Identity Governance Modernization for a European Telecom Operator

Replacing a legacy IAM stack with Evolveum midPoint — 15,000 identities, 6 enterprise integrations, and a Kubernetes-native deployment. Delivered in 5 months by a 2-person team.

  • Industry: Telecommunications
  • Scale: 15,000 identities
  • Integrations: 6 enterprise systems
  • Delivery: 5 months, 2 engineers

The Challenge

A major European telecom operator was running an aging identity management stack that no longer met the demands of a modern, multi-entity enterprise.

Access management lived in spreadsheets. Application permissions were tracked in Excel files, reviewed manually, and updated through ad-hoc processes. With over 15,000 identities — internal employees across multiple organizational entities, contractors, external dealer networks, and machine accounts — this approach created governance gaps and growing audit risk.
No automated identity lifecycle. Onboarding, role changes, and offboarding required manual intervention across multiple disconnected systems. When someone changed roles or left the organization, access removal depended on individuals remembering to update each system separately.
Limited integration with modern infrastructure. The legacy stack could not efficiently connect to the container-based platforms and modern development tools the organization was increasingly adopting.

The operator needed to evaluate whether Evolveum midPoint could replace their legacy IAM system, handle the full identity lifecycle across all identity types, and integrate with both existing and modern systems — without disrupting ongoing operations.

What We Delivered

Over 5 months, a 2-person WKI team delivered: an authorization concept replacing Excel-based access management, lifecycle automation for 6 identity types, 6 enterprise system integrations including 2 custom-built connectors, a Kubernetes deployment with full CI/CD pipelines, and structured knowledge transfer to the operator’s internal team.

Authorization Concept — Replacing Spreadsheets with Policy

We designed and implemented an authorization concept that replaced the operator’s Excel-based access management entirely.

We built a structured role architecture within midPoint:

  • Application roles linked to the organization’s real application inventory, each carrying business criticality and risk classification
  • Permission roles defining granular access rights derived from business rules rather than ad-hoc assignments
  • Business roles grouping permissions into meaningful bundles aligned with job functions
  • Meta-roles enforcing prerequisites and exclusions to prevent toxic access combinations (separation of duties)

Access requests moved from email chains and spreadsheet lookups to a self-service role catalog. Employees could request application access directly, with automated routing through manager approval, security officer review, and role-owner sign-off.

The authorization data itself was ingested into midPoint automatically via daily synchronization — turning what had been a static document into a living, enforceable governance framework.

Identity Lifecycle Automation

We architected and implemented lifecycle management for six distinct identity types:

  • Internal employees (multiple organizational entities)
  • Contractors (multiple organizational entities)
  • External dealers and sales boutique staff
  • Machine and system accounts

Each identity type follows its own provisioning rules, organizational relationships, and deprovisioning policies. When an identity is disabled — whether an employee leaves, a contractor’s engagement ends, or a dealer relationship changes — all permission assignments are automatically removed across every connected system. No manual cleanup, no forgotten accounts.
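The following is an added illustration, not the operator's configuration or midPoint's own code: a small Python model of the four-layer role architecture described under the authorization concept (application, permission, business and meta-roles), showing how meta-role constraints catch a prerequisite gap or a toxic combination before an assignment is granted, and how disabling an identity yields the list of applications that must receive a revocation. All role names and constraints are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    kind: str                                     # application | permission | business | meta
    induces: list = field(default_factory=list)   # roles granted by holding this one
    requires: list = field(default_factory=list)  # (role, prerequisite) pairs, meta-roles only
    excludes: list = field(default_factory=list)  # (role, role) SoD exclusions, meta-roles only

# Constructed sample catalog (not the operator's real inventory); every name is an assumption.
ROLES = {r.name: r for r in [
    # Layer 1: application roles, one per connected application
    Role("app:billing", "application"),
    Role("app:crm", "application"),
    # Layer 2: permission roles, granular rights derived from business rules
    Role("perm:billing-create", "permission", induces=["app:billing"]),
    Role("perm:billing-approve", "permission", induces=["app:billing"]),
    Role("perm:crm-read", "permission", induces=["app:crm"]),
    # Layer 3: business roles bundling permissions by job function
    Role("biz:sales-agent", "business", induces=["perm:crm-read", "perm:billing-create"]),
    Role("biz:finance-approver", "business", induces=["perm:billing-approve"]),
    # Layer 4: meta-roles carrying the constraints enforced over everything above
    Role("meta:sod-billing", "meta", excludes=[("perm:billing-create", "perm:billing-approve")]),
    Role("meta:crm-prereq", "meta", requires=[("perm:billing-create", "perm:crm-read")]),
]}

def effective_roles(assigned):
    """Flatten direct assignments through inducements into the full set of held roles."""
    held, stack = set(), list(assigned)
    while stack:
        name = stack.pop()
        if name not in held:
            held.add(name)
            stack.extend(ROLES[name].induces)
    return held

def evaluate(assigned):
    """Return (held roles, policy violations) for a proposed set of direct assignments."""
    held, violations = effective_roles(assigned), []
    for meta in (r for r in ROLES.values() if r.kind == "meta"):
        violations += [f"{meta.name}: {a} excludes {b}" for a, b in meta.excludes
                       if a in held and b in held]
        violations += [f"{meta.name}: {r} requires {p}" for r, p in meta.requires
                       if r in held and p not in held]
    return held, violations

def deprovision_targets(assigned):
    """On disable every assignment is revoked; list the applications that must receive a removal."""
    return sorted(r for r in effective_roles(assigned) if ROLES[r].kind == "application")
```

A request that would combine `biz:sales-agent` with `biz:finance-approver` is rejected by the SoD meta-role, while a lone `perm:billing-create` assignment is flagged for its missing prerequisite.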

Enterprise System Integration

We connected midPoint to six enterprise systems, building the connectors and integration logic for each:

Inbound (sources of truth):

  • Enterprise HR system — daily synchronization of all employee and organizational data
  • Authorization concept data feed — daily automated ingest of the role-permission-application mapping

Outbound (provisioned systems):

  • Enterprise directory — account provisioning, group management, and access control. New applications could be connected to the identity infrastructure within minutes
  • Development platform — automated user provisioning and project access management
  • Internal asset management platform — custom connector built from scratch
  • Ticketing system — automated ticket creation for access change tracking and audit trail

Kubernetes-Native Deployment with Full CI/CD

The entire midPoint environment was deployed on Kubernetes with production-grade infrastructure and a complete GitOps workflow:

  • Version-controlled configuration — all midPoint configuration stored in Git, enabling change tracking, peer review, and rollback
  • Automated CI/CD pipelines — build, test, and deploy automation promoting through dev, test, and production environments
  • Multi-environment management — identical deployment via Helm charts, eliminating manual configuration drift
  • Secrets management — credentials and certificates managed through a dedicated vault, not stored in code

The operator’s team could manage configuration changes through familiar development workflows — commit, review, merge, deploy — rather than manual admin console changes. Infrastructure-as-code from day one.

Knowledge Transfer

Throughout the engagement, we conducted structured knowledge transfer sessions ensuring the operator’s internal team could maintain and extend the deployment independently. At the conclusion, the operator’s team had full independence to operate and extend the platform on their own.

Key Outcomes

From spreadsheets to automated governance. The Excel-based model was replaced with an enforceable, auditable role architecture. Access requests, approvals, and revocations now follow defined policies.
6 enterprise systems connected. Identity data flows automatically between HR, directory services, development tools, asset management, and ticketing.
Minutes instead of weeks for new application onboarding. The directory-based authorization model enabled rapid connection of new applications.
Full lifecycle automation across 15,000 identities. Joiners, movers, and leavers processed automatically for six identity categories.
Production-grade infrastructure with GitOps workflow. Kubernetes with CI/CD, version-controlled configuration, multi-environment promotion, and enterprise SSO.
Complete operational handover. Documentation, delivery protocols, and hands-on training — full independence for the operator’s team.
Delivered by 2 engineers in 5 months. Senior expertise and disciplined methodology delivering enterprise-grade results without large consulting teams.

What began as a feasibility evaluation evolved into a complete working identity governance environment — with 6 system integrations, automated lifecycle management, a production Kubernetes deployment, and full operational handover.

“The collaboration on the feasibility project for implementing a new IDM system was very professional and efficient. We appreciate the expert knowledge, high quality of delivery, and proactive approach throughout the entire project.”

— Project Manager, European Telecom Operator

Facing a Similar Challenge?

Whether you’re replacing a legacy IAM stack, implementing midPoint for the first time, or modernizing identity governance for a complex environment — we’ve done it before. Let’s discuss your situation.