The Company deals with the production and pre-shipment processing of natural gas and condensate, as well as geological prospecting and the development of new oil, gas and condensate fields.
With over 10,000 employees, management of user accounts and access rights at the Company was fairly time-consuming. In light of this, the Company opted to centralize and automate these processes by adopting an Identity Manager (IdM) based system.
The project was conceived with an eye to benefiting multiple departments. A streamlined IdM system would reduce administration costs, user account setup time and security risks. It would also make users of corporate IT resources much more comfortable.
“Automatic and transparent user access rights management is critical for our company,” says one of the Company’s representatives. “We decided to have Jet Infosystems deploy our IdMS, since Jet’s proposal most closely fitted our objectives. Jet Infosystems has an excellent track record, as well as considerable experience with IdM solutions that are based on products from leading vendors and its own expertise.”
The system was expected to (a) accelerate processing of access rights applications through use of e-forms, (b) allow gradual transfer to electronic approval of applications with legally valid digital signatures, and (c) significantly reduce workload on system administrators. Data security was expected to improve thanks to stringent procedures for granting access rights.
The Oracle WaveSet (previously Sun Java System Identity Manager) platform chosen for the new system was customized to fit the client’s requirements and business needs.
Since the new system’s functionality was to be integrated with the work of the IT department, security department, and many of the Company’s business departments, it took Jet Infosystems several months, in consultation with these departments, to prepare a list of requirements and a detailed design. All of the system’s software and hardware components were duplicated to ensure 100% fault tolerance.
Evgeniy Akimov, deputy director of Jet Infosystems’ Data Security Center: “The Company’s staff took part in discussions and decision-making throughout the project. Our work was therefore well-coordinated and the results were more predictable. No major changes to project functionality or the work plan had to be made. The Company’s IT administration division and software division helped us write scripts and make adjustments to the system. The original deadline was met without any problems.”
The IdM system modules were deployed in a series of stages.
Stage one (June 2010): The first system release is launched. The system is linked up with the human resources management (HRM) database and with processes such as “recruitment” and “dismissal.” Information from the human resources database is used to update the Active Directory (AD, a global catalog of user accounts needed for centralized network administration and security) and the Exchange 2003 corporate email system.
Stage two (August 2010): The system is dramatically expanded to include business processes such as “transfer,” “leave-granting,” “role approval/role-period extension” and others. The system can now generate PDF applications for access to AD and SAP R/3 resources in over five categories (accounting, production, finance and others).
The system is integrated with the CryptoPro authentication center. Legally valid digital signatures can now be used for application approvals to save time.
Stage three (November 2010): Local adjustments are made to user forms, application templates and the user interface; the “name change” business process is added; new audit reports are introduced for the security department. Access procedures for the Exchange 2010 corporate email system are set up.
Stage four (January 2011): The entire human resource management system is integrated with the IdM system.
The IdM system now covers the company’s principal business processes and interacts with the main HR database and four managed systems: SAP R/3, AD, HRMS and Exchange 2010 (see flow chart below).
The Company now has a centralized approach to managing user accounts and access rights. User accounts are automatically created for new employees in systems to which they need official access. If an employee has a change in job position or moves to another department, his/her access privileges are automatically revised; dismissed employees’ accounts are automatically blocked. Applications for access can never be granted in error, as approval requires numerous authorizations. The IdM system is now fully functional. Technical support has been outsourced to Jet Infosystems. The system is in high demand: already over 3000 applications for access have been filed. It covers 12 business processes in the Company (“recruitment,” “position changes,” “account locking/unlocking,” and so forth).
“Innovative approaches to IT have been a major factor in the Company’s sustained growth,” says Igor Lyapunov, director of Jet Infosystems’ Data Security Center. “An IdM system soon pays for itself, as it cuts IT administration costs, provides good support to users, and saves time on application processing. Introducing this system at the Company was a sound policy decision. In light of our experience, many other companies have now come to realize that they need IdM systems as well.”
A representative of the Company says: “While the project’s overall outcome cannot yet be judged, we already feel that our IT and DS departments’ performance has noticeably improved. A functioning IdM system, in conjunction with the company’s rules and procedures, greatly facilitates the use of corporate systems. Access applications are now approved much more quickly. System components customized to meet our specific needs have proved highly useful.”