How a Service Automation Solution Helps Your Organisation
In our blog “Why Do You Need an Identity & Access Management (IAM) Solution,” we identified three categories of challenges: enhancing efficiency while reducing costs, compliance with laws and regulations, and protection against data breaches. In our previous blog, we explained how User Provisioning technology is capable of automating over 80% of user and authorization management tasks. But what about those cases that don’t fit the mold? Or how do you manage external individuals who are not even in a source system? In this blog, we explore how the Service Automation feature within IAM technology assists organisations in these and other areas.
In this article
How does an IAM solution help?
We have previously identified various drivers that can lead to the formulation of an IAM strategy. These are challenges that arise in manual user, authorization, and access management. In summary, these challenges are ‘efficiency and cost reduction,’ ‘compliance with legal and regulatory requirements,’ and ‘protection against data breaches.’ The three IAM technologies that address these challenges are ‘User Provisioning,’ ‘Service Automation,’ and ‘Access Management.’ We have committed to exploring each of these technologies in a blog post, in relation to the challenges of manual management, with the focus now on Service Automation.
Service Automation
An automated User Provisioning process based on a source system can automate a lot, but unfortunately not the entire user and authorization management. A job change can be found in the HR system, but temporary participation in a project group often can’t be. However, this may require temporary access to a project folder, application, or shared mailbox. Then there are “incidental” and completely random events like forgetting a password. Without a Service Automation solution, these kinds of changes are manually handled by expensive helpdesk staff or functional administrators. For employees themselves, it’s not always clear where they should go. Or they haven’t yet received approval from the responsible manager. While waiting, they’re left twiddling their thumbs. And if you do have a clear and relatively smooth process, it’s still a challenge to meet compliance requirements and to actually prove this to relevant authorities.
Service Automation offers a way to handle those tasks that are not easily or efficiently automated based on a source system. In other words, it covers the remaining 20% of user and authorization management activities. Service Automation brings together people and technology so that these tasks can be performed in a simple, controlled and uniform manner. It thus contributes to a better user experience, increased productivity and more accurate record-keeping, while also reducing errors and unnecessary costs. The most well-known aspect of Service Automation is undoubtedly self-service, but helpdesk delegation is also a part of this IAM technology. Although the term may not immediately ring a bell, it is often the first step in introducing the technology within the organisation.
Helpdesk delegation
In conventional setups, helpdesk personnel often have elevated administrative rights for applications like Active Directory Users & Computers (ADUC), posing inherent security vulnerabilities. While you may want a helpdesk worker to have the ability to reset other employees’ passwords, this level of access could also enable them to alter an executive’s password, create new user accounts, or even delete the entire Active Directory. Such risks are not theoretical; we’ve heard of such cases from our clients. On top of this, maintaining a comprehensive log of all changes is essential. It’s important to track what modifications were made, why, and by whom—data that isn’t always automatically captured by the system, and that helpdesk staff may neglect to record, either intentionally or unintentionally.
Helpdesk Delegation enables the provision of delegated forms to (non/semi-skilled) helpdesk staff and key users. These key users are approachable colleagues within the work environment who are equipped with just the right permissions needed to assist their teammates. The forms can target various IT management tasks, like creating user accounts, granting or revoking access permissions, or resetting passwords. This system empowers staff to perform designated helpdesk activities without requiring admin rights in the foundational systems. The solution also intelligently tailors permissions within these forms based on an individual’s level of access. For example, a junior system administrator might be allowed to reset passwords, but not for managers or directors. Similarly, standard access rights may be granted, but high-risk permissions are withheld pending approval from the corresponding resource owners.
In addition to user-friendliness brought about by an intuitive graphical interface and extensive rights management options, Helpdesk Delegation offers certainty. The certainty that changes are always executed in the same uniform manner, and the certainty that a clean audit trail is always available. This can be automatically logged in the utilized ITSM system, such as TOPdesk, for example.
