Introduction


Starters, Movers, Leavers? Joiners, Movers, Leavers? Hire to Retire? However you refer to your Employee Lifecycle Process I'm sure that the mere mention of it is also accompanied by a number of moans and groans. Most moans and groans are probably of the frustrated type along the lines of how long the processes take, having no way of telling which processes are complete and which are pending, and having to chase numerous people up along the way.

We get it completely! We understand the frustrations of Employee Lifecycle processes and we also understand the deeper issues, especially around security, that lurk underneath the surface frustrations of 'I just want my new employee to be able to start their job'.

In this article we will examine some of the common challenges of the Employee Lifecycle process and how automation will not only improve the speed and governance of these processes but how it will also prevent a number of potentially serious security holes.


Common Challenges and Risks of Manually Managing the Employee Lifecycle


Security Risks: It is well known that not properly managing the employee lifecycle, from new hire through to leaver, exposes organizations to many security risks. Classic issues include: unused new accounts that still carry their default passwords; employees moving around the business and collecting new authorizations as they go, which creates segregation of duties and sensitive access issues; and employees leaving while their system user IDs remain valid. Such user IDs can be used for malicious purposes. Effectively managing leavers has become even more critical now that many businesses rely on third-party cloud systems (for instance Salesforce.com), since ex-employees could still access these systems from their own homes, perhaps to illegally download business-sensitive information such as sales or marketing data.

Regular employee authorization re-certification processes are also an essential element in keeping each employee's authorizations commensurate with their job role.


Data Synchronization and Data Errors: Key employee information such as Name, Job Title and email address should remain correct, up to date, and synchronized across all systems and applications. Synchronizing this data can be extremely challenging, especially if you are not using common user IDs across systems. Automation can therefore play a vital part in ensuring that key employee data remains correct in all systems. It is also worth considering offering employees a self-service portal to enable them to periodically check and maintain their own data.


Process Orchestration: Most starter, mover, leaver processes need to be performed in a certain order, otherwise they will fail. For instance, there is no point requesting an SAP account before the AD/LDAP team has created an account and email address for the employee.


Process Tracking and Audit Trails: With so many different processes being performed by a number of different departments, it is little wonder why it is so difficult to track the progress of these activities whenever an employee starts, moves around, or leaves an organization.


Asset Management: And not only is tracking employees difficult, what about the company assets that they have been given? Laptop, mobile phone, perhaps even a company credit card. Have their expensive software licences, such as their SAP licence, been invalidated and returned to the pot? Again, robust and automated Employee Lifecycle management is key to ensuring that you know exactly what assets an employee has and that you have made sure that they have all been returned when the employee leaves.


Time and Effort: When you take all of the above into account then effectively managing your starter, mover, leaver processes takes an enormous amount of time and effort. Making matters worse is that this time and effort is often being expended by highly skilled, senior employees.



What key capabilities of a solution are required to properly address these challenges?


Ideally, one automation system should have all of the following capabilities and features in order to orchestrate and automate your Employee Lifecycle Processes:


Multi-system and Cross-Application Connectivity. It should be able to connect to multiple platforms and applications: MS Active Directory, SAP, Oracle Apps, AS/400, Unix, and other cloud or on-premise applications via API/SOAP (e.g. Salesforce).


It should be able to collect and analyze employee information from these systems, especially in the context of security: sensitive access, SoD, usage data, and SAP licence classification. It should also be able to detect changes in this data that can be used as workflow event triggers.


It would need to be able to execute commands and processes on these systems: for instance, create/update/delete users, provision roles, assign AD groups, etc.


Extensive workflow capabilities. It should have a visual, flexible, event-driven workflow automation (orchestration) and alerting engine that can also be used to track active processes and provide an audit trail of past activity.


It should be able to allow you to define standardized job/business role profiles or objects. For instance, the job role of "Accounts Payable Clerk" consists of an AD account attached to domain group 'AP_ADMIN' with a Professional Licence SAP account with roles 'Z:AP_DISP' and 'Z:AP_ADMIN'. This greatly improves security and maintenance as your Employee Lifecycle Automation system can provision access and authorizations based upon job roles.


Ideally the system should also provide employees with self-service capabilities. Self-service capabilities via a user portal can help keep data up to date, relieve a lot of time and pressure on your security teams and help desk, and also provide much higher levels of security and auditability. Commonly used self-service processes are: password reset, emergency access, new authorization requests, recertification processes, and employee checks and corrections of their own key data.




Creating a Secure “Joiner” Process

A good “joiner” process would ideally begin with an automated trigger from the HR system. Failing that, an HR team member or the new employee's manager would complete an online web form to capture all of the relevant data.

The monitoring system, such as ProfileTailor™ Dynamics, would then automatically select the applications in which new user accounts will be created, allocate the correct permissions and authorizations, set initial passwords, and send an email or text message to the employee and their superior notifying them that the user accounts are ready.

The key elements of a good joiner process would typically be:

  • Automatic identification of a new employee being created within the HR system, used as the trigger for the automated workflow to start. Failing this, other systems can be used as a trigger, or systems such as ProfileTailor™ Dynamics can provide a web portal through which new employee requests are raised manually.
  • Automatic allocation of permissions and provisioning capabilities for creating user accounts (at least in important applications).
  • A Segregation of Duties (SoD) and sensitive access check with the necessary approval steps if required.
  • The prevention (or at least the alerting) of manual user creation, to reduce the risk of hacking and of attempts to bypass the managing system.
  • The ability to escalate the process if the request is waiting for more than a specified amount of time.
  • One screen to see all open requests and their status.

Creating a Secure “Leaver” Process

An automated “leaver” process is crucial to verify that nothing is left behind when an employee leaves the organization. Many times, forgotten user accounts are used for hacking, committing fraud, and stealing data from cloud based systems.

When outlining a healthy leaver process, be sure to include the following:

  • Automatic identification of employee terminations from the HR system.
  • An automatic report sent to the security team (or the employee's manager), which includes the employee's activity during the two weeks prior to their leaving date. Employees often act irregularly during the final stages of employment.
  • Automatic locking or termination of all of the user's accounts in all systems. If a system cannot be accessed via API, then the automation system should at the very least open a helpdesk ticket.
  • The provision of a 'hot button' that can be used if an employee has been asked to leave with immediate effect. This would override the normal HR system trigger and shut down their access to all systems and accounts immediately.

Creating a Secure “Mover” Process

Moving between roles and departments within an organization often creates a number of new risks. This is because employees 'collect' new authorizations as they move from role to role, without any consideration given to removing the old ones. This can lead to numerous segregation of duties and sensitive access risks.

A good automated “mover” process should therefore include the following primary capabilities:

  • Automatic identification of an employee moving department or role.
  • Automatic removal of old permissions and authorizations and provisioning of new ones based upon the employee's new role. Some systems such as ProfileTailor™ Dynamics allow you to define business role objects that contain the full set of system accounts and roles/authorizations that a job role requires. The system can therefore automatically remove and re-provision access when it detects employee movements.
  • If you cannot automatically perform the above then, at the very least, an employee recertification workflow process should be triggered.
  • Resetting the employee's licence type according to the usage requirements of their new role.
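The following is an added worked example, not ProfileTailor™ Dynamics code and not tied to any vendor API, that ties together the business role objects described earlier (the "Accounts Payable Clerk" example with AD group 'AP_ADMIN' and SAP roles 'Z:AP_DISP' and 'Z:AP_ADMIN'), the joiner SoD check, the mover diff that strips collected authorizations and resets the licence, and the leaver lock-down with its hot-button path and helpdesk ticket for systems without an API. All other role names, AD groups, SAP roles, licence types, the SoD rule, the 'LegacyPayroll' system and the employee ID are constructed assumptions; the functions return the provisioning actions as tuples so the audit trail is visible.

```python
"""Role-based joiner / mover / leaver provisioning with an SoD check.

Added example: this is not ProfileTailor Dynamics code and calls no vendor API.
Every business role, AD group, SAP role, licence type, SoD rule, system name
and employee record below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BusinessRole:          # a job-role object: everything one job role needs
    ad_groups: frozenset
    sap_roles: frozenset
    sap_licence: str


# Constructed role catalogue; the AP Clerk mirrors the article's example.
BUSINESS_ROLES = {
    "Accounts Payable Clerk": BusinessRole(
        frozenset({"AP_ADMIN"}), frozenset({"Z:AP_DISP", "Z:AP_ADMIN"}), "Professional"),
    "Vendor Master Analyst": BusinessRole(
        frozenset({"VENDOR_MAINT"}), frozenset({"Z:VENDOR_MAINT", "Z:AP_DISP"}), "Professional"),
    "Warehouse Operator": BusinessRole(
        frozenset({"WH_USERS"}), frozenset({"Z:WH_PICK"}), "Limited Professional"),
}
# Constructed SoD rules: SAP role pairs that must never be held together.
SOD_RULES = {frozenset({"Z:AP_ADMIN", "Z:VENDOR_MAINT"}): "maintain vendor + pay vendor"}
# Constructed: systems with no API, where the workflow can only raise a ticket.
NON_API_SYSTEMS = ["LegacyPayroll"]


@dataclass
class Account:
    employee_id: str
    ad_groups: set = field(default_factory=set)
    sap_roles: set = field(default_factory=set)
    sap_licence: str = "None"
    locked: bool = False


def sod_conflicts(sap_roles):
    """Descriptions of every SoD rule violated by this set of SAP roles."""
    return sorted(desc for pair, desc in SOD_RULES.items() if pair <= set(sap_roles))


def joiner(employee_id, role_name):
    """Provision a new hire from the business role only, SoD-checking first.
    Returns (account, actions); account is None when approval is needed."""
    role = BUSINESS_ROLES[role_name]
    conflicts = sod_conflicts(role.sap_roles)
    if conflicts:   # the role definition itself conflicts: stop, route for approval
        return None, [("WORKFLOW", "approval_required", c) for c in conflicts]
    acct = Account(employee_id, set(role.ad_groups), set(role.sap_roles), role.sap_licence)
    actions = [("AD", "add_group", g) for g in sorted(role.ad_groups)]
    actions += [("SAP", "assign_role", r) for r in sorted(role.sap_roles)]
    actions += [("SAP", "set_licence", role.sap_licence),
                ("NOTIFY", "account_ready", employee_id)]
    return acct, actions


def mover(acct, new_role_name):
    """Re-provision from the new role. Anything not in the new role is removed,
    including authorizations 'collected' outside any business role."""
    role = BUSINESS_ROLES[new_role_name]
    actions = [("AD", "remove_group", g) for g in sorted(acct.ad_groups - role.ad_groups)]
    actions += [("AD", "add_group", g) for g in sorted(role.ad_groups - acct.ad_groups)]
    actions += [("SAP", "remove_role", r) for r in sorted(acct.sap_roles - role.sap_roles)]
    actions += [("SAP", "assign_role", r) for r in sorted(role.sap_roles - acct.sap_roles)]
    if acct.sap_licence != role.sap_licence:   # licence reset for the new role
        actions.append(("SAP", "set_licence", role.sap_licence))
    acct.ad_groups, acct.sap_roles = set(role.ad_groups), set(role.sap_roles)
    acct.sap_licence = role.sap_licence
    # The account now holds exactly the new role; any conflict left is in the
    # role definition, so it is routed to a recertification workflow.
    actions += [("WORKFLOW", "recertify", c) for c in sod_conflicts(acct.sap_roles)]
    return actions


def leaver(acct, immediate=False):
    """Lock every account and strip access. 'immediate' is the hot-button path
    for an employee asked to leave at once: same actions, tickets marked urgent."""
    urgency = "urgent" if immediate else "normal"
    actions = [("NOTIFY", "activity_report_last_14_days", acct.employee_id),
               ("AD", "disable_account", acct.employee_id),
               ("SAP", "lock_user", acct.employee_id)]
    actions += [("SAP", "remove_role", r) for r in sorted(acct.sap_roles)]
    actions.append(("SAP", "release_licence", acct.sap_licence))
    actions += [("HELPDESK", "ticket_" + urgency, f"{s}: disable {acct.employee_id}")
                for s in NON_API_SYSTEMS]
    acct.locked, acct.ad_groups, acct.sap_roles = True, set(), set()
    return actions


if __name__ == "__main__":
    acct, steps = joiner("E1001", "Accounts Payable Clerk")
    acct.sap_roles.add("Z:VENDOR_MAINT")       # access collected outside any role
    print("SoD conflicts before move:", sod_conflicts(acct.sap_roles))
    for step in steps + mover(acct, "Warehouse Operator") + leaver(acct, immediate=True):
        print(step)
```

The mover deliberately diffs against the whole current account rather than against the old business role: that is what removes the 'Z:VENDOR_MAINT' role the employee picked up along the way, and it is why the SoD conflict present before the move is gone afterwards.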


Some Additional 'Business as Usual' Employee Processes that can be Automated

There are a number of other 'business as usual' processes that, when automated, and in some cases made available on a self-service basis, will create a far more secure environment and also save a lot of time, cost and effort. For example:


Automatically locking inactive user accounts. Inactive user accounts are both a security risk and potentially a waste of expensive licenses. Locking them with a well-documented process that also sends friendly warning emails to employees beforehand can save significant helpdesk and IT resources. When implementing this process, remember that some accounts should not be locked even if they are inactive (e.g. administrators).
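As an added example (not vendor code), the following shows one way to implement the inactive-account policy just described: a warning stage before locking, an exclusion list so that administrator and service accounts are never auto-locked, and a never-used account measured from its creation date so that unused accounts with default passwords are caught too. The thresholds, account records, user names and account types are constructed assumptions.

```python
"""Inactive-account locking with a warning period and an exclusion list.

Added example, not vendor code. The thresholds, exemption rules and account
records below are constructed for illustration.
"""
from datetime import date

WARN_AFTER_DAYS = 60    # constructed policy: friendly warning after 60 idle days
LOCK_AFTER_DAYS = 90    # lock after 90 idle days, but only if a warning went out
# Constructed exclusions: accounts that must never be auto-locked, by name or type.
EXEMPT_USERS = {"admin.backup"}
EXEMPT_TYPES = {"admin", "service"}
RUN_DATE = date(2024, 6, 1)   # constructed "today" so the run is reproducible

# Constructed sample records. last_login None = the account was never used,
# so idle time is measured from creation (catches unused accounts that still
# carry their default password).
ACCOUNTS = [
    {"user": "j.smith", "type": "employee", "created": date(2023, 9, 1),
     "last_login": date(2024, 5, 20), "warned_on": None, "locked": False},
    {"user": "a.jones", "type": "employee", "created": date(2023, 9, 1),
     "last_login": date(2024, 3, 20), "warned_on": None, "locked": False},
    {"user": "b.lee", "type": "employee", "created": date(2023, 9, 1),
     "last_login": date(2024, 2, 1), "warned_on": date(2024, 4, 5), "locked": False},
    {"user": "c.wu", "type": "employee", "created": date(2023, 9, 1),
     "last_login": date(2024, 2, 1), "warned_on": None, "locked": False},
    {"user": "d.kim", "type": "employee", "created": date(2023, 9, 1),
     "last_login": date(2024, 3, 25), "warned_on": date(2024, 5, 25), "locked": False},
    {"user": "new.hire", "type": "employee", "created": date(2024, 2, 10),
     "last_login": None, "warned_on": date(2024, 4, 15), "locked": False},
    {"user": "admin.backup", "type": "admin", "created": date(2020, 1, 1),
     "last_login": date(2023, 1, 1), "warned_on": None, "locked": False},
    {"user": "svc_sapgw", "type": "service", "created": date(2020, 1, 1),
     "last_login": None, "warned_on": None, "locked": False},
    {"user": "old.user", "type": "employee", "created": date(2020, 1, 1),
     "last_login": date(2022, 1, 1), "warned_on": date(2022, 3, 5), "locked": True},
]


def idle_days(account, today):
    """Days since last login, or since creation if the account was never used."""
    return (today - (account["last_login"] or account["created"])).days


def classify(account, today):
    """Decide the action for one account: active, warn, warned, lock, exempt or skip."""
    if account["locked"]:
        return "already_locked"
    if account["user"] in EXEMPT_USERS or account["type"] in EXEMPT_TYPES:
        return "exempt"                      # e.g. administrators: never auto-lock
    idle = idle_days(account, today)
    if idle < WARN_AFTER_DAYS:
        return "active"
    if idle >= LOCK_AFTER_DAYS and account["warned_on"] is not None:
        return "lock"                        # past the lock threshold and warned
    if account["warned_on"] is None:
        return "warn"                        # first contact, even if already past 90 days
    return "warned"                          # warning sent, still inside the grace period


def plan(accounts, today):
    """Group users by the action this run should take; this is the audit record."""
    out = {}
    for acct in accounts:
        out.setdefault(classify(acct, today), []).append(acct["user"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for action, users in plan(ACCOUNTS, RUN_DATE).items():
        print(f"{action:15} {', '.join(users)}")
```

Note the ordering in classify: an account that is already past the lock threshold but was never warned (c.wu above) gets a warning first rather than an immediate lock, which is what makes the "friendly warning beforehand" promise hold even when the job has not run for a while.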


Self-service password reset. This simple process can be very effective if implemented correctly and will save a huge amount on helpdesk or security team resources.


Managing Temporary Employees. Creating and closing temporary employee user accounts in systems and applications can cause a management headache and a potentially risky and insecure environment. Automating their user lifecycle processes can therefore save a significant amount of resources and prevent potentially high-risk accounts from being left open or accessible to abuse.


Emergency Access and Temporarily Elevated Access (Absence Delegation). It is inevitable that at some point certain employees will require Emergency Access to fix issues, or that key personnel will be absent. An automated Emergency Access workflow or a Temporary Delegation workflow can provision elevated permissions and authorizations for a fixed period of time to cater for such circumstances. Such workflows can include approval steps and a detailed audit log of what actions were performed during the period of elevated access.




Next Steps...

Hopefully this article has provided a thought-provoking insight into how automation can help secure your enterprise and also vastly reduce the amount of effort and cost associated with managing your Employee Lifecycle processes.

If you would like to find out more about how Grey Monarch and ProfileTailor™ Dynamics can help in this area then please do contact us or have a look at our dedicated page here.
