Introduction of a new IAM solution at Thüringer Aufbaubank

As a rule, the regulatory requirements of MaRisk increase over time. The previous IAM solution used by Thüringer Aufbaubank was no longer able to keep up with this. That’s why the company decided to replace their system and has been working with Garancy® Identity Manager since 2019. One of its key features is that it specifically supports a role-based concept, which makes it easy for the insurer to apply their principle of “no right without a role.” At Thüringer Aufbaubank (TAB), the days of using checklists to define who needs what authorizations for which IT system and when are long gone.

The bank, including all subsidiaries, has around 800 employees, most of whom work at the main site in Erfurt. Aufbaubank had already introduced a central tool for identity and authorization management as part of their IT governance initiative in 2016. However, in light of new and upcoming MaRisk and BAIT regulation, it became clear after just one year of operation that the software was not cut out to meet future regulatory requirements.

An audit in accordance with Section 44 of the German Banking Act (KWG), mandated by BaFin and conducted by Bundesbank auditors, confirmed TAB’s assessment and provided the final impetus for taking a new approach: The previous IAM concept had to be reconsidered, and a new solution needed to be found. Tommy Grimmer, Head of the IT Control Department at Thüringer Aufbaubank: “One of our top priorities was to find a solution that delivers excellent usability and meets all current and upcoming requirements of MaRisk and BAIT – as far into the future as possible. That’s why we opted for a software solution from Beta Systems, not least because a number of other banks already work with Garancy® and recommended it to us."

Rights are only requested via roles: In the first step, the 2019 project team mapped all previously managed authorizations to the new Garancy® Identity Manager system. In the second stage, starting in 2020, Aufbaubank redesigned the authorizations. The underlying principle was to assign no right without a role – in other words, rights are only requested via roles, and individual rights are only assigned in exceptional cases (such as temporary read/write access to project directories).

Aufbaubank has been using profiles and roles for a long time, especially in the area of case processing. So the authorization design has always driven specialist roles, “yet never to the extent or level of detail the ‘minimum access’ or ‘need-to-know principle’ would have called for,” recalls Tommy Grimmer. Clustering had already been applied at the department level, but not at the level and depth that the new IAM solution provides.

“It is only with Beta Systems that the roles are truly aligned with the specialist skills, jobs and functions,” explains Cindy Schöneweck, Compliance Officer in IT Control at Aufbaubank, who was hired specifically for the new IAM project.

She coordinated the introduction of the IAM system in close cooperation with the organizational department, the specialist departments and the independent IT consultant Dr. Claudia Walhorn, who has a strong track record of assisting (investment) banks with the introduction and operation of Garancy®. One of her core principles is that there should be a dedicated authorization concept for each application that includes user administration. The “Intranet” application, for example, has read, write and administration rights.

These are grouped into so-called basic, organizational, specialist or functional roles (role types) derived from the bank’s organizational structure. As a result, all employees have a basic role that governs time tracking, access to certain applications (e-mail, AD), network drives, etc. There is also a specialist role for each job description, as well as organizational roles for organizational units and cross-departmental functional roles (such as staff council).

As regards the functional areas, many employees share the same specialist role. For example, about 200 people from two major departments are assigned to about 21 specialist roles. The bank is currently mapping this division of roles in Garancy® in close consultation with the specialist departments, while also streamlining existing rights in the process.

Reduced administrative effort when assigning access rights. Aufbaubank’s principle of “no right without a role” results in the following workflow: Any two employees with the same job description also have the same access rights and are assigned the same specialist role.

For each new employee, the rights they require to perform the tasks assigned to them are selected from an existing set of rights and roles. The defined roles thus simplify rights assignment. Everyone is assigned the basic, specialist and, where appropriate, organizational and functional roles that reflect their future profile in the company.

This significantly reduces the administrative effort involved in assigning rights.