Gedore Case Study

GEDORE keeps it simple - Permission management made easy

When you ask Frank Heisig, IT Infrastructure Team Leader at GEDORE, about the “LIAM” project, his expression reveals a range of emotions: a drive to get things done, relief—and pride. After all, by implementing the LIAM (Light Identity Access Management) software solution from Consulting4IT, he has managed to almost completely automate the management of drive access.


The project was triggered by the disproportionately high effort and spiraling costs involved in overhauling the existing IT authorization structure. But to explain how it all began, Heisig has to go back a bit. “When I started at GEDORE, I found unmanaged file servers,” he recalls. “There were permissions at every level. Without any process, structure, or transparency. Sure, that’s certainly also the result of an organically grown IT structure, as is often the case with family-owned companies like GEDORE. At some point, it just becomes unmanageable. For us, it was a good opportunity to start the whole thing from scratch.”

He sums up the project’s launch pragmatically: “We looked at the existing process, tore it down, and set up a new one. And then we got started using the simplest tools.”

From Excel to the first tool

Frank Heisig, Sven Tacke (then head of IT), and his colleague Felix Kind—who was still an IT systems administrator at GEDORE at the time—subsequently opted for a highly restrictive system—one that strictly regulated the assignment of permissions in order to curb uncontrolled growth and restore order. In the first step, all data was migrated to new drives. At this stage, the only distinction made was between project drives and team drives. Using Microsoft’s built-in DFS (Distributed File System), Frank Heisig and Felix Kind succeeded in creating a scalable, centralized, and globally deployable structure.

The entire system was set up and managed using an Excel template. Heisig had programmed it so that, in the end, a script was available that created folders and groups and assigned permissions to them. Heisig’s comment on the solution at the time: “That was the first attempt, and it represented a massive increase in productivity. But the administrative effort behind it was still enormous.”

The Excel solution had primarily served to establish a foundation. The next step was a dedicated tool for permission management. Heisig: “After the Excel solution, we implemented software that met our basic requirements: We were able to manage permissions with it. However, the application was essentially too complex for our needs and not particularly user-friendly. When change requests also skyrocketed due to the growing number of locations, it became clear to us that we needed something else.”

No sooner said than done - LIAM

“So we started thinking about what an effective solution might look like. We quickly realized that a kind of standard service within Matrix42’s existing service catalog would be ideal—no Excel or unnecessary complexity, user-friendly and standardized. A service that maps our entire process, which every user can book independently as needed, and where everything is also neatly documented,” Heisig summarizes the needs analysis.

Since the standard Matrix42 Service Catalog did not offer such a solution at the time, Heisig and Kind came up with a different idea: they turned to the Matrix42 specialist Consulting4IT. Not only had Consulting4IT implemented large parts of the service catalog at GEDORE, but it had also made a name for itself over the years by developing and distributing Matrix42 add-ons. The two had also already made some interesting contacts and gathered ideas during Consulting4IT’s in-house training sessions.

So Heisig got right down to business. In the summer of 2019, he sent Consulting4IT the relevant requirements and a feasibility request. Even today, he’s still surprised by how quickly things moved after that. Consulting4IT picked up the ball and delivered a product by the end of 2019: LIAM, recalls Heisig.

What Homeowners Need to Know About Quotas

Heisig and Kind then got straight to work, striving to set everything up as simply as possible. “Our motto: Keep IT simple—IT has to be simple,” says Heisig, explaining the philosophy behind the project.

The integration of LIAM into the existing clear folder and group structure was completed within a few hours. Consulting4IT then created new folders and permissions in the system over the course of a few weeks, following the specifications provided by the two IT experts from Gedore. The underlying structure is based on the principle that for every folder there is a designated group with at least two owners who are responsible for access rights. If a user requests a permission via the LIAM service, one of the owners makes the decision. The entire process is then fully automatically documented in a change request in the background.

Thanks to this process, there are no longer any unclear permissions—it is always clear who requested or approved what. Owners can also use an additional automation feature in the service catalog to generate a report at any time, showing them exactly who has access to their folders.

