Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: New Employee System Access Tracking?

Posted by samzenpus on from the tracking-collar dept.

New submitter mushero writes: We are a fast-growing IT services company with dozens of systems, SaaS tools, dev tools and systems, and more that a new employee might need access to. We struggle to track this, both in terms of what systems a given set of roles will need and then has it been done, as different people manage various systems. And of course the reverse when an employee leaves. Every on-boarding or HR system we've looked at has zero support for this; they are great at getting tax info, your home address, etc. but not for getting you a computer nor access to a myriad of systems. I know in a perfect world it'd all be single-sign-on, but not realistic yet and we have many, many SaaS service that will never integrate. So what have you used for this, how do you track new employee access across dozens of systems, hundreds of employees, new hires every day, etc.?

50 of 87 comments (clear)

  1. In Theory - Thor by Anonymous Coward · · Score: 1

    There are a number of products build exactly for this....

    IBM Has Tivoli Access Manager. It is as good as you expect a Enterprise IBM product to be :/ - ie not great....

    Oracle has a product called Thor (now Oracle Identity Manager) which is built for this exact thing. Unfortunately it IS oracle, and all the shitty price and UI you expect from such a thing.

    There is CA Identity Manager if you really hate yourself (It IS CA, and has all the fun and joy a CA product can give).

    In short? There IS stuff build for this exact problem, the downside there is nothing good which has been built for this problem :/

    1. Re:In Theory - Thor by quetwo · · Score: 2

      Oh, it CAN be done. You just have to have somebody on staff who is an expert at RADIUS, LDAP, AD-AUTH, Kerberos, OAuth and probably a dozen other protocols that deal with authentication and authorization. Oh, and then a proper security audit because if you do it in house, are you sure that you can't drive a MAC truck through it?

      Having done the ROI estimate on such a project, we couldn't do it. And this was for a company that had at least standardized on products that use RADIUS and LDAP for all things they offered auth for.

      If it was easy to do, the list would include hundreds of products -- many of them open source. That should give you a clue.

    2. Re:In Theory - Thor by war4peace · · Score: 1

      [Disclaimer: I am an Oracle employee but am not part of any customer-facing LoB]

      OIM - Oracle Identity Management is a large-business solution. The UI is horrendous but it's one of the few Oracle products where that doesn't bother me, simply because you rarely access it.
      No idea about their pricing, though. Keep in mind that even it won't be an all-in-all solution, there's always going to be the odd environment with its own account management which can't be linked to OIM unless you're willing to spend obscene amounts of time and money.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    3. Re:In Theory - Thor by plopez · · Score: 1

      HP has a number of products as well.

      --
      putting the 'B' in LGBTQ+
    4. Re:In Theory - Thor by finkployd · · Score: 1

      I'm an implementer of OIM (10 years now). OIM is an excellent framework for a provisioning tool, but the connectors are terrible (fortunately easy to build your own against the API) and the UI is useless. The most successful OIM implementations I've come across (or built) have been ones that used a custom UI and/or just made everything scriptable. The API is really the saving grace of OIM. It's confusing, but it is powerful.

      Sadly, I'm watching the product spiral downhill as of the last several versions.

    5. Re:In Theory - Thor by finkployd · · Score: 1

      That is terrible, I've been an OIM consultant for a decade and I've never once run across an implementation that did not use custom connectors (in several cases, exclusively custom connectors).

      The out of box connectors are amateurish at best.

    6. Re:In Theory - Thor by Archangel+Michael · · Score: 1

      Standardize on LDAP and use AD to authenticate against. I know, Microsoft is the devil, but their LDAP stuff on AD is pretty secure and well documented. And quite frankly, their LDAP is best / easiest to deal with.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    7. Re:In Theory - Thor by quetwo · · Score: 1

      I for one have seen men and women working in IT with said skills. Besides, why would you even be using an authentication protocol your own staff has no clue about? That's just calling for trouble.

      Also, the ROI estimates I've usually seen decision makers rely on are one dimensional plain simple characterizations that hardly reflect the real world we live in. It's an insanely complex task getting it right and all that money could be used in actually getting things done.

