We’ve talked a lot about the importance of the HR system to identity management. Without the right integration between identity management and HR, there is no hope for any sort of automation or data reliability. Unfortunately, it’s not as easy as simply building a connector between the two systems. The HR system itself is an ugly monster that must be “trained” to work with identity management. Given the nature of the beast, getting the HR system to work with identity management could be one of the most difficult parts of the journey.

What the HR system is… and isn’t

The HR system is the source of record for payroll. The HR system is not the source of record for access.

Let me say that again: HR decides who gets paid, not who should have access.

This distinction is critical – here’s why…

Identity management relies on HR for information about new, transferred, and terminated users. However:

  • New hire issues: some HR departments do not enter employees into the HR system until after they have started working, to make sure they show up for work. Otherwise, they run the risk of paying someone who never worked. If this is the case, auto-provisioning new access will not be possible if access is needed on the first day of work – unless some workarounds are applied.
  • Transfer issues: HR systems can track and report on employee transfers, but:
    • The HR system can’t tell you if the employee needs to keep their previous access for a while to train someone else, or if they’re doing two jobs.
    • What might be considered a transfer from an access perspective (e.g., someone going from Accounts Payable to Accounts Receivable) might not be considered a transfer from an HR perspective (both positions are in the Accounting department).

Both of the above make handling transfers pretty complicated – not impossible, just really tricky.

  • Termination issues: an employee is terminated in HR when they stop getting paid, but employees don’t always stop getting paid on the day they stop needing access:
    • Most employees will get some sort of severance if they are laid off or even fired, so they may still show as active in the HR system for days, weeks, or even months after they were escorted out of the building.
    • Employees who resign or retire might take a paid leave of absence or vacation on their way out, again making them active in the HR system for days, weeks, or months after walking out the door.

Relying solely on the HR termination date for access removal opens the organization up to potential security threats from unhappy employees for quite a while.

As if all of the above weren’t enough, the HR system may not be up to date or “clean”. Sometimes line-management and even job data are missing or outdated. It’s also possible that new information is slow to be entered into the system. These data-quality limitations will eventually cap what the identity management program can automate.
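The three gaps above (late new-hire entry, transfers HR doesn’t see, and pay ending after access should have) can be made visible by comparing two HR feed snapshots rather than trusting HR status alone. The following is an added example, not code from the article; the field names (in particular `last_day_worked`, `job_code`, `manager_id`) and the two sample snapshots are constructed assumptions, since real HR feeds differ.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class HrRecord:
    emp_id: str
    department: str
    job_code: str
    manager_id: Optional[str]
    start_date: date
    last_day_worked: Optional[date] = None  # hypothetical field: the day access should stop
    term_date: Optional[date] = None        # the day pay stops (HR's "terminated")

def access_end_date(rec: HrRecord) -> Optional[date]:
    """Access ends on the last day worked, not when pay stops: take the earlier date."""
    known = [d for d in (rec.last_day_worked, rec.term_date) if d is not None]
    return min(known) if known else None

def reconcile(prev: dict, curr: dict, today: date) -> list:
    """Diff two HR snapshots into joiner/mover/leaver and data-quality events."""
    events = []
    for emp_id, rec in sorted(curr.items()):
        old = prev.get(emp_id)
        if old is None:
            # Joiner entered after their start date: day-one provisioning was impossible.
            events.append((emp_id, "JOINER_LATE_ENTRY" if rec.start_date < today else "JOINER"))
        elif rec.job_code != old.job_code:
            # Mover: a job-code change is a transfer for access even within one department.
            events.append((emp_id, "MOVER"))
        end = access_end_date(rec)
        if end is not None and end < today:
            # Leaver still in the feed (still paid) but past the day access should have ended.
            events.append((emp_id, "LEAVER_DISABLE_ACCESS"))
        if rec.manager_id is None:
            events.append((emp_id, "DATA_QUALITY_NO_MANAGER"))
    return events

# Constructed sample feeds: yesterday's and today's snapshot, evaluated on TODAY.
TODAY = date(2024, 3, 4)
PREV = {
    "e1": HrRecord("e1", "Accounting", "AP-CLERK", "m9", date(2020, 1, 6)),
    "e2": HrRecord("e2", "Sales", "SALES-REP", "m3", date(2019, 5, 1)),
}
CURR = {
    "e1": HrRecord("e1", "Accounting", "AR-CLERK", "m9", date(2020, 1, 6)),  # same department, new job
    "e2": HrRecord("e2", "Sales", "SALES-REP", "m3", date(2019, 5, 1),
                   last_day_worked=date(2024, 2, 29), term_date=date(2024, 5, 31)),  # on severance
    "e3": HrRecord("e3", "HR", "RECRUITER", None, date(2024, 3, 1)),  # entered three days late
}
```

Running `reconcile(PREV, CURR, TODAY)` flags e1 as a mover despite an unchanged department, e2 for access removal three months before HR will show them terminated, and e3 as a late entry with no manager on record.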


This month, the goal is to develop relationships with the right people in HR (likely the expert system administrators, not necessarily the reps and recruiters themselves, although it might be both) to identify the following:

  • How/when new hires are entered into the system (and how job candidates are handled)
  • How/when transfers are handled in the system
  • Termination process and reasons
  • Reliability of data in general, and accessibility of the data for use by other systems.

In the next article, we’ll begin by tackling the new hire process.

About the Author Ioana Bazavan Justus
