
Industry: Health Insurance
Location: Germany
With more than five million insured members, Techniker Krankenkasse (TK) is one of Germany’s largest and fastest growing health insurance companies. Headquartered in Hamburg, TK employs more than 9,000 employees and maintains more than 200 locations.
The Challenge
TK’s user administration group is responsible for all user access throughout the organization: thousands of employees at hundreds of office locations, working in a heterogeneous IT environment with numerous information systems. To improve efficiency and keep access management secure in this complex environment, the group embarked on a project in the late 1990s to streamline cross-platform user administration. The scope was challenging and the stakes were high, but TK met its objectives.
To administer user IDs and permissions for its mainframe more efficiently, TK developed an application called RACF Dialogue to manage user rights and privileges. The tool let decentralized administrators in more than 200 offices nationwide manage user ID access without any knowledge of RACF syntax. RACF Dialogue supported granting user rights and access to employees, as well as password resets.
Since the late 1990s, however, TK has implemented a variety of new systems, including non-mainframe platforms such as Novell Netware®, Lotus Notes®, SAP®, and others. As a consequence, RACF Dialogue could no longer manage all of TK’s user rights. The central user administration team’s workload grew sharply with each new system, because it was neither feasible nor secure to train every decentralized administrator on a different security interface for each new platform. Central user administration needed to cover all users on these non-mainframe systems as well, and the existing application could not do that.
The Solution
RACF Dialogue was continually enhanced and refined during its years in use. One key enhancement was a workflow capability for access requests to the various types of systems. Having decided to build a new graphical user interface (GUI) for end-users, one that would run in parallel to the old IMS application, TK needed cross-platform Role-Based Access Control (RBAC), so user rights had to be set through a role-based administration system. Technically, this could have been done with RACF Dialogue, but it would have meant maintaining role-based access rights in two different systems, RACF and a DB2® database.
By that time RACF Dialogue comprised numerous subroutines with more than 10,000 lines of code and several large DB2 tables. End-users were also forced to work through an outdated ISPF interface, which no longer sufficed for all of the required administration tasks.
These and other reasons prompted TK to stop using RACF Dialogue and look for a standard Identity Management user administration software solution. The primary requirements for the solution included:
• A modern, intuitive graphical user interface that was easy to learn for both centralized and decentralized end-users
• A fully functional replacement that included all of the capabilities of the RACF Dialogue tool, so that every previous function remained available during the migration to the new technology
• An Identity Management solution that was extensible and open, to support additional new types of information systems that TK might add
• Full support of RBAC, so TK could leverage its existing RBAC definitions for all managed systems and grant role-based administration and user rights in all managed systems
Products from five vendors were short-listed and carefully examined, starting in 2000. TK chose ASG-Entact ID™ because it was the only solution that satisfied all of TK’s criteria, and it included additional features such as an audit component.
ASG-Entact ID enabled TK to synchronize and update employee data automatically from an authoritative source, the SAP Human Resources database. Employees’ identities, job functions, and other attributes are determined from this source daily, which provides significant automation and ensures that all employee data in the system is current.
Measurable Results
TK’s central user administration group no longer had to manually set up and delete user IDs and permissions for new users, change users’ job functions, or terminate users’ relationships with the company. ASG-Entact ID automates these processes, along with automatically creating user IDs and permissions for various platforms when a new employee joins the company. For job changes, the solution also automatically removes access related to old job functions and adds the access required for new job functions. Access for terminated employees is revoked automatically. Exception access is managed with the Web workflow application by the decentralized administrators, and properly approved requests are automatically provisioned by the system.
Another big advantage achieved with the migration to ASG-Entact ID was the flexibility in the management of roles. ASG-Entact ID easily incorporated existing roles and even allowed pre-existing role names from RACF Dialogue to be used. This enabled TK to leverage extensive work previously done in this area and made it easy for the decentralized administrators to find their way through the new workflow and user provisioning environment. Finally, the new system ensured that every decentralized administrator could only see and manage the employees based within his or her own area of authority.
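The joiner/mover/leaver automation and the administrator scoping described in the two paragraphs above follow a common pattern: treat the HR feed as authoritative, derive each employee's target entitlements from a role model, diff that against what is currently provisioned, and emit only the grants and revocations needed. The following Python is an added illustration of that pattern; it is not TK's or ASG-Entact ID's code. The role model, HR records, accounts and system names (RACF, SAP, NOTES) are constructed sample data, an employee's "area of authority" is simplified to a single org unit, and approved exceptions are kept across job changes (a real deployment would typically recertify them).

```python
"""Joiner/mover/leaver reconciliation against an authoritative HR feed.

Added illustration for this case study, not TK's or ASG's code. The role
model, HR records, accounts and administrator scopes are constructed data.
"""
from dataclasses import dataclass, field

# Role model: job function -> {managed system -> entitlements} (constructed).
ROLE_MODEL = {
    "CLAIMS_CLERK": {"RACF": {"CLAIMS.READ", "CLAIMS.UPDATE"},
                     "SAP": {"Z_CLAIMS_DISPLAY"}},
    "CLAIMS_SUPERVISOR": {"RACF": {"CLAIMS.READ", "CLAIMS.UPDATE", "CLAIMS.APPROVE"},
                          "SAP": {"Z_CLAIMS_DISPLAY", "Z_CLAIMS_APPROVE"}},
    "IT_SUPPORT": {"RACF": {"HELPDESK.PWRESET"}, "NOTES": {"HelpdeskDB"}},
}


@dataclass(frozen=True)
class HrRecord:
    """One row of the authoritative HR feed (constructed format)."""
    employee_id: str
    job_function: str
    org_unit: str      # simplified "area of authority" of a decentralized admin
    active: bool       # False once HR records the termination


@dataclass
class Account:
    """Current provisioning state of one employee across managed systems."""
    employee_id: str
    job_function: str
    org_unit: str
    entitlements: dict = field(default_factory=dict)  # system -> set provisioned
    exceptions: dict = field(default_factory=dict)    # system -> set approved via workflow
    disabled: bool = False


def desired_entitlements(job_function, exceptions):
    """Role-derived entitlements plus approved exceptions, per system."""
    wanted = {sys: set(ents) for sys, ents in ROLE_MODEL.get(job_function, {}).items()}
    for sys, ents in exceptions.items():
        wanted.setdefault(sys, set()).update(ents)
    return wanted


def approve_exception(admin_org_unit, acct, system, entitlement):
    """Workflow approval by a decentralized administrator.

    The approver may only act on employees inside their own org unit; the
    approved exception is provisioned on the next reconciliation run.
    """
    if acct.org_unit != admin_org_unit:
        raise PermissionError(f"{acct.employee_id} is outside area {admin_org_unit}")
    acct.exceptions.setdefault(system, set()).add(entitlement)


def reconcile(hr_feed, accounts):
    """Bring `accounts` in line with `hr_feed`; return the provisioning actions.

    Each action is (verb, employee_id, system, entitlement) with verb one of
    create / grant / revoke / disable. `accounts` is updated in place.
    """
    actions = []
    by_id = {rec.employee_id: rec for rec in hr_feed}

    for emp_id, rec in by_id.items():
        if not rec.active:
            continue                              # handled as a leaver below
        acct = accounts.get(emp_id)
        if acct is None:                          # joiner: no account yet
            acct = accounts[emp_id] = Account(emp_id, rec.job_function, rec.org_unit)
            actions.append(("create", emp_id, "*", "*"))
        acct.job_function = rec.job_function      # mover: role changes drive the diff
        acct.org_unit = rec.org_unit
        wanted = desired_entitlements(rec.job_function, acct.exceptions)
        for sys in sorted(set(wanted) | set(acct.entitlements)):
            have = acct.entitlements.get(sys, set())
            need = wanted.get(sys, set())
            actions += [("grant", emp_id, sys, e) for e in sorted(need - have)]
            actions += [("revoke", emp_id, sys, e) for e in sorted(have - need)]
            acct.entitlements[sys] = set(need)

    # Leavers: terminated in HR, or missing from the authoritative feed entirely.
    for emp_id, acct in accounts.items():
        rec = by_id.get(emp_id)
        if (rec is None or not rec.active) and not acct.disabled:
            for sys, ents in acct.entitlements.items():
                actions += [("revoke", emp_id, sys, e) for e in sorted(ents)]
            acct.entitlements, acct.exceptions, acct.disabled = {}, {}, True
            actions.append(("disable", emp_id, "*", "*"))
    return actions


def demo():
    """Constructed daily run with one mover, one leaver and one joiner."""
    accounts = {
        "E100": Account("E100", "CLAIMS_SUPERVISOR", "HH-01",
                        {"RACF": {"CLAIMS.READ", "CLAIMS.UPDATE", "CLAIMS.APPROVE"},
                         "SAP": {"Z_CLAIMS_DISPLAY", "Z_CLAIMS_APPROVE"}}),
        "E200": Account("E200", "IT_SUPPORT", "HH-02",
                        {"RACF": {"HELPDESK.PWRESET"}, "NOTES": {"HelpdeskDB"}}),
    }
    feed = [
        HrRecord("E100", "IT_SUPPORT", "HH-01", True),    # moved to IT support
        HrRecord("E200", "IT_SUPPORT", "HH-02", False),   # terminated
        HrRecord("E300", "CLAIMS_CLERK", "HH-01", True),  # new hire
    ]
    approve_exception("HH-01", accounts["E100"], "NOTES", "AuditDB")  # in scope
    return reconcile(feed, accounts)


if __name__ == "__main__":
    for action in demo():
        print(*action)
```

Running the block prints the full action list: the mover loses every CLAIMS entitlement in RACF and SAP and gains the IT support ones plus the approved NOTES exception, the leaver is stripped of all access and disabled, and the joiner is created with exactly the CLAIMS_CLERK entitlements. A second run over the same feed produces no actions, which is the property that lets the job run unattended every day.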
The transition from RACF Dialogue to ASG-Entact ID was overseen by only two people at TK. It was not a standalone, independent project. Rather, it was carried out during regular daily business.
“The transition described here is not the end of our implementation of Identity Management software,” explains Michael Vaillant, security administrator at TK. “This solution from ASG has provided our primary infrastructure for enterprise access management and will also facilitate the addition and implementation of further new systems in the future.”