Ask Slashdot: New Employee System Access Tracking?

New submitter mushero writes: We are a fast-growing IT services company with dozens of systems, SaaS tools, dev tools and systems, and more that a new employee might need access to. We struggle to track this, both in terms of what systems a given set of roles will need and then has it been done, as different people manage various systems. And of course the reverse when an employee leaves. Every on-boarding or HR system we've looked at has zero support for this; they are great at getting tax info, your home address, etc. but not for getting you a computer nor access to a myriad of systems. I know in a perfect world it'd all be single-sign-on, but not realistic yet and we have many, many SaaS service that will never integrate. So what have you used for this, how do you track new employee access across dozens of systems, hundreds of employees, new hires every day, etc.?

In Theory - Thor

[Anonymous Coward]

There are a number of products build exactly for this....

IBM Has Tivoli Access Manager. It is as good as you expect a Enterprise IBM product to be :/ - ie not great....

Oracle has a product called Thor (now Oracle Identity Manager) which is built for this exact thing. Unfortunately it IS oracle, and all the shitty price and UI you expect from such a thing.

There is CA Identity Manager if you really hate yourself (It IS CA, and has all the fun and joy a CA product can give).

In short? There IS stuff build for t

Re:

[s.petry]

You missed at least a couple. Fox Technologies has a product called Boks for this, Oracle LDAP (formerly SunOne) is very good and has all of the API capabilities of any LDAP solution. If you wanted a different *NIX auth back end you could run P-GINA on your WIndows hosts and hae them auth elsewhere.

The reason these solutions are "meh" is nromally related to the huge disparitity in HR solutions and their implementations. Pluggine in to inventory systems creates more unique challenges.

Re:

[quetwo]

Oh, it CAN be done. You just have to have somebody on staff who is an expert at RADIUS, LDAP, AD-AUTH, Kerberos, OAuth and probably a dozen other protocols that deal with authentication and authorization. Oh, and then a proper security audit because if you do it in house, are you sure that you can't drive a MAC truck through it?

Having done the ROI estimate on such a project, we couldn't do it. And this was for a company that had at least standardized on products that use RADIUS and LDAP for all things th

Re:

[quetwo]

I for one have seen men and women working in IT with said skills. Besides, why would you even be using an authentication protocol your own staff has no clue about? That's just calling for trouble.

Also, the ROI estimates I've usually seen decision makers rely on are one dimensional plain simple characterizations that hardly reflect the real world we live in. It's an insanely complex task getting it right and all that money could be used in actually getting things done.

Sure, I've seen quite a few people with those skills. They don't work for me, and they probably don't work for the OP. If authentication is not in your line of business for your company, why are you making an internal product to do it? Oh, and it's a lot easier to implement a protocol like LDAP or RADIUS in an existing application than to build one from scratch. Knowing about 3DES TLS sockets is important, but let the professionals write the implementation.

If it was easy to do, the list would include hundreds of products -- many of them open source. That should give you a clue.

Building and open-sourcing custom solutions tailored for your personal needs is pointless. We're not talking about some universal it-does-everything solution, but a solution that will be tailored in-house to fit *your* unique combination of services and software. Nobody else would have the same needs as you.

Sure. Your business is a special snowflake for everything you do. I get it. No other business has ever tackled doing authentication management before ever -- and none of them have ever integrated with one of the common SaaS products before. It's a good thing you are spending multiple man-years building an internal product rather than focusing on stuff you can sell, implement, consult on, or you know, make money on. Spending 1 FTE year building something that can be bought off the shelf for $50,000 is

Re:

[Archangel Michael]

Standardize on LDAP and use AD to authenticate against. I know, Microsoft is the devil, but their LDAP stuff on AD is pretty secure and well documented. And quite frankly, their LDAP is best / easiest to deal with.

Parent +1

[wezelboy]

This is especially prevalent in the world of SSO, Directories and IDM. It can be done. But most companies are to cheap to pay someone to do it RIGHT.

Re:

[war4peace]

[Disclaimer: I am an Oracle employee but am not part of any customer-facing LoB]

OIM - Oracle Identity Management is a large-business solution. The UI is horrendous but it's one of the few Oracle products where that doesn't bother me, simply because you rarely access it.
No idea about their pricing, though. Keep in mind that even it won't be an all-in-all solution, there's always going to be the odd environment with its own account management which can't be linked to OIM unless you're willing to spend obscene

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[plopez]

HP has a number of products as well.

Competency

[thorntonmark]

Perhaps you could outsource this to a competent "IT services company".

Re:

[jon3k]

Name three that are good.

Onelogin

[JBMcB]

Our company uses OneLogin with a set of custom scripts to sync everything with AD and our internal systems. Works pretty well.

Re:

[JBMcB]

OneLogin is the authority, changes are pushed to AD which is just there to manage Windows credentials. All the web apps (which is pretty much all of our apps) authenticate off of OneLogin. You set your password through a custom portal that syncs up everything.

In small scale..

[Keruo]

For small scale implementation: Excel.

One excel per employee.
HR fills sheet which contains tick boxes for existing systems and sends filled form to IT.
IT opens accounts for that user per selection.
HR didn't file the form? No accounts.
HR missed certain box? Speak with manager and request access using normal request policies.

Re:

[war4peace]

Shit idea.
Great for onboarding, sucks for when employee X leaves the company (automated inactivation of accounts). Horrible for security (automatic password expiration push). Horrible for rehires or people changing departments. Et Caetera.

