The process is well established: the HR department sends a new employee's details to the IT department. All the information is used to create the user's Active Directory account.
That is the fairy-tale version, and it rarely happens this way: the process may be non-existent, the information sent may be incomplete (missing details, no arrival date...) and, above all, the information may change, since an employee's arrival date can shift depending on the notice period at his or her previous job.
Why connect to HRIS?
The HRIS contains all the information needed to create the newcomer's account: surname, first name, personnel number, job title, department, geographical location, date of arrival and possible date of departure (in the case of a fixed-term contract, for example). This information is vital for creating the Active Directory account with the right security groups and settings, so that the user's IT resources are operational as soon as he or she arrives.
This data source is often referred to as the "Golden Source", as it contains the contractual information that the new employee has signed, corresponding to his or her employment contract or any amendments to it.
This is the safest, truest and, above all, most up-to-date information, since this data source is generally used to generate pay slips.
Having access to this information at the source allows you to:
- limit notification actions by the HR department: the IT department is informed as soon as the data is entered into the HRIS, so there's no need to send an e-mail or a ticket to notify the IT technician who will create the accesses.
- be informed when information is modified: the information is always up to date, so there's no need for the HR department to remember (or forget) to inform the IT department that the date of arrival or the first name has been corrected after the first entry.
- have ALL the information you need
How do I connect to HRIS?
The answer to this question obviously depends on your HRIS. Most recent SaaS HRIS systems have APIs that allow you to query the HRIS with an authentication key. This is often the simplest method, as it allows you to obtain structured information in CSV, JSON or XML formats, for example.
In the case of an on-premise HRIS, it is often possible to connect directly to the database. Whether it's SQL Server, MySQL, Oracle or PostgreSQL, all you have to do is connect to the database with the appropriate credentials and extract the necessary information. This mode of operation does, however, require you to know which tables to query to extract the desired information. The information may be spread over several tables, so you'll need to formulate the right SQL query. You can ask the software vendor to help you, but vendors are not very responsive to this type of request.
It is also possible that your HRIS is more secure or less open. In this case, you'll need to export the data in CSV format, usually on a regular basis, to get the latest information.
Next: creating Active Directory accounts
Now that you have the information from your HRIS, you need to create the Active Directory account corresponding to each new arrival. First, you need to compile a list of the information to be entered in the Active Directory account. For fields such as surname or first name, this is relatively easy. On the other hand, other information, such as personnel number, can become complex: should it be entered in the EmployeeId or EmployeeNumber attribute? Which login script should be used? And above all, when it comes to security groups, how do you avoid forgetting any?
For more complex fields, you can use mapping tables to convert "HR" information into "IT" information. For example, a user's geographical location can be converted into an Organizational Unit (OU), which can then be entered into AD. These mapping tables need to be updated regularly so that the conversion stays correct.
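The mapping-table step described above, as an added example that is not code from the original page: it turns a CSV export from the HRIS into a set of Active Directory attributes per newcomer, and sets aside any row that is incomplete or that the mapping tables do not cover. The CSV column names, OU paths, group names and the choice of the employeeID attribute are assumptions made for the illustration, and the code only builds the plan, it does not write to a directory.

```python
import csv
import io
from datetime import date

# Constructed mapping tables (assumptions): HR location -> OU, department -> groups.
LOCATION_TO_OU = {
    "Paris": "OU=Paris,OU=Users,DC=example,DC=com",
    "Lyon": "OU=Lyon,OU=Users,DC=example,DC=com",
}
DEPARTMENT_TO_GROUPS = {"Finance": ["GG-Finance", "GG-ERP-Users"], "Sales": ["GG-Sales"]}
REQUIRED = ("personnel_number", "first_name", "surname", "department", "location", "arrival_date")

# Constructed sample HRIS export; the column names are hypothetical.
SAMPLE_EXPORT = """personnel_number,first_name,surname,job_title,department,location,arrival_date,departure_date
1001,Alice,Martin,Accountant,Finance,Paris,2025-03-03,
1002,Bob,Durand,Sales Rep,Sales,Lyon,2025-03-10,2025-09-30
1003,Chloe,Petit,Analyst,Finance,Nantes,2025-03-17,
1004,David,,Intern,Sales,Paris,2025-04-01,2025-06-30
"""

def build_plan(export_text):
    """Return (accounts, rejected): AD attribute sets and rows needing review."""
    accounts, rejected = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        missing = [f for f in REQUIRED if not (row.get(f) or "").strip()]
        if missing:
            rejected.append((row["personnel_number"], "missing: " + ", ".join(missing)))
            continue
        ou = LOCATION_TO_OU.get(row["location"])
        groups = DEPARTMENT_TO_GROUPS.get(row["department"])
        # Fail closed: a stale mapping table must not place the user in a
        # default OU or silently leave out security groups.
        if ou is None or groups is None:
            rejected.append((row["personnel_number"], "unmapped location or department"))
            continue
        end = (row.get("departure_date") or "").strip()
        accounts.append({
            "employeeID": row["personnel_number"],  # assumption: ID stored in employeeID
            "givenName": row["first_name"], "sn": row["surname"],
            "title": row["job_title"], "department": row["department"],
            "ou": ou, "groups": list(groups),
            "arrival": date.fromisoformat(row["arrival_date"]),
            # Fixed-term contract: carry the end date so the account can expire.
            "expires": date.fromisoformat(end) if end else None,
        })
    return accounts, rejected
```

Rows returned in `rejected` are the ones to send back for a mapping-table update or an HR correction before any account is created.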
HR information can also include the newcomer's cell phone number, enabling you to text him/her the login details for the Active Directory account you've just created.