We started developing workflows in last month’s activity to manage vacancies. Relatively speaking, vacancy management workflows are comparatively simple and provide business-relevant quick-wins, which give credence to the IAM program. Since a full IAM implementation is typically a multi-year process, being able to point to tangible benefits along the way (other than, “hey – check out all the infrastructure we’ve installed!”) will keep management interested and budgets flowing.

This month, we continue down the workflow path by considering the more traditional workflows:

  • Provisioning and de-provisioning (I like to abbreviate this as “de/provisioning”)
  • Non-employee management
  • User or access recertification

These workflows can be significantly more complex than the vacancy management workflows described last month. But as with vacancy management, decisions need to be made as to the level of automation that will be implemented as this may impact product selection. For example, if the organization relies heavily on mainframe applications and a high degree of automation is desired for mainframe de/provisioning, then this should be front and center on the requirements list, as not all products handle mainframe integration equally.

Workflows, if designed and implemented correctly, can also provide significant ROI in terms of de/provisioning speed, reduced effort for audits, elimination of future user cleanups, and decreased costs for things like licenses and equipment.

Let’s look at the benefits of each workflow type in a little more detail.

De/provisioning
As discussed before, there are two categories of “things” when it comes to de/provisioning: those things that can be automated (e.g., access – it just depends how much money and effort you’re willing to spend on the automation), and those things that can’t be automated (e.g., equipment – a new laptop will never float down the hall to the waiting hands of a new employee, someone has to deliver it or at least call the employee to come pick it up).

Clearly, any de/provisionable items that are automated save time and effort if the system can automatically do something in a few seconds that might take a human being minutes to do. The trade-off is the complexity of the integration as compared with the expected usage. An application with ten users will likely never have de/provisioning automated – it’s probably too expensive. Then again, if it’s a critical application and likely to get overlooked since the access changes rarely, maybe it’s a prime candidate.

Items that can’t be automated are still great candidates for inclusion in a workflow, because doing so builds accountability and helps with tracking. In this case the workflow simply triggers manual tasks, but by requiring the person completing each task to mark it done in the system, and tracking that, it helps with the following:

  • Identification of what equipment was provided (or collected back)
  • Monitoring of Service Level Agreements (SLAs)
  • Accountability – the individual is less likely to mark the task complete if it isn’t, since they know it could come back to haunt them.

Although out of scope of this series, consideration should be given to integrating IAM with the asset management system to help with tracking of equipment and licenses over time.

Non-employee management

There are two types of non-employees at most companies: those that are there for a limited time (such as temps, consultants, etc.) to provide specific expertise on a project or act in a staff augmentation capacity, and those that are there indefinitely, because they are some sort of business partner (supplier, outsourcer, vendor technical support, etc.). As such, workflows must be designed to support both conditions.

Ultimately, non-employee management is a special-case user recertification, which is discussed below. It’s helpful to begin with non-employee management for two reasons:

  • It’s a relatively small and simple sub-set of user recertification, so it’s a good place to start and get some experience
  • It’s a valuable quick-win, since non-employees tend to be a significant blind spot: they are typically not centrally managed in an HR-like system the way employees are.

In fact, managing non-employees is of value not only to the access services or security group, because it provides better control over a group of users that is generally less trusted, but also to other groups, such as HR, if they’re trying to rein in the management of non-employees from a presence perspective, and finance, if they’re having trouble determining when non-employees come and go (to ensure they’re being paid, or not, appropriately).

User/Access Recertification

Many companies still do user or access recertification by hand – generating and emailing unintelligible spreadsheets to business managers asking them if the people on the list still report to them and if the access on the list is still appropriate. Not only is the initial data collection and distribution arduous, but the effort increases dramatically when the managers come back with countless questions in their attempt to understand the access listed, or when their frustration with the process leads them to become unresponsive, requiring repeated follow-up.

Many IAM products offer automation for recertification, but not all solutions are equally elegant. The top systems offer a variety of benefits:

  • Web-based view of individuals and their access
  • Individuals have already been compared against HR to ensure that they’re current (and if vacancy management is already in place, then the HR records can be trusted and “user” recertification is no longer necessary)
  • Access is presented in business terms, not as technical permissions, so that reviewers understand what they’re certifying
  • Whatever changes are indicated by the reviewer automatically trigger automated or manual implementation tasks which are tracked to completion and logged for easy reporting
  • Non-responsive reviewers are reminded automatically, and the line management hierarchy is used for automated escalations
  • Reports for the auditors are easy to generate
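As an added illustration (not code from the article), here is a small Python model of the recertification workflow described above, which also covers the non-employee special case from the previous section: access is first reconciled against HR (including a contractor end date), surviving entitlements become review items for the line manager, non-responsive reviewers are escalated up the hierarchy, and revocations are collected as tracked implementation tasks. All user, manager and entitlement names are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data (not from the article): an HR feed with a contractor end
# date, and application access already expressed in business terms.
HR = {
    "u100": {"manager": "m1", "type": "employee"},
    "u101": {"manager": "m1", "type": "employee"},
    "c200": {"manager": "m2", "type": "contractor", "end": "2024-03-31"},
}
MANAGER_OF = {"m1": "d1", "m2": "d1"}  # line-management hierarchy used for escalation
ACCESS = [
    ("u100", "Payroll: approve payments"),
    ("u101", "Payroll: view employee records"),
    ("c200", "ERP: vendor master maintenance"),
    ("x999", "ERP: vendor master maintenance"),  # no HR record at all: orphan
]
@dataclass
class ReviewItem:
    user: str
    entitlement: str
    reviewer: str
    due: date
    decision: str = ""       # "keep" or "revoke", set by the reviewer
    escalated_to: str = ""   # filled in when the reviewer misses the due date

def build_campaign(today_iso: str, days: int = 14):
    """User recertification against HR first, then one access review item per entitlement."""
    today = date.fromisoformat(today_iso)
    revoke, items = [], []
    for user, ent in ACCESS:
        rec = HR.get(user)
        if rec is None or ("end" in rec and date.fromisoformat(rec["end"]) < today):
            revoke.append((user, ent))  # nobody vouches for this account: no reviewer needed
            continue
        items.append(ReviewItem(user, ent, rec["manager"], today + timedelta(days=days)))
    return revoke, items

def escalate_overdue(items, today_iso: str):
    """Reviewers who have not responded by the due date are escalated one level up."""
    today = date.fromisoformat(today_iso)
    for it in items:
        if not it.decision and today > it.due and not it.escalated_to:
            it.escalated_to = MANAGER_OF.get(it.reviewer, "")
    return [it for it in items if it.escalated_to]

def pending_actions(revoke, items):
    """Revocations the workflow must implement (automated or manual) and track to closure."""
    return revoke + [(it.user, it.entitlement) for it in items if it.decision == "revoke"]
```

The orphan and expired-contractor accounts never reach a reviewer; they go straight onto the revocation list, which is the “user” recertification step the article says becomes unnecessary once HR records can be trusted.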

Sounds great, doesn’t it? At a large company, this workflow set can easily save several FTEs worth of work for several months each year.


This month, we’ll discuss each workflow set in part, with three objectives in mind:

  1. Identifying ways in which the workflow set could be developed. There aren’t any right answers here. The goal is to ensure that some thought has been put into what the right answer is for your specific situation.
  2. Populating the requirements list accordingly – this is where a lot of ROI can be found, if the right product is selected that can support the requirements. It’s critical to make sure that the requirements list is thoroughly updated this month.
  3. Considering some prep-work that could be done in advance of obtaining a system.

We’ll begin in the next segment by working on the de/provisioning workflows.

About the Author: Ioana Bazavan Justus
