Slashdot Mirror
Ask Slashdot: New Employee System Access Tracking?
New submitter mushero writes: We are a fast-growing IT services company with dozens of systems, SaaS tools, dev tools and systems, and more that a new employee might need access to. We struggle to track this, both in terms of what systems a given set of roles will need and then has it been done, as different people manage various systems. And of course the reverse when an employee leaves. Every on-boarding or HR system we've looked at has zero support for this; they are great at getting tax info, your home address, etc. but not for getting you a computer nor access to a myriad of systems. I know in a perfect world it'd all be single-sign-on, but not realistic yet and we have many, many SaaS service that will never integrate. So what have you used for this, how do you track new employee access across dozens of systems, hundreds of employees, new hires every day, etc.?
There are a number of products build exactly for this....
IBM Has Tivoli Access Manager. It is as good as you expect a Enterprise IBM product to be :/ - ie not great....
Oracle has a product called Thor (now Oracle Identity Manager) which is built for this exact thing. Unfortunately it IS oracle, and all the shitty price and UI you expect from such a thing.
There is CA Identity Manager if you really hate yourself (It IS CA, and has all the fun and joy a CA product can give).
In short? There IS stuff build for this exact problem, the downside there is nothing good which has been built for this problem :/
Perhaps you could outsource this to a competent "IT services company".
Our company uses OneLogin with a set of custom scripts to sync everything with AD and our internal systems. Works pretty well.
My Other Computer Is A Data General Nova III.
Fairly simple conceptually.
The devil is in the detail if you expect a robust scaleable system which will gain traction in a business and survive the many political pressures to change to the latest great idea.
In short, get yourself an IAM Architect with a proven track record and sufficient authority in the business to drive the changes.
Good luck
Use a Service Catalog to inform employees what is available and how to access each service.
See https://itservices.stanford.edu/services for a good example.
For small scale implementation: Excel.
One excel per employee.
HR fills sheet which contains tick boxes for existing systems and sends filled form to IT.
IT opens accounts for that user per selection.
HR didn't file the form? No accounts.
HR missed certain box? Speak with manager and request access using normal request policies.
There are no atheists when recovering from tape backup.
I think you use single sign-on and try to do a better job of choosing services that support it. LDAP authentication is fairly prolific these days.
It's not a HR system but is a enterprise IAM plus it works great for small teams ( of 3 even )
https://www.portadi.com
More than happy to be a reference
Regards
John Jones
End of the day. Big or small, its not the tools its the business process that the tools are built around. Crawl, walk, Run; stop looking for the perfect solution. Start off with Excel get your process down so its clock work. New hire has accepted. This should be a cue for the hiring manager to start his process and not rely on HR. You don’t want HR allowing folks access to your production systems. Once its all down and working you look at what steps can be automated. Bite off chunks as they come at you and end the pursuit for the perfect system, it doesn’t exist.
It wasn't even *close* to cheap (either in implementation or ongoing support) but we added OIM (Oracle Identity Manager) to our existing Oracle suite of products (we have tons of databases, and Oracle owned "Health Sciences" apps, so we were already in bed with the devil to begin with) It uses SOA for workflows and approvals, and we built a series of templates for system access. Employee A starts the company as a Tech Writer? Automatically provision AD, OID, exchange, home directory, 5 shared folders, 3 sharepoint sites, and the QA logging application. (You get the idea) It also has the ability to provide self service, so if the previously mentioned user wants access to the Oracle Health Sciences cluster, he clicks the button next to it on the menu ... and the OHS Admin, and his manager get emails with links to approve.
Getting buy in from the business for this kind of spend took almost 2 years, and 9+ months to implement (defining workflow, approvers etc takes waaaay longer then you think it will!) The legal dept is also in love with the idea they can now request access reports for users, which makes the process of external audits go from days or information gathering .... to an automated email. At least for us (medium sized company, ~10,000 employees, currently growing at a rate of 75 a week) this has been a long trip... its not something you can simply bang out over a weekend with a 6 pack of Mtn. Dew and a spare server.
That's what you get for outsourcing everything. How about doing some real work for a change.
Can you use something simple like the group version of Lastpass / setup their accounts and manage their passwords / revoke access?
We use several SaaS solutions for our software development company's operations. I set up everything and one of my requirements was that we could log into all of them with our google apps for business email addresses. Works nicely, but with different services from different vendors, most of the API's and cross-system integrations deal with adding people, not typically the global management of adding and removing users from all services. You do have a centralized place to remove and/or disable an account though.
