Derek Visch

Why Should I Automate User Provisioning with Auto IDM?

Updated: Dec 29, 2020

Automatically create accounts in your IT systems

The goal of this write-up is to describe the user provisioning problem and how Auto IDM’s approach can help solve it for you. Our long-term mission is for every business to automate user provisioning; today that’s not possible.


Don’t know what an HR management system is, or an IT system? Hop to the definitions section at the end of this post. Otherwise, read on!


Sections:

  1. What is user provisioning

  2. Employee Lifecycle Diagram

  3. Onboard

  4. Changes over time

  5. Offboard

  6. How does Auto IDM solve User Provisioning

  7. High level architecture

  8. Technical Details

  9. How to get in contact with Auto IDM


What is user provisioning?

User provisioning is creating, updating, modifying, disabling, and deleting accounts. An employee’s life cycle stages throughout their time at your organization looks something like this:


Stages

  1. Onboard

  2. Changes over time

  3. Offboard

Employee Lifecycle Diagram



Onboarding and offboarding tasks happen for every employee. In your organization, there is a checklist with a bunch of steps to onboard someone, and the steps are about ~30% HR, ~50% IT; the rest are Finance/Legal/etc. The core problem is that each team's systems don’t talk to one another, so there’s not a clear system of record. It’s fairly obvious that HR should be in control of the system of record for everything about employee information. Due to a lack of integration between systems, we end up with systems that have to get updated manually when HR needs to make a change. This means every change leads to an urgent/important activity for IT.


Automation allows for your Directory System to stay up-to-date with HR.


We’ll go over what each step probably looks like in your organization if you’re not automated.


Onboard

Your HR team sends an email or submits a ticket that looks something like this:


Subject: New Employee Starting Tomorrow

  • First Name

  • Last Name

  • Department

  • Title

  • Email Address (What’s the rule for email addresses? First initial + last name)

  • What should this account have access to? (Groups)

  • Do they need access to the company shared folder?

  • Do they need access to accounting software?

  • Do they need access to the CRM?

  • Where do I send their initial password?

  • Start date?

  • What office are they at? Michigan? South Carolina? Florida?

  • Full time?

  • Contractor?

  • End date?

  • Manager?

  • etc.

Normally, this process isn’t as clean because HR doesn’t have all of the information at the time of the hire. A title may change, the department may be moved around, etc. The one constant with hiring is there are always changes to the process. IT takes this information and puts it into the Identity Provider. This generally is a list of ~10-20 steps that includes:

  • User creation

  • Adding the user to all the necessary groups (possibly copying from another similar employee)

  • Waiting for the email to be created

  • Initial Password

  • Sending an email to the new employee’s manager with the credentials

  • Provisioning a new computer, imaging the computer, prepping the apps for the computer (For a Windows shop, Windows Auto Pilot attempts to solve this, as well; with Azure, it’s looking more and more possible. https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot )

  • Etc


Changes over time

There are a number of HR and employee-related actions that trigger changes on the IT side of the house.

  • Position change in the company

  • Name change (marriage)

  • Location change

  • Merger and Acquisition (Rare but automation makes this a lot easier)


The most common changes are actually company-wide changes that impact the Identity Provider.

  • Group adds / removes that link to HR groups

  • Mass field changes (upn/proxyaddress, picture updates, office moves, etc.)

  • Restructuring of groups/role mappings. What groups does engineering need access to?

  • How long to keep old accounts for archival reasons

  • Email address domain name change

  • Any mass field change

Offboard

For the most part, offboarding is the same as onboarding in reverse, with a few additional tasks.

  • Security issues - Potentially rogue ex-employees are a real risk: 50% of companies have ex-employees who still have access to company data (a figure reported by OneLogin). With automation, the account can be disabled the instant HR marks them as offboarded.

  • Archival of ex-employees’ data. What is your archival process?
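The onboard, change and offboard steps above all reduce to one comparison: what HR (the system of record) says versus what the directory currently holds. The following is an added example, not Auto IDM’s code, of that reconciliation. The HR records, directory accounts, the example.com domain and the department-to-group mapping are all constructed for illustration; the email rule is the first-initial-plus-last-name rule from the onboarding ticket above. Offboarded employees are disabled rather than deleted so their data can still be archived, and directory accounts with no HR record are flagged for review instead of being changed.

```python
"""Added example, not Auto IDM's code: reconcile an HR extract against
directory accounts and emit the provisioning actions the lifecycle describes
(create on hire, update on change, disable on offboard).
All sample data, the domain and the group mapping are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    first_name: str
    last_name: str
    department: str
    status: str  # "active" or "terminated"


@dataclass
class Account:
    employee_id: str
    display_name: str
    email: str
    groups: frozenset
    enabled: bool


# Constructed department -> group mapping (the "role mapping" HR groups link to).
# Unknown departments get only the baseline group.
DEPARTMENT_GROUPS = {
    "Engineering": frozenset({"all-staff", "eng"}),
    "Finance": frozenset({"all-staff", "finance", "accounting-app"}),
    "Sales": frozenset({"all-staff", "sales", "crm-users"}),
}
BASELINE_GROUPS = frozenset({"all-staff"})


def email_for(first_name, last_name, domain="example.com"):
    """Apply the address rule from the ticket: first initial + last name."""
    local = (first_name[:1] + last_name).lower()
    local = "".join(ch for ch in local if ch.isalnum())  # drop apostrophes, hyphens, spaces
    return f"{local}@{domain}"


def reconcile(hr_records, accounts):
    """Compare HR (system of record) with the directory.

    Returns a list of (action, employee_id, details). Terminated employees are
    disabled, never deleted, so archival can still happen; enabled accounts
    with no HR record are flagged for a human rather than touched."""
    by_id = {a.employee_id: a for a in accounts}
    actions = []
    seen = set()
    for rec in hr_records:
        seen.add(rec.employee_id)
        acct = by_id.get(rec.employee_id)
        if rec.status == "terminated":
            if acct is not None and acct.enabled:
                actions.append(("disable", rec.employee_id, {"reason": "terminated in HR"}))
            continue
        want_name = f"{rec.first_name} {rec.last_name}"
        want_groups = DEPARTMENT_GROUPS.get(rec.department, BASELINE_GROUPS)
        if acct is None:
            actions.append(("create", rec.employee_id, {
                "display_name": want_name,
                "email": email_for(rec.first_name, rec.last_name),
                "groups": sorted(want_groups),
            }))
            continue
        changes = {}
        if acct.display_name != want_name:
            # A name change updates the display name only; the mailbox address
            # is kept stable, so proxy addresses are a separate decision.
            changes["display_name"] = want_name
        added, removed = want_groups - acct.groups, acct.groups - want_groups
        if added:
            changes["add_groups"] = sorted(added)
        if removed:
            changes["remove_groups"] = sorted(removed)
        if not acct.enabled:
            changes["enabled"] = True  # rehire: HR says active again
        if changes:
            actions.append(("update", rec.employee_id, changes))
    for acct in accounts:
        if acct.employee_id not in seen and acct.enabled:
            actions.append(("review", acct.employee_id, {"reason": "enabled account with no HR record"}))
    return actions


# Constructed sample input: what HR says today versus what the directory holds.
SAMPLE_HR = [
    HrRecord("E001", "Alice", "Smith", "Engineering", "active"),
    HrRecord("E002", "Bob", "Jones", "Finance", "active"),      # moved from Sales
    HrRecord("E003", "Carol", "White", "Sales", "terminated"),  # offboarded
    HrRecord("E004", "Dan", "Brown", "Engineering", "active"),  # new hire
]
SAMPLE_ACCOUNTS = [
    Account("E001", "Alice Smith", "asmith@example.com", frozenset({"all-staff", "eng"}), True),
    Account("E002", "Bob Jones", "bjones@example.com", frozenset({"all-staff", "sales", "crm-users"}), True),
    Account("E003", "Carol White", "cwhite@example.com", frozenset({"all-staff", "sales", "crm-users"}), True),
    Account("E005", "Old Contractor", "contractor@example.com", frozenset({"all-staff"}), True),  # no HR record
]

if __name__ == "__main__":
    for action, emp, details in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS):
        print(action, emp, details)
```

Running it on the constructed data yields one update (Bob gains the Finance groups and loses the Sales ones), one disable (Carol), one create (Dan, as dbrown@example.com) and one review item (the contractor account nobody in HR knows about). The review bucket is the important one: an enabled account with no owner in the system of record is exactly the ex-employee access problem described above, and a reconciliation run surfaces it every time it executes rather than only when someone remembers to look.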

How does Auto IDM solve this problem?

A fully managed solution means the following:

  • No software to maintain

  • No configuration to set up or update

  • No updates to maintain

  • Proven implementation process that will get us to the finish line at your business’s pace, while not missing anything

  • Support includes the full end-to-end process; you’ll experience the best support you’ve had from a vendor

  • User provisioning process is supported by a company, not just a single person on your team

  • Solution is hands-off

  • Your team now has access to a dedicated team of people focused on user provisioning and data integration

Cost scales with your business size as the complexity of user provisioning tends to scale with the number of employees. Therefore, if you have a low employee count, your price is going to be very affordable; 30 employees * $25 / year = ~$800. 200 employees * $20 / year. 1000 employees * $15 / year. Pricing is flexible, and we also offer monthly pricing.


We know that a fully managed solution is the best long-term solution, because the HR landscape is changing dramatically. Over time, with the rapid pace of innovation in technology, the HR and IT providers are going to continue to change.


Our cost structure also drives us to be more efficient and care about the same problems our customers care about. They want the solution to get out of the way and allow their organization to move forward.


Technical

High level diagram:



Access-wise, we need:

  • Email address to send reports to

  • HR System access

  • Identity Provider access

We either do the compute inside our secured infrastructure, or we can deploy an agent to a server inside your infrastructure. This agent reports metadata about each job back to us. Each customer’s data is isolated, and access to data is logged. We pride ourselves on detecting errors before our customers notice them. When we detect an issue, we create a ticket to let you know about it and about any remediations we put in place.


Technical details

  • All passwords are stored in an encrypted form via AKS (Amazon Key Service)

  • Data isolation is achieved with network isolation techniques, and AWS IAM (Identity and Access Management) rules

  • Jobs are run as scheduled batches

  • Jobs can be run in Real Time (HR system dependent)

  • All employee changes are treated as events, which gives us the ability to go back in time to see how changes were made and why they were made
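Treating every change as an event means the directory’s current state is the result of replaying a log, and any past state or the reason behind a value can be recovered from that log. The following is an added example, not Auto IDM’s code, of such an append-only event log: each event records the field, the value before and after, the input or rule that caused it, and the job run that applied it. The event shape and all sample events are constructed for illustration.

```python
"""Added example, not Auto IDM's code: an append-only log of employee change
events, replayed to answer "what did this account look like on date X,
and why did it change?" The event shape and all sample events are constructed."""
from datetime import datetime, timezone


def ts(text):
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def event(at, employee_id, field, old, new, source, job):
    # Each event carries what changed, the value before and after, which
    # input or rule caused it, and which job run applied it.
    return {"at": ts(at), "employee_id": employee_id, "field": field,
            "old": old, "new": new, "source": source, "job": job}


# Constructed log: E002 hired into Sales then moved to Finance; E003 offboarded.
# Events are only ever appended; a correction is a new event, not an edit.
EVENTS = [
    event("2020-11-02T09:00:00", "E002", "department", None, "Sales", "hris:new-hire", "run-1041"),
    event("2020-11-02T09:00:05", "E002", "groups", [], ["all-staff", "sales"], "rule:department-groups", "run-1041"),
    event("2020-12-14T18:30:00", "E002", "department", "Sales", "Finance", "hris:position-change", "run-1203"),
    event("2020-12-14T18:30:02", "E002", "groups", ["all-staff", "sales"], ["all-staff", "finance"], "rule:department-groups", "run-1203"),
    event("2020-12-20T08:00:00", "E003", "enabled", True, False, "hris:terminated", "run-1260"),
]


def _ordered(log, employee_id, field=None):
    """Events for one employee (optionally one field), oldest first."""
    return sorted((e for e in log
                   if e["employee_id"] == employee_id and (field is None or e["field"] == field)),
                  key=lambda e: e["at"])


def state_at(log, employee_id, at):
    """Replay events up to `at` to rebuild the employee's attributes at that moment."""
    state = {}
    for ev in _ordered(log, employee_id):
        if ev["at"] <= at:
            state[ev["field"]] = ev["new"]
    return state


def explain(log, employee_id, field):
    """Return the chain of (timestamp, old, new, source, job) behind a field's current value."""
    return [(ev["at"].isoformat(), ev["old"], ev["new"], ev["source"], ev["job"])
            for ev in _ordered(log, employee_id, field)]


def chain_is_consistent(log, employee_id, field):
    """Each event's 'old' must equal the previous event's 'new'.

    A break means a change was applied outside the log (for example a manual
    edit in the directory) or an event is missing, and is worth a ticket."""
    prev = None
    for i, ev in enumerate(_ordered(log, employee_id, field)):
        if i > 0 and ev["old"] != prev:
            return False
        prev = ev["new"]
    return True


if __name__ == "__main__":
    print(state_at(EVENTS, "E002", ts("2020-12-01T00:00:00")))
    for step in explain(EVENTS, "E002", "department"):
        print(step)
```

With the constructed log, replaying E002 to 1 December 2020 shows the pre-move state (Sales, with the Sales groups), while the full replay shows Finance; the explain chain for department shows the position change and the job run that applied it. The consistency check is the part that pays off operationally: a later event whose “old” value does not match the last known “new” value is evidence of an out-of-band change, which is the kind of drift a provisioning service wants to raise a ticket about before the customer notices.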

How to get in contact with Auto IDM

If this is interesting to you, or if you’d like to chat about other ways that we could partner to build a relationship, set up a meeting at www.autoidm.com/schedule or email us at sales@autoidm.com


Definitions

HR: Human Resources


IT: Information Technology


HRIS / HRMS: Human Resources Information System / Human Resource Management System

The HRIS or HRMS is your organization’s system of record for an employee. When an employee gets hired, this is the first system that data is entered into. It is also the center for other related HR activities like Payroll, Benefits, Time Tracking, etc.


Common providers are BambooHR, Gusto, Namely, ADP Workforce, UltiPro, Ease, etc.

Identity Provider (IdP)

Your Identity Provider is the place your IT team uses to give your employees an account to log into their computer, and is now normally used for email, as well.


For a more technically accurate definition, check out: https://en.wikipedia.org/wiki/Identity_provider


Common providers are Active Directory, Microsoft 365 (Azure AD), Google Workspace, etc.


Identity Management (IdM)

Identity Management is where Auto IDM gets its name from. Generally, IdM and IAM (Identity and Access Management) are used interchangeably.


System of Record

The authoritative source for a given data element. In this case name, title, department, etc. are all more than likely authoritative in the HR system. For a more complete definition, check out https://en.wikipedia.org/wiki/System_of_record




©2020 AutoIDM LLC.  |  Contact Us  |  269-205-3389  |   251 North Rose Street Suite 200. Kalamazoo, MI 49007.
