Today is the day of the decision, or more precisely of the meeting with the superiors of Mr. Schneider, Ms. Schmitt, and Ms. Weber. Monika and Susanne just take off their things and then it starts. The beginning is not exactly promising. Susanne Schmitt need only say “Mr. Schneider and access to the Controlling systems”, and they first get defensive and then try to shift blame. But Susanne does not make it that easy for them. She does not let up and, in her part of the presentation, paints a truly worst-case scenario of the disgruntled employee and how he is damaging the company. This example simply has everything: stolen and leaked customer data, deleted recipes, manipulated controlling data and, on top of that, a blatantly excessive budget. Suddenly, Ms. Weber has her superiors’ attention again, because no one wants to take the blame for this outcome. She concludes her presentation with a comprehensive explanation of why the systems and lists that currently exist in IT and are scattered throughout the entire company are not suitable for minimizing this risk. The two do not receive an immediate response, as the superiors ask for a few days to reflect because of the far-reaching effects of their decision. But in the end, postponing is of no use: the damage to be feared, which is also very real, is always more expensive than investing in a central, professional identity management system.

Ms. Weber’s manager has the topic “Identity Management” on the agenda for his weekly update meeting with the management. In his opinion, he will not need much time, because sales and data protection have calculated the costs of a sales decline and a data breach. Saving on IT is fine, but you can also save in the wrong place, and IDM (identity management) would definitely be such a place. Thus equipped, he confidently strides into the meeting and embellishes his presentation with the fact that the costs do not yet take into account the damage to the company’s reputation with customers and on the labour market. New employees are already grumbling when they have to wait for access. What happens when there is a real data breach that is exploited in the media? In this case, too, the decision is not made immediately; understandably, the managing directors still want to wait for the result of the current quarter before increasing the IT budget for the following year.

Since Ms. Weber is still optimistic, in the meantime she starts to draw up a survey for all internal and external employees. It asks which access rights and authorizations each employee has and whether all of them are still needed. This creates a user matrix with roles and permissions, which is then sent to the division heads in the company for fine-tuning and approval. In this way, she can at least determine who needs access to which IT resources and systems in order to do their job. The end result should be a central user matrix, including hierarchies, for all IT resources and systems in the company.

Shortly after Controlling has approved the final quarterly report, Ms. Weber’s supervisor is back with the management at his weekly update meeting. Despite the tense market situation, earnings have turned out better than expected. This made it an easy decision, and the IT budget for next year was increased slightly. This means that almost nothing stands in the way of implementing a professional, central identity management solution. In the few months remaining until the end of the year, it is now necessary to find a suitable provider who offers a comprehensive solution within the available budget. After all, this also saves on overhead costs in IT in the long term, since the processes are automated.

 