Self-service
The concept of self-service is not only well-established but also rapidly expanding. Who isn’t accustomed to managing their own banking through a mobile app? Or easily submitting healthcare claims online? Or scanning and paying for groceries themselves at the supermarket? While this convenience is fully integrated into our consumer lives, it’s often conspicuously absent in our professional lives. Yes, you may be able to digitally request leave days, but arranging a (temporary) increase in your access permissions yourself is generally not possible in many organisations. Contrast that with consumer experiences where you can, for example, secure new travel insurance within 5 minutes, while employees often have to navigate cumbersome procedures and wait for days to access a network folder, which they may need to accomplish their job tasks.
Generally speaking, employees often have a better understanding of the resources and permissions they need to do their job effectively compared to their managers and certainly better than the IT department. Managers do have a role in approving these permissions, but the ultimate decision typically falls on functional administrators and license managers. On the other hand, the IT department is the expert when it comes to executing changes. Many of the requests that reach the helpdesk, such as password resets, account unblocking and permission changes, are repetitive and not particularly stimulating for IT professionals, yet they consume a significant amount of valuable time and resources. Helpdesk Delegation helps alleviate this burden, offering tailored self-service portals that empower different roles within the organisation to manage IT-related issues themselves, their teams or their resources.
Functional management self-Service
The goal of self-service is to delegate tasks that were once the sole responsibility of the IT department further into the organisation. After the helpdesk, the next logical step is to provide an IT service desk for so-called resource owners. A resource owner is typically a functional (application) manager or license manager responsible for a specific system, application, or folder. Service Automation provides them with a clear overview of the users who have access to their resources and an easy way to grant or revoke access. The system instantly provides a comprehensive overview of who is using what licenses, whether the organisation is exceeding its license count, and the number of available licenses.
Manager self-service
The subsequent step in delegation is towards managers. While the technical aspect of this phase is straightforward—given that forms and procedures are already outlined for service desk and resource owners—it marks a pivotal organisational milestone. More staff will come into direct contact with the Service Automation platform. Once this layer is deployed, managers gain real-time visibility into the access rights and license usage of their team members. This increases managers’ awareness of their department’s ‘IT footprint,’ aiding in the reduction of unnecessary costs. Managers can also independently add or remove rights for an employee, eliminating the cumbersome process of service tickets and service personnel for execution.
Employee self-service
The ultimate step in self-service is delegating to the end user. Through a self-service catalog, employees can easily request additional rights for applications, folders, or mailboxes themselves. An approval process, in which, for example, the manager reviews the request before it’s implemented, prevents end-users from acquiring unnecessary rights. This verification process is much simpler for a manager or license manager than for an IT staff member. After approval, the Service Automation solution ensures that the changes are automatically implemented.
Typically, Service Automation is particularly well-suited for handling access requests within and across systems, applications, and folders. But its IAM functionality also offers the option for controlled customization to automate complex and organisation-specific tasks. Instances I’ve encountered include the generation and extension of guest accounts, enforcing user acceptance of privacy policies prior to account activation, and even fully automating the request and approval processes for company assets—complete with digital signatures for loan agreements. Just like with connectors for User Provisioning, the only limitation is the presence of an interface to the system you want to modify. And, of course, your own imagination.
Workflows
In the context of a role based model, we refer to Role Based Access Control (RBAC). However, in self-service, it’s all about Claim Based Access Control (CBAC). However, this doesn’t mean that every employee can freely claim all permissions. For instance, applications like Microsoft Visio and Adobe Photoshop are selectively allocated due to their high costs and specialized nature. When accessing a network folder from the HR department, the main concerns revolve around privacy and security risks. Different requests necessitate different evaluations by different people. A Service Automation solution must be able to facilitate these varied request and approval processes.
Manual request and approval process
In the absence of a Service Automation solution, end users typically request access through various methods such as phone calls, emails, or support tickets. The IT helpdesk then pursues the necessary approvals using these diverse communication channels. Once the request is evaluated, the change is manually executed across the relevant systems and applications. Subsequently, the actions taken are documented.
