ARCA-Consult’s real speciality –
Consulting for added value


Our long-standing experience and extensive expertise enable us to implement at any time the complex tasks that a company faces when introducing or updating an identity & access management system. It is important to remember that no two companies are the same.
Our individual and fresh approach – a hallmark of ARCA-Consult’s core competencies – makes the difference.
We bring every project to its successful conclusion – with the required flexibility and efficiency.

But we are still on hand to assist later on.
We work with you to implement legal and regulatory compliance requirements to ensure permanent effectiveness and consistently optimised adaptations. This means that periodic recertification according to risk classifications will no longer present an insurmountable obstacle on your way to the next successful audit.

Our consultancy services

Definition of requirements and gap analysis.

The first step is to identify statutory and regulatory requirements. These requirements are then reflected in the target processes for authorisation management. A gap analysis is conducted to determine any variance between the status quo and the target processes. We work together with you – and relevant external partners if necessary – to determine which standardised requirements are already fulfilled and where adaptations remain necessary. We use the findings as a basis to infer the activities and measures, along with the necessary workload for implementation. Furthermore, the identified courses of action enable us to prepare an accurate quotation for the specific consultancy services your company needs.

Tool selection

The software tools available on the market focus on different areas and have corresponding strengths but also weaknesses. It is therefore imperative to ensure during tool selection that the company’s requirements are covered to the greatest possible extent. ARCA-Consult has developed a custom procedure to make a selection that is tailored to the needs of individual companies.

Roles concept

The development of a roles concept is a vital building block in establishing an IAM system. ARCA-Consult therefore attaches a lot of importance to precise preparation of this work step. Well-conceived role modelling can significantly enhance the effectiveness of an authorisation management system. This builds on the classification of different types of roles in the company and the allocation of which elements or activities are applicable within the entire role life cycle. An automated role assignment algorithm for the identities is then applied on this basis. A role/risk classification and role taxonomy add the finishing touches to the roles concept.

Authorisation concept

The individual rights and groups of rights for each IT application/system can be accessed in an authorisation concept. Naturally, it also includes the authentication and authorisation rules and how they must be applied. Risk classification and a rights SoD (segregation of duties) round off the concept. We support you in this process with our proprietary templates and other elements and in doing so ensure a uniform concept structure.

SoD matrix / segregation of duties

Preparing a segregation of duties matrix is a particular challenge to ensure safe operation and to prevent conflicts of interest. In this context, a top-down approach of assigning roles according to a set of duties and positions must be combined with a bottom-up approach based on the current system of access rights. This requires job descriptions and authorisation concepts, which form the basis for preparing the SoD matrix. Benefit from our experience to obtain a clear and practicable application.

Risk analysis

Fundamentally: An IAM system can only be as good as the underlying risk analysis of managed authorisations. The assignment of rights and roles, as well as the resulting authorisation processes, must build on the principles of integrity, availability, authenticity and confidentiality analysis. As a result, the processing and escalation pathways inferred on this basis ensure that an organisation adheres to the compliance requirements. The ARCA-Consult Risk Construction Kit simplifies and standardises implementation of your risk management.

Application process

The issue of the application process is frequently one to which the individual departments adopt a critical stance. The question of who is entitled to apply for authorisations and how they should do so tends to create a lot of uncertainty. The same is true of the rules that need to be adhered to in the request process. Rights and application owners are often driven to distraction in these cases, as the knowledge they require is often unrelated to their actual skill sets. It is therefore advisable to include this group before getting started. In addition, clearly and understandably worded roles and rights management is a very important issue.

Rights analysis

A common practice used in many companies – “just copy Jim’s profile” – flies in the face of the need-to-know principle. This means that rights analysis prior to migration is absolutely vital. The ARCA-Consult rights analysis processes your current rights status in a neat overview and helps you to create a robust design for your system of rights.

Migration phase

The migration phase is among the principal tasks when introducing an IAM system. Many companies face tough challenges when defining the migration method. Long migration cycles with significant outlay on time and resources can incur considerable costs, especially if one considers the aspect of maintaining parallel operation. Implementing smooth migration processes is among the most pronounced competencies of ARCA-Consult.


Re-certification is used to check the correctness and currency of the authorisation concept for role contents and the assignment of roles to identities. ARCA-Consult develops recertification plans on your behalf and in doing so defines processes and activities that need to be carried out based on the recertification findings. This is a time-consuming affair but can be made more efficient thanks to the significant experience of our consultants.


Reconciliation is used to compare the current and target status of accounts and their authorisations in the IAM and authorisation systems and to check them for consistency. Our consultants are experts in the identification of reconciliation execution sequences, while still maintaining high performance and ongoing operations.

Additional consultancy services in the area of IAM

Password management

Each IAM system must have a default password engine as part of the account management system. The company’s current password policy must be used as the basis for this engine. As an ARCA-Consult client, you will be able to draw on our best practice knowledge.

Privileged Account Management / Privileged Access Management

In privileged access management, privileged accounts are made available for a certain period in order to carry out extraordinary actions. Once they are complete, the account is blocked until it is re-activated. This gives the discipline its name of privileged account management. Privileged access management also includes the administration of technical accounts and system accounts, as well as periodic password changes for privileged accounts. We identify these accounts and work with you to establish your high privileged account management (HPA) system.

Privileged session management - logging of critical activities

A highly sensitive logging system ensures that all activities by privileged users (HPA) can be tracked. We cooperate with the works council and management bodies to prepare processes that guarantee legally compliant access to these highly critical logs.

Security Information and Event Management (SIEM)

Security Information and Event Management (SIEM) is used to identify and classify risks to IT operation and to analyse their threat potential. Suitable countermeasures are initiated when necessary. The event classes triggered in this way mitigate risks such as data theft and eavesdropping. Based on our practical experience across a variety of industries, we prepare individual risk-oriented profiles together with you, design the necessary event classes and define the escalation processes. We apply the necessary discretion in these cases.