Another feature proved to be a real boon for GEDORE: The simple management of quotas, i.e., limiting storage space on storage media for users or groups. “We didn’t have that in the past, and it led to entire file servers being accidentally overloaded when extremely large files were uploaded,” recalls Heisig. “That’s actually what Windows’ integrated quota management is for. But managing it is a nightmare.” With a tool developed in-house by GEDORE and integrated with LIAM, users can now also request additional quotas. When they reach 80% of their allocated storage space, they are automatically notified by the system and can request more storage space directly if needed. “This way, we’ve ensured that our file folders no longer fill up,” explains Heisig.


Integrating your location? A piece of cake

Integrating new locations—once a nightmare scenario. Now: done in a single day. Where an administrator used to have to invest a lot of time and effort, the process is now so simple that setting up the necessary file structure for a new location has even been used as a training exercise for interns. “We’re currently integrating many locations because we’re massively expanding our IT footprint,” says Heisig, explaining the process: “After preparing everything with LIAM, all I have to do is explain to the person in charge on-site that they are now a data owner. Then I explain to them what rights and obligations they have in this context: the right to grant access permissions independently and the obligation to manage and be accountable for them. Done. This gives people the tools to migrate most of their data themselves.” Heisig emphatically stresses that this is by no means a way of shifting work onto others. Everyone involved benefits from the process: “As a rule, this approach is also easier for the user—that is, the on-site data manager. Because instead of having to explain at length to IT, as in the past, how they want their folders set up, the process runs much faster and is also automated via LIAM.”

Overall, the tool has been very well received by users within the company. After a few initial questions, it has even—to quote Heisig—“become second nature to everyone.” Kind notes: “LIAM is so intuitive that you can understand and use it right away.”

Transparency for greater security and GDPR compliance

LIAM also has a positive impact in other areas. Keyword: GDPR. “In the past, there was a chaotic jumble of permissions based on the idea that whoever shouted the loudest got access. That’s a recipe for GDPR violations in and of itself. I wouldn’t have been able to explain why certain people had access to certain data,” explains Heisig. “Thanks to the new authorization structure, the risk of such violations is now virtually zero. Should it ever happen—which is highly unlikely—violations can be easily detected, reported to the data protection officer, and countermeasures initiated.”

LIAM is also helpful in minimizing the risk of insider threats thanks to the transparency it provides regarding internal access rights. The tool operates on a similar basis to the Varonis security solution used at GEDORE. That solution also relies on analyzing access rights within the internal data structure.

However, Heisig makes a clear distinction between the two solutions: “LIAM provides us with the online store, improves the quality of our IT services, and saves us a lot of time and money. Varonis, on the other hand, identifies inconsistencies, errors, and security vulnerabilities, thereby maximizing our IT security. That is why we believe the applications complement each other perfectly and that we can make excellent use of both—in combination.”

Benefits and Cost Savings – LIAM: A True All-Rounder

And that’s not all, as Heisig and Kind explain in further detail. For example: access permissions for new hires and departing employees. “That’s a particularly nice bonus,” says Heisig. Because with the services booked through LIAM, a report can now be generated when an employee leaves, showing what they had access to. This simplifies the assignment of permissions when the position is filled. LIAM also simplifies the process of filling new positions thanks to its simple catalog selection.

The high degree of standardization of the solution is also particularly noteworthy for GEDORE-IT. “Where everyone used to do their own thing, everything runs the same way today,” says Kind happily.

Sometimes there are still minor issues with Microsoft’s built-in tools that can cause permissions to be overwritten from time to time. Unfortunately, we can’t easily work around this. This usually happens unintentionally when someone cuts files and pastes them elsewhere. Unfortunately, this overwrites all the stored permissions. This used to be a huge problem, since permissions had to be laboriously restored manually from a backup. Today, the issue is at most just a nuisance. Thanks to LIAM’s standardization, I can reset permissions with just a few clicks. In fact, such incidents and the topic of access rights used to be something of a “sacred cow.” Today, it’s a joke.
Frank Heisig | IT Infrastructure Team Leader | Gedore

Other advantages, according to Heisig: “LIAM documents everything in changes in accordance with ITIL, and the error rate is in the per-thousand range, if at all. And if the boss ever wants to know why someone has access to a particular system, we can provide him with the information immediately, without having to spend hours sifting through emails. This also takes care of audits. Because with LIAM, we can not only prove who has access to what, but also who had access to what and when, and who approved it. Just think of what a decisive advantage this represents, for example, during external audits and certifications. These often involve reviewing issues such as access rights within a company. We could never have achieved all of this with a manual process.”

