The IT onboarding process is straightforward, but the friction starts early.
When a new employee joins a company, the IT department is (usually) informed by the HR department. The HR department communicates the new employee's details, so that the IT department can set up the various accounts on internal tools, and supply the right hardware package to the employee.
That's the theory.
In practice, it's a little less fluid.
Friction starts at the very beginning of the process: the information vector.
The IT department needs to be informed of a new arrival, as it is this department that prepares all the necessary tools to ensure that the new employee is up and running as soon as he or she joins the company. This is precisely where the problems begin. As the HR department generally has no automated system for transmitting information, an e-mail, a ticket or even a Word document is sent manually to the IT department. This information is then supplemented by the IT department, which asks the manager, HR department etc. for additional information.
For example, the HR department communicates the date of arrival, but if that date changes, the update does not reach the IT department. As a result, the IT department is faced with a fait accompli: the employee who was due to arrive in 2 weeks' time is already in the office, waiting for his login details.
Another example: the HR department has not passed on information about the department to which the new employee belongs, so the IT department cannot create the accounts correctly. The accounts will therefore be created without the right authorizations, or the accounts will not be created until the IT department has obtained the right information from HR.
In all cases, this friction leads to wasted energy, lost time and dissatisfaction (HR department overworked, IT department overwhelmed, end-user only partially operational).
Reasons for friction
The frictions I've just mentioned are very pernicious.
These frictions are hardly visible: a user will always end up with access to the tools he needs, whether from day one or after a week or a month. The IT department will always end up creating the accounts and providing the hardware the user needs. So - on the face of it - it's "not that bad".
Except that...
- This friction is recurrent: with each new arrival, it's the same mess.
- This friction affects many employees (HR department, IT department, users, managers).
- Such friction can result in the employee terminating the trial period. In very tight sectors, this can be a catastrophe.
- This friction creates a bad atmosphere between departments.
- This friction can lead to security breaches (misconfigured security groups, open accesses left unattended, etc.).
Before we can correct and eliminate this friction, we need to understand the reasons for it.
In a conventional system, if the IT department wants to know which people will be arriving shortly, it has to reconstruct the information sent by the HR department: retrieve all the e-mails, take the latest information if there have been any changes... This friction is generated by the so-called "differential" transmission mode.
In this "differential" transmission mode, information is sent directly to the IT department on an ad hoc basis:
- 1st mail: "a new user named Eric Boutier arrives on September 1st".
- 2nd mail: "his function will be 'Head of Department'".
- 3rd mail: "this user actually arrives on August 31st".
This information, sent sequentially, requires the IT department to reconstruct the final information: "A new user, Eric Boutier, Head of Department, arrives on August 31st".
The second reason for friction is what is commonly known as "info hunting" (or "info fishing"). The HR department delivers partial information because it doesn't have the information, or simply because it doesn't know what information the IT department needs to create accounts on the various tools (Active Directory, Office 365, Google Workspace, etc.).
How can we correct this friction?
To correct the friction generated by this chaotic process, there are 2 things to do.
First of all, we need to create a single repository that lists users for both HR and IT departments. This repository is fed by the HR department and consulted by the IT department. This user repository acts as a "buffer", enabling the IT department to consult the most up-to-date information available.
This single repository must have several features:
- Generate notifications 🔔: to inform the IT department as soon as there is a modification (new arrival, modification of a date or function of an employee arriving soon...)
- Automatically connect to HR tools ⚙: this feature is optional, but helps to streamline exchanges by limiting double entry by the HR department. Most HRIS (Lucca, Eurecia, ...) allow simple integration.
- Have scalable fields 📈: as the process is automated, it will be necessary to add new fields to this repository (personnel number, business unit, analytical code...) which will be linked to business tools such as Salesforce for example.
- Be collaborative 🤝: to enable everyone to enter the necessary information (HR, manager...)
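A sketch of the single repository described above, added here as an illustration and not taken from the article or from any product: HR's partial updates are merged per employee, every effective change triggers a notification, and IT can list the fields still missing before it creates any account. The field names, the employee id `E001`, the year and the `REQUIRED` list are assumptions.

```python
from datetime import date

# Fields IT needs before any account can be created (assumed list).
REQUIRED = ("first_name", "last_name", "job_title", "department", "site", "start_date")


class UserRepository:
    """Single source of truth: HR writes partial updates, IT reads the merged record."""

    def __init__(self, notify):
        self._records = {}
        self._notify = notify  # callback invoked on every effective change

    def upsert(self, employee_id, **fields):
        record = self._records.setdefault(employee_id, {})
        # Keep only the fields whose value really changes: {field: (old, new)}.
        changed = {k: (record.get(k), v) for k, v in fields.items() if record.get(k) != v}
        record.update(fields)
        if changed:
            self._notify(employee_id, changed)
        return changed

    def get(self, employee_id):
        return dict(self._records[employee_id])

    def missing(self, employee_id):
        record = self._records.get(employee_id, {})
        return [f for f in REQUIRED if not record.get(f)]


def replay_page_example():
    events = []
    repo = UserRepository(lambda emp, diff: events.append((emp, diff)))
    # Constructed data mirroring the three e-mails quoted earlier; id and year are made up.
    repo.upsert("E001", first_name="Eric", last_name="Boutier", start_date=date(2024, 9, 1))
    repo.upsert("E001", job_title="Head of Department")
    repo.upsert("E001", start_date=date(2024, 8, 31))
    return repo, events
```

After the three updates the record holds the corrected arrival date, and `missing("E001")` still reports `department` and `site`, which is the signal to hold account creation rather than create accounts without the right authorizations.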
Secondly, we need to define the mapping between HR information and the technical information used to create the accounts.
To take a simple example, to create the "UPN" (User Principal Name) field, which will be the user's Active Directory login, we need the user's surname, first name and company domain. With these 3 pieces of information, and the calculation "formula" (1st letter of the first name, followed by a dot, followed by the last name and the domain), we can calculate the login.
So Franck Baritiu will become f.baritiu@domain.com for example.
The methodology for building this mapping is simple: start with the information you want to have in the accounts of the applications you want to create. Then, simply ask yourself the question "how is this information constructed?" to deduce the calculation formula to be defined.
This inverted and somewhat counter-intuitive method enables us to define the most efficient transformation matrix possible, since it starts with the desired result and works backwards to the information required and the calculation formulas to be defined.
Let's take an example of an Active Directory account. When you want to create an AD account for a newcomer, you need to define the Organisational Unit (OU) in which the account is to be created. How do you choose the OU? Each company has its own strategy, but in our case, the OU must be defined according to the user's department and geographical location. We can therefore deduce that the HR information we need will be the geographical location and the department. The calculation formula will be, for example, a correspondence table associating a specific OU to each department/site.
So, with a single repository and correctly defined mapping, it's relatively easy to streamline and automate account creation in your company's tools.
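The UPN formula and the department/site correspondence table described above, as an added Python example rather than code from the original article. The OU names, the accent stripping and the numeric suffix on a login collision are assumptions; the output keys match the `UserPrincipalName` and `Path` parameters of `New-ADUser`.

```python
import re
import unicodedata

# Constructed correspondence table: (department, site) -> OU distinguished name.
OU_TABLE = {
    ("Sales", "Paris"): "OU=Sales,OU=Paris,DC=domain,DC=com",
    ("Finance", "Lyon"): "OU=Finance,OU=Lyon,DC=domain,DC=com",
}


class MappingError(ValueError):
    """Raised when HR data cannot be mapped; the account must not be created."""


def _ascii_slug(text):
    # Strip accents, then keep only lowercase letters, digits and hyphens.
    decomposed = unicodedata.normalize("NFKD", text or "")
    ascii_only = decomposed.encode("ascii", "ignore").decode("ascii")
    return re.sub(r"[^a-z0-9-]", "", ascii_only.lower())


def build_upn(first_name, last_name, domain, taken=()):
    first, last = _ascii_slug(first_name), _ascii_slug(last_name)
    if not first or not last:
        raise MappingError("first and last name are required to compute the UPN")
    base = f"{first[0]}.{last}"
    candidate, n = f"{base}@{domain}", 1
    # Never reuse an existing login: a collision gets a numeric suffix (assumed rule).
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}@{domain}"
    return candidate


def resolve_ou(department, site):
    try:
        return OU_TABLE[(department, site)]
    except KeyError:
        # Fail closed: no default OU, so no account lands in a container
        # whose policies and delegations were never meant for it.
        raise MappingError(f"no OU mapped for {department!r}/{site!r}") from None


def map_account(hr, taken=()):
    return {
        "UserPrincipalName": build_upn(hr.get("first_name"), hr.get("last_name"), hr["domain"], taken),
        "Path": resolve_ou(hr.get("department"), hr.get("site")),
    }
```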
How can you automate the filling-in of technical information from HR information?
For each field of an account to be created, we need to retrieve the user's information and transform this field according to a formula or correspondence tables.
An AD account can contain dozens of fields, while most "classic" accounts (Office 365, G Suite...) have at least ten.
These operations quickly become very time-consuming, and you should try to automate them as much as possible.
There are many possibilities open to you. The idea here is not to make an exhaustive list, but to give you a few keys so that you can choose the method that suits you best.
The most basic: the good old Excel file. In one sheet, you enter your user's administrative information, and in a second sheet, you use formulas (SEARCH, LEFT, RIGHT...) to display the information to be filled in the right fields for each account.
You can also use scripts if you know how to code or script: PowerShell, batsh, you name it :)
Finally, the most practical solution is still to use an identity management tool (or identity governance management). These IAM tools centralize and simplify the creation of accounts on the various systems, based on information obtained from the HRIS.