UMT Case Study
07 June, 2023, by Natasha Free
Introduction
Madigan Solutions' User Management Tool (UMT) helps organisations manage third-party users who do not fit into the normal HR process. Most organisations have an identity and access management tool for handling workforce and consumer identities. However, very few have an effective means of managing all those other users who do not align with the established tool and processes. These users are often dumped in the “awkward use case” category and managed by a spreadsheet like it’s 1999. For most organisations a third-party user is typically a contractor, but third parties can also be visitors, tenants and even non-human entities like car park passes.
We developed UMT to have highly configurable attributes that allow an administrator to:
- Create identity records for third parties, with approval processing
- Update, suspend, and restore identity records
- Support multiple identity types, i.e., contractors, guests, tenants, and custom types
- Provide reporting capability to report on third party service providers, user types, and users
- Automate the life-cycling of third parties
- Provide integration into third party identity governance/management tooling
- Provide a full audit log of all actions, exportable to a SIEM tool
The tool can also be configured for delegated administration, allowing other employees or third-party managers to manage your third parties and freeing up your time to prioritise something else.
The following case study gives an overview of how UMT was used by an institute of further education to effectively manage the lifecycle of identities that sit outside both the HR System and the Student Management System.
The main challenge was handling identities that sit outside of the HR feed. The organisation also had cumbersome and error-prone processes for shared mailboxes and for the management of security passes. UMT has been proven to effectively manage these use cases.
Third parties challenge
The organisation needed to ensure that every third party was assigned a manager for the duration of their lifecycle, and that start and end dates were in place so that access could be granted and removed as quickly as possible. In addition, they needed to be able to assign each identity to a particular cost centre or purchase order, and to renew an identity without creating another one (which had previously been the case).
Solution: Identities can be created and managed in UMT. If identities are created in AD, they can also be managed from UMT. All identities were assigned an employee manager (taken from the organisation’s HR feed). UMT was configured to allow delegated administration of these users. Clear start and end dates were set. An attribute was configured to allow administrators to track each identity against a cost centre.
Benefits: The tool has given the organisation greater control and accountability. They now have one window through which they can see all third-party users, whether they are active or not, and which employee manager is responsible for them. This “ownership” of identities ensures that there are no orphan accounts. This reduces security risk, as there will always be an active employee manager responsible for periodically recertifying whether the user is still legitimately active. The ease of report creation has also been a huge benefit, saving time and increasing the confidence of key stakeholders.
The organisation was able to ditch numerous scripts and is now compliant with the board-mandated best practices for user management. The possibility of human error in the process has been greatly reduced, and the IT team has regained time that was previously taken up by the administrative burden of the old processes. Now the service desk can easily manage the identities, and approvals are routed seamlessly to an appropriate manager.
Shared mailboxes challenge
The organisation had to provide a significant number of shared mailboxes for a variety of uses, from student administration needs (like management of accommodation services) to recreation services. How do you ensure that shared mailboxes always have an owner, and that ownership is reassigned easily and efficiently?
Solution: The organisation’s service desk is now able to log into UMT, create unique shared mailboxes, and assign an owner from the organisation’s user community. The owner can then control the mailbox from a simple user interface. The administrators or the owners can also set a trigger for when the mailbox owner is leaving the organisation and nominate a new manager. This prevents orphaned accounts; if this is not done, UMT will alert the service desk that a mailbox is without an owner.
Benefits: Simplification of the process, with fewer interactions, emails and paperwork in the mailbox creation process, makes lifecycle administration more efficient. UMT’s ability to be configured to raise alerts when mailboxes are no longer used means that the organisation has saved on licensing costs. The ability to reassign licences as soon as they are freed up means that the organisation will secure a better deal on renewal, due to a more mature grasp of the licences in use. Ensuring there is always a mailbox owner provides peace of mind to all users and stakeholders, and the ability to check for uniqueness means greater administrative efficiency.
Security passes challenge
The organisation needed to manage identities that do not require an IT account but do require physical access. This is centred on visitors to campus, for example tradespeople or guest speakers. The solution needed to be simple, as administration is delegated to the on-site security team, who are not required to have IT skills. They needed to be able to create, update, suspend, and restore identities that have no IT account. In addition, other administrators (service desk, managers, etc.) also needed to be able to create and approve identity records and notify security when passes need creating. Crucially, an auditable approval process was required for risk compliance purposes.
Solution: Using UMT’s user-friendly interface, managers (as defined by the organisation) are now able to create and administer third-party identities and forward any request for building access to the on-site security team.
The on-site security team are now able to easily administer those requests in order to create security passes as and when required. They can also create and modify identities when no such request exists (for example when a manager has forgotten to make the request, and the visitor needs quick access). These can then be approved almost instantaneously by sending a notification from UMT to the managing approver.
Benefits: There is now greater efficiency in administering access, as systems have been streamlined to save time when requesting guest passes. Risk is greatly reduced by having clear approval processes and by configuring user start and end dates. These are fed into the building security system, so no one has a usable security pass unless they have been appropriately approved. This access can be removed quickly and efficiently when required.
There is greater clarity regarding building access for third-party users, due to the auditable approval processes. This can be seen in the simplicity of reinstating identities. When a visitor arrives in a hurry there is no need for laborious form filling. After physical identification, the security team can simply update the identity via the UMT UI. An approval request is sent, and the identity can be reinstated as soon as approval is received. This makes the security team more responsive to requests and gives overall greater efficiency in facilitating guest access.
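The three challenges above share one control: every third-party identity, shared mailbox and security pass has an active, named owner and a start/end window, and anything that falls outside that (a manager who has left, an identity still active past its end date, a mailbox with no owner, a pass presented outside its approved window) is surfaced for action. The following is an added example, not part of this case study or UMT's own code, showing how such a lifecycle review can be expressed as a check run over exported identity data. The record shapes, field names and the sample employees, identities and mailboxes are constructed for illustration; the only logic it encodes is the ownership and date rules described in the sections above.

```python
"""Lifecycle review for third-party identities, shared mailboxes and passes.

Hypothetical record shapes (not UMT's data model): each identity carries the
employee manager responsible for it, a start/end window and an active flag,
as the case study describes.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Employee:
    uid: str
    active: bool          # False once the HR feed marks them as a leaver


@dataclass
class Identity:
    uid: str
    kind: str             # e.g. contractor, guest, tenant (custom types allowed)
    manager: Optional[str]
    start: date
    end: date
    active: bool
    cost_centre: Optional[str] = None


@dataclass
class SharedMailbox:
    name: str
    owner: Optional[str]
    successor: Optional[str] = None   # nominated new owner when the owner leaves


def review_identities(identities: List[Identity], employees: List[Employee],
                      today: date) -> Dict[str, List[str]]:
    """Return {identity uid: [findings]} for every identity that needs attention."""
    staff = {e.uid: e for e in employees}
    findings: Dict[str, List[str]] = {}
    for ident in identities:
        issues = []
        # An identity is orphaned if nobody active in the HR feed owns it.
        if ident.manager is None or not staff.get(ident.manager, Employee("", False)).active:
            issues.append("orphan: no active employee manager")
        if ident.end < ident.start:
            issues.append("invalid: end date before start date")
        if ident.active and today > ident.end:
            issues.append("expired: still active past end date")
        if ident.active and today < ident.start:
            issues.append("premature: active before start date")
        # Contractors are charged to a cost centre or purchase order.
        if ident.kind == "contractor" and not ident.cost_centre:
            issues.append("missing cost centre")
        if issues:
            findings[ident.uid] = issues
    return findings


def review_mailboxes(mailboxes: List[SharedMailbox],
                     employees: List[Employee]) -> Dict[str, str]:
    """Return {mailbox: action} for mailboxes whose owner is no longer active."""
    staff = {e.uid: e for e in employees}
    findings: Dict[str, str] = {}
    for mb in mailboxes:
        if mb.owner in staff and staff[mb.owner].active:
            continue                      # owner still present, nothing to do
        if mb.successor in staff and staff[mb.successor].active:
            findings[mb.name] = f"owner left: reassign to nominated successor {mb.successor}"
        else:
            findings[mb.name] = "orphan mailbox: no active owner or successor, alert service desk"
    return findings


def pass_is_usable(ident: Identity, today: date, approved: bool) -> bool:
    """A physical pass works only when approved, active and inside its date window."""
    return approved and ident.active and ident.start <= today <= ident.end


# Constructed sample data; dates chosen around the case study's publication date.
TODAY = date(2023, 6, 7)
SAMPLE_EMPLOYEES = [Employee("alice", True), Employee("bob", False)]
SAMPLE_IDENTITIES = [
    Identity("c-001", "contractor", "alice", date(2023, 1, 1), date(2023, 12, 31), True, "CC100"),
    Identity("c-002", "contractor", "bob", date(2022, 6, 1), date(2023, 3, 31), True, "CC200"),
    Identity("g-003", "guest", "alice", date(2023, 7, 1), date(2023, 7, 2), True),
    Identity("c-004", "contractor", None, date(2023, 5, 1), date(2023, 8, 31), True),
]
SAMPLE_MAILBOXES = [
    SharedMailbox("accommodation", "alice"),
    SharedMailbox("sports", "bob", successor="alice"),
    SharedMailbox("library", "bob"),
]

if __name__ == "__main__":
    for uid, issues in review_identities(SAMPLE_IDENTITIES, SAMPLE_EMPLOYEES, TODAY).items():
        print(uid, issues)
    for name, action in review_mailboxes(SAMPLE_MAILBOXES, SAMPLE_EMPLOYEES).items():
        print(name, action)
```

Run as a script it lists c-002 (manager has left and end date passed), g-003 (active before its start date) and c-004 (no manager, no cost centre), and flags the two mailboxes owned by the leaver, one with a nominated successor and one with none. The date-window rule in `pass_is_usable` is the same one the case study describes being fed into the building security system.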
Results
Overall, the introduction of UMT has given the organisation greater visibility of, and control over, identities outside of their existing HR and Student identity feeds. The reduction in time spent on user management has brought an increase in efficiency and a reduction in human error in the process. The built-in reporting functionality allows decision makers to understand the status of identities and who is responsible for them, and has enabled further efficiencies, particularly in user licensing.
This experience has also been a learning curve for Madigan Solutions, following customer feedback that the software is almost “too configurable”! This led to the organisation enlisting the help of a business analyst to ensure they could exploit UMT’s full potential and get creative in finding new applications for it.
Conclusion
UMT is provided as a service, is highly configurable to suit organisational complexity, and has been demonstrated to deliver greater visibility and efficiency across the user management lifecycle. In a short amount of time the organisation in the case study above was able to radically improve its management of third parties, reducing security risk and administrative burden and providing peace of mind to all stakeholders.
About Madigan Solutions
Madigan Solutions UK Limited is a leading provider of IBM Security Verify solutions. Whether your needs are access management, identity management & governance, or privileged access control & monitoring, Madigan Solutions can help you satisfy those needs.