      Sure, I've seen quite a few people with those skills. They don't work for me, and they probably don't work for the OP. If authentication is not in your line of business for your company, why are you making an internal product to do it? Oh, and it's a lot easier to implement a protocol like LDAP or RADIUS in an existing application than to build one from scratch. Knowing about 3DES TLS sockets is important, but let the professionals write the implementation.

      If it was easy to do, the list would include hundreds of products -- many of them open source. That should give you a clue.

      Building and open-sourcing custom solutions tailored for your personal needs is pointless. We're not talking about some universal it-does-everything solution, but a solution that will be tailored in-house to fit *your* unique combination of services and software. Nobody else would have the same needs as you.

      Sure. Your business is a special snowflake for everything you do. I get it. No other business has ever tackled doing authentication management before ever -- and none of them have ever integrated with one of the common SaaS products before. It's a good thing you are spending multiple man-years building an internal product rather than focusing on stuff you can sell, implement, consult on, or you know, make money on. Spending 1 FTE year building something that can be bought off the shelf for $50,000 is not worth it, if that product for $50,000 can do everything for you already.

  2. Onelogin by JBMcB · · Score: 1

    Our company uses OneLogin with a set of custom scripts to sync everything with AD and our internal systems. Works pretty well.

    --
    My Other Computer Is A Data General Nova III.
    1. Re:Onelogin by JBMcB · · Score: 1

      OneLogin is the authority, changes are pushed to AD which is just there to manage Windows credentials. All the web apps (which is pretty much all of our apps) authenticate off of OneLogin. You set your password through a custom portal that syncs up everything.

      --
      My Other Computer Is A Data General Nova III.
  3. In small scale.. by Keruo · · Score: 1

    For small scale implementation: Excel.

    One excel per employee.
    HR fills sheet which contains tick boxes for existing systems and sends filled form to IT.
    IT opens accounts for that user per selection.
    HR didn't file the form? No accounts.
    HR missed certain box? Speak with manager and request access using normal request policies.

    --
    There are no atheists when recovering from tape backup.
    1. Re:In small scale.. by war4peace · · Score: 1

      Shit idea.
      Great for onboarding, sucks for when employee X leaves the company (automated inactivation of accounts). Horrible for security (automatic password expiration push). Horrible for rehires or people changing departments. Et Caetera.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    2. Re:In small scale.. by DigiShaman · · Score: 1

      Basically adhere to SOP of IT/HR On-Boarding and Off-Boarding process.

      --
      Life is not for the lazy.
    3. Re:In small scale.. by Keruo · · Score: 1

      No reason why the same form couldn't be used for when the user is leaving.
      Gives nice ticked boxes which indicate each system where accounts need to be closed.
      Passwords should expire automatically every 30-60 days regardless the user is leaving or not.
      Rehires or department change? Just refill the form on another sheet to match the new position.

      --
      There are no atheists when recovering from tape backup.
    4. Re:In small scale.. by Thiez · · Score: 1

      If passwords expire in just 30 days people will either stop picking good passwords or start writing them down (they'll probably do both). A password should be usable for several months at least.

    5. Re:In small scale.. by war4peace · · Score: 1

      User leaves, nobody fills form because that's how human beings are, accounts remain active forever.
      Passwords should expire every 90 days, but it's one thing when you have one SSO password which expires every 90 days or 30 different passwords which expire every 90 days each. Having to reset and remember 30 passwords, one every 3 days on average, is mind-numbing.
      Rehires are tricky. Some companies have a data retention / e-mail address retention policy. it's impossible to enforce it with spreadsheets.

      Before long you'll have hundreds of Excel files everyone hates and nobody managing them.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  4. SSO by wstrucke · · Score: 1

    I think you use single sign-on and try to do a better job of choosing services that support it. LDAP authentication is fairly prolific these days.

  5. Made for exactly this : PORTADI by johnjones · · Score: 1

    It's not a HR system but is a enterprise IAM plus it works great for small teams ( of 3 even )

    https://www.portadi.com

    More than happy to be a reference

    Regards

    John Jones

  6. Tools by tsunamiiii · · Score: 1

    End of the day. Big or small, its not the tools its the business process that the tools are built around. Crawl, walk, Run; stop looking for the perfect solution. Start off with Excel get your process down so its clock work. New hire has accepted. This should be a cue for the hiring manager to start his process and not rely on HR. You don’t want HR allowing folks access to your production systems. Once its all down and working you look at what steps can be automated. Bite off chunks as they come at you and end the pursuit for the perfect system, it doesn’t exist.

