Therefore, even in this application, accounts are now centrally managed and client employees are automatically created, modified and cancelled in APS according to information from the HR system. The connection was again made via a single integration platform (Enterprise Service Bus) as required by the bank’s IT standards. In connection with the APS connection, the original concept of roles in IdM was supplemented with a new element that now multiple role types can exist for one connected application and these roles have programmatically defined links between them. E.g. if a user does not have a role of type X, they must not request a role of type Y, etc. All other issues such as role requests, importing role definitions from Excel, rules for automatic role assignment and removal, role management interfaces, user lifecycle management, etc. have remained unchanged as for existing applications. After all the necessary modifications were delivered, the actual connection of the APS application was already handled by trained staff on the bank side with only minimal support from our side.

Along with the APS connection, other minor useful features were implemented in IdM, of which we highlight the following:

• The ability to administratively specify the order of roles to display in role requests and the ability to completely hide individual roles for requests
• New notifications of impending user account expiration
• Addition of new information on approval forms so that the access approver has all the necessary context for the decision and does not have to search for information from other sources
• Extension of the attributes recorded about external users