But the key benefit is as simple as it is significant: cost. Heisig does the math: “Since LIAM launched, we’ve had a total of about 15,000 changes to permissions to date. With an average of three minutes per change per admin and a cost rate of about one euro per minute per admin, we’ve already saved 45,000 euros. That equates to 30 full admin days per year. And that doesn’t even take ticket processing and documentation into account. Plus, the numbers are fully scalable. So if you apply this to a larger company with far more than our current 600 users, you can calculate the immense savings potential this offers.”

The Concept as a Key to Success

Despite the project’s complexity, it ran almost seamlessly from the start, and the collaboration with Consulting4IT proved to be productive. “At first, we sometimes talked past each other a bit,” Kind admits. “But those were minor issues. If there were bugs in the software, they were fixed in no time. New features were implemented within a few days, and the user interface improved at a pace that really challenged us. Keeping up with all the new features alongside our day-to-day business was sometimes quite a task.”

This project’s success is primarily due to the solid groundwork laid by GEDORE. Not only had the file server been thoroughly cleaned up prior to the tool’s implementation, but there was also a coherent plan in place. Heisig: “I need an authorization scheme that is logical and therefore automatable. If, on the other hand, I insist on having to grant permissions to groups across five different levels—which, by the way, could easily be done with LIAM—the project will come back to bite me. But if I simplify the whole thing so that I can describe it on a single A4 page, then it has the best chance of success. Once again: IT has to be simple!”

Heisig's tip: The design should be based as much as possible on industry standards, featuring a well-thought-out ownership structure, defined read and write permissions, and a consistent naming convention. It also makes sense to work primarily with individual permissions. After all, LIAM provides a service that is designed to be booked by individuals.

Where GEDORE is headed

GEDORE is currently still migrating the remaining legacy data, which remains difficult due to the lack of accountability from the period before LIAM. But aside from that, the software has significantly simplified day-to-day IT operations at GEDORE. “Everything has become much easier,” says Heisig. “Of course, owners and users still have to figure out what to do with permissions. And mistakes do happen sometimes. But the whole system is structured so simply that you can identify and fix them very quickly.”

There are already more ideas in the works for the future. Just as with file sharing, GEDORE wants to apply the same approach to shared mailboxes, Microsoft Teams, and SharePoint.

Goodbye, problem child – hello, world of service

The result is a well-rounded picture: With the introduction of LIAM, GEDORE transformed its “problem child file server” into a standardized and automated platform solution. Thanks to this and the underlying “shopping” principle for permissions, the company not only took a major step toward the concept of service management; it also established a stable permissions management system. On this basis, responsibility now lies with the business unit—that is, where decisions regarding the assignment of rights can best be made. Furthermore, LIAM is part of the standard Matrix42 solution, which ensures stability and update security.

In addition to the significant cost savings for GEDORE, employees also benefit in many ways. The IT department has more time for other projects. And users can request access permissions at any time via the Matrix42 “service platform,” rather than having to wait a long time for a response and for their request to be processed. All of this is thanks to one guiding principle: Keep IT simple.

About GEDORE Werkzeugfabrik GmbH & Co. KG

Founded in 1919 and headquartered in Remscheid, GEDORE Werkzeugfabrik GmbH & Co. KG is a family-owned company that combines tradition with modernity. With a focus on innovation, performance, and first-class service, as well as the development of the GEDORE brands “GEDORE,” “GEDORE Red,” and “Ochsenkopf,” the company has succeeded in becoming one of the world’s leading brands for premium tools. Numerous well-known customers from industry and trade value the company’s high-quality hand and specialty tools, as well as its partially customized solutions. The slogan “Tools for Life” reflects the focus on uncompromising quality and customer proximity, which, according to GEDORE, form the foundation of the company’s success.
