Setting up Identity and Access Management (IAM)

Purpose

Identity and Access Management (IAM) helps you control who can access what in your Novulo solution. It ensures that users only see and do what they are supposed to, which keeps your solution secure, compliant, and easy to manage.

This guide explains the main concepts and shows how to set up access rights in a structured way.

Understand IAM in Novulo

IAM in Novulo is built on three key building blocks:

  • Identity: a person or system with a login. Example: the employee record for John Doe.
  • Access Rights: permissions to view or modify data. Example: read access to Policies.
  • Rights Profiles: bundles of access rights grouped by role. Example: the Claims Processor profile.

Rights profiles are the foundation of IAM in Novulo.

Define Access Principles

Before setting up profiles, take a moment to decide how your organization wants to structure access.

Common principles:

  • Least privilege: Give each user only what they need.
  • Role-based access: Manage access through job roles.
  • Separation of duties: Split critical tasks between users (e.g. input vs. approval).

:light_bulb: Tip: Document your access principles — they’re useful for audits and compliance reports.

Create Rights Profiles

Once your principles are clear, start setting up rights profiles.

For more detailed information, see: Rights Profiles

  1. Go to All apps → Users → Rights Profiles.
  2. Click on the plus icon to start a new profile.
  3. Fill in the details for your new profile. Each application has a default “Administration profile”, which grants all access.
  4. A tree appears. This tree has two branches or sections: GUI rights and database rights.
    • GUI controls which menus, pages, tabs, forms, grids and buttons this profile can see. Every page is defined only once, even if it can be reached via different grids.
    • Database controls, for each record type, whether this profile can view, add, edit or delete the record. Access on database level applies to every way of accessing the application, including access through REST, Export and Import.
    • Each node shows an icon for Access, No access or Conditional access.
    • After an update, newly added elements are marked in red and have no rights. A system administrator needs to check these new nodes.
  5. Select the relevant GUI or database node in the tree.
    • Settings for selected subtree lets you quickly set multiple rights settings at once; it applies to every element below the selected node.
    • Settings for selected item shows all available elements, plus links for easy navigation to the data source (database table) and the details pages.
  6. Set rights.
    • Table access (green) is always stronger than field access. If the profile has no access rights to the table as a whole, individual rights at element (orange) level are discarded.
  7. Saving is not needed, except for conditional rights, which have a small save button you need to press.
  8. Test with a sample user to verify the permissions.

:light_bulb: Tip: What you see is not what you get! A user might be allowed to see a Persons grid (GUI) but have no database right to view the records, resulting in an empty grid.

Merge Rights Profiles

  1. Go to All apps → Application maintenance → Users → Users.
  2. Click on the plus icon to start a new merge of rights profiles.
  3. Select the target profile.
  4. In the sub rights profiles, click on the plus icon to add rights profiles.
  5. Check ‘Make complete’ to turn all nodes without rights (the red nodes) into explicit ‘no rights’.
  6. Click merge.

Assign Profiles to Users

After you’ve created rights profiles, assign them to users.

  1. Go to All apps → Application maintenance → Users → Rights profile merge definitions.
  2. Select a user.
  3. Switch to edit mode.
  4. Assign rights profile.
  5. Save your changes.
  6. Users need to re-login to make all changes effective.

Users can have multiple profiles — for example, a Customer Service role with Reporting rights.
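The three rules above (table access beats field access, a GUI right without a database right gives an empty grid, and merging profiles with ‘Make complete’ turns red nodes into explicit no-rights) are easy to get wrong when reasoning by hand. The following toy model is an added illustration, not Novulo code: it assumes that a profile can be represented as a dictionary from node paths such as gui/Policies, db/Policy or db/Policy/premium to a right, that a missing node is an unset (red) node counting as no access, and that merging takes the most permissive right per node. All profile names and node paths are constructed for the example.

```python
# Added illustration: a toy model of rights-profile evaluation, not Novulo code.
# Assumptions (mine): a profile is a dict mapping node paths such as
# "gui/Policies", "db/Policy" or "db/Policy/premium" to a Right; a node that
# is missing from the dict is "unset" (the red nodes the guide describes) and
# counts as no access. Merging takes the most permissive right per node, and
# make_complete turns unset nodes into explicit NO_ACCESS.
from enum import Enum


class Right(Enum):
    NO_ACCESS = 0
    CONDITIONAL = 1
    ACCESS = 2


def merge_profiles(target, sub_profiles, all_nodes=(), make_complete=False):
    """Merge sub-profiles into a copy of target; optionally make it complete."""
    merged = dict(target)
    for profile in sub_profiles:
        for node, right in profile.items():
            current = merged.get(node)
            if current is None or right.value > current.value:
                merged[node] = right
    if make_complete:
        for node in all_nodes:
            merged.setdefault(node, Right.NO_ACCESS)  # red node -> explicit no rights
    return merged


def effective_db_right(profile, table, field=None):
    """Table access (green) beats field access (orange): without table access
    the field-level right is discarded, and a field never exceeds its table."""
    table_right = profile.get(f"db/{table}", Right.NO_ACCESS)
    if field is None or table_right is Right.NO_ACCESS:
        return table_right
    field_right = profile.get(f"db/{table}/{field}", Right.NO_ACCESS)
    return min(table_right, field_right, key=lambda r: r.value)


def grid_outcome(profile, gui_node, table):
    """'What you see is not what you get': the GUI right decides whether the
    grid is shown, the database right decides whether it contains records."""
    if profile.get(f"gui/{gui_node}", Right.NO_ACCESS) is Right.NO_ACCESS:
        return "hidden"
    if effective_db_right(profile, table) is Right.NO_ACCESS:
        return "visible but empty"
    return "visible with records"


def unset_nodes(profile, all_nodes):
    """Red nodes an administrator still has to check (e.g. after an update)."""
    return sorted(n for n in all_nodes if n not in profile)


# Constructed sample data; profile names and node paths are invented.
ALL_NODES = ("gui/Persons", "gui/Policies", "gui/Reports",
             "db/Person", "db/Policy", "db/Policy/number", "db/Policy/premium",
             "db/Report", "db/Claim")  # db/Claim: node added by a later update

CLAIMS_PROCESSOR = {
    "gui/Persons": Right.ACCESS, "gui/Policies": Right.ACCESS,
    "db/Policy": Right.ACCESS, "db/Policy/number": Right.ACCESS,
    "db/Policy/premium": Right.NO_ACCESS,  # field closed although table is open
    # no db/Person right at all: the Persons grid is visible but stays empty
}
REPORTING = {"gui/Reports": Right.ACCESS, "db/Report": Right.CONDITIONAL,
             "db/Policy/premium": Right.ACCESS}  # field right without table right

if __name__ == "__main__":
    print(effective_db_right(CLAIMS_PROCESSOR, "Policy", "premium"))  # NO_ACCESS
    print(effective_db_right(REPORTING, "Policy", "premium"))  # NO_ACCESS: table wins
    print(grid_outcome(CLAIMS_PROCESSOR, "Persons", "Person"))  # visible but empty
    merged = merge_profiles({}, [CLAIMS_PROCESSOR, REPORTING], ALL_NODES, True)
    print(unset_nodes(merge_profiles({}, [CLAIMS_PROCESSOR, REPORTING]), ALL_NODES))
    print(merged["db/Claim"])  # NO_ACCESS after make_complete
    print(effective_db_right(merged, "Policy", "premium"))  # ACCESS: merging widened it
```

The last line of the script is the point worth testing with a sample user: merging (or assigning several profiles to one user) combines rights, so a field that the Claims Processor profile deliberately closed becomes readable once a second profile opens it and the table is already accessible.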

Review and Report Access

Identity and Access Management isn’t a one-time setup — it’s ongoing.
Plan regular reviews to check:

  • Have your rights profiles been updated after every software update?
  • Are users’ rights still correct?
  • Are former employees’ accounts deactivated?
  • Are there any users with unnecessary high privileges?

You can export access reports or build dashboards with Novulo Insights to monitor access over time.
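Three of the review questions above can be answered mechanically from a user export. The script below is an added example, not Novulo code or a Novulo Insights report: it assumes a CSV export with the columns login, active, employment_end, last_login and profiles (the column names and the sample rows are constructed for this example) and flags active accounts of former employees, accounts holding the all-access Administration profile, and accounts that have not logged in for a configurable number of days. Whether a user's rights are still correct for their job remains a manual check by the role owner.

```python
# Added example of periodic access-review checks, not Novulo code.
# Assumption (mine): a user export as CSV with the columns below; the rows
# are constructed sample data.
import csv
import io
from datetime import date, timedelta

SAMPLE_EXPORT = """\
login,active,employment_end,last_login,profiles
jdoe,true,,2024-05-02,Claims Processor;Reporting
asmith,true,2024-01-31,2024-02-03,Claims Processor
bjones,false,2023-11-30,2023-11-29,Customer Service
cadmin,true,,2024-05-01,Administration profile
dghost,true,,2023-09-15,Customer Service
"""

# The guide states that the Administration profile grants all access.
HIGH_PRIVILEGE_PROFILES = {"Administration profile"}


def parse_date(value):
    """Empty cell -> None, otherwise an ISO date."""
    return date.fromisoformat(value) if value else None


def review_access(export_text, today, inactivity_days=90):
    """Return a sorted list of (login, finding) pairs for the review report."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["active"].strip().lower() != "true":
            continue  # deactivated accounts are the desired end state
        login = row["login"]
        employment_end = parse_date(row["employment_end"])
        last_login = parse_date(row["last_login"])
        profiles = {p.strip() for p in row["profiles"].split(";") if p.strip()}

        # Former employees whose account is still active
        if employment_end is not None and employment_end < today:
            findings.append((login, "former employee still active"))
        # Users holding a profile with unnecessarily high privileges
        if profiles & HIGH_PRIVILEGE_PROFILES:
            findings.append((login, "holds high-privilege profile"))
        # Dormant accounts: never logged in, or not within the review window
        if last_login is None or today - last_login > timedelta(days=inactivity_days):
            findings.append((login, "no login in %d days" % inactivity_days))
    return sorted(findings)


if __name__ == "__main__":
    for login, finding in review_access(SAMPLE_EXPORT, date(2024, 5, 10)):
        print(f"{login}: {finding}")
```

Run against the sample rows with 2024-05-10 as the review date, the script reports asmith twice (employment ended 2024-01-31 and 97 days since the last login), cadmin once (Administration profile) and dghost once (dormant since September 2023); bjones is skipped because the account is already deactivated. Keeping the dated output with the review record is the audit trail the next section asks for.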

Link IAM to Compliance and Reporting

Good IAM supports compliance requirements like GDPR, ISO 27001, and SOC 2.

Examples:

  • Limit data access to authorized users.
  • Keep an audit trail of changes to profiles and user access.
  • Document periodic access reviews in compliance reports.

:light_bulb: Tip: Use IAM reports as evidence in audits — they show that you’re in control of your system access.