How a Fortune 500 financial services company cut ERP provisioning time by 75% and freed 110 hours monthly

Industry: Fortune 500 financial services and insurance company
Region: US-based, global operations
Key systems: Oracle ERP, Okta, Workday for HR, SailPoint for identity administration
SafePaaS use cases: Access requests and approvals, preventive lifecycle controls, Oracle ERP provisioning, audit trail, and workflows

Outcomes

Reduced time spent on role and entitlement management by 50–70%, freeing ~110 hours per month across business and IT teams
Eliminated manual identity data uploads from disconnected sources, removing errors and bottlenecks
Cut IT tickets for stuck access requests by 60–80%
Reduced Oracle ERP provisioning time from 2–3 days to just a few hours

Background: Fast-moving Fortune 500 using Oracle ERP, Okta, and SailPoint for Identity Administration

This Fortune 500 insurer spans multiple business units and regions, with thousands of employees who depend on timely access to Oracle ERP for productivity.. Okta handles identity and access management, while SailPoint handles identity administration and lifecycle management.

However, these tools operated in silos from an access governance perspective, creating gaps in consistency, visibility, and auditability. While SailPoint handled provisioning workflows and Okta managed authentication, neither provided the federated governance layer needed to orchestrate policies and decisions across systems in a consistent, auditable way.

Manager and organizational hierarchy data from Workday were manually extracted and uploaded into downstream tools, creating friction that slowed Oracle ERP access and increased operational effort. Without a federated governance layer coordinating the identity systems they had already invested in, the insurer was left managing stuck access requests, inconsistent role definitions, and limited ability to demonstrate that access decisions aligned with current risk appetite and regulatory expectations.

Business Challenges

1. Approval Decisions Were Based on Outdated Organizational Context

Pain Point:
Manager and hierarchy data existed in SailPoint, but it did not flow in real time into Oracle ERP provisioning workflows. Instead, approvals depended on periodically exported CSV files uploaded into downstream systems.

Business Impact:

Approval logic lagged behind actual organizational changes
Access decisions reflected yesterday’s org chart
Increased risk of inappropriate access approvals due to stale governance context

2. Manual File-Based Integration Created Governance and Operational Risk

Pain Point:
The access team relied on manual CSV exports and uploads to synchronize approval data across systems.

Business Impact:

Delayed propagation of organizational changes into access workflows
Higher probability of human error in data handling
Governance controls weakened by non-automated, non-auditable integration steps

3. Organizational Volatility Broke Approval Workflows

Pain Point:
Managers frequently changed roles, left the company, or were reassigned due to reorganizations and backfills. Approval workflows frequently pointed to invalid or outdated managers.

Business Impact:

Requests stalled when approvals were routed to inactive or incorrect managers
Business users waited for critical ERP access, impacting productivity and operations
Administrators spent time chasing stuck approvals instead of focusing on strategic IAM initiatives

4. Operational Inefficiency for Access and IT Teams

Pain Point:
Administrators had to manually intervene, reroute approvals, and open tickets just to unblock provisioning workflows.

Business Impact:

Increased administrative overhead and ticket volume
Slower time-to-access for business users
IT and security teams diverted from higher-value automation and governance work

5. Inability to Achieve Policy-Driven, End-to-End Provisioning

Pain Point:
Because approvals and policy checks relied on stale manager data, the organization could not fully implement a real-time, policy-driven provisioning model.

Business Impact:

Access decisions were not consistently aligned with current risk posture
Difficulty demonstrating continuous compliance with regulatory expectations
Reduced confidence that ERP access reflected current organizational risk and control requirements

Manual, file-based synchronization of organizational data caused approval workflows to operate on stale hierarchy information, resulting in stalled access requests, increased administrative burden, and weakened governance and compliance assurance.

A federated access governance model designed for zero-trust environments is intended to deliver:

Stronger data protection across ERP and connected applications, with access grounded in current identity and manager data.
Better visibility and reporting on insider and third-party access, including who approved what and based on which policies.
Increased resilience and efficiency in access operations, reducing dependency on manual file uploads and ticket-driven clean-up work.

“We were spending more time fixing stuck requests than actually managing access risk. Every time a manager changed, we had to open tickets and wait for support to clear the workflow.”

