
Enterprise Identity Management Processes. Part I: Employee on-boarding


This is the first in a series of articles dedicated to a detailed overview of the processes and components of enterprise identity and access management (IAM). The articles are designed to help technical architects and system designers understand what is involved in the complex business processes that drive identity management, and to provide a detailed review of all critical components.

A solid understanding of the identity management business processes before a new IAM system is implemented very often makes the difference between success and failure; the processes must be worked out and agreed to by all key participants before implementation can start.

This review does not address the specific software configurations and settings required to support these processes and workflows, but any modern identity management software will be able to support them.

The diagram below documents the workflow for employee on-boarding, one of the core identity management processes, which supports a new employee joining the company. The flow is designed to be integrated into the existing hiring process and to provide logical and physical access to the employee by day one of employment.

The horizontal segments of the diagram represent the participants, or "actors", who take part in this flow, with actor descriptions written on the left side.

Let's review the participating actors and their functions as they relate to identity management processes:

  • Employee - the person who is joining the company on a full- or part-time basis after a successful job application process.

  • HR - the human resources department within the company that handles the employee on-boarding process. The HR department typically has its own systems and processes dealing with many aspects of on-boarding, and it is the primary owner of employee records.

  • Hiring Manager - the person who is hiring the new employee and is responsible for general management activities and approvals.

  • Escalation manager - the immediate manager of the hiring manager; for the purposes of this workflow, this is the point of event escalation.

  • IAM system - the core identity management system, designed to handle and automate the different functions and flows associated with the provisioning of logical and physical access.

  • Service management - the company department and/or systems responsible for creating and tracking the various service requests dealing with logical and physical access and provisioning (computers, phones, building access, etc.). Service management may or may not perform fulfillment of the requests; in many cases fulfillment is done by other company departments and the service management function only tracks these activities.

  • Provisioning administrator - the function that deals with manual provisioning and management of physical assets, i.e. fulfillment of service requests in whatever way is appropriate for the requested asset.

  • Security administrator - the function that provisions logical access to all the systems required by an employee. Some system provisioning can be done automatically, but some manual activities may be required.

Let's review the core components of the employee on-boarding workflow:

  1. Employee pre-boarding is the process handled by HR systems that starts after the employee accepts an employment offer. It can include new employee orientation, signing of non-disclosure and other legal forms, setup of the information required for payroll, and so on. All these activities are performed by HR systems and are outside the scope of the IAM system, but pre-boarding is the trigger that starts the IAM flow.

  2. The event of hiring a new person must be communicated to the IAM system together with the employee ID generated by the HR system and the person's first and last name, location and other relevant information required to provision logical and physical access. This event can be sent either in a daily batch or, better yet, as a real-time service call from the HR system to the IAM system.

  3. The IAM system assigns the basic access roles that every employee needs and that do not require additional approval. These could be general building access, access to the company's internal employee portal, relevant file shares and/or cloud access, and others.

  4. An access approval component is required to support manager approval of requests for logical system access and for the role- or department-specific privileges required by a new employee. Typically, this approval workflow is handled via an email notification to the manager with a link to the IAM portal where the required functions are performed. As indicated on the diagram, the approval workflow must handle not only the "happy" path but also events where a request fails or the manager cancels the employee's on-boarding. If the manager fails to act on an approval request within a defined time frame (usually 24-48 hours), the request must be escalated to the escalation manager. A request failure event is forwarded to the security administrator for review and further action.

  5. The ad-hoc block of the process is responsible for requests for access and privileges outside the normal roles required for an employee. The IAM system needs to provide the manager with functionality to request any additional access required by the business function.

  6. This is the escalation of access approval requests; it needs to support the same error handling as the manager access approval block (#4 above).

  7. This block is responsible for the actual system access provisioning and the creation of the necessary user accounts as requested by the manager for a new employee. Access provisioning can be done automatically or manually depending on the volume of requests and system capabilities.

  8. This block is responsible for integration with the service management system. Any action that requires opening a service ticket is handled via this flow. It is highly recommended to have an API-level interface to the service management system that the IAM system can use to open service requests, check their status and close them on completion. All systems in the scope of employee provisioning activities, such as systems for telephone/voice provisioning, computer hardware requests and building access, can interface with the service management system as shown on the diagram.

  9. As a result of successful provisioning, the IAM system assigns a unique enterprise ID and associates it with access to all provisioned systems. This ID is the unique key used in reporting and compliance across enterprise systems; it helps answer the question "who has access to what, and why?". In many cases the enterprise ID needs to be communicated back to the central employee database managed by HR.

  10. This is the centralized HR employee database used by many enterprises for employee management and reporting. For demonstration purposes it is shown as a Workday database, Workday being one of the popular HR and finance management products, but any other system can be used.

  11. This block is responsible for access removal. It may be necessary to remove access as part of employee on-boarding when the manager rejects or cancels provisioning requests, or when the employee fails to show up for work after access has been provisioned. Cancellation of access provisioning needs to distinguish between cases where the request was cancelled before access was provisioned and cases where it was cancelled after.

  12. This is the last event in the successful on-boarding flow, where the necessary account information is sent to the new employee and the manager is notified.
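The approval, escalation and cancellation rules of blocks 4, 6 and 11 can be captured as a small state model, which is a useful way to agree on the flow with all participants before implementation. The following is an added example, not code from the original article or from any IAM product; the 48-hour escalation window, the state names and the `AccessRequest` class are assumptions for illustration:

```python
# Added example (not from the article): a minimal state model for the manager
# approval blocks (4 and 6) and the access-removal block (11) of the flow.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ESCALATION_AFTER = timedelta(hours=48)  # assumed: upper end of the 24-48 h window


@dataclass
class AccessRequest:
    employee_id: str
    manager: str              # hiring manager (block 4)
    escalation_manager: str   # manager's manager (block 6)
    submitted_at: datetime
    state: str = "pending_manager"
    provisioned: bool = False  # has block 7 actually granted the access?
    audit: list = field(default_factory=list)

    def _log(self, event, at):
        self.audit.append((at.isoformat(), event, self.state))

    def check_timeout(self, now):
        """Block 4: a request the manager has not acted on escalates (block 6)."""
        if self.state == "pending_manager" and now - self.submitted_at >= ESCALATION_AFTER:
            self.state = "pending_escalation"
            self._log("escalated", now)
        return self.state

    def approve(self, who, now):
        """Only the current approver may act, and only while the request is open."""
        approver = self.escalation_manager if self.state == "pending_escalation" else self.manager
        if who != approver or not self.state.startswith("pending"):
            raise PermissionError(f"{who} cannot approve a request in state {self.state}")
        self.state = "approved"
        self._log(f"approved by {who}", now)
        return self.state

    def provision(self, now, succeeded=True):
        """Block 7; a failed request is routed to the security administrator."""
        if self.state != "approved":
            raise ValueError(f"cannot provision in state {self.state}")
        self.state = "provisioned" if succeeded else "failed_security_review"
        self.provisioned = succeeded
        self._log("provisioning " + ("ok" if succeeded else "failed"), now)
        return self.state

    def cancel(self, now):
        """Block 11: cancelling after provisioning must trigger access removal."""
        self.state = "deprovision_required" if self.provisioned else "cancelled"
        self._log("cancelled", now)
        return self.state
```

The audit list records every transition with its timestamp, which is the data the reporting described in block 9 depends on.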

This list provides only the essential steps and events present in a typical new employee on-boarding process; every company differs in the systems used and in the details of the business flow, so these should be carefully analyzed before proceeding with implementation.
