B.

OVERVIEW
An overview of the applications or systems supported can be found in Table 1 below. This includes descriptions of the applications or systems as well as which companies or locations are covered.

Table 1
Application / System Overview

Application / System Supported: Active Directory Federation Services (ADFS)
Description: ADFS provides Federated Single Sign-on (F-SSO) with WS-Federation and SAML 2.0 capable applications hosted either in or outside the VELUX infrastructure. The federations can be made either one to many or one to one. The user always only uses their VELUX AD credentials to log in.
3rd party agreement: Microsoft
Company and/or locations: All VELUX locations

Application / System Supported: Microsoft Azure AD Premium
Description: Identity data is synchronized through Azure AD and data mapping is being performed in Azure AD. The IAM team is only a user of the Azure AD system, hence not responsible for the actual system. The IAM Team will be responsible as “ticket owners”, ensuring that initial troubleshooting, communication and coordination are being done.
3rd party agreement: Microsoft
Company and/or locations: All VELUX locations

Application / System Supported: On-Prem Directory Services
Description: The Directory service deployed with Active Directory provides the core user authentication and permissions control of the infrastructure. The service is deployed fully redundant across both on-premise datacenters and in the VELUX Azure subscription. AD provides user authentication for all end users on their deployed workstations as well as all permissions control for user and department file services.
3rd party agreement: Microsoft
Company and/or locations: All VELUX locations

Application / System Supported: Azure Active Directory
Description: The Azure Active Directory service is deployed as part of Microsoft Azure and is used to support, among others, O365, Workday Sync and the identity platform for the Azure Portal. The service is a SaaS solution provided by Microsoft and managed by Supplier.
3rd party agreement: Microsoft
Company and/or locations: All VELUX locations

C. Identity and Access Management (IAM)

Solution Scope

Component: Interfaces
Description: Enterprise Single Sign-On Page, fs.velux.com (VELUX single sign-on), Proxy adr. maintenance interface.
IOU: CSP / MBU

Component: Applications supported
Description: Single Sign-On (SSO), ADFS, AD, AAD.
AAD covers SSO on the following applications:
- SAP C4C
- SAP CPI (Application and platform)
- SAP IBP
- SAP SAC
- SAP CPI-DS
- SAP Fiori
- uPerform
- AWS
- Azure subscription
- SAP SSO
- SAP Concur
IOU: CSP / MBU. The AAD team will take responsibility for the integration of applications to the Azure Active Directory; the AAD team is not responsible for the configuration of SAP application issues / integration.

Component: Integrations
Description:
Single Sign-On
- Supplier Data Flow Manager (DFM) (AAD)
- SAP BO Launch Pad Portal (AD)
- SAP CRM (ASE Web App) (AD)
- BPO Navigator (AD)
Data Synchronization
- Active Directory - HR Feed TDI - ISIM
User Management
- AD/Azure AD
IOU: CSP / MBU

Service Scope

General

Service Line: User support
Service Item: User Administration
Scope: Manage users in AD if not already registered (Create, Modify, Delete)
IOU: CBO

Service Line: User support
Service Item: Incident Management (User Troubleshooting)
Scope:
- Users not able to log in via SSO or facing unsuccessful login issues. Users can contact SD or DSS to raise the issue.
- Resource Management Interface support - granting self-service URL access to end users. Troubleshooting specific issues in resource management.
- ADFS: User not able to authenticate through Windows integrated authentication.
- ADFS: User not able to authenticate through the fs.velux.com SSO page.
- Data synchronization between Workday, Azure AD and on-prem Active Directory.
IOU: If the SSO is for cloud (ADFS): MBU / CSP. If the SSO is for non-cloud (AD): CBO

Service Line: Application Management
Service Item: Monitoring
Scope: Regular Monitoring and Event Management for:
- ADFS: Service verification and log file monitoring
- ADFS: fs.velux.com: monitor availability
- ADFS: Federation monitoring
- Active Directory - HR Feed TDI - ISIM
IOU: CBO

Service Line: Application Management
Service Item: Incident Management
Scope: Incident troubleshooting for website and/or service availability, user access issues and user registration issues
IOU: CBO

Service Line: Application Management
Service Item: Scheduled Maintenance
Scope:
- Additional development of Active Directory - HR Feed TDI - ISIM
- Verify Back-up Script and Restore procedure. Ensure application backup availability.
IOU: CBO

Service Line: Infrastructure Services
Service Item: Monitoring
Scope: Monitoring of AD landscape
IOU: CBO

Service Line: Infrastructure Services
Service Item: Incident Management
Scope:
- Troubleshooting related to AD issues
- Troubleshooting related to insufficient master data quality
IOU: CBO

