Identity management with shortcomings
Internal and external audits of SJ’s information and business systems revealed tangible shortcomings, including:
- Employees and consultants had access to information and business systems long after they had finished work/assignments.
- SJ was unable to account for the identity data it held: who owned it, whether there was still an active relationship with the person, or whether consent for registration had been given. This was in breach of the Swedish Personal Data Act (PuL).
- SJ could not account for who had access to which IT systems.
- Dependence on individuals and manual administration created long lead times and quality problems in connection with on-boarding and off-boarding personnel and consultants.
- SJ was dependent on one external supplier for the issuing of an “SJ signature”, a unique identifier that had to be created and paid for in respect of all employees and consultants.
SJ thus had an urgent need to achieve a comprehensive overview of, and full control over, access rights and identities within the organisation. There was also a need to bring order to the system accounts used where systems interact with one another without a person being involved.
New platform with the right functionality
To meet these needs, Enfo introduced the centralised management of identities and access rights on the technical platform IBM Security Identity Manager (ISIM).
These measures reduced the degree of manual handling, and the more or less arbitrary administration of accounts and access rights stopped completely.
“The right person has the right access rights to the right system at the right time”
Enfo’s solution produced a number of tangible effects, partly through close collaboration with SJ’s HR Department. Employees are now given an SJ identity and access rights based on the start and end dates recorded in the HR system. The employee’s access rights are enabled on the first day at work and disabled in the same way on the final day at work.
Each employee is automatically assigned ten or so basic access rights, for example AD account, personal email address and inclusion in the correct distribution lists. The account is updated automatically using master data from various sources.
A corresponding procedure was set up for consultants: the consultant is registered via a self-service function by an authorised orderer. This establishes a responsibility relationship, which creates ownership of the consultant’s SJ identity. Just as for employees, the account is enabled on the first day of an assignment and disabled on the final day.
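The lifecycle logic described above for employees and consultants (enable on the start date, disable on the end date, grant a fixed set of birthright entitlements, require an owner for every consultant identity, and flag accounts that no longer belong to anyone) can be expressed as a reconciliation between an HR feed and the account directory. The following is an added example written for this page, not code from Enfo, SJ or IBM Security Identity Manager; the data model, the birthright table and the sample identities and accounts are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed data model (assumption): an identity record as it would arrive
# from the HR system (employees) or from the consultant order (consultants).
@dataclass(frozen=True)
class Identity:
    uid: str
    kind: str                   # "employee" or "consultant"
    start: date                 # first day of employment / assignment
    end: Optional[date]         # last day, or None if open-ended
    owner: Optional[str]        # responsible manager / authorised orderer

# Constructed model of what the directory currently holds for a user.
@dataclass
class Account:
    enabled: bool
    entitlements: Set[str] = field(default_factory=set)

# Assumed birthright entitlements per identity kind (the page mentions
# AD account, mailbox and distribution lists; the exact names are invented).
BIRTHRIGHT: Dict[str, Set[str]] = {
    "employee": {"ad_account", "mailbox", "dl_all_staff"},
    "consultant": {"ad_account", "mailbox"},
}

def is_active(ident: Identity, today: date) -> bool:
    """Active from the start date up to and including the end date."""
    if today < ident.start:
        return False
    return ident.end is None or today <= ident.end

def reconcile(identities: List[Identity],
              accounts: Dict[str, Account],
              today: date) -> Dict[str, list]:
    """Compare authoritative identities with provisioned accounts and return
    the actions a provisioning run should take today. Nothing is changed
    here; the caller applies the actions to the directory."""
    by_uid = {i.uid: i for i in identities}
    actions: Dict[str, list] = {
        "enable": [], "disable": [], "grant": [],
        "orphans": [], "missing_owner": [],
    }
    for uid, ident in by_uid.items():
        # A consultant identity without a responsible orderer has no owner,
        # so it is reported and not provisioned until ownership is set.
        if ident.kind == "consultant" and ident.owner is None:
            actions["missing_owner"].append(uid)
            continue
        acct = accounts.get(uid)
        if is_active(ident, today):
            if acct is None or not acct.enabled:
                actions["enable"].append(uid)
            have = acct.entitlements if acct else set()
            for ent in sorted(BIRTHRIGHT[ident.kind] - have):
                actions["grant"].append((uid, ent))
        elif acct is not None and acct.enabled:
            # End date has passed (or start not yet reached) but the account
            # is still live: this is the "access long after leaving" finding.
            actions["disable"].append(uid)
    # Accounts with no identity behind them at all.
    for uid in accounts:
        if uid not in by_uid:
            actions["orphans"].append(uid)
    for key in actions:
        actions[key].sort()
    return actions

# Constructed sample data: one HR feed snapshot and one directory snapshot.
SAMPLE_IDENTITIES = [
    Identity("alice", "employee", date(2024, 1, 1), None, "mgr1"),
    Identity("bob", "employee", date(2023, 5, 1), date(2024, 3, 14), "mgr1"),
    Identity("carol", "consultant", date(2024, 3, 15), date(2024, 6, 30), "orderer1"),
    Identity("dave", "consultant", date(2024, 2, 1), date(2024, 6, 30), None),
]
SAMPLE_ACCOUNTS = {
    "alice": Account(True, {"ad_account", "mailbox"}),
    "bob": Account(True, {"ad_account", "mailbox", "dl_all_staff"}),
    "zed": Account(True, {"ad_account"}),   # nobody in HR owns this one
}

def run_sample(today: date = date(2024, 3, 15)) -> Dict[str, list]:
    return reconcile(SAMPLE_IDENTITIES, SAMPLE_ACCOUNTS, today)

if __name__ == "__main__":
    for action, items in run_sample().items():
        print(f"{action}: {items}")
```

Running this for 15 March 2024 enables carol on her first day, disables bob the day after his end date, tops up alice with the distribution list she is missing, refuses to provision dave until an orderer takes ownership, and reports zed as an orphan account. The same run on a daily schedule is what turns start and end dates in the HR system into enforced access.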
“Self-service” functions increase personal responsibility
SJ’s IAM programme has been expanded to include, among other things, a digitised application process for access rights: 25 paper forms have been replaced by a digitised and partly automated process. This is in line with SJ’s strategic objectives: faster, simpler and better. Responsibility for access rights is also being transferred to employees through a self-service function, in which each job function (e.g. train drivers) can see the access rights its work requires and apply for them.
“We engage Enfo for their expertise in the field of identity management and IAM. We want to offer modern technology and service to the organisation, and Enfo tells us what we have to do. We feel that Enfo has modern, up-to-date knowledge, that we can rely on them and that they know and understand our organisation,” says Camilla Odenteg, Compliance Manager at SJ AB.
“We’re very satisfied and look forward to good effects from the self-service project, which is now in its final phase,” concludes Camilla Odenteg.
The case in brief
- Need: to reduce the manual handling of access rights and identities, to gain control over who has access to which information at what time, and to gain control over system accounts.
- Platform: the identity management platform IBM Security Identity Manager (ISIM), designed and implemented in accordance with Enfo best practice.
- Solution: centralised, largely automated handling of identity data, user accounts and access rights.
- Integration: ISIM integrated with the HR system Personic provides full control over identities and access rights, including their start and end dates. An in-house SJ signature, independent of any external supplier, was implemented.
- Results: the right access rights for the right person at the right time, reduced manual handling with a digital approval flow, shorter lead times, reduced costs thanks to the in-house SJ signature, better compliance with rules and a reduced workload for managers.