It works, it is complex, you need a large Budget (not for the licences but for linking your systems), you need an expert to implement which should be from the outside of your Organisation! https://www.microsoft.com/en-us/server-cloud/products/microsoft-identity-manager/default.aspx
Just use a centralized solution that is configured to give access and authorization to assets, they exist, it's called LDAP and you can plug whatever the hell information you want in them, even the HR-only information (such as tax records etc). You then just need to make sure your roles are defined within your organization and HR knows about which roles to give to a person.
If you're talking about giving people root/wheel access to certain boxes even when LDAP is broken, then you can still use LDAP as a source to feed into eg. an ansible/puppet script (or whatever configuration management system you decide to use) that runs every few minutes/hours/days and inserts/revokes access for those sysadmins.
Custom electronics and digital signage for your business: www.evcircuits.com
You absolutely must implement a policy that all software going forward must be able to authenticate via LDAP or RADIUS (backed by LDAP).
Otherwise, your little hire/fire checklist will get to be a mile long.
This is especially prevalent in the world of SSO, Directories and IDM. It can be done. But most companies are to cheap to pay someone to do it RIGHT.
You've got a couple of challenges as you grow fast. Not only tracking set up of access, but also making sure it is gone if/when the person leaves that is taken away along with any assets they may have received from the company. So treat a new employee as an action ticket. Each piece of access has to be recorded (could be a spreadsheet - that's a simple solution or even a simple Access or equivalent database, you could do something like that in an evening. Just secure it, back it up and back it up. Things to think about - what they need to get started (computer maybe) and basic access to get in - keep records of those physical assets and they're enrollment into the domain - additional software (how are you going to manage the licenses - if it isn't opensource) - what access do they need beyond basic to get their job done, do they need access to your customer database, etc. Another option is the use a Cloud Product - I've used Tivoli Service Request Manager (TSRM) successfully for tracking on-boarding and getting equipment and later de-boarding when necessary. This also gives you a legal record of what was set up for that person and what needs to be torn down. Just a thought.
I work somewhere that uses the Hitachi ID Identity and Access Management Suite:
http://hitachi-id.com/products/
I have no idea if it's good or bad, but I do periodic password changes through it across a range of systems and have never seen it mess things up.
We use Grouper an OSS project by Internet 2 which is designed to provide distributed access control to an institution. Http://grouper.internet2.edu.
Whatever manager requested the hire...ask for a setup like person. They likely need access similar to their peers. Use separate ldap groups for resource access, and role definitions. Role groups go inside resource access groups. I just finished writing a script to tie management of ad groups to the hris system, by jobcode and deptcode. Security and application managers can decide what roles get access to their apps. Going to trial it with a few apps. Going to need some change control on the hris system if we are really going to try to do some sort of rbac.
Look into http://sailpoint.com/
we use onelogin for SSO...you just set up a directory access (we use Azure Active Directory) and then can add any application they support (all the business apps we use)
you will need the skills to implement, or hire a consultant to help implement. VMware Workspace, Sailpoint, Okta, OneLogin, Siteminder are all options to consider. The simplest (to me) is to tie it to AD (since this is what most companies have already) and then use SAML to connect all the SaaS apps to it. SAML is pretty standard today as an option for most apps. WS-Fed if you want to tie back to Windows 2012. Anyway, it's real. my org is designed this way, we have about 50 apps, all run through one of these. Onboarding a new person took a few minutes, and it's priceless to me for my workday, 1 password to rule them all.
We use Spiceworks for ticket management, and OpenProject for longer term management. Both are free, and seem to work great!
Check out RapidIdentity from Identity Automation (http://www.identityautomation.com)
Your an it services company and you cant develop or figure out the tools to use to solve your IT related issues... umm the future sounds a bit rough for you guys.
First it sounds like you need DOCUMENTATION! the fact that its hard to manage employee ingress and egress means that you do not have clearly written procedures for such events.
"We struggle to track this, both in terms of what systems a given set of roles will need and then has it been done, as different people manage various systems."
I don't see how hard it is to determines what systems a given set of roles should need (hint, your customer should be letting you know or maybe you should ask them) you should have a list as to what everyone of your customers requires for each of the roles that they have in their business and then those procedures should be included on an in house wiki (in order to keep them up to date) that way when it comes time to track it, you can treat them as service tickets with a proper procedure and you are just checking boxes on a form (each box relating to a specific procedure) this allows different people to manage different systems all the while sharing the information about what each system and each customer needs.
your lack of documentation disturbs me. your immediate drive to find some widget to solve your problem should concern every stakeholder involved with your "IT Services" company.
Documentation is the answer, not software.