  7. As much as I hate to mention the "O" word ... by CrackerJackz · · Score: 1

    It wasn't even *close* to cheap (either in implementation or ongoing support) but we added OIM (Oracle Identity Manager) to our existing Oracle suite of products (we have tons of databases, and Oracle owned "Health Sciences" apps, so we were already in bed with the devil to begin with) It uses SOA for workflows and approvals, and we built a series of templates for system access. Employee A starts the company as a Tech Writer? Automatically provision AD, OID, exchange, home directory, 5 shared folders, 3 sharepoint sites, and the QA logging application. (You get the idea) It also has the ability to provide self service, so if the previously mentioned user wants access to the Oracle Health Sciences cluster, he clicks the button next to it on the menu ... and the OHS Admin, and his manager get emails with links to approve. Getting buy in from the business for this kind of spend took almost 2 years, and 9+ months to implement (defining workflow, approvers etc takes waaaay longer then you think it will!) The legal dept is also in love with the idea they can now request access reports for users, which makes the process of external audits go from days or information gathering .... to an automated email. At least for us (medium sized company, ~10,000 employees, currently growing at a rate of 75 a week) this has been a long trip... its not something you can simply bang out over a weekend with a 6 pack of Mtn. Dew and a spare server.

    1. Re:As much as I hate to mention the "O" word ... by drinkypoo · · Score: 1

      If you're gonna spend a million dollars or whatever you can probably do it with Tivoli, maybe even without customization but probably not. IBM loves customization.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:As much as I hate to mention the "O" word ... by LDAPMAN · · Score: 1

      NetIQ Identity Manager would have been much cheaper. I've done both and it's not even close.

    3. Re:As much as I hate to mention the "O" word ... by finkployd · · Score: 1

      ForgeRock IDM or MidPoint are cheaper (read: open source) than both. But neither have quite the feature set yet.

    4. Re:As much as I hate to mention the "O" word ... by mjwx · · Score: 2

      It wasn't even *close* to cheap (either in implementation or ongoing support) but we added OIM (Oracle Identity Manager) to our existing Oracle suite of products

      We're an University of 30,000 students and 5,000 staff and we're getting rid of OIM because it cant do anything properly. After 3 years and literally millions of dollars it still cant communicate with Exchange, not only are we still employing the same number of people to do account provisioning (approx 14,000 new accounts per year) we're also employing a large team of developers who spend more time rolling back failed changes than developing new ones (jury is still out on whether this is a good thing). When Oracle recently turned around and said we needed to license another product to get Exchange connectivity it was the straw that broke the camels back.

      Not only this, Oracle is adamant that it cant be virtualised using VMWare. This means we need to keep around massive amounts of iron for the two times a year we do student intakes.

      Not only is OIM not even remotely close to cheap, it's not even remotely close to functional.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  8. Lastpass? by shri · · Score: 2

    Can you use something simple like the group version of Lastpass / setup their accounts and manage their passwords / revoke access?

  9. LDAP? by guruevi · · Score: 3, Interesting

    Just use a centralized solution that is configured to give access and authorization to assets, they exist, it's called LDAP and you can plug whatever the hell information you want in them, even the HR-only information (such as tax records etc). You then just need to make sure your roles are defined within your organization and HR knows about which roles to give to a person.

    If you're talking about giving people root/wheel access to certain boxes even when LDAP is broken, then you can still use LDAP as a source to feed into eg. an ansible/puppet script (or whatever configuration management system you decide to use) that runs every few minutes/hours/days and inserts/revokes access for those sysadmins.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:LDAP? by LDAPMAN · · Score: 1

      Nice idea but not enough in the real world. There are lots of thing that don't work with LDAP and there are other things that need manual provisioning.

    2. Re:LDAP? by guruevi · · Score: 1

      That's where the managed script comes in. LDAP works with most things that have access controls and is designed for just that purpose.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    3. Re:LDAP? by jon3k · · Score: 2

      I wasn't convinced until I read your name, but now I'm a believer.

