In my first post, I covered some basic provisioning concepts and emphasized that while provisioning processes ideally are "role-aware," they also need to be sufficiently flexible to handle a variety of intervening events. In this post, I cover some of the ROI for improvements in provisioning processes and walk through just a few events in an employment life cycle to show where provisioning fits into HR processes. I'll follow up with two more posts: one to look at termination processes and the other to zoom in on architecture to support provisioning.
The ROI for Improving Provisioning
There are ample business cases for investments that improve provisioning processes.
- When employees and contractors are not granted timely access to the systems they need to do their jobs, the cost to productivity can be staggering. For a medium-sized company, systemic bottlenecks in granting individuals system access can quickly add up to hundreds of thousands of dollars in non-productive hours per year. For a large company, provisioning delays quickly translate to millions of dollars of lost productivity.
- Security risks are great if access and entitlements are not removed on a timely basis when employees and contractors terminate their work or when their roles change such that they no longer need certain system access.
- Compliance with Sarbanes-Oxley and a growing number of regulations related to data protection also contributes to the need for accurate and reliable processes for managing "who has access to what."
As mentioned in the prior post, provisioning is a horizontal enterprise process that intersects with a range of enterprise processes, but which has special implications for HR, which oversees employee comings and goings. In the sections that follow, I step through just a few parts of the employee life cycle to give a look at dependencies between provisioning and specific HR business events.
New Hire Import
It is common for employers to manage recruiting processes using hosted applicant tracking systems (SaaS-model providers). Upon acceptance of an offer, information collected about the new hire during the recruiting process often is imported into a core HR or ERP system. It is at this point that the individual's details are added to the HRIS and to an enterprise provisioning system and/or global directory. This is usually "pre-provisioning": it happens before the new employee has entered on duty or actually been granted any access or entitlements.
Onboarding
Onboarding is a collection of services to bring a new hire into employee programs and to furnish the individual with the permissions, access, and equipment he or she needs to be productive on the job. Onboarding is an orchestration of processes in its own right within a broader new hire choreography. Onboarding typically is a mix of manual and automated steps. Some of the steps have a specific sequence as well as dependencies relative to other steps. Business Process Management (BPM) engines are commonly used to manage some or all of the onboarding process. Onboarding component processes include:
- Work eligibility verification. Under U.S. law and under the laws of many other countries, new employees must present identity documents and those showing legal eligibility to work. Verification of work eligibility increasingly occurs as part of pre-hire screening processes. However, compliance requirements still generally require the new hire to present relevant documents in person to the employer (passport, visa, driver’s license, SSN card, etc.). From a provisioning perspective, completion of this step is a base-level threshold. If an individual isn't legally authorized to work, they obviously shouldn't have any entitlements or access to an employer's system resources.
- Badging. This typically involves the employee being photographed and may involve the collection of biometric information, if used in authentication processes. This usually results in the issuance of a badge or other physical credential to gain access to buildings and other facilities. Employers needing to control access and maintain security across large or distributed facilities often have central systems for managing access. Where that is the case, such systems usually would be tied into enterprise provisioning systems so that physical access to buildings and other facilities could be reliably granted or revoked based on the changing status or roles of employees and contractors.
- Benefits enrollment/Payroll setup. This typically involves several different integrations with payroll providers, third-party benefits administrators, and other benefit plan providers (savings plan, etc.). This doesn't have as much to do with the provisioning of access and entitlements as it does with the provisioning of accurate indicative data about the new employee.
- Training. Some degree of orientation and training (whether formal or informal) usually is part of the onboarding process. Training has some relationship to provisioning in that in some cases, training may be mandated before certain access is provided.
There are other steps in the onboarding process, for example, providing the employee with necessary equipment and facilities (a chair, computer, etc.) or procuring such equipment if it isn't in inventory. However, these aren't addressed here since they aren't directly related to provisioning of system access and entitlements.
Not all of the above steps proceed linearly, but consider a new employee or contractor who has been added to the provisioning systems and has been badged, equipped, oriented, etc. That employee might initially be provisioned for access to systems based on his or her role. But what happens after that? Stuff happens! After employees get hired, they may or may not make it through probation. If they make it through probation, they may take on new assignments requiring new access and entitlements. They may take extended periods of leave (family medical leave, sabbaticals, etc.). They return to work. They transfer to new departments, locations, etc. Organizations also change around employees. Systems are added, replaced, and consolidated. Divisions are acquired and sometimes spun off. The point is that a wide range of events can occur that require provisioning and de-provisioning of system access and entitlements. Provisioning architecture must be sufficiently flexible to accommodate the pace and variety of provisioning events that occur in the real world.
A good deal of security research has focused on role-based access control. However, as described in the preceding paragraph, provisioning also must be responsive to a wide variety of business and life events. Access control driven solely from pre-defined roles quickly breaks down and gets complicated in the real world. So it is helpful for any role-based access framework to also allow for some type of request-based management of access and entitlements. Supervisors or applicable authorities would review and approve such requests within applicable policies. For purposes of effective compliance and management, metadata regarding who approved what access and why also should be tracked.
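The following sketch is an added example, not code from the original post. It combines a role baseline, the eligibility and training thresholds described under Onboarding, and request-based grants that record who approved what and why. The role names, entitlement names, and function names are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed sample policy: role baselines and training prerequisites (hypothetical names).
ROLE_BASELINE = {"accountant": {"email", "erp_ledger"}, "engineer": {"email", "source_repo"}}
TRAINING_REQUIRED = {"erp_ledger": "sox_controls"}

@dataclass
class Person:
    name: str
    role: str
    eligibility_verified: bool = False
    training: set = field(default_factory=set)
    grants: dict = field(default_factory=dict)  # entitlement -> (source, approver, reason)
    audit: list = field(default_factory=list)   # (action, entitlement, approver, reason)

def allowed(p, ent):
    """Base threshold: verified work eligibility, plus any mandated training."""
    need = TRAINING_REQUIRED.get(ent)
    return p.eligibility_verified and (need is None or need in p.training)

def reconcile(p):
    """Re-run after every lifecycle event (hire, training, transfer) to add and revoke."""
    wanted = {e for e in ROLE_BASELINE.get(p.role, set()) if allowed(p, e)}
    for ent, (source, _, _) in list(p.grants.items()):
        keep = ent in wanted if source == "role" else allowed(p, ent)
        if not keep:
            del p.grants[ent]
            p.audit.append(("revoke", ent, "system", "reconcile"))
    for ent in sorted(wanted - p.grants.keys()):
        p.grants[ent] = ("role", "system", "role:" + p.role)
        p.audit.append(("grant", ent, "system", "role:" + p.role))
    return set(p.grants)

def approve_request(p, ent, approver, reason):
    """Request-based grant outside the role baseline; approver and reason are mandatory."""
    ok = bool(approver and reason) and allowed(p, ent)
    p.audit.append(("grant" if ok else "deny", ent, approver, reason))
    if ok:
        p.grants[ent] = ("request", approver, reason)
    return ok
```

Calling `reconcile` after a transfer revokes role-derived access the new role no longer includes, while an approved request survives with its approver and reason intact in both `grants` and `audit`.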
Provisioning: Employment Lifecycle