— CISO, Fortune 500 Insurance Provider

SafePaaS Solution: Federated Governance and Streamlined Identity Administration

Making SafePaaS the Federated Governance Layer

The insurer upgraded its governance architecture by deploying SafePaaS as the federated control layer across Oracle ERP, SailPoint, and Okta. Segregation-of-duty rules and advanced access policies were modeled in SafePaaS and evaluated before changes were applied in Oracle ERP, ensuring consistent policy enforcement regardless of the request’s origin.

This shifted the model from detecting conflicts after provisioning to blocking risky combinations at the point of request, thereby improving both the risk posture and the user experience. Instead of relying on each tool to enforce its own siloed logic, SafePaaS orchestrated identity data, policies, and approvals across systems as a single, federated layer.

Automated Integration to Eliminate Manual Uploads

SafePaaS implemented APIs to pull manager and user data directly from SailPoint, eliminating weekly CSV exports and manual uploads. SailPoint remained the system of record for identity administration, while SafePaaS continuously consumed that data to ensure workflows always used the current approver information.

With pre-built connectors and flexible data ingestion, the integration required no custom API development, reducing implementation risk and time-to-value.

“Once we moved to the API integration, the weekly uploads disappeared. Manager changes now flow automatically, and requests route to the right people without us touching anything.”

— CISO, Fortune 500 Insurance Provider

Closed-Loop Oracle ERP Provisioning

In the new model:

Access requests are initiated in SafePaaS, using up-to-date identity data from SailPoint to route approvals to the correct managers.
Once approved, SafePaaS provisions Oracle ERP roles and synchronizes updates back into the SailPoint platform.
A closed-loop process creates an end-to-end, auditable trail from request through provisioning and enforcement that auditors can trust.
Enterprise workflow capabilities let administrators cancel stuck requests and re-provision with updated manager data without opening vendor tickets.

Why They Chose SafePaaS

The insurer selected SafePaaS to gain a federated governance platform that could:

Map disparate identity sources into an auditable repository: SafePaaS connects Workday (the authoritative source for employee data), SailPoint, Okta, and Oracle ERP into a single governance layer, with built-in data transformation to ensure usability across systems.
Run preventive provisioning checks using current identity data before granting any access.
Model granular access policies against Oracle ERP without over-restricting legitimate access.
Provide audit-ready evidence in a single control process across request, approval, provisioning, and enforcement—reducing oversight effort and giving auditors confidence in the data.

Because policies are modeled once in SafePaaS and enforced consistently, the insurer avoided the typical multi-month, spreadsheet-driven clean-up projects and ongoing firefighting around stuck requests. Identity lifecycle management became more timely and efficient, with overhead reduced across business and IT teams.

Results: Faster, Governed ERP Access with Fewer Tickets

Operational Efficiency

With API-driven synchronization, manual weekly uploads for manager data were eliminated. The access team no longer spends time extracting, validating, and uploading files or opening tickets to clear stuck requests caused by manager turnover.

Reduced time spent on role and entitlement management by 50–70%, freeing around 110 hours per month across business and IT teams.
Eliminated errors and bottlenecks caused by manual uploads of identity details from multiple disconnected sources using spreadsheets.
Cut IT service requests to fix stuck application access requests by 60–80%.
Reduced average time to obtain required Oracle ERP access from 2–3 days to just a few hours.

“We went from firefighting stuck requests every week to actually spending time refining our access governance policies and models. That’s where we should have been focused all along.”

— CISO, Fortune 500 Insurance Provider

The net effect is less firefighting and more time spent designing and refining access controls and governance policies.

Risk and Control Improvements

Preventive access analysis now runs in SafePaaS against centrally defined controls before Oracle ERP access is provisioned. Because SafePaaS continuously ingests data from SailPoint and Workday, provisioning and risk checks remain aligned with the latest identity and manager data rather than outdated org charts.

This improves the organization’s ability to:

Block toxic access combinations at the point of request.
Maintain an auditable, closed-loop control process that supports clean external audits.
Demonstrate to auditors that access decisions are based on current, trusted identity data from the authoritative sources that management relies on.

Are you ready to modernize your Access Governance?

Learn how SafePaaS delivers federated governance, talk to an expert.