When embarking on an identity and access management project, the accuracy of data and data transmissions is paramount to enable automated user provisioning. Data residing in HR systems and core directories should be carefully reviewed prior, during and after an IAM solution is put in place. Never underestimate the criticality of data and all processes associated with collecting and distributing the data since identity management technical solutions depend on this data to function properly. If considerable focus is not applied to this area, audit issues, ongoing support challenges and your reputation will be at risk.
Many capabilities tied to automated user provisioning relate specifically to HR data and how those HR attributes flow into a directory such as Active Directory. In many situations, the benefits of an IAM solution are negated by sloppy data entry, inconsistent standards around information and/or poorly designed data transmission architectures. Fix the underlying data entry/process issues, and your likelihood of success will be dramatically higher.
Start at the source
Prior to starting an identity and access management initiative, meet with the human resources department to fully understand their capabilities as well as the HR system’s capabilities. Is the HR department centralized, or decentralized where there is no single throat to choke for data entry issues? If there are different groups entering user data in different ways, stress the importance of data standards to everyone involved. Finding a champion in HR to own process change will go a long way, and this is often made easier when they know that the automated IAM solution will make their lives easier.
Another important question to ask early is whether consultant information is maintained differently from employee information. In many organizations, consultants are not stored in the employee HR system, and the level of detailed attributes also typically differs. Is an employee manager assigned to all consultants, and is that information updated if the consultant moves to another project? Consultants require system accounts and access just like employees so make sure you fully understand how their data will be handled. If the consultant data is in a different system, will your IAM solution support multiple HR feeds?
Aside from Human Resources processes, it is important to understand what capabilities exist in the core HR system. Can you obtain a data feed from the system? Does it enforce the assignment of a manager to every employee? If your goals are to leverage manager data for approvals, you’ll obviously need every user record to have a manager assigned. Also, be sure to ask if all HR-related changes for both employees and consultants are entered in the HR system/s. Some HR groups may state that they enter data when they hire an employee, but they may never update employee records after they are hired. If that is the case, leveraging manager data or other HR attributes may be useless because data will become inaccurate over time.
A strong information security leader is needed to help drive process change where data related issues exist. If the issues exist today, it is probably safe to assume that HR does not have a strong desire or strong leader in place to influence change. Showing strong leadership to improve other departments’ processes will reduce project risk and enable greater capabilities for your identity management vision. Many organizations fall into the trap of trying to have technology solve the problems, but it is best to improve the core issues rather than design a complex technical solution to mask the issues.
It is also important to reign in enterprise/solution architects when it comes to designing the data flow from the HR system to the user provisioning solution. Simplicity is key to avoid challenges with ongoing support of the solution. If the data must hop between multiple systems, trying to track down issues can be very challenging. A direct pull or direct push from the core HR system should be the goal.
Hopefully, your human resources department and HR system are top-notch resulting in a strong foundation for your identity and access management initiatives. Unfortunately, this is often not the case so be sure to do your homework prior to throwing technology at the problems. Good luck!
To learn more about Avatier’s ITIL service catalog solutions watch the Gwinnett Medical Center Customer Testimonial:
Get the Top 10 User Provisioning Best Practices Workbook
Enable user provisioning software rapid planning, strategic decision-making, and technology innovation. Jump start your user provisioning and identity management initiative. Learn from IT security experts and address the challenges that derail projects.
