So far in this series on identity management, the focus has been on activities and cleanups for data that is ultimately handled by identity manager. Now we shift the lens to focus on an element of role manager â€“ building hierarchies and managing vacancies. This is actually one of the big advantages that role manager has to offer, even though it’s not specifically access-related (except in a roundabout way).
What is vacancy management?
Vacancy management is identifying and proactively handling the vacancies created when people change positions/roles within the organization or leave altogether.
How many times has an access request or purchase order stagnated without approval because the approver left the company and a replacement wasn’t identified? In a large organization this is a daily occurrence. Vacancy management can proactively prevent this problem.
This is a challenge because vacancies are out of scope of the general HR focus on managing payroll. Â From an HR perspective, a vacant role requires no salary and no further consideration. But from an approval perspective, someone needs to be in the role â€“ even if it’s a temporary someone until the role is officially re-filled.
That is the power of vacancy management: vacant roles are proactively identified and workflows are triggered a workflow to solicit a replacement. Easy, right? Of course not! 🙂
As usual, there are a few gotchas, including setting up the approval hierarchies to begin with, and then defining the workflows for the actual vacancy management.
There are three hierarchies that influence vacancy management:
- Line management (i.e., the chain of command: individual contributor reports to team lead reports to manager reports to director reports to VP reports to CXO reports to CEO)
- Data/access ownership (e.g., the UNIX engineering manager approves root access)
- Cost center ownership
The first hierarchy â€“ line management â€“ may seem like it’s something that would be available from the HR system, but it may not be. This is a discussion that should be had with the HR team. Some HR systems only store management information at the director/cost center owner level or higher, which may not provide the needed granularity. Also, the HR system may not be updated with reports-to information very often. Some companies only do it if there’s a major re-organization or when annual salary increases need to be assigned.
Data and access ownership information is strictly an identify management construct, and hopefully some decent information is already available in this area â€“ it has to be if access is already being granted and audited. However, that information may need some “massaging” â€“ for example, are approvers documented by name or role?
We already touched briefly on cost center ownership last month by saying that it may not make sense to create a role for every cost center. In a large organization there can be literally thousands of cost centers, and they change all the time for reasons that only the finance people could ever explain.
Some decisions will need to be made on what level of granularity is appropriate for this hierarchy – this is also true for data and access ownership.
Once each of the hierarchies has been determined, workflows need to be developed to handle a vacancy when it occurs. The following questions need to be answered:
- Who does the workflow go to?
- What if the recipient of the workflow is also a vacant role?
- Are there default actions that can be taken and/or can any of the information be obtained in an automated fashion (e.g., from HR)?
- Once the workflow is completed and the vacancy has been filled, does anyone/any system need to be notified?
Each vacancy management workflow should be designed to handle any vacancy situation to ensure that it ends in success. This means being able to handle multiple tiers of vacancy (i.e., keep going up the food chain until someone is found), and also establishing some default actions that the system can take to either minimize the human interaction or augment it. It should be noted that the intended scope here is to address permanent vacancies â€“ those created by job changes and termination â€“ not temporary vacancies created by leaves of absence or vacations. Itâ€™s actually a little harder to deal with the latter â€“ itâ€™s important get the permanent vacancies right, and then tackle the temporary ones, if desired.
The final step in the workflow â€“ notification â€“ closes the loop on the entire process. Although role manager and identity manager can facilitate identifying a new person to fill a vacancy, neither system has any particular use for this information. The information is actually only relevant to other groups or systems â€“ for example, the finance managers and/or the finance system would need to know about a new cost center owner; the access services team or access provisioning workflows would need to know about a new data owner.
Notification can be as simple as an email confirmation, as efficient as a task issued by identity manager that must be marked completed (to ensure a closed loop), or as complex as a system integration to fully automate the update process.
This month, we’ll develop each hierarchy using these 5 steps:
- Determine the needed granularity
- Collect what data is already available
- Obtain the data that is not available
- Develop the workflows for filling a vacancy when it arises
- Establish the notification processes/integration with other groups/systems that have a need to know
Weâ€™ll begin in the next segment by working on the reports-to hierarchy and workflows.