Embed Size (px)
Citation preview
Implementation of SAP’s Compliant User
Provisioning solution at Vodafone
Nick Tuffs – Vodafone Global Identity Management Team
21st November 2011
Agenda
• Background to Vodafone
• About the EVO Programme
• Existing and proposed UAM processes
• Why, What and Who we chose to implement
• Gathering Requirements
• Implementation timeline
• Success
• Next steps
• Lessons Learnt
• Questions
2
Background to Vodafone
3
• HQ in London and Newbury
• World’s largest mobile telecoms company (by revenues)
• Second-largest by subscribers (341 million)
• 4th largest company on London Stock Exchange
• Networks in 20+ countries
• Partner networks in 30+ countries
• Market capitalisation £93 billion
Vodafone’s Global Footprint
4
What is the EVO Project?
• EVO stands for the Evolution of our existing multi-country business model, to a single, uniform way of running our global business in the finance, human resources and supply chain functions.
• The largest transformation programme ever approved by the Vodafone Board.
• The Future State Operating Model is supported by a single IT system - EVO SAP.
i. The Core Business Model ii. Shared Service Centres iii. Vodafone Global Procurement Centre (VPC) iv. A Single Enterprise Resource Planning (ERP) system
Key Benefits and figures for EVO
Consistent and timely cost information
Simple and efficient business operations
Standardised global processes
Leveraged shared services for back office processes
The best commercial solutions for global purchasing
IT landscape simplification through system consolidation
Expected annual cash savings of over €600m
€284m savings (08/09)
€731m savings (09/10)
€2.5bn cash savings over 7 yrs
What phase is EVO in now?
• Evo is approaching the 8th release phase with 50000+ live users
LIVE MARKETS:
UK
Germany
Vodafone Group Services
Portugal
Spain
Netherlands
Ghana
Ireland
Italy
Greece
Turkey
STILL TO GO-LIVE
New Zealand
Qatar
Czech Republic
Romania
Egypt
South Africa
Remedy
7 IT
Ticketing
Tool
MS
Excel
form
Compliant
User
Provisioning
module of
SAP GRC
PASI in-
house
tool
VF-HU
VF-Ghana
VOCH
VPC
VGS
VF-NL
VF-DE
VF-PT
VF-ESManually created
ticket
LOCALLY OWNED APPROVAL
PROCESS AND TOOLSGLOBAL APPROVAL PROCESS AND TOOLS
Ticket can come
from OpCo SPOC
or via EVO service
desk. Ticket is
considered as pre-
approved.
VOCH UAM
perform
SoD check
Risk and
Remediation
module of
SAP GRC
CUP performs SoD check
Central User
Administration
System in
EVO SAPVOCH UAM
perform
user
provisioning
Global SoD
rules in RAR.
CUA connects
to all EVO SAP
systems
Line Manager
and Role Owner
approvals sent
via email
Line Manager
and Role Owner
approvals
managed via
CUP workflow
CUP performs
user provisioning
Line Manager
and Role Owner
approvals
managed via
SASI workflow
Line Manager
and Role Owner
approvals
managed via
PASI workflow
SASI in-
house
tool
Existing AS-IS UAM process and tools for EVO
• Different local processes to trigger VOCH UAM team to act. Interface is via Remedy tickets and EVO Service Desks.
• End to end time to process requests is variable as local processes vary – SLAs exist for Global side via VOCH UAM team.
• Manual activity is costly and prone to errors causing SoX issues and cost overheads.
Global Solution Piloted for VOCH SSC
RAR module
of SAP GRC
Central User
Administration
System in
SAPIDM R3
(OIM)
IDM creates
approved request in CUP
and recieves updates
on request status
CUP module
of SAP GRC CUP performs
automated
SoD check
CUP performs automated
user provisioning
VOCH UAM
Team
manage
exceptions
Line Manager
and Role Owner
approvals sent
via IDM workflow
GLOBAL PROCESS
AND TOOLS
EVO PROCESS
AND TOOLS
• Automation: IDM provides front end, workflows and triggers CUP to perform SoD check and provisioning.
