PUBLIC
Copyright© 2021 by Lempinen & Partners Oy
All Rights Reserved.
No part of this document may be reproduced, transmitted, transcribed, stored in an electronic
database or translated into any language, in any form by any means, without prior written
permission of Lempinen & Partners Oy.
The information in these documents is subject to change without notice. Products or corporate
names may be trademarks or registered trademarks of their respective companies and are used only
for the explanation and to the owner's benefit.
There is no warranty of any kind for the accuracy or usefulness of this information except as
required by applicable law or expressly agreed in writing.
Contents
Executive summary
IAM lifecycle stages
Concepts and capabilities of IAM Application
IAM Connectors
    Ansible & Tower API
    Azure Active Directory
    On-Prem Active Directory
    Personio
    Salesforce
    SAP ERP
    SAP SuccessFactors
    ServiceNow
Request trial
More information
Executive summary
Identity and Access Management (IAM) is a framework of policies and technologies ensuring that the
proper people in a corporation have the appropriate access to technology resources. Done correctly,
it saves costs, enhances security, makes employees more efficient and happier, and helps companies
pass audits related to accounts and accesses. IAM is more commonly known as IGA (Identity
Governance and Administration).
IAM Application brings the right technology to enforce your policies easily and efficiently across the
whole organization. It automates the IAM lifecycle, from requesting access rights through verification,
creation and monitoring to their removal.
IAM Application enables users to request all access rights from the easy-to-use ServiceNow Service
Portal (which is also used for ordering laptops and other work tools), so email and other legacy
solutions are no longer needed for handling access requests. Users and managers can order either
indefinite or temporary access and deprovision access that is no longer needed.
GDPR forces companies in Europe, and companies working in the European market, to protect
individuals' Personally Identifiable Information ("PII"). IAM Application provides information on which
system holds an individual's information and who has access to it. For internal or external audit
purposes, reports can be created with the ServiceNow reporting engine to gain the necessary
information on identities and accesses in different systems, as well as on who has had access to the
systems.
IAM Application makes it easy for managers and the security department to compare the access rights
of individuals and to track login times of inactive users who are not using the system. When access is
no longer necessary, IAM Application manages the removal of access rights and the inactivation of the
user's identities.
Business Driver | Business Benefit | IAM Application
Reduce IT workload | Save unnecessary costs related to providing identities and access rights | Automate IAM request handling and provisioning to all systems
Increase employee satisfaction | More committed and efficient employees | Manage IAM with ITSM and choose your service channels (portal, mobile, chat, SMS, email)
Improve business productivity | Identities and access rights at the right time and right sized | Define and deliver access rights based on business-driven job roles
Reduce IT risk and license costs | Save costs of unused licenses and improve security | Application provides different options for auditing access rights and removing unnecessary accesses from users
Reduce number of systems | Save license costs as well as training and maintenance costs | IAM Application is part of ServiceNow SaaS with very competitive pricing
IAM lifecycle stages
In today's world, securing company premises is no longer adequate. Instead, security must be planned
from an identity perspective. IAM Application manages the following identity lifecycle events: joiner,
mover and leaver.
The joiner use case means onboarding a new person based on the HR system or the ServiceNow Service Portal.
The mover use case ensures that identity-related accounts and access rights follow company policies
after changes to information such as last name or department.
The leaver use case deprovisions, automatically or manually, all accounts and access rights from a
person who no longer requires access to company resources.
Request Access
• Integration (e.g. HR System)
• Service Portal
• Native UI
Verification
• Approvals (0-n)
• Critical Access Combination check
• License check
Providing Rights
• Automated provisioning
• Manual task based provisioning
Monitoring Identity Status
• Reconciliation with target systems
• Update user information
• Reporting
Logging and Tracking Access
• Reconciliation with target systems
• Reporting
• Notifications and alerts
Removing or Restricting Rights
• Automated access removal tasks initiated from Service Portal or HR System
Concepts and capabilities of IAM Application
IAM Application for ServiceNow has these core capabilities:
Workflow orchestration is based on the ServiceNow workflow and flow engine to automate IGA processes.