Service Line: Infrastructure Services
Service Item: Ongoing Maintenance
Scope (IOU given per item):
- Back-up and Restore of AD landscape (CBO)
- ADFS Server maintenance (regular health check, clean-up tasks) (CBO)
- Yearly Failover test on ADFS Hosts, proxies and SQL databases (CBO)
- Directory service maintenance (AD) (CBO):
  - Manage users (Create, Modify, Delete)
  - Manage DHCP (Create, Modify, Delete)
  - Manage internal DNS (Create, Modify, Delete)
  - Manage external DNS (Create, Modify, Delete)
  - Manage Roles (Create, Modify, Delete)
  - Manage Permissions (Create, Modify, Delete)
  - GPO (Create, Modify, Delete)
  - GPO procedure refresh
  - GPO Fix on Fail (ACN managed GPOs only)
  - GPO House Keeping (ACN managed GPOs only): according to Operational procedure
  - GPO Restore Test (ACN managed GPOs only): check of GPO restore procedure
- Maintain Directory service availability
- Directory service maintenance (Azure AD) (CSP / MBU):
  - Manage users (Create, Modify, Delete)
  - Manage Roles (Create, Modify, Delete)
  - Manage Permissions (Create, Modify, Delete)
  Note: AD is automatically synchronized with AAD, hence the AAD services above apply to non-standard user management, e.g. management of guest users (such as B2B persons).
- Maintain Azure Active Directory service availability

Service Line: General Services
Service Item: Reporting
Scope (IOU given per item):
- General reporting to VELUX regarding SSO & User Management (if the SSO is for cloud (ADFS): MBU / CSP; if the SSO is for non-cloud (AD): CBO)
- AD report: one monthly standard GPO overview report; changes to GPO report (CBO)
- General reporting to agreed VELUX distribution list.
- OI estimation has been agreed for 24 hours per year and it is 100% from the Offshore team and Lead from Offshore (CBO).

Service Line: General Services
Service Item: System documentation update
Scope:
- As part of normal operations (Incident Management or Maintenance)
- Update document when system is changed via ME or Projects
IOU: CBO

Service Line: General Services
Service Item: Advisory service
Scope: Client meeting participation with minimum preparation required
IOU: CBO

CyberArk

Service Lines: User support; Infrastructure Services; General Services

Service Item: User Administration
Scope:
- Handling privileged account on-boarding & off-boarding requests on an ad-hoc basis
- Creating Safes
- Creating Accounts
- Verify Password
- Adding Safe members or providing permissions
- Unlock / restore accounts and reset passwords
- Create/Update Scheduler for password rotation
- Recon and Verify accounts for privileged account password
- Providing CyberArk console access
IOU: CSP

Service Item: Monitoring
Scope: Monitoring of CyberArk components including backup replication / Vault Sync, disk space / memory utilization
IOU: CSP

Service Item: Incident Management
Scope: 1st and 2nd level support on issues related to CyberArk
IOU: CSP

Service Item: Test Management
Scope:
As part of Operations (i.e. Incident Management or Maintenance delivered as Base Service):
- Co-ordination and Execution of Unit Test
- Co-ordination of System test and Execution with support from VELUX when required
- Support VELUX at User Acceptance Test
As part of ME or Project work.
IOU: CSP

Service Item: Problem Management
Scope:
- Preventive screening of incidents for pain points and continuous improvement.
- Identify Problems, drive Root Cause Analysis (RCA) and Problem resolution related to CyberArk.
- Handling of Problems where the Root Cause lies outside Supplier’s scope of control.
IOU: CSP

Service Item: Daily Operations
Scope: Maintaining CyberArk including analyzing the environment, configuring policies and implementing best practices.

Service Item: Ongoing Maintenance
Scope:
- Handling two upgrades per year
- Coordinate during Server patching for both Vault servers recommended by CyberArk with the patch team
- Co-ordinate during quarterly VM upgrade on Vaults and other CyberArk Component servers with the patch team
- Co-ordinate during Monthly patching for CyberArk component servers like CPM, PSM, PVWA etc.
- CyberArk Fix-pack deployment and verification whenever CyberArk releases fix packs
- Certificate renewal (as and when required)
- Applying renewed CyberArk license (as and when required)
- Handling more than two upgrades per year
- Handling future integrations or onboarding accounts of new applications
- DNA Scan on UNIX and Windows Servers
- Server Enrollment - 10 servers enrollment per year
- Server Enrollment - more than 10 servers enrollment per year
IOU: CSP

Service Item: 3rd party coordination
Scope:
- 3rd party coordination with CyberArk in relation to Incident or Problem Management or Maintenance delivered as Base service.
- 3rd party co-ordination due to Incidents occurring for reasons outside Supplier’s responsibility
- 3rd party coordination related to ME or Project Work
IOU: CSP

Service Item: Reporting
Scope:
- CyberArk Report extraction. Reporting to present operational status on BPR status meetings.
- Report Design

Service Item: System documentation update
Scope:
- As part of normal operations (i.e. Incident Management or Maintenance delivered as Base Service)
- Update document when system is changed via ME or Projects (i.e. Non-base service)
IOU: CSP

Service Item: Audit
Scope:
- Participate in preparation, interviews and follow-up on findings in relation to audit activities (one audit yearly)
- Participate in spot-check audits

Service Hours
Support for the ADFS, AD and AAD application will be provided within standard service hours, with 24/7 support provided as on-call support outside normal service hours. On-Call support will be provided for Incident Management on high priority P1 and P2 incidents only.
User support provided specifically by the Service Desk will cover 24/7 support.
Incident Management in regards to the central server and network infrastructure will cover 24/7 support on high priority P1 and P2 incidents. The 24/7 support is provided as on-call support outside normal service hours.
Incident Management in regards to CyberArk will cover 24/7 support on high priority P1 and P2 incidents. The 24/7 support is provided as on-call support outside normal service hours.
The remaining services covered by this SOW will be provided within standard service hours. Any extension of the service hours, e.g. to cover 24x7x365, will require a new Contract Change.