• Manual: VOCH UAM team handle exceptions such as SoD conflict and mitigation, provisioning failures and IDM profile loads.
• This solution has been piloted and proved for VOCH in September 11 and will now be rolled out for all EVO live markets.
• The Chosen Partners needed to; i. work closely with the in house support teams ii. collaborate closely on the integration of the two tools iii. work to the same project time scales
• The Project covered i. Online request and approvals.
ii. Automatic SoD checks and role assignment
iii. The revoke of role assignments
• The ability streamline the current SPM (fire fighter) request process.
• Chosen partners were – su53solutions for the GRC-CUP integration
– Wipro for the Oracle Identity Management Solution
10
Project Partners and Scope
Gathering Requirements
• Key task performed were; i. Agree the scope for CUP and the division of control with OIM ii. Integration of OIM to CUP via webservices iii. Integration of CUP to RAR iv. Integration of CUP to CUA
• The Requirement to
i. Allow users to raise and track requests in a self-service manner ii. Remove the service desk input by automatically sending requests for approval to be
performed directly in the system iii. have all request automatically processed with a back ground Risk analysis. iv. have as little manual intervention as possible in the provisioning process to reduce
headcount in the UAM team.
• Compliance approval of unmitigated risks, before assignment in the EVO
system.
11
Gathering Requirements
• Agree the detailed web interface connector requirements for OIM-CUP connectivity.
• Agree the required Workflows for the OIM – CUP integration
• Agree the required Workflows for the CUP – SPM workflow
• Agree the Systems in scope
• Agree the roles and role owners in scope
• Agree the Mapping of Single to Composite roles to match internal Job Aid
• Agree the SPM ID’s and Owners are correct
• Agree how role data and assignment would be exchanged between OIM and CUP
12
Implementation Timescales
• Extremely demanding timeline i. Inception (early April)
ii. Expected Go-live (1st August)
• The project was broken down into the following stages i. Design Phase ii. Build Phase iii. Test Phases (integration, product and user acceptance) iv. End user training for the local support team v. Deployment to production (Technical Cutover) vi. Go-Live support vii. Post Go-Live Support Phase (Warranty)
13
Success?
• Since go-live on 15th September, over 300 requests have been processed to completion for the VOCH.
• The volume of tickets handled manually by the user administration team has dropped by 160 tickets per month.
• User feedback on the turn around time end to end has been positive.
14
Lessons Learnt
15
• Any change to an established user administration process requires training and communications on a detailed level.
• Vodafone took ownership of the shared project plan and co-ordinating the activities across the multiple teams involved was an intensive process.
• Connection of the CUA child systems and updating CUP master data must be performed in detail to prevent failed provisioning that has to be debugged.
• HR master data errors caused workflow approval and provisioning errors.
• From OIM perspective the schedulers to check and retry tasks sent to CUP are critical to BAU operations.
• Check that the GRC systems have the hardware required to handle CUP, RAR and SPM as this is managed by IBM for Vodafone.
• Due to the different platforms involved the support model for end users must be clearly thought out with supporting use cases and training.
• Line managers and role owners still take some time to approve requests despite it being easier!
Next Steps
• We are planning a phased roll out as part of the ongoing EVO release plan following a standardised release plan.
• Next implementation is for Vodafone Group Services, Vodafone Hungary and Indian Shared Service Center.
• Our solution although more complex integration wise for the first go-live is relatively simple to rollout to additional markets as technically just the role master data and initial loads have to be prepared for OIM and CUP.
• Important part is the involvement of the individual markets contacts: HR, Communications, UAM process owners and role owners.
• Future enhancements of the platform are planned to include user attestation for compliance processes.
16
Questions
17
