World’s Largest Caterpillar Dealer Digs Its New Identity System

For more than 86 years Caterpillar dealer Finning has delivered the unrivaled service its customers have come to expect. Founded in 1933, Finning employed 1,000 by 1965 and had reached annual revenues of $78 million. Today, Finning employs more than 13,000 and attained 2017 revenues of $6.2 billion.

Today, as the world’s largest Caterpillar dealer, Finning sells and rents Caterpillar equipment and provides parts and service to its customers across the mining, construction, petroleum, forestry and power systems industries. Currently, Finning operates in three geographies: Western Canada, South America, and the UK and Ireland, with its head office in Vancouver, British Columbia, Canada.

Over the years, as at most businesses, the identity and access management processes at Finning grew organically as the company grew. That meant there were many manual processes in place when it came to onboarding, managing, and offboarding users, managing credentials, and certifying that staff and other users had the right levels of access to their systems. Because the manual processes were inefficient and prone to error, they were expensive.

Automating antiquated processes

The Finning IT team decided it could, through process improvement and automation, create efficiencies, improve the user experience, increase security, and streamline the tasks required for regulatory compliance, such as those required by Canada’s C-198, a set of financial data governance rules similar to those of Sarbanes-Oxley in the U.S.

To further these efforts, in November 2016, Finning hired Bart Ludwig as their new IT and identity management leader to help the company get the right identity management program in place.

His most pressing task? Automate time-consuming manual processes. “We had a considerable amount of manual processes driving our identity governance activities, including on- and off-boarding people into applications and conducting access certifications and related activities,” Ludwig said.

Identity Control and Visibility

Initially, Ludwig and the team would focus their efforts on access certification for the company’s crucial back-office human resources and enterprise resource planning systems, including integration with SAP’s governance, risk, and compliance module.

Before they could start, Ludwig and the team would need to select the best identity and access management platform for their needs. There were a number of factors they considered for this platform, including straightforward change management, effective application integration, and a high-quality user interface. After their careful evaluation of available platforms was complete, the team selected IdentityIQ from SailPoint. “In many ways, IdentityIQ felt like it was a generation ahead of the other tools in both its look and feel and its usability,” Ludwig said.

IdentityIQ helps enterprises manage their identities in complex hybrid cloud and on-premises environments.

The decision to deploy IdentityIQ within their Vancouver headquarters was made in September, and by the end of December the team not only successfully connected IdentityIQ Compliance Manager to their Infor M3 ERP application, but they also completed their first fully automated access certification for that system. “It moved very fast and straightforwardly,” Ludwig said.

With IdentityIQ in place, Ludwig and the team have gained the control and visibility they needed and can now ensure users have the right level of access for the right reasons. The staff undoubtedly welcomed these new, highly automated access certification processes. In previous years, Finning’s identity team would complete the certification process for its ERP systems manually, which typically consisted of numerous email reminders regarding spreadsheets that needed to be filled out. No more. No more having to chase users and application owners to get those spreadsheets updated. “Our staff told us that the automated certification process was a big improvement over the manual processes from years past. It was very well received,” Ludwig said.

Once the Canadian ERP certification process was automated, the identity team turned to a new SAP deployment underway in South America that was replacing their legacy system. As part of that deployment, the team worked with SAP to help implement IdentityIQ. That deployment, too, was a swift success. They were managing SAP access through IdentityIQ the day the new system went live.

The Finning team also put automated provisioning in place so that they could more quickly onboard, offboard, and manage identities in their environment. Their prior ticket-based system had been inefficient. Under it, whenever someone needed access, they had to send a ticket requesting access based on the role of the new user. Often, the role requested was misunderstood, and the creation of an incorrect role would be initiated. In those cases, a follow-up ticket was required. Then, after the correct role was finally established, the actual provisioning had to be completed manually.

“Rather than these manual processes, our user access is now requested, and all of the workflows associated with granting and providing that access are already automated,” he said.

The new system both improved staff experience and took days off the time it previously took to provision new users. “There was a lot of time spent in that system. Now we can automatically review the access for our users, and a comprehensive catalog that described that available access. We were able to cut down by 80 percent the time it took to provide access into the system,” he said.

