Workflow and Automation for Account and Password Management

  • July 27, 2015
  • Feature

By Dean Wiech, Tools4Ever

In the fast-paced world of manufacturing, any type of automation process that reduces time, effort and errors is usually a positive addition. This is especially true when the processes that revolve around the IT department are repetitive and directly relate to data and network security.

Let’s take a more in-depth look at the processes that IT personnel are tasked with when it comes to employees and their need for network access. When an employee starts with the company they need network access, an email account, to be added to appropriate distribution groups, access to the specific applications they need to perform their jobs, and access to file shares where relevant information is stored. As their tenure with the company continues, chances are their responsibilities and position will change, requiring different application and data access. They also, most definitely, will forget a password once or twice. At some point, they will retire or leave the company and their accounts will need to be disabled and deleted to ensure they can no longer access sensitive information or systems.

All the above processes are typically performed in a manual or only semi-automated fashion. While electronic forms and emails may have replaced paper in most cases, the end result is still a manual process resulting in an IT professional entering data into the network directory service, creating an email account and provisioning the employee into potentially dozens of applications. The same is true when the employee changes jobs or leaves the company – an IT professional must manually touch each system to update or remove access rights.

A similar situation occurs if an employee forgets their password. A call to the help desk is placed and the password is reset to a temporary one, with the employee changing it to a permanent one after logging in. Studies have shown that upwards of 40 percent of all calls to the help desk are password related, and the direct costs and loss of productivity can be staggering for organizations.

The advent of workflow and automation systems for identity and access management (IAM) has made tremendous strides over the last few years in mitigating and eliminating the manual processes associated with the user account lifecycle and password management. In an ideal world, an authoritative source, typically the HR system, is linked by the IAM system to the network directory, email and all other applications. When a new employee is added to the HR system, a process is initiated to provision the user in all applicable systems, distribution groups and data shares. This is typically done using a role-based access control (RBAC) template. This template looks at a person’s title, department and location to determine which systems they should have access to and with what permissions. A similar process happens when an employee changes position or is promoted – the RBAC matrix is used to verify which permissions should be added and which should be removed.

When an employee is denoted as terminated in the HR system, a separate process executes to ensure that all permissions and application access are removed in a timely and secure fashion. As part of this disable or delete process, it is also possible to perform other important actions. An auto-reply email can be set to notify senders that the individual is no longer with the company, and emails can automatically be forwarded to the manager or a replacement employee. If there is data in a personal share on the network, the data can be archived and rights given to an appropriate person for review, copying and eventual deletion if warranted.
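The joiner, mover and leaver handling described in the two paragraphs above, as an added example that is not part of the original article or any Tools4Ever product: a constructed RBAC matrix keyed on title, department and location, and a reconciliation step that computes both the rights to add and the rights to remove for each HR event. The entitlement names, attribute values and the employee record are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Person:
    """HR record fields the RBAC template keys on (constructed example)."""
    user_id: str
    title: str
    department: str
    location: str
    status: str  # "active" or "terminated"

# Constructed RBAC matrix (hypothetical entitlement names): each rule is a dict of
# attribute conditions (empty dict = matches everyone) plus the entitlements it
# grants. A person's target access is the union of all matching rules.
RBAC_MATRIX = [
    ({}, {"ad:domain-users", "mail:mailbox"}),
    ({"department": "engineering"}, {"app:plm", "share:eng-drawings"}),
    ({"department": "finance"}, {"app:erp-finance"}),
    ({"title": "manager"}, {"app:hr-approvals", "dl:managers"}),
    ({"location": "plant-a"}, {"share:plant-a-sops", "dl:plant-a-all"}),
]

def target_entitlements(p: Person) -> set[str]:
    """Entitlements the HR record says this person should have right now."""
    if p.status != "active":
        return set()  # leaver: the authoritative source says 'nothing'
    granted: set[str] = set()
    for conditions, entitlements in RBAC_MATRIX:
        if all(getattr(p, attr) == value for attr, value in conditions.items()):
            granted |= entitlements
    return granted

def reconcile(current: set[str], target: set[str]) -> tuple[set[str], set[str]]:
    """Return (to_add, to_remove) that turn what is provisioned into the target.
    Removing on a job change is what stops rights accumulating over a tenure."""
    return target - current, current - target

def lifecycle_demo() -> dict[str, tuple[set[str], set[str]]]:
    """Joiner, mover and leaver events for one constructed employee."""
    hired = Person("jdoe", "technician", "engineering", "plant-a", "active")
    moved = Person("jdoe", "manager", "engineering", "plant-b", "active")
    left = Person("jdoe", "manager", "engineering", "plant-b", "terminated")
    provisioned: set[str] = set()  # nothing exists before day one
    events = {}
    for name, record in (("joiner", hired), ("mover", moved), ("leaver", left)):
        add, remove = reconcile(provisioned, target_entitlements(record))
        events[name] = (add, remove)
        provisioned = (provisioned | add) - remove  # apply to directory/apps
    return events
```

Because the target set is recomputed from the HR record each time, the mover step removes the plant-a share and distribution list as well as adding the manager rights, and the leaver step removes everything without needing a separate list of what was granted.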

While the above processes are a great time saver, as well as increasing security by controlling access to data and applications, they rely on the employee’s information being in the HR system prior to the actual first day of work. In an ideal world, this always happens, but in the real world it may not. The hiring manager usually brings someone on board to start the next day and the HR department doesn’t get all the paperwork for a few days, or a contract employee is brought on and the HR department never hears about it.

In these cases, a combination of a workflow system and automation provides optimal results. This allows a hiring manager to easily complete an online web form with pertinent information. A workflow process then sends it to another manager for approval. The data is then routed to HR for additional information, and finally to the IT department for review and final approval. When this final approval is granted, an automated process is executed to commit the account in the network and relevant applications. Once the information is entered into HR, another automated process occurs to verify that the data entered on the web forms is accurate, and any necessary changes take place with notification via email back to interested parties.

Now that the issue of user account lifecycle management has been addressed, let’s take a quick look at the password management process. As previously mentioned, a forgotten password results in more calls to the help desk than any other issue. An employee cannot access the network and cannot be productive until the reset occurs. If the employee is working the third shift, or on a weekend, the help desk may be running with minimal staffing and delays could be long.

Many commercial products are available in the marketplace to remove this onerous task from the help desk and place it back on the employee. These solutions allow employees to enroll in the self-service product by selecting a series of challenge questions and providing answers. If a password is forgotten, they simply click a link on the login screen, which prompts them for their username and for the answers to the challenge questions. Once completed, they are then prompted to enter a new password that complies with the complexity and history requirements present in the network, and are then immediately logged in.

Taking this one step further, many companies are also synchronizing the network password to all the other applications a person is authorized to use. By doing so, they are effectively reducing the number of passwords a person needs to remember from, on average, six to eight, down to one. This further reduces the need to call the help desk if they are logging into a seldom used application and have forgotten that password, as they are now all the same.

In summary, workflow and automation procedures for identity and password management can reduce time spent, increase security and reduce the workload on the help desk considerably. The end result is a more efficient IT staff that is focused on helping run the business rather than being inundated with mundane, repetitive tasks that can easily be automated or delegated.

Dean Wiech is managing director of Tools4ever, a global provider of identity and access management solutions.
