is possible to group all the user types together while creating the Roles and Profiles to be assigned. With this strategy any employee who becomes a Manager would get permission to all Business Applications which they need to access as Managers.
  • 4. Business Activity: Activity wise grouping requires all Roles and Profiles for initiations across Business Applications to be grouped together. With this design, if any employee needs to gain access to a certain application for Initiation alone, then, for that application the Role created for Initiation needs to be assigned to the user with the validity period.
  • 5. Access Type: This involves aligning the Roles and Profiles based on the access type like – Review Access/Change/Approve/View etc. In this approach the Roles are created with further categories to allow various types of access as needed by the Application.



The above mentioned Groupings can also be aligned to the various frameworks which may be applicable for the Organization. This would make the Role Mapping more audit-proof.


Alignment to the Business Events


The next step would be to align the Business events which would link the above Role and Profile assignment/revocation/modifications for the users. This would ensure a seamless integration between the Business Event and the Transition planned. In other words, by virtue of a becoming HR personnel for a Trainer- the access to the Survey and the application to initiate a Survey should be provisioned. This would align the Business Event of the HR Personnel taking charge to trigger the needed assignment of Roles and Profiles required in executing the tasks.

This is the critical part of the Plug and Play technique where there is a seamless integration between the Business event and the assignment of required Roles and Profiles to perform the needed tasks in various applications automatically.


Plug and Play


 Once the Roles and Profiles are mapped we are ready to use the Plug and Play approach for Identity Management.  The Master switch to control the Entire Plug and Play is ascertained. Now these are the steps which the Governance team for the Identity Management Team needs to incorporate to use it effectively.

  • 1. On new sub process being included in the Process, review the additional generic bare minimum access which needs to be given in addition to the existing Roles.
  • 2. Evaluate periodically if the Business Event alignment to Role assignment is the latest. The Business Process could be changed, and in such an event the mapping of Business Event to the Role assignment needs to be altered
  • 3. There could be addition/removal of Business User from a process; in such an event a re-evaluation needs to be done at all levels
  • 4. During the course of time there could be changes to the Business Events in which case again the re-evaluation needs to be done ascertain the changes


In all the above scenarios, whenever there is a change, implementing the change is only Plug_and_play. You need not redesign the entire Mappings and Alignments, only the changes needs to be plugged. The entire machinery of the Provisioning, Management and Revoking Access continues to work seamlessly.




The Plug and Play technique for Identity Management allows the Organization to ensure minimal transitioning time and cost in terms of access and controls. It also allows auto assignments, updates and de-provisioning without any manual interventions. Moreover the centralization and alignment of the entire Business Processes and Events to the Assignment of the Roles and Profiles to the users allows better Governance and Control. Further, it eases Change Management for any of the Processes.

To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply