THOSE WHO DON'T UNDERSTAND ENTITLEMENTS CAN'T MODEL THEM.
Hessische Landesbank — IAM Analysis and Role Preparation
Omada has been procured. CyberArk is ready. The program has budget, timeline, and sponsors. And then it turns out that nobody knows exactly which entitlements actually exist in the mainframe environment. Not because no one is responsible, but because it never bothered anyone that they were never fully documented.
Omada is ready. The question is what goes into it.
As part of a program to improve information security, the Omada Identity Suite was to be introduced as the central Identity and Access Management (IAM) entitlement system and CyberArk as the Privileged Access Management (PAM) solution. Both in parallel, both under time pressure. The problem was not the program. The problem was what lay beneath it.
A new platform does not solve a problem you are not aware of.
Structures that have grown over time do not lie. But they stay silent.
IT infrastructure and mainframe environments have their own history. Entitlements granted years ago were rarely documented, because they worked. Entitlement concepts were carried forward, not always reviewed. Privileged rights exist, but no one has ever systematically consolidated them. That was exactly the starting point. Omada needs role models. CyberArk needs cleanly identified privileged accounts. Neither was ready.
Count, review, clean up.
The first step was taking inventory. Which types of entitlements actually exist in the IT infrastructure and mainframe environment? How many accounts, what volumes, what structures? Quantity structures and volume estimates were created, not as a bureaucratic exercise, but as a basis for decision-making for the subsequent integration.
At the same time, existing entitlement concepts were reviewed. Some still reflected actual operations. Others did not. Where necessary, they were updated before they could serve as a basis for modeling. Privileged rights were identified and prepared in a way that allowed a structured handover to CyberArk.
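As an added illustration of the "count, review, clean up" step (not part of the original case study and not the project's own tooling): a small Python reconciliation over a constructed account/entitlement extract. The documented concept, the account and entitlement names, and the rule that marks an entitlement as privileged are all assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample extract of the kind an inventory starts from:
# (account, system, entitlement). All names are illustrative.
EXTRACT = [
    ("u1001", "MF-PROD", "RACF:PAYROLL.READ"),
    ("u1001", "MF-PROD", "RACF:PAYROLL.UPDATE"),
    ("u1002", "MF-PROD", "RACF:PAYROLL.READ"),
    ("u1003", "MF-PROD", "RACF:SYS.SPECIAL"),
    ("u1004", "AD-CORP", "Domain Admins"),
    ("u1005", "AD-CORP", "HR-Readers"),
    ("u1005", "MF-PROD", "RACF:PAYROLL.READ"),
    ("svc_batch", "MF-PROD", "RACF:SYS.OPERATIONS"),
]

# Constructed documented entitlement concept (role -> entitlements):
# the "what should exist" side that the review compares against reality.
CONCEPT = {
    "Payroll Clerk": {"RACF:PAYROLL.READ", "RACF:PAYROLL.UPDATE"},
    "HR Reader": {"HR-Readers"},
    "Audit Reader": {"RACF:AUDIT.READ"},
}

# Assumed rule for classifying an entitlement as privileged; in practice this
# list is agreed with the system owners, not guessed from names alone.
PRIVILEGED_MARKERS = ("SYS.", "Domain Admins")

def inventory(extract):
    """Count distinct accounts and entitlement assignments per system."""
    accounts, assignments = defaultdict(set), Counter()
    for account, system, _ in extract:
        accounts[system].add(account)
        assignments[system] += 1
    return {s: {"accounts": len(accounts[s]), "assignments": assignments[s]}
            for s in accounts}

def review_concept(extract, concept):
    """Entitlements in use but undocumented, and documented ones nobody holds."""
    in_use = {e for _, _, e in extract}
    documented = set().union(*concept.values())
    return {"undocumented": sorted(in_use - documented),
            "unused": sorted(documented - in_use)}

def privileged_accounts(extract, markers=PRIVILEGED_MARKERS):
    """Accounts holding privileged entitlements, grouped for the PAM handover."""
    holders = defaultdict(set)
    for account, system, ent in extract:
        if any(m in ent for m in markers):
            holders[account].add((system, ent))
    return {a: sorted(v) for a, v in holders.items()}
```

The "undocumented" list is the gap the text describes: entitlements that exist in operations but appear in no concept, and therefore cannot be modeled as roles until someone decides whether they should remain.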
Only once it is clear what exists can a decision be made about what should remain.
Making visible what no one had looked for in years.
The entitlement structures are documented, cleaned up, and ready to be modeled in Omada. Privileged accounts are identified and prepared for CyberArk. The program was able to build on a foundation that did not exist in this form before.
The decisive point lies less in the technology. It lies in the fact that decisions made in operations that were never written down are now visible and manageable.
Why platform rollouts often fail later than planned.
Many IAM projects do not run into trouble because the wrong platform was chosen. They run into trouble because the foundations are not right. Role models built on incomplete entitlement structures reproduce the old problems in the new environment, just with more automation.
Anyone introducing an IAM or PAM platform and skipping the upstream step of taking inventory saves time at the start and loses it later. This project shows what that step actually means and why it is the prerequisite for the new platform to deliver what it is supposed to.