      In all seriousness, you're correct. I've found in the real world you're using a combination of Active Directory (or some other LDAP) along with web based applications, and maybe even some compiled applications running locally. Some are behind the firewall, some aren't. You really need something that can support SAML along with form-filling that will also sync with AD to really cover the whole gamut. And even then some of it will be a manual process (eg that website that won't save passwords and doesn't support SAML).

      It's a big complex problem and no one has solved it 100%.

  10. Parent +1 by wezelboy · · Score: 1

    This is especially prevalent in the world of SSO, Directories and IDM. It can be done. But most companies are to cheap to pay someone to do it RIGHT.

  11. Cloud Solution it by btroy · · Score: 1

    You've got a couple of challenges as you grow fast. Not only tracking set up of access, but also making sure it is gone if/when the person leaves that is taken away along with any assets they may have received from the company. So treat a new employee as an action ticket. Each piece of access has to be recorded (could be a spreadsheet - that's a simple solution or even a simple Access or equivalent database, you could do something like that in an evening. Just secure it, back it up and back it up. Things to think about - what they need to get started (computer maybe) and basic access to get in - keep records of those physical assets and they're enrollment into the domain - additional software (how are you going to manage the licenses - if it isn't opensource) - what access do they need beyond basic to get their job done, do they need access to your customer database, etc. Another option is the use a Cloud Product - I've used Tivoli Service Request Manager (TSRM) successfully for tracking on-boarding and getting equipment and later de-boarding when necessary. This also gives you a legal record of what was set up for that person and what needs to be torn down. Just a thought.

  12. Internet 2 Grouper by langedb · · Score: 1

    We use Grouper an OSS project by Internet 2 which is designed to provide distributed access control to an institution. Http://grouper.internet2.edu.

  13. Lots of ways by df00z3756 · · Score: 1

    Whatever manager requested the hire...ask for a setup like person. They likely need access similar to their peers. Use separate ldap groups for resource access, and role definitions. Role groups go inside resource access groups. I just finished writing a script to tie management of ad groups to the hris system, by jobcode and deptcode. Security and application managers can decide what roles get access to their apps. Going to trial it with a few apps. Going to need some change control on the hris system if we are really going to try to do some sort of rbac.

    1. Re: Lots of ways by df00z3756 · · Score: 1

      Additionally a lot of sass providers support SAML, which makes it easy to manage cloud hosted app access. Simplesamlphp is my favorite. Shibboleth also works. There are commercial solutions like Ping and Okta.

    2. Re:Lots of ways by LDAPMAN · · Score: 2

      "Set up like" is a horrible model. It leads to over provisioning of access and poor governance.

    3. Re:Lots of ways by mjpaci · · Score: 1

      Where the hell are my karma points when I need them?

      +2 to you LDAPMAN.

      I work at a large company that has acquired (and not fully integrated) other companies over the years. To say that it's a complete mess when it comes to identity management is an understatement.

  14. Sailpoint? by XXeR · · Score: 1

    Look into http://sailpoint.com/

    1. Re:Sailpoint? by finkployd · · Score: 1

      Sailpoint has probably the best UI and access certification system around. Unfortunately their provisioning engine is a rebranded BMC Control-SA as I understand it. If that is still the case, no thank you :(

    2. Re:Sailpoint? by finkployd · · Score: 1

      Excellent, I'll have to check that out.

  15. Re:Competency by jon3k · · Score: 2

    Name three that are good.

  16. UCS (Univention Corporate Server) by tanati · · Score: 1

    UCS is good at offering several authentication services (LDAP, Kerberos, AD/Samba4, SAML) for a central user database, has APIs to both automize user workflows based on informations provided by HR systems and integrate / provisioning other systems (like databases etc.), scales do to integrated multi-server-support -- and is fully open source and free. See https://www.univention.com/pro...

  17. Re:LDAP by jon3k · · Score: 1

    Not possible. No business of any reasonable size is going to not purchase a particular software because it doesn't support a particular authentication mechanism. There are too many other requirements to write something off just because of no LDAP/RADIUS. There are far more complex reasons behind purchasing software of any real scale.

  18. Not my area of expertise but ... by quietwalker · · Score: 1

    What I've seen is that most companies are windows based and use active directory to centralize the vast majority of their permission management system. Almost every professional system out there then integrates into it via some LDAP mechanism, and it's usually relatively easy to switch in house apps over as well.