I'm an IT Implementorp of CA IDM and currently on a government project to replace Sailpoint with CA IDM as it's provisioning engine is lack luster at best. CA IDM has been around for years, has over 50 connectors to different products and can easily design a custom connector. It's Web Based with back end systems, and when plugged into GovernanceMinder can do auditing and determination of access before granting a user and violating an internal control (think SOX or HIPAA). These systems are expensive, can take a bit to deploy depending on your organizations size and user base, but once up and running they simplify your life.
http://pleasantsolutions.com/PasswordServer/
UCS is good at offering several authentication services (LDAP, Kerberos, AD/Samba4, SAML) for a central user database, has APIs to both automize user workflows based on informations provided by HR systems and integrate / provisioning other systems (like databases etc.), scales do to integrated multi-server-support -- and is fully open source and free. See https://www.univention.com/pro...
"On-board" is not a verb, it's an adjective.
http://www.merriam-webster.com/dictionary/onboard
If you wanted a verb, you could have used "initiate" or "set up".
What I've seen is that most companies are windows based and use active directory to centralize the vast majority of their permission management system. Almost every professional system out there then integrates into it via some LDAP mechanism, and it's usually relatively easy to switch in house apps over as well.
There's two other cases I've seen that aren't related explicitly to a person:
- required local accounts
- service accounts
There's always a lot of cases where you need a local account - like on networking hardware - but usually those are given general purpose accounts rather than linked with an individual. Service accounts, on the other hand, are used by software. Think database passwords. Companies usually end up using some sort of certificate authorization to access a database authentication token (be it username/password or other), and then use that to connect.
Depending on your company's password management policy, these last two cases can be hard to manage. Like rotating passwords on a periodic basis. I've yet to find any sort of commercial solution that works for these due to the specific nature of the problem - each scenario is unique enough that no general solutions work. As far as I've seen, in house software and dedicated IT teams tend to handle these.
>> We are a fast-growing IT services company with dozens of systems...We struggle to track this
Funniest thing I read all day. Thanks for the laugh!
Windows 10
Not the best, but it does work
http://www.heatsoftware.com/
Check out https://www.foxpass.com/ a new startup that just launched addressing exactly this problem.
As part of a very long term project I built exactly what the article says doesn't exist - a way to track onboarding and offboarding in a single system. One reason why it was a long term project is that it took that long for the systems and departments to catch up and buy into central tracking.
My system passed every internal, external, and federal audit. It is still running five years after I left the company. I was hired back as a consultant to integrate the parent data when the company was purchased because it worked so darn well.
What does it take? It takes C level buy in and endorsement to build and maintain. It takes the ability to get user data out of existing systems to track accounts. It requires a way for supervisors to request the access specific to their needs. It needs to get current and accurate HR data for MACD (move-add-change-delete) processes. It has to be linked with some sort of tracking application such as a ticketing system so there's accountability and tracking.
It can be done. It has been done. It's not an off the shelf solution and it isn't something that can be done in a month. It's hard work, it requires dedication to keeping it current with new systems, and it's worth every minute and penny spent.
Original Poster here - yes, these are all good suggestions and we should add more LDAP (we have large multi-thousand host LDAP systems now), but a lot, if not most of these systems we need, especially various SaaS tools, don't support this well, if at all. So a full SSO system is a real challenge - we are looking at AD integration next year to handle the ones that can.
But I don't really need this today - what I need is to TRACK all the system access, in part just to know what systems Johnny in Ops Engineering, etc. needs access to at what level, to notify the system owners to add/remove that, to track who added access and when, etc. as this happens over several days/weeks for new employees.
And to manage changes, which are of course frequent as this fall we add at least one new system per week - the cloud and SaaS is great, but managing users is not (assuming the system owner even reads the docs, manuals, sets roles correctly, etc.).
Today we have a huge XLS for this with common all-employee systems like HR, ERP, Email, etc. then per department blocks, then per role, then special stuff. It's pages long, and each item ties to an SOP, system access owner, etc.
And this is all just business systems, totally separate from our customers' operational systems, AWS/Alibaba/Rackspace/etc. IAM integrations, and our real work, which is totally separated and managed differently (hence the big LDAP systems, ticket integration, password managers, etc.)
So thinking we need to build a basic auth-like system but just that tracks users, roles, systems, roles in those systems, requests, approvals, changes, etc. But would have hoped this already existed.
Dude Linux does that. try useradd... Oh you're locked into proprietary systems that don't work with ISO standards? Sucks to be you, just get out of tech now and save everyone the headaches
The problem of having dozens of systems and many different login credentials is a problem that we are trying to solve with our online business platform. Here's a quick video that explains what we do: https://www.youtube.com/watch?... Feel free to check out our website too: http://www.inboldsolutions.com... I look forward to feedback also.