Enterprise identity strategy: 2. Provision key systems

Connect key systems

Provision important systems, where “important” is a mix of financially and politically significant systems. Typically, this might include the ERP system (if it’s different from the HR system, and especially the finance modules), help desk/trouble ticketing, call center, inventory control/supply chain, the intranet or key web-based applications, custom-developed database applications, and physical security (i.e., badging). You want to come up with a list that covers 80% of what real people in the organization care about; this is surprisingly easy to do. The list, I mean; deployment is hard.

These don’t all need to be done at once or for all users, but, again, it’s important to think through the business rules that govern the identity infrastructure so that all the pieces are coordinated over time.

For example, the badging system might be a unique source of identity data with information about people (e.g., night cleaning crews) who have access to your buildings but are not otherwise represented in your IT systems. You probably don’t want to give them email accounts or access to your corporate financials, but that information might be very valuable for disaster planning so that you know who is in your offices at any given time and who, exactly, they are. In some instances, such as hospitals, there are so many employees in the ‘extended enterprise’ that aren’t directly on the payroll that the badging system becomes the source of authority for identity data.

Deploy basic provisioning and workflow

As you move beyond basic capabilities, the feature sets of identity management products start to become differentiated. But in the current state of affairs, most of the major vendors have at least some workflow and automated provisioning capabilities. With the infrastructure pieces in place, you can start to take advantage of these capabilities to do things like new hire provisioning and employee self-service.

These will have obvious end-user benefits (“obvious” in the sense of visible, if not quantifiable), but the motivating factor is often de-provisioning. That is, the ability to rapidly — instantly — turn off an employee’s access to those key systems such as payroll or badging when they leave the company. It’s what’s politely described as a “zero day stop.” It can be brutally effective; by the time the now ex-employee leaves the conference room after their conversation with their manager, they can no longer access their email account or the corporate intranet or, sometimes, the phone extension on their desk. And it scales! Mass layoffs made easy!

Less ghoulishly, you also get tremendous reductions in help desk calls for password resets and routine requests for changes to information. You might not want to grant all of those requests (allowing users to change job_title often leads to entertaining results and I’ve heard of instances where people change their phone number in their record to a colleague’s number, in order to avoid work), but you can add a manual approvals step to the process to minimize those impacts.
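As an added illustration (not from the original post, and not any vendor's product), here is a toy provisioning workflow in Python that models the two rules discussed above: self-service changes to sensitive attributes such as job_title and phone land in a manual approval queue, and a termination triggers a “zero day stop” across every connected system. The system names, the disable order, and the Identity record layout are assumptions for the example.

```python
from dataclasses import dataclass, field
# Attributes a user may change freely vs. those routed to manager approval first
# (job_title and phone are the two the post names as commonly abused).
SELF_SERVICE = {"display_name", "preferred_language"}
NEEDS_APPROVAL = {"job_title", "phone"}
# Key systems from the post, in the (assumed) order a "zero day stop" hits them.
DEPROVISION_ORDER = ["badging", "payroll", "erp", "email", "intranet", "helpdesk"]

@dataclass
class Identity:
    user_id: str
    attrs: dict
    accounts: dict = field(default_factory=dict)  # system -> "active"/"disabled"
    pending: list = field(default_factory=list)   # (attr, value, requester) queue
    audit: list = field(default_factory=list)     # every action, for later review

def request_change(ident, attr, value, requester):
    """Self-service update: apply, queue for approval, or reject outright."""
    if attr in SELF_SERVICE:
        ident.attrs[attr] = value
        ident.audit.append(("change", attr, requester))
        return "applied"
    if attr in NEEDS_APPROVAL:
        ident.pending.append((attr, value, requester))
        ident.audit.append(("queued", attr, requester))
        return "pending_approval"
    return "rejected"  # everything else is owned by HR or IT, not the user

def approve_pending(ident, approver):
    """Manual approval step: a manager applies whatever is in the queue."""
    for attr, value, requester in ident.pending:
        ident.attrs[attr] = value
        ident.audit.append(("approved", attr, requester, approver))
    ident.pending.clear()

def zero_day_stop(ident):
    """Disable every connected account; returns the systems that were cut off."""
    disabled = []
    for system in DEPROVISION_ORDER:
        if ident.accounts.get(system) == "active":
            ident.accounts[system] = "disabled"
            ident.audit.append(("deprovision", system))
            disabled.append(system)
    # Unlisted systems are still cut off, but flagged so the inventory gap is noticed.
    for system, state in ident.accounts.items():
        if state == "active":
            ident.accounts[system] = "disabled"
            ident.audit.append(("deprovision-unlisted", system))
            disabled.append(system)
    return disabled
```

The second loop in zero_day_stop is the part worth copying: an account on a system nobody listed in the connector inventory is exactly the one a departing employee still has the next morning.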