Identity analytics and reporting are based on reconciled information from sources such as HR systems and from targets such as ERP systems. The application is compliant with ServiceNow core reporting features such as dashboards.
Fulfillment (also called "provisioning") capabilities support both automated and manual provisioning, updating, deprovisioning and deleting of accounts and access rights.
Entitlements management enables the organization to see accounts and access rights per identity. Users are able to review their own and their subordinates' entitlements in the Service Portal.
Access certification provides the capability to dynamically create certification requests for certifiers to ensure entitlements are justified.
The application is compliant with these native ServiceNow capabilities:
• Portal interface for end-users and administrators
• Approvals
• Reporting engine
• Email, SMS and push notifications
• Integration capabilities for REST, SOAP, LDAP, JDBC, OID, File transfer
• IntegrationHub integration connectors (for example JIRA, Microsoft Active Directory, Okta and many more)
More information about the capabilities is available in The Practical Guide for Implementing IAM on ServiceNow document available on our website: https://lempinenpartners.com/practical-guide-for-implementing-iam/
IAM Connectors
Customers can connect the IAM Application to any system as a part of the implementation process. New
connectors will be built based on customer demand. The connectors built for the IAM Application are listed
below.
Ansible & Tower API
This connector manages account and group memberships via Tower API for Ansible
(https://www.ansible.com/). The following use cases are available out-of-the-box:
• Create account
• Update account
• Inactivate account
• Add to group
• Remove from group
• Reconcile account
• Reconcile group
Azure Active Directory
This connector manages accounts, groups and roles for Azure Active Directory. The following use cases are available out-of-the-box:
• Create account
• Update account
• Inactivate account
• Add to group
• Remove from group
• Add role
• Remove role
• Reconcile account
• Reconcile group
• Reconcile role
On-Prem Active Directory
This connector manages accounts, groups and roles for On-premise Active Directory. The following use cases are available out-of-the-box:
• Create account
• Update account
• Inactivate account
• Add to group
• Remove from group
• Reconcile account
• Reconcile group
Personio
This connector manages HR data from Personio HR system to ServiceNow IAM. The following use cases are available out-of-the-box:
• Joiner use case
• Mover use case
• Leaver use case
• Reconcile employee information
Salesforce
This connector manages accounts, groups and roles for Salesforce. The following use cases are available out-of-the-box:
• Create User
• Update User
• Inactivate User
• Activate User
• Provision Profile for User
• Update Profile for User
• Add User to Public Group
• Add Entitlement to User
• Remove Public Group from User
• Remove Entitlement from User
    o As manual task
• Reconcile Public Groups
• Reconcile Public Group members
• Reconcile Entitlements
• Reconcile Entitlements Members
SAP ERP
This connector manages account and access automation for S4 and R/3 SAP environments. The following use cases are available out-of-the-box:
• Create SAP User
• Update SAP User
• Inactivate SAP User (based on valid to date)
• Add and remove SAP roles
• Add and remove SAP profiles
• Reconcile SAP Users
• Reconcile SAP Roles
• Reconcile SAP Profiles
• Recertification rules in ServiceNow based on SAP accounts, roles and profiles
SAP SuccessFactors
This connector manages HR data from SAP SuccessFactors HR system to ServiceNow IAM. The following use cases are available out-of-the-box:
• Joiner use case
• Mover use case
• Leaver use case
• Reconcile employee information
ServiceNow
This connector manages accounts, groups and roles for ServiceNow. The following use cases are available out-of-the-box:
• Create user
• Update user
• Inactivate user
• Delete user
• Add to group
• Remove from group
• Reconcile account
• Reconcile group
• Reconcile roles
Request trial
You can request a 30-day trial version of the IAM Application for your development/test environment to
test the capabilities of the IAM Application. Before accepting the trial version request, we would like to go
over the basics of the application and discuss your IAM needs.
More information
Please feel free to contact us for more information on the IAM Application for ServiceNow.
Lempinen & Partners Oy
Tel. +358 9 4282 7663
Email: [email protected]
https://www.lempinenpartners.com