From HR to IT: the painful journey of a new user

Published: 07/2022

Account creation by the IT department is a simple conversion of HR data (last name, first name, etc.) into technical data. But in reality, it's not always that simple.

Summary

The IT onboarding process is simple, but the friction starts very early.

When a new employee arrives in a company, the IT department is (generally) informed by the HR department. The HR department communicates information about this new employee so that the IT department can create the various accounts on internal tools and provide the employee with the correct hardware package.

That's the theory.

HR - IT Relations

In practice, it's a little less seamless.

Friction begins at the very start of the process: the information vector.

The IT department must be informed of a new arrival, as it is responsible for preparing all the necessary tools so that the new employee is operational from their arrival in the company. It is precisely at this stage that problems begin. Since the HR department generally does not have an automated system for transmitting information, it is an email, a ticket, or even a Word document that is sent manually to the IT department. This information is then supplemented by the IT department, which asks the manager, the HR department, etc., for additional information.

For example, the HR department communicates the arrival date, but if that date changes, the change is not propagated through the process. The IT department is then faced with a fait accompli: the employee who was supposed to arrive in 2 weeks is already on site and waiting for their credentials.

Work without your PC or access rights

Another example: the HR department has not transmitted the information of the department to which the new employee belongs, and the IT department cannot create the accounts correctly. The accounts will therefore be created without the correct authorizations, or the accounts will not be created until the IT department has obtained the correct information from HR.

In all cases, this friction wastes energy and time and leaves everyone dissatisfied (HR department repeatedly solicited, IT department overwhelmed, end user only partially operational).

Reasons for friction

The frictions I have just mentioned are very pernicious.

These frictions are barely visible: a user will always end up having access to the tools they need, whether it's on the first day or after a week or a month. The IT department will always end up creating the accounts and providing the equipment the user needs. So it's - seemingly - "not that bad".

However...

These frictions are recurring: with each new arrival, it's the same mess.

These frictions affect many employees (HR department, IT department, user, manager).

These frictions can lead the employee to leave during their trial period. In sectors where hiring is very tight, this can be a disaster.

These frictions create a bad atmosphere between departments.

These frictions can create security holes (misconfigured security groups, access left open and abandoned, etc.)

Before these frictions can be corrected and eliminated, it is essential to understand the reasons for them.

In a classic operation, if the IT department wants to know the list of people arriving soon, it is obliged to reconstruct the information sent individually by the HR department: retrieve all the emails, take the latest information if there have been any changes... This friction is generated by the so-called "differential" transmission mode.

In this "differential" transmission mode, information is sent on an ad hoc basis directly to the IT department:

  • 1st email: "a new user named Eric Boutier arrives on September 1st"
  • 2nd email: "his function will be 'Head of Department'"
  • 3rd email: "this user is actually arriving on August 31st"
Sending different emails

This information, sent sequentially, requires an effort of reconstitution by the IT department to arrive at the final information "A new user, Eric Boutier, Head of Department, arrives on August 31st."

The second reason for friction is what is commonly called "information hunting" (or "information fishing"). The HR department delivers partial information because it does not have the information or simply because it does not know what information the IT department needs to create accounts on the various tools (Active Directory, Office 365, Google Workspace, etc.).

How to correct these frictions?

To correct the friction generated by this chaotic process, there are 2 things to do.

First, a single repository must be created that lists users for both the HR and IT departments. This repository is populated by the HR department and consulted by the IT department. This user repository serves as a "buffer" and allows the IT department to consult the most up-to-date information available.

This unique repository must have several characteristics:

  • Generate notifications 🔔: to inform the IT department as soon as there is a change (a new arrival, a changed date or function for an employee arriving soon...)
  • Connect automatically to HR tools: this feature is optional but streamlines exchanges by limiting double entry by the HR department. Most HRIS (Lucca, Eurecia, ...) allow simple integration.
  • Have extensible fields 📈: as the process becomes more automated, it will be necessary to add new fields to this repository (employee number, business unit, cost center, etc.) that will be linked to business tools such as Salesforce, for example.
  • Be collaborative 🤝: so that everyone (HR, manager...) can enter the necessary information
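
A minimal sketch of such a repository, added here as an illustration (it is not the author's tool): it replays the three "differential" emails quoted earlier, keeps only the latest state, records a notification for every change, and lists the fields IT is still waiting for. The `UserRepository` class, the `REQUIRED` field list, the `eboutier` key and the year in the dates are assumptions.

```python
from datetime import date

# Fields IT needs before accounts can be created (assumed list for this example).
REQUIRED = ("first_name", "last_name", "arrival_date", "job_title", "department", "site")


class UserRepository:
    """Single HR/IT repository: HR writes partial updates, IT reads the merged state."""

    def __init__(self):
        self.records = {}        # employee key -> merged record
        self.notifications = []  # (key, field, old value, new value) for IT

    def upsert(self, key, **fields):
        record = self.records.setdefault(key, {})
        for name, new in fields.items():
            old = record.get(name)
            if old != new:       # notify only on a real change
                record[name] = new
                self.notifications.append((key, name, old, new))
        return record

    def missing(self, key):
        """Fields IT would otherwise have to go 'hunting' for."""
        record = self.records.get(key, {})
        return [f for f in REQUIRED if not record.get(f)]

    def ready(self, key):
        return not self.missing(key)


def replay_emails():
    """The three emails from the article as updates (constructed data, year assumed)."""
    repo = UserRepository()
    repo.upsert("eboutier", first_name="Eric", last_name="Boutier",
                arrival_date=date(2022, 9, 1))
    repo.upsert("eboutier", job_title="Head of Department")
    repo.upsert("eboutier", arrival_date=date(2022, 8, 31))
    return repo


if __name__ == "__main__":
    repo = replay_emails()
    print(repo.records["eboutier"])
    print("still missing:", repo.missing("eboutier"))
```
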

Secondly, it is necessary to define the "mapping" of HR information with the technical information that allows the creation of accounts.

For a simple example, to create the "UPN" (User Principal Name) field, which will be the user's login on Active Directory, you need their first name, last name, and the company's domain. With these 3 pieces of information, and the calculation "formula" (first letter of the first name, followed by a dot, followed by the last name and the domain), the login can be calculated.

So Franck Baritiu will become f.baritiu@domain.com for example.

UPN mapping

The methodology for building this mapping is simple: start with the information you want to end up with in the accounts you are going to create in each application. Then, simply ask the question "how is this information constructed?" to deduce the calculation formula to be defined.

This inverted and somewhat counter-intuitive method makes it possible to define the most effective transformation matrix possible, since it starts from the desired result to trace back to the necessary information and the calculation formulas to be defined.

Let's take the example of an Active Directory account. When you want to create an AD account for a newcomer, you have to define the Organizational Unit (OU) in which the account must be created. How do you choose the OU? Each company has its own strategy, but in our case, the OU must be defined according to the user's department and geographical location. We can therefore deduce that the HR information we will need is the geographical site and the department. The calculation formula will be, for example, a correspondence table that associates a specific OU with each department/site pair.

Thus, with a single repository and a correctly defined mapping, it is relatively simple to streamline and then automate the creation of accounts in your company's tools.
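
The two mappings described above (the UPN formula and the department/site to OU correspondence table), as an added example that is not the author's code. The OU entries, the accent stripping and the numeric suffix used when a login already exists are assumptions of this sketch; an unmapped department/site raises an error instead of falling back to a default OU, so no account is created with the wrong authorizations.

```python
import unicodedata

DOMAIN = "domain.com"  # placeholder domain taken from the article's example

# Correspondence table (department, site) -> OU. Entries are hypothetical.
OU_TABLE = {
    ("Finance", "Paris"): "OU=Finance,OU=Paris,DC=domain,DC=com",
    ("Sales", "Lyon"): "OU=Sales,OU=Lyon,DC=domain,DC=com",
}


class MappingError(ValueError):
    """HR data is insufficient to derive a technical field."""


def slug(text):
    # Strip accents, then keep only ASCII letters, digits and hyphens.
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return "".join(c for c in ascii_text.lower() if c.isalnum() or c == "-")


def build_upn(first_name, last_name, existing=()):
    """First letter of the first name + '.' + last name + '@' + domain."""
    first, last = slug(first_name), slug(last_name)
    if not first or not last:
        raise MappingError("first and last name are required to build the UPN")
    base = f"{first[0]}.{last}"
    taken = {u.lower() for u in existing}
    candidate, n = f"{base}@{DOMAIN}", 1
    while candidate in taken:  # assumed policy: never reuse an existing login
        n += 1
        candidate = f"{base}{n}@{DOMAIN}"
    return candidate


def resolve_ou(department, site):
    try:
        return OU_TABLE[(department, site)]
    except KeyError:
        # Fail closed: no default OU for incomplete or unknown HR data.
        raise MappingError(f"no OU mapped for department={department!r}, site={site!r}") from None


def map_account(hr, existing=()):
    return {
        "UserPrincipalName": build_upn(hr["first_name"], hr["last_name"], existing),
        "OU": resolve_ou(hr.get("department"), hr.get("site")),
    }
```
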

How to automate the population of technical information from HR data?

For each field of an account to be created, it is thus necessary to retrieve the user's information and transform this field according to a formula or correspondence tables.

An AD account can contain several dozen fields; most "classic" accounts (Office 365, Gsuite...) have at least a dozen.

These manipulations quickly become very time-consuming, so you should try to automate them as much as possible.

Many possibilities are available to you. The idea here is not to make an exhaustive list, but to give you some keys so that you can choose the method that suits you best.

The most basic: the good old Excel file. In one sheet, you enter the administrative information of your user, and in a second sheet, you display, using formulas (VLOOKUP, LEFT, RIGHT, etc.), the information to be filled in the correct fields of each account.

You can also use scripts if you know how to code or script: PowerShell, Batsh, you name it :)

Finally, the most practical approach is still to use an identity management tool (or identity governance management). These IAM tools centralize and simplify the creation of accounts on different systems based on information obtained from the HRIS.
