When it comes to provisioning and deprovisioning user accounts, IT departments often don’t know who’s who in the organisation, or who should have access to what. They rely on being fed data by human resources (HR), the custodians of employee data. But how is this managed? How can users be managed in different environments based on the type of work they do?
Identity is the new control plane
The move from traditional on-premises IT to cloud services has dramatically changed the way systems are managed and controlled. When services are reached from any location and any device, many of the traditional management methods – network perimeter, managed desktop build, physical presence – are no longer feasible.
Free use of multiple mobile devices, from remote locations as well as on-premises, means that the only thing that really remains under an organisation's control is the identity an individual uses to access the services.
This is what we mean when we say that "identity is the new control plane". Applications and services are associated with individual users according to their job within the organisation, and access is decided at the point of authentication. If the identity is controlled, the device being used becomes much less of a concern.
As a result, the identity of the user is key. What is their role within an organisation? What does that mean they should be able to do within the applications and services they have access to?
Joining up IT and HR
The job and its associated information (job title, manager, position, etc.) are all stored in the human resources system. That makes HR the one place they can be looked up to make sure a job title is spelt correctly and consistently everywhere it appears. If your position is as important as 'Chief Cook and Bottle Washer (1st Grade)', the last thing you want is to see your job title in Active Directory (AD) referenced as 'C. Cook & BW'.
Quite often, when things go through a manual process, they get misaligned. What started out as a request to create a new account in AD for 'Dave Guest', the new starter in the 'Information Technology – Service Desk' department, can come out the other end as an account named 'DaveGest' in 'IT', simply because the information was re-typed along the way. Worse, a misspelt name may later fail to match the real person at all, leaving two identities for one employee.
A better way is to feed new-starter information directly from the HR system into AD, matching on a stable identifier such as the employee number rather than on the name. That way the name is spelt as it is in HR, the job title is the same, and so is the department.
There is a problem with this picture, though. Few HR systems can talk to AD directly and, even if they could, would anybody want every employee record added to AD? Each user who accesses Windows Server resources needs a Client Access License (CAL), so accounts for people who do not need access to IT are an avoidable cost, and every unused account is also an account that nobody is watching.
There is a solution to this.
Microsoft Identity Manager (MIM) allows us to take information from almost any HR system and process it against business rules, adding users to AD only where it is appropriate. If we can identify that all staff in certain departments get an AD account, MIM can take the relevant details from the HR record and provision the accounts directly into AD, and keep the AD attributes in step with HR as people change job or department.
This is a much better model, ensuring that user accounts are created in AD to match the business requirements. Better than that, it can also disable or remove accounts as people leave, driven by the leave date in HR. This closes one of the most common gaps found in access reviews: accounts that stay enabled after their owner has gone.
Enabling cloud synchronisation
Recently there has been a move towards greater use of cloud services and the publishing of company data on an intranet. This means that more and more people actually need IT accounts.
The same Windows Server CAL issue still applies, so an organisation may want only a definitive set of users who can access on-premises services through AD, while all of the remaining employees access services such as a protected intranet using a cloud account.
This means creating accounts in the cloud directory separately from those in AD. Microsoft provides a synchronisation utility, Azure AD Connect, which automatically takes the accounts from AD and makes them available in the cloud. We can add these to our diagram very simply.
Obviously, there is a problem with this. Only the employees who have an AD account are included. What about the remaining employees? What we really need is a way to link the HR system to the cloud directory so that these employees can also have an account.
This is something else that MIM can do. By creating a link directly between MIM and Azure Active Directory (Azure AD), these other employee accounts can be provisioned automatically into Azure AD, ready for use. The same employee identifier should be carried into the cloud account, so that if one of these people later moves into a department that gets an AD account, the synchronised AD object is matched to the existing cloud identity rather than creating a duplicate.
This means that the employees can access the intranet, or other cloud-based services, without the need for an AD account. As these accounts are managed completely in the cloud, they are available to the user from anywhere at any time.
These accounts are provisioned, and deprovisioned, following the chosen business rules. Now, all of the employees can access the relevant services using a known ID and password, with all of their personal information remaining consistent and correct.
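The provisioning and deprovisioning rules described above, for both the AD and the cloud-only populations, come down to one reconciliation pass over the HR feed. The following is an added example written for this article, not MIM or Azure AD Connect code, that models that pass. It assumes things the article does not specify: HR exports one record per employee with a stable employee_id and a leave date once someone resigns, a rule lists the departments whose staff get an on-premises AD account, everyone else gets a cloud-only account, and accounts are matched to HR on employee_id, never on name. All sample data is constructed.

```python
"""HR-driven provisioning model: an added example, not MIM or Azure AD Connect code.

Assumptions (not specified by the article): HR exports one record per employee
with a stable employee_id and a leave date once someone resigns; a rule lists
the departments whose staff get an on-premises AD account; everyone else gets a
cloud-only account. Accounts are matched to HR on employee_id, never on name,
so a retyped 'DaveGest' can never split into a second identity.
"""
import copy
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Business rule (assumed): HR departments whose staff are in scope for an AD account.
AD_DEPARTMENTS = {"Information Technology - Service Desk", "Finance"}


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    given_name: str
    surname: str
    job_title: str
    department: str
    leave_date: Optional[date] = None


@dataclass
class Account:
    employee_id: str
    directory: str      # "ad" (on-premises, synced to the cloud) or "cloud" (cloud-only)
    logon_name: str
    job_title: str
    department: str
    enabled: bool = True


def logon_name(rec: HrRecord) -> str:
    """Derive the logon name deterministically from HR data, so it is never retyped."""
    return f"{rec.given_name}.{rec.surname}".lower().replace(" ", "")


def target_directory(rec: HrRecord) -> str:
    return "ad" if rec.department in AD_DEPARTMENTS else "cloud"


def reconcile(hr_feed, accounts, today):
    """Apply the HR feed to the account list in place; return the actions taken."""
    by_id = {a.employee_id: a for a in accounts}
    actions = []
    for rec in hr_feed:
        acct = by_id.get(rec.employee_id)
        if rec.leave_date is not None and rec.leave_date <= today:
            # Leaver: disable on the leave date, whichever directory holds the account.
            if acct is not None and acct.enabled:
                acct.enabled = False
                actions.append(f"disable {acct.directory}:{acct.logon_name}")
            continue
        if acct is None:
            acct = Account(rec.employee_id, target_directory(rec), logon_name(rec),
                           rec.job_title, rec.department)
            accounts.append(acct)
            by_id[rec.employee_id] = acct
            actions.append(f"create {acct.directory}:{acct.logon_name}")
            continue
        if not acct.enabled:
            acct.enabled = True  # leave date cleared, or a re-hire under the same id
            actions.append(f"enable {acct.directory}:{acct.logon_name}")
        if (acct.job_title, acct.department) != (rec.job_title, rec.department):
            # HR is authoritative for these attributes: copy them, never retype them.
            acct.job_title, acct.department = rec.job_title, rec.department
            actions.append(f"update {acct.directory}:{acct.logon_name}")
    # Any enabled account with no HR record at all is an orphan and is disabled too.
    hr_ids = {r.employee_id for r in hr_feed}
    for acct in accounts:
        if acct.employee_id not in hr_ids and acct.enabled:
            acct.enabled = False
            actions.append(f"disable {acct.directory}:{acct.logon_name} (no HR record)")
    return actions


# Constructed sample data for the example.
HR_FEED = [
    HrRecord("100231", "Dave", "Guest", "Service Desk Analyst", "Information Technology - Service Desk"),
    HrRecord("100232", "Ann", "Patel", "Warehouse Operative", "Logistics"),
    HrRecord("100198", "Tom", "Reed", "Accountant", "Finance", leave_date=date(2024, 5, 31)),
]
EXISTING_ACCOUNTS = [
    Account("100198", "ad", "tom.reed", "Accountant", "Finance"),
    Account("100232", "cloud", "ann.patel", "Warehouse Assistant", "Logistics"),
    Account("100050", "ad", "j.contractor", "Consultant", "Finance"),  # no longer in HR
]


def run_example(today=date(2024, 6, 3)):
    """Run one sync over a copy of the sample data; returns (actions, accounts)."""
    accounts = copy.deepcopy(EXISTING_ACCOUNTS)
    return reconcile(HR_FEED, accounts, today), accounts


if __name__ == "__main__":
    for action in run_example()[0]:
        print(action)
```

Running it creates an AD account for the new service desk starter, a cloud-only update for the warehouse employee whose title changed in HR, and disables both the leaver whose leave date has passed and the orphan account with no HR record behind it. A second pass over the same accounts takes no action, which is the property a sync engine needs so that it can run on a schedule without side effects.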
Access is governed by the same HR-driven rules throughout: users get the services they need, when they need them, from wherever they are, and lose that access when they leave.
Linking an HR system to provide automatic provisioning of accounts, both to internal on-premises systems and to the cloud, gives a user population better-controlled access, keeps the accounts themselves under control, and keeps the data about each user consistent and correct.
Deploying an identity management system to provide this automation, including provisioning to cloud services, can save time and money while enabling the user population to work more effectively.
Want to learn more? Sign up to view a recording of our webinar, ‘Navigating the world of identity and access management’, and discover the key data security and user access benefits of implementing an effective identity and access management solution.