How to connect my HRIS and my Active Directory?

Published: 02/2022

The creation of Active Directory accounts must be done using information transmitted by HR. We offer solutions to obtain this information from the HRIS. In this way, the information is more reliable, but you can also automate this through an identity and access management platform.

Summary

The process is well-established: the HR department sends the information of a new employee to the IT department. All the information is used to create the user's Active Directory account.

One would almost think we are in a fairy tale, because it rarely happens this way. The process may be non-existent, the information may arrive incomplete (missing information, no arrival date, etc.) and, above all, the information may change, because an employee's arrival date can shift depending on the notice period at their previous job.

Why connect to the HRIS?

The HRIS contains all the information required to create accounts for new hires: last name, first name, employee number, function, department, geographic location, arrival date, and potential departure date (in the case of a fixed-term contract, for example). This information is crucial for creating the Active Directory account with the correct security groups and settings so that the user's IT resources are operational upon arrival.

This data source is often called the "Golden Source" because it contains the contractual information that the new employee has signed and that corresponds to their employment contract or any amendments that modify the employment contract.

This is therefore the most reliable, most accurate and, above all, most up-to-date information, since this is generally the data source used to generate pay slips.

Having access to this information at the source allows:

  • to limit notification actions from the HR department: the IT department is informed as soon as the information is entered in the HRIS, no need to send an email or a ticket to notify the IT technician who will create the access rights.
  • to be informed when information is modified: the information is always up to date, no need for the HR department to think (or forget) to inform the IT department that the arrival date or first name has been corrected after the initial entry.
  • to have ALL the necessary information

How to connect to the HRIS?

The answer to this question obviously depends on your HRIS. Most recent SaaS HRIS systems have APIs that allow you to query the HRIS with an authentication key. This is often the simplest method because it allows you to obtain information in a structured way in CSV, JSON or XML formats, for example.

In the case of on-premise HRIS, it is often possible to connect directly to their database. Whether it's SQL Server, MySQL, Oracle, or PostgreSQL, simply connect to the database with the appropriate credentials and extract the necessary information. However, this mode of operation requires knowing which tables to search and extracting the desired information. It is possible to have this information spread across multiple tables, so you will need to formulate the correct SQL query. You can call on the vendor for help, but vendors are not very responsive to this type of request.

It is also possible that your HRIS is more secure or less open. In this case, you will need to export the data in CSV format regularly to have the latest accurate information.

And then: the creation of Active Directory accounts

Now that you have the information from your HRIS, you need to create the Active Directory account corresponding to each new arrival. First, you need to compile the list of information to be entered in the Active Directory account. For fields such as the first name or last name, this is relatively easy. On the other hand, it can become more complex for other information such as the employee number: should it be entered in the EmployeeId or EmployeeNumber attribute? Which logon script should be entered? And above all, with regard to security groups, how do you avoid forgetting any?

For the most complex fields, you can use mapping tables to convert "HR" information into "IT" information. For example, a user's geographical location can be converted into an Organizational Unit (OU) that must be specified in AD. These mapping tables must be regularly updated to have the correct correspondences.
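The mapping-table approach described above, as an added example that is not code from the original article or from any vendor: a PowerShell dry run that turns an HRIS CSV export into account creations and skips any hire whose HR values have no mapping. The column names, OUs, group names, domain and naming rule are constructed assumptions, and it assumes the ActiveDirectory (RSAT) module is installed.

```powershell
# Added example: HRIS CSV export -> AD accounts, driven by mapping tables.
Import-Module ActiveDirectory

# Mapping tables (constructed values): HR values -> IT values.
$OuByLocation = @{
    'Paris' = 'OU=Paris,OU=Users,DC=example,DC=test'
    'Lyon'  = 'OU=Lyon,OU=Users,DC=example,DC=test'
}
$GroupsByDepartment = @{
    'Finance' = @('GRP-Finance-Users')
    'Sales'   = @('GRP-Sales-Users', 'GRP-CRM-Users')
}
# Constructed sample export; in practice: Import-Csv on the real HRIS file.
$hires = @'
EmployeeNumber,FirstName,LastName,Department,Location,ArrivalDate,DepartureDate
10042,Alice,Martin,Finance,Paris,2022-03-01,
10043,Bob,Durand,Sales,Lyon,2022-03-15,2022-09-14
10044,Chloe,Petit,Legal,Nice,2022-04-01,
'@ | ConvertFrom-Csv

foreach ($h in $hires) {
    # Fail closed: an HR value missing from a mapping table means no account,
    # not a default OU or a guessed set of groups.
    if (-not $OuByLocation.ContainsKey($h.Location) -or
        -not $GroupsByDepartment.ContainsKey($h.Department)) {
        Write-Warning "Skipped $($h.EmployeeNumber): unmapped location or department"
        continue
    }
    # Naive naming rule (assumption); a real one must handle collisions.
    $sam = ($h.FirstName.Substring(0, 1) + $h.LastName).ToLower()
    $params = @{
        Name           = "$($h.FirstName) $($h.LastName)"
        GivenName      = $h.FirstName
        Surname        = $h.LastName
        SamAccountName = $sam
        EmployeeID     = $h.EmployeeNumber   # or EmployeeNumber: pick one, stay consistent
        Department     = $h.Department
        Path           = $OuByLocation[$h.Location]
        Enabled        = $false              # enable on ArrivalDate, not before
    }
    if ($h.DepartureDate) {
        # Fixed-term contract: expire at the start of the day after the last day.
        $params.AccountExpirationDate = ([datetime]$h.DepartureDate).AddDays(1)
    }
    New-ADUser @params -WhatIf
    foreach ($g in $GroupsByDepartment[$h.Department]) {
        Add-ADGroupMember -Identity $g -Members $sam -WhatIf
    }
}
```

Remove -WhatIf only after reviewing the planned changes; the third sample row is skipped because "Legal" and "Nice" are absent from the mapping tables.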

HR information can also include the new employee's mobile number, which will allow you to send them the login credentials for the Active Directory account you just created for them via SMS.
