Why Should I Automate User Provisioning with Auto IDM?
Updated: Dec 29, 2020
Automatically create accounts in your IT systems
The goal of this write-up is to describe the user provisioning problem, and to describe how Auto IDM’s approach can help solve it for you. Our long-term mission is for every business to automate user provisioning; today, that’s not possible.
Don’t know what an HR management system is, or an IT system? Hop to the definitions section at the end of this write-up. Otherwise, read on!
What is user provisioning?
User provisioning is creating, updating, modifying, disabling, and deleting accounts. An employee’s life cycle stages throughout their time at your organization looks something like this:
[Figure: Employee Lifecycle Diagram (onboarding, changes over time, offboarding)]
Onboarding and offboarding tasks happen for every employee. In your organization, there is a checklist with a bunch of steps to onboard someone, and the steps are roughly ~30% HR and ~50% IT; the rest are Finance/Legal/etc. The core problem is that each team’s systems don’t talk to one another, so there isn’t a clear system of record. It’s fairly obvious that HR should be in control of the system of record for everything about employee information. Due to the lack of integration between systems, we end up with systems that have to be updated manually whenever HR makes a change. This means every change leads to an urgent/important activity for IT.
Automation allows for your Directory System to stay up-to-date with HR.
We’ll go over what each step probably looks like in your organization if you’re not automated.
Your HR team sends an email or submits a ticket that looks something like this:
Subject: New Employee Starting Tomorrow
Email Address (What’s the rule for email addresses? First initial + last name)
What should this account have access to? (Groups)
Do they need access to the company shared folder?
Do they need access to accounting software?
Do they need access to the CRM?
Where do I send their initial password?
What office are they at? Michigan? South Carolina? Florida?
Normally, this process isn’t as clean because HR doesn’t have all of the information at the time of the hire. A title may change, the department may be moved around, etc. The one constant with hiring is there are always changes to the process. IT takes this information and puts it into the Identity Provider. This generally is a list of ~10-20 steps that includes:
Adding the user to all the necessary groups (possibly copying from another similar employee)
Waiting for the email to be created
Sending an email to the new employee’s manager with the credentials
Provisioning a new computer, imaging the computer, prepping the apps for the computer (For a Windows shop, Windows Auto Pilot attempts to solve this, as well; with Azure, it’s looking more and more possible. https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot )
Changes over time
There are a number of HR and employee-related actions that trigger changes on the IT side of the house.
Position change in the company
Name change (marriage)
Merger and Acquisition (Rare but automation makes this a lot easier)
The most common changes are actually company-wide changes that impact the Identity Provider.
Group adds / removes that link to HR groups
Mass field changes (upn/proxyaddress, picture updates, office moves, etc.)
Restructuring of groups/role mappings. What groups does engineering need access to?
How long to keep old accounts for archival reasons
Email address domain name change
Any mass field change
For the most part, offboarding is the same as onboarding in reverse, with a few additional tasks.
Security issues - Potentially rogue ex-employees are a real issue: OneLogin reported that 50% of companies have ex-employees who still have access to company data! With automation, the account can be disabled the instant HR marks them as offboarded.
Archival of ex-employees’ data. What is your archival process?
How does Auto IDM solve this problem?
A fully managed solution means the following:
No software to maintain
No configuration to configure/update
No updates to maintain
Proven implementation process that will get us to the finish line at your business’s pace, while not missing anything
Support includes the full end-to-end process; you’ll experience the best support you’ve had from a vendor
User provisioning process is supported by a company, not just a single person on your team
Solution is hands-off
Your team now has access to a dedicated team of people focused on user provisioning and data integration
Cost scales with your business size, as the complexity of user provisioning tends to scale with the number of employees. Therefore, if you have a low employee count, your price is going to be very affordable: 30 employees * $25 / year = ~$800; 200 employees * $20 / year; 1000 employees * $15 / year. Pricing is flexible, and we also offer monthly pricing.
We know that a fully managed solution is the best long-term solution, because the HR landscape is changing dramatically. Over time, with the rapid pace of innovation in technology, the HR and IT providers are going to continue to change.
Our cost structure also drives us to be more efficient and care about the same problems our customers care about. They want the solution to get out of the way and allow their organization to move forward.
[Figure: high-level diagram]
Access-wise, we need:
Email address to send reports to
HR System access
Identity Provider access
We either do the compute inside our secured infrastructure, or we can deploy an agent to a server inside your infrastructure. This agent reports metadata about each job back to us. Each customer’s data is isolated, and every access to that data is logged. We pride ourselves on finding errors before our customers do, and work to detect all problems before they are noticed. In the event that we detect an issue, we create a ticket to let you know about the issue and about any remediations we put in place.
All passwords are stored in an encrypted form via AKS (Amazon Key Service)
Data isolation is achieved with network isolation techniques, and AWS IAM (Identity and Access Management) rules
Jobs are run as scheduled batch runs
Jobs can be run in real time (HR system dependent)
All employee changes are treated as events which gives us the ability to go back in time to see how changes were made and why they were made
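The sections above describe the onboarding checklist (first initial + last name usernames, department-driven group adds), the changes over time (title, department and name changes), offboarding (disable the account the instant HR marks the person terminated), and the event log that lets a change be traced back. The script below is an added illustration of that joiner/mover/leaver reconciliation, not Auto IDM’s code: it treats the HR records as the system of record, diffs them against the identity provider accounts, applies the changes, and appends each one to a replayable event log. The `ROLE_GROUPS` mapping, the record shapes, and all employee rows are constructed for this example and are assumptions, not anything from the original page.

```python
"""HR-to-IdP reconciliation (added example). The HR system is the system of
record; the identity provider mirrors it. Each run diffs the two and emits
events for joiners (create), movers (update) and leavers (disable). Every
event is appended to a log that can be replayed to recover past state.
All data below is constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical department -> IdP group mapping (an assumption of this example).
ROLE_GROUPS = {
    "Engineering": {"all-staff", "eng"},
    "Finance": {"all-staff", "finance", "accounting-app"},
}
# Only groups that appear in the mapping are managed; ad-hoc groups are left alone.
MANAGED_GROUPS = set().union(*ROLE_GROUPS.values())
RUN_TIME = datetime(2020, 12, 29, tzinfo=timezone.utc)  # fixed clock for the sample run


@dataclass
class HrRecord:          # one row from the HR system (system of record)
    employee_id: str
    first: str
    last: str
    department: str
    status: str          # "active" or "terminated"


@dataclass
class IdpAccount:        # one account in the identity provider
    employee_id: str
    username: str
    display_name: str
    department: str
    groups: set
    enabled: bool = True


def username_for(rec):
    """Naming rule from the onboarding ticket: first initial + last name."""
    return (rec.first[0] + rec.last).lower()


def reconcile(hr_records, idp_accounts, now=None):
    """Return (events, accounts). Each event records when, what and for whom."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    accounts = {a.employee_id: a for a in idp_accounts}
    events = []
    for rec in hr_records:
        wanted = ROLE_GROUPS.get(rec.department, {"all-staff"})
        acct = accounts.get(rec.employee_id)
        if rec.status == "terminated":
            # Leaver: disable right away, but keep the account for archival.
            if acct and acct.enabled:
                acct.enabled = False
                events.append({"ts": ts, "type": "disable", "employee_id": rec.employee_id})
            continue
        if acct is None:
            # Joiner: create the account with the groups its department maps to.
            acct = IdpAccount(rec.employee_id, username_for(rec),
                              f"{rec.first} {rec.last}", rec.department, set(wanted))
            accounts[rec.employee_id] = acct
            events.append({"ts": ts, "type": "create", "employee_id": rec.employee_id,
                           "username": acct.username, "groups": sorted(wanted)})
            continue
        # Mover / name change / rehire: diff attributes and managed group membership.
        changes = {}
        new_name = f"{rec.first} {rec.last}"
        if acct.display_name != new_name:
            changes["display_name"] = (acct.display_name, new_name)
            acct.display_name = new_name
        if acct.department != rec.department:
            changes["department"] = (acct.department, rec.department)
            acct.department = rec.department
        add = wanted - acct.groups
        remove = (acct.groups & MANAGED_GROUPS) - wanted
        if add or remove:
            changes["groups"] = {"add": sorted(add), "remove": sorted(remove)}
            acct.groups = (acct.groups | add) - remove
        if not acct.enabled:
            changes["enabled"] = (False, True)
            acct.enabled = True
        if changes:
            events.append({"ts": ts, "type": "update", "employee_id": rec.employee_id,
                           "changes": changes})
    return events, list(accounts.values())


def account_state_at(events, employee_id, when):
    """Replay the log up to `when` to see what an account looked like then."""
    state = None
    for ev in events:
        if ev["employee_id"] != employee_id or ev["ts"] > when.isoformat():
            continue
        if ev["type"] == "create":
            state = {"username": ev["username"], "groups": set(ev["groups"]), "enabled": True}
        elif ev["type"] == "update" and state is not None:
            for key, change in ev["changes"].items():
                if key == "groups":
                    state["groups"] = (state["groups"] | set(change["add"])) - set(change["remove"])
                else:
                    state[key] = change[1]
        elif ev["type"] == "disable" and state is not None:
            state["enabled"] = False
    return state


def run_example():
    """Constructed sample: four HR rows against three existing IdP accounts."""
    hr = [
        HrRecord("E1", "Alice", "Smith", "Engineering", "active"),
        HrRecord("E2", "Bob", "Jones", "Finance", "active"),        # moved Eng -> Finance
        HrRecord("E3", "Carol", "Lee", "Engineering", "active"),    # new hire
        HrRecord("E4", "Dan", "Brown", "Finance", "terminated"),    # offboarded today
    ]
    idp = [
        IdpAccount("E1", "asmith", "Alice Smith", "Engineering", {"all-staff", "eng"}),
        IdpAccount("E2", "bjones", "Bob Jones", "Engineering", {"all-staff", "eng", "vpn"}),
        IdpAccount("E4", "dbrown", "Dan Brown", "Finance", {"all-staff", "finance", "accounting-app"}),
    ]
    return reconcile(hr, idp, now=RUN_TIME)


if __name__ == "__main__":
    events, accounts = run_example()
    for ev in events:
        print(ev)
    print(account_state_at(events, "E2", RUN_TIME))
```

Two design points worth noting: the leaver path disables rather than deletes, so the archival question raised above is left to a separate retention policy, and only groups that appear in the role mapping are touched, so a manually granted group such as `vpn` survives a department move instead of being silently stripped or silently kept out of the log.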
How to get in contact with Auto IDM
Definitions
HR: Human Resources
IT: Information Technology
HRIS / HRMS: Human Resources Information System / Human Resource Management System
The Human Resources Information System (HRIS) or Human Resources Management System (HRMS) is your organization’s system of record for an employee. When an employee gets hired, this is the first system their data is entered into. It is also the center for other related HR activities like Payroll, Benefits, Time Tracking, etc.
Common providers are BambooHR, Gusto, Namely, ADP Workforce, UltiPro, Ease, etc.
Identity Provider (IdP)
Your Identity Provider is the place your IT team uses to give your employees an account to log into their computer, and is now normally used for email, as well.
For a more technically accurate definition, check out: https://en.wikipedia.org/wiki/Identity_provider
Common providers are Active Directory, Microsoft 365 (Azure AD), Google Workspace, etc.
Identity Management (IdM)
Identity Management is where Auto IDM gets its name from. Generally, IDM and IAM (Identity and Access Management) are used interchangeably.
System of Record
The authoritative source for some kind of data element. In this case, name, title, department, etc. are all more than likely authoritative in the HR system. For a more complete definition, check out https://en.wikipedia.org/wiki/System_of_record