Introduction of a new IAM solution at Thüringer Aufbaubank

Initial situation

The regulatory requirements of MaRisk are increasing rather than decreasing. With its previous IAM solution, Thüringer Aufbaubank could no longer cope with them. Therefore, the company took a turn in 2019 and now works with the GARANCY Identity Manager. In particular, it allows the previously little-practiced implementation of a role concept, with which the principle of “no right without a role” can be consistently applied. The days of the docket, on which it was stated who needed which authorization in which IT system and when, are long gone at the Thüringer Aufbaubank (TAB).

The development bank has around 800 employees, including subsidiaries, most of whom work at the main site in Erfurt. In 2016, the Aufbaubank introduced a tool for central identity and authorization management as part of an IT governance project. However, after one year of operation and in view of the draft MaRisk and BAIT, it became clear that the software would not be able to meet the increasing regulatory requirements in its current form in the long term.

The Challenge

An audit in accordance with Section 44 of the German Banking Act (KWG), ordered by BaFin and conducted by auditors from the Bundesbank, confirmed TAB’s opinion and provided the final impetus: the existing IAM concept was to be reconsidered, and a new solution was to be purchased. Tommy Grimmer, Head of the IT Control Department at Thüringer Aufbaubank: “It was important to us that it had good usability and met all current and future requirements of MaRisk and BAIT – as far as can be foreseen. That’s why we chose Beta Systems’ software, not least because a number of other banks are already working with Garancy and reported positive experiences.

Implementation: The request for rights through roles

In the first step, the project team transferred all previously managed authorizations 1:1 to the new GARANCY Identity Manager system in 2019. In the second stage, starting in 2020, Aufbaubank dealt with the redesign of authorizations. The basic principle is: no right without a role, i.e. rights are only applied through roles, and individual rights are only assigned in exceptional cases (e.g. temporary read and write rights to project directories).

The Aufbaubank has been working with profiles and roles for a long time, especially in file processing. Authorization design has always been a driving force, “but never to the extent and depth that would have been required by the minimum or need-to-know principle,” says Grimmer. So clustering was already being done at the department level, but not with the level and depth as now with the new IAM solution.


“It is only with Beta Systems that the roles are really divided into subject matter, jobs and functions,” explains Cindy Schöneweck, Compliance Officer in IT Control at Aufbaubank and hired specifically for the new IAM project.

She coordinated the introduction of the IAM system in close consultation with the organizational department, the specialist departments and the independent IT consultant Dr. Claudia Walhorn, who has already helped introduce and support GARANCY in other (investment) banks. One of her principles: There is a separate authorization concept for each application with user* administration. In the “Intranet” application, for example, there are rights for reading, writing and administration.

These are bundled into so-called basic, organizational, specialist or functional roles (role types), which are derived from the bank’s organizational chart. For example, all employees have a basic role that governs time recording, access to certain applications (e-mail, AD), network drives, etc. There is also a specialist role for each job description, as well as organizational roles for organizational units and cross-divisional functional roles (including Staff Council).

Many employees in the departments have the same specialist role. For example, around 200 people from two large specialist areas are assigned to around 21 specialist roles. The bank is currently splitting up these roles in GARANCY in close consultation with the specialist areas, and is also adjusting existing rights in the process.

Learn more about the methodology of IAM implementation here

Download your free white paper now!

Year of foundation: 1992
Employees: ~ 800
Industry: Financial services
Headquarters: Erfurt
Connected systems: approx. 65
Roles set up: 5,540 technical roles
Managed accounts: Approx. 1,100 incl. technical users

The Challenge
In 2016, Aufbaubank introduced a central tool for identity and authorization management. However, with a view to the drafts of MaRisk and BAIT, it became clear: the software would not meet the increasing regulatory requirements in its former form in the long term.

With Garancy, roles are cut to professionalism, jobs and functions. The Aufbaubank can thus implement its principle of “no right without a role”: Those who have the same job description also have the same access rights and are assigned the same specialist role.


The principle of “no right without a role” means that at Aufbaubank, anyone with the same job description also has the same access rights and is assigned the same specialist role.

For each new employee, exactly those rights and roles are selected from an existing set that are required for the individual’s job. Role formation thus simplifies the assignment of rights: everyone is assigned the basic, specialist and, if necessary, organizational and functional role that reflects their future profile in the company.

This significantly reduces the administrative effort involved in assigning rights.