HKHS has 1,300 staff members and 60 offices across Hong Kong. Approximately 900 employees work in the property management division, and around half of them are site staff. These staff members usually relocate to different site offices within six months to carry out property management and maintenance services.

Prior to the Oracle implementation, employees had to request changes of access to location-dependent documents repositories, database applications, and e-mail groups.

“People inevitably forgot their login names and passwords because there were too many for them to remember,” said Patricia Fong, manager, IT Projects, Hong Kong Housing Society. “This meant the IT team spent a lot of time resetting logins and passwords, which distracted them from higher level work.”

Much of this provisioning work had to be completed manually, as the organization did not have automated facilities for user account provisioning. Staff could wait up to seven days before they were granted their access requests, preventing them from completing their property management duties. HKHS also lacked centralized user account management and authorization and enterprisewide role management, which exposed the organization to security risks, as it could not accurately track access rights based on an individual’s role.

HKHS decided to implement a comprehensive identity management platform to gain centralized control over user provisioning and authentication by user profile. First, the organization integrated its PeopleSoft Enterprise Human Capital Management system with Oracle Internet Directory and Oracle Virtual Directory to create a central user repository. Second, Oracle Identity Manager was used to provide a comprehensive range of user identity and role lifecycle functions. Finally, Oracle Access Manager was used to provide authentication, Web single sign-on, access policy creation and enforcement, and reporting and auditing.

In the past, a staff member changing roles or business units would submit a request to the IT team asking for authorization to access different applications. Depending on the complexity of the request, it could take two to seven days to grant access. A complication could occur if requests were received during frozen periods―when access to the PeopleSoft Enterprise Human Capital Management system is stopped for up to five days per month due to scheduled activities, such as a payroll calculation. The lengthy wait times meant staff could not access the applications they needed to do their jobs, leading to user frustration and lower productivity.

Oracle Identity Management automated user provisioning, enabling granting access requests on the same day or the next business day (more complicated requests may take up to three days). “We receive about 100 provisioning requests a month and can grant almost all of them on the day they are received,” said Fong.

Similarly, when a staff member resigns from the organization, the user accounts is automatically deactivated. After HR staff makes a note in the employee’s record that the person is leaving, the information flows through to the Oracle Identity Management system, which then automatically deactivates the user account at the close of business on their last day. Previously, this was not always possible, and there was a risk that users could access applications after they had left.

Automation has reduced the time the IT team spends on managing user identities of a dozen frequently used IT systems. Fong estimates that more than 12 hours is saved for each system per month by eliminating the need for IT staff to attend to 20 login failure incidents. Users as a whole save up to 10 hours because they no longer have to wait for the IT team to fix login failures. The IT team also saves close to seven hours by automating user account creation and assignment.

“This means members of the IT team can be redeployed to higher value work in security and quality assurance,” said Fong.
“Oracle Identity Management products are very user-friendly, so that makes the job of our IT team much easier,” she added. “More importantly, we have significantly improved corporate security, giving us peace of mind that confidential business and client information is protected from unauthorized access.”
 

Property officers and managers need to access at least eight key applications in their estate management and maintenance roles. These include e-mail, financial management, property management, cash management, MIS reporting, document management, electronic workflow, and PeopleSoft Enterprise Human Capital Management systems.

Applications can only be used at a specific location and cannot be accessed from another office. For example, a manager can only approve a repair request for Estate A from the Estate A location. They cannot view and approve an Estate A repair request from Estate B. This also applies to their e-mail and reports.

The challenge for the IT team was to ensure that staff had access to the right applications at the right location. In the past, if an employee needed access to a certain application for a specific estate, it could take days before the access request was granted.
By setting up a central access policy, access requests can be automatically completed immediately after receiving approval from users’ managers. The system knows which applications and e-mail groups users need for their work and can restrict access to systems and reports that they don’t need. Automated user provisioning also means staff no longer have to wait days to access applications, increasing productivity and user satisfaction.

“If employees can access the systems they need, it enables them to better serve our customers; that is, we can provide public housing assistance to the people who need it most and ensure they live in safe, comfortable, and well-maintained apartments,” said Chester Lau, IT security and quality assurance manager, Hong Kong Housing Society.

Staff is happier because they no longer have to remember multiple logins and passwords. Today, users only have to remember their Windows login password. Each time they reset their Windows password, it is automatically applied across all the applications they need to access. The organization’s security policy requires staff to change their password every 90 days.

The Oracle identity management system has introduced access protocols at HKHS that have improved overall security. For example, it records every access request, allowing senior IT managers to ensure IT staff follows access authorization procedures. All errors or issues can be traced back to the source.
 
Another example of improved security is first-time password delivery. Previously, the organization had one default, first-time password. Now, first-time passwords are automatically generated and each one is unique, reducing security risks.

Audit reports generated by the system are submitted to an internal audit and governance committee, as well as external auditors. “The reports enable us to show our audit and governance committee that the IT team is enforcing and complying with corporate security policies,” said Lau.

HKHS intends to implement a Service-Oriented Architecture, having purchased Oracle SOA Suite in preparation for this move. According to Fong, the Oracle identity management system will constitute a very critical part of the organization’s SOA.

“We need access control for every Web service module and intend to use Oracle Identity Management to expose our infrastructure to Web services,” she said. “We have already used Oracle Service Registry to make Web services available under policies established in Oracle Web Services Manager.

“To strengthen SOA governance in relation to security, we also piloted authentication and authorization services based on user profiles and policy rules using Oracle Web Services Manager and Oracle Internet Directory. This has improved the traceability and maintainability of the services access control, and will result in a stronger foundation for SOA governance.