Requests and approvals via Service Automation
Clearly, this approach involves numerous manual steps and considerable effort, from the moment a request is made to when an employee actually gains access to the resources they need. Service Automation streamlines and speeds up this entire process by formalizing it into predefined workflows. In these workflows, you can specify whether a request receives automatic approval or needs further review, and by whom. For instance, you might set it up so that Microsoft Visio access is automatically granted, while access to a sensitive HR folder requires approval from both the direct manager and the head of the department. When an employee requests access to a particular resource, designated approvers are notified with a button to either approve or deny the request. Once all relevant stakeholders approve, the system automatically executes the change.
Automatically revoking permissions
However, granting access rights is not the end of the story. What if the individual no longer needs those rights? If the rights were truly essential for their role, they would have been allocated through the role-based User Provisioning process. In the case of optional access permissions, the need is often temporary. But while software like Visio may be expensive for the organisation, relinquishing it doesn’t significantly impact the individual employee. In fact, keeping it for future potential use might seem convenient.
If you were hoping that your employees would voluntarily relinquish excessive permissions, think again. While people are often eager to request access, they are less willing to give it back. This natural tendency conflicts with the key information security principle of ‘least privilege,’ where users are given only the minimum access levels or permissions needed to perform their tasks. An essential feature of a Service Automation solution, therefore, is the ability to enforce the temporariness of certain permissions. Workflows often include a maximum duration setting, allowing employees to choose how long they want the self-service product. This ensures a fail-safe situation where optional permissions are eventually revoked automatically, eliminating the issue of accumulating unnecessary rights.
Auditable
Organisations must be able to demonstrate that their processes are in compliance with laws and regulations. It must also be traceable as to which users have carried out which actions. Therefore, registration and reporting are essential within all user, authorization, and access management processes.
Without a Service Automation solution, it becomes exceedingly difficult to accurately account for optional authorizations that are granted during employment. With such a solution, however, this suddenly becomes extremely straightforward. Whether a helpdesk employee is requesting something via helpdesk delegation or an employee is using self-service, regardless of which workflow is in use, all requests, approvals, and executed actions are not only automatically carried out but are also centrally logged. This is a marked difference from manual execution in environments like ADUC where logging often falls short, or manual interventions in various systems and applications where the logging is fragmented. Worse yet is when the logging itself becomes a manual action, as in ITSM applications like TOPdesk or ServiceNow. After all, data breaches often occur from within the organisation, consciously or unconsciously, and who benefits from not logging their actions? Exactly.
This is not an argument against using ITSM solutions like TOPdesk, Ultimo, Zendesk, and ServiceNow. On the contrary. While in many organisations these platforms were initially the starting point for account or authorization requests, they now serve as the endpoint. The workflow and execution lie in Service Automation. However, if there is still a need for manual handling, such as granting rights within an application that lacks an interface, or something like a token, then this simply leads to a change request in ITSM. A receipt is written for every workflow for management reporting purposes. An application like TOPdesk thus remains capable of providing complete strategic information about the performance of your service desk and also offers insight into the productivity advantages. And certainly, before starting, we particularly recommend looking at your top 10 tasks in your service desk application to identify low-hanging fruit for automation through Service Automation.
Conclusion
A Service Automation solution ensures that your request and approval processes are always properly followed. It records all activities and involved parties, thereby providing the evidence needed to demonstrate compliance with information security standards. Additionally, it offers a simple interface for employees to manage their own IT matters. It also allows managers, application administrators, and other resource owners to approve or reject requests with a single click. All of this while significantly reducing the number of helpdesk tickets, freeing up the IT helpdesk to focus on more complex challenges. Service Automation technology safeguards the request and approval process within the organisation, but does it more efficiently, effectively and securely. It’s a win-win-win situation.
In our next blog, you’ll read how an Access Management solution can help your organisation. Would you like to know more about our Service Automation module within HelloID?
Written by:
Arnout van der Vorst
Others also viewed