    There's two other cases I've seen that aren't related explicitly to a person:
        - required local accounts
        - service accounts

    There's always a lot of cases where you need a local account - like on networking hardware - but usually those are given general purpose accounts rather than linked with an individual. Service accounts, on the other hand, are used by software. Think database passwords. Companies usually end up using some sort of certificate authorization to access a database authentication token (be it username/password or other), and then use that to connect.

    Depending on your company's password management policy, these last two cases can be hard to manage. Like rotating passwords on a periodic basis. I've yet to find any sort of commercial solution that works for these due to the specific nature of the problem - each scenario is unique enough that no general solutions work. As far as I've seen, in house software and dedicated IT teams tend to handle these.

  19. Is it April Fool's day? by xxxJonBoyxxx · · Score: 1

    >> We are a fast-growing IT services company with dozens of systems...We struggle to track this

    Funniest thing I read all day. Thanks for the laugh!

  20. FoxPass by smontgomerie · · Score: 1

    Check out https://www.foxpass.com/ a new startup that just launched addressing exactly this problem.

    1. Re:FoxPass by arensand · · Score: 1

      I am the author of Foxpass. It was designed to solve exactly these pain-points with its cloud-hosted LDAP and RADIUS systems. Plus it ties into Google Apps, which many companies use as their de-facto root identity. Foxpass plus a SAML provider (i.e.) Okta is a great way to really close to single-sign-on everywhere (internally and externally), without running the services yourself.

  21. I Built It by Rastl · · Score: 1

    As part of a very long term project I built exactly what the article says doesn't exist - a way to track onboarding and offboarding in a single system. One reason why it was a long term project is that it took that long for the systems and departments to catch up and buy into central tracking.

    My system passed every internal, external, and federal audit. It is still running five years after I left the company. I was hired back as a consultant to integrate the parent data when the company was purchased because it worked so darn well.

    What does it take? It takes C level buy in and endorsement to build and maintain. It takes the ability to get user data out of existing systems to track accounts. It requires a way for supervisors to request the access specific to their needs. It needs to get current and accurate HR data for MACD (move-add-change-delete) processes. It has to be linked with some sort of tracking application such as a ticketing system so there's accountability and tracking.

    It can be done. It has been done. It's not an off the shelf solution and it isn't something that can be done in a month. It's hard work, it requires dedication to keeping it current with new systems, and it's worth every minute and penny spent.

  22. Need tracking, not central Auth by mushero · · Score: 1

    Original Poster here - yes, these are all good suggestions and we should add more LDAP (we have large multi-thousand host LDAP systems now), but a lot, if not most of these systems we need, especially various SaaS tools, don't support this well, if at all. So a full SSO system is a real challenge - we are looking at AD integration next year to handle the ones that can.

    But I don't really need this today - what I need is to TRACK all the system access, in part just to know what systems Johnny in Ops Engineering, etc. needs access to at what level, to notify the system owners to add/remove that, to track who added access and when, etc. as this happens over several days/weeks for new employees.

    And to manage changes, which are of course frequent as this fall we add at least one new system per week - the cloud and SaaS is great, but managing users is not (assuming the system owner even reads the docs, manuals, sets roles correctly, etc.).

    Today we have a huge XLS for this with common all-employee systems like HR, ERP, Email, etc. then per department blocks, then per role, then special stuff. It's pages long, and each item ties to an SOP, system access owner, etc.

    And this is all just business systems, totally separate from our customers' operational systems, AWS/Alibaba/Rackspace/etc. IAM integrations, and our real work, which is totally separated and managed differently (hence the big LDAP systems, ticket integration, password managers, etc.)

    So thinking we need to build a basic auth-like system but just that tracks users, roles, systems, roles in those systems, requests, approvals, changes, etc. But would have hoped this already existed.

  23. New thing called Linux by WhiteHorse-The+Origi · · Score: 1

    Dude Linux does that. try useradd... Oh you're locked into proprietary systems that don't work with ISO standards? Sucks to be you, just get out of tech now and save everyone the headaches

  24. InBold Business Platform by inBold · · Score: 1

    The problem of having dozens of systems and many different login credentials is a problem that we are trying to solve with our online business platform. Here's a quick video that explains what we do: https://www.youtube.com/watch?... Feel free to check out our website too: http://www.inboldsolutions.com... I look forward to feedback also.