Re:

[Keruo]

No reason why the same form couldn't be used for when the user is leaving.
Gives nice ticked boxes which indicate each system where accounts need to be closed.
Passwords should expire automatically every 30-60 days regardless the user is leaving or not.
Rehires or department change? Just refill the form on another sheet to match the new position.

Re:

[Thiez]

If passwords expire in just 30 days people will either stop picking good passwords or start writing them down (they'll probably do both). A password should be usable for several months at least.

Re:

[war4peace]

User leaves, nobody fills form because that's how human beings are, accounts remain active forever.
Passwords should expire every 90 days, but it's one thing when you have one SSO password which expires every 90 days or 30 different passwords which expire every 90 days each. Having to reset and remember 30 passwords, one every 3 days on average, is mind-numbing.
Rehires are tricky. Some companies have a data retention / e-mail address retention policy. it's impossible to enforce it with spreadsheets.

Before lo

Re:

[account_deleted]

Comment removed based on user account deletion

SSO

[wstrucke]

I think you use single sign-on and try to do a better job of choosing services that support it. LDAP authentication is fairly prolific these days.

Made for exactly this : PORTADI

[johnjones]

It's not a HR system but is a enterprise IAM plus it works great for small teams ( of 3 even )

https://www.portadi.com

More than happy to be a reference

Regards

John Jones

Tools

[tsunamiiii]

End of the day. Big or small, its not the tools its the business process that the tools are built around. Crawl, walk, Run; stop looking for the perfect solution. Start off with Excel get your process down so its clock work. New hire has accepted. This should be a cue for the hiring manager to start his process and not rely on HR. You don’t want HR allowing folks access to your production systems. Once its all down and working you look at what steps can be automated. Bite off chunks as they come at yo

As much as I hate to mention the "O" word ...

[CrackerJackz]

It wasn't even *close* to cheap (either in implementation or ongoing support) but we added OIM (Oracle Identity Manager) to our existing Oracle suite of products (we have tons of databases, and Oracle owned "Health Sciences" apps, so we were already in bed with the devil to begin with) It uses SOA for workflows and approvals, and we built a series of templates for system access. Employee A starts the company as a Tech Writer? Automatically provision AD, OID, exchange, home directory, 5 shared folders, 3

Re:

[drinkypoo]

If you're gonna spend a million dollars or whatever you can probably do it with Tivoli, maybe even without customization but probably not. IBM loves customization.

Re:

[LDAPMAN]

NetIQ Identity Manager would have been much cheaper. I've done both and it's not even close.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[mjwx]

It wasn't even *close* to cheap (either in implementation or ongoing support) but we added OIM (Oracle Identity Manager) to our existing Oracle suite of products

We're an University of 30,000 students and 5,000 staff and we're getting rid of OIM because it cant do anything properly. After 3 years and literally millions of dollars it still cant communicate with Exchange, not only are we still employing the same number of people to do account provisioning (approx 14,000 new accounts per year) we're also empl

Lastpass?

[shri]

Can you use something simple like the group version of Lastpass / setup their accounts and manage their passwords / revoke access?

LDAP?

[guruevi]

Just use a centralized solution that is configured to give access and authorization to assets, they exist, it's called LDAP and you can plug whatever the hell information you want in them, even the HR-only information (such as tax records etc). You then just need to make sure your roles are defined within your organization and HR knows about which roles to give to a person.

If you're talking about giving people root/wheel access to certain boxes even when LDAP is broken, then you can still use LDAP as a source to feed into eg. an ansible/puppet script (or whatever configuration management system you decide to use) that runs every few minutes/hours/days and inserts/revokes access for those sysadmins.

Re:

[LDAPMAN]

Nice idea but not enough in the real world. There are lots of thing that don't work with LDAP and there are other things that need manual provisioning.

Re:

[guruevi]

That's where the managed script comes in. LDAP works with most things that have access controls and is designed for just that purpose.

Re:

[jon3k]

I wasn't convinced until I read your name, but now I'm a believer.

In all seriousness, you're correct. I've found in the real world you're using a combination of Active Directory (or some other LDAP) along with web based applications, and maybe even some compiled applications running locally. Some are behind the firewall, some aren't. You really need something that can support SAML along with form-filling that will also sync with AD to really cover the whole gamut. And even then some of it will be a ma

Re:

[jon3k]

Not possible. No business of any reasonable size is going to not purchase a particular software because it doesn't support a particular authentication mechanism. There are too many other requirements to write something off just because of no LDAP/RADIUS. There are far more complex reasons behind purchasing software of any real scale.

Cloud Solution it

[btroy]

You've got a couple of challenges as you grow fast. Not only tracking set up of access, but also making sure it is gone if/when the person leaves that is taken away along with any assets they may have received from the company. So treat a new employee as an action ticket. Each piece of access has to be recorded (could be a spreadsheet - that's a simple solution or even a simple Access or equivalent database, you could do something like that in an evening. Just secure it, back it up and back it up. Thin

Internet 2 Grouper

[langedb]

We use Grouper an OSS project by Internet 2 which is designed to provide distributed access control to an institution. Http://grouper.internet2.edu.

Lots of ways

[Dylan Edward]

Whatever manager requested the hire...ask for a setup like person. They likely need access similar to their peers. Use separate ldap groups for resource access, and role definitions. Role groups go inside resource access groups. I just finished writing a script to tie management of ad groups to the hris system, by jobcode and deptcode. Security and application managers can decide what roles get access to their apps. Going to trial it with a few apps. Going to need some change control on the hris sys

Re: Lots of ways

[Dylan Edward]

Additionally a lot of sass providers support SAML, which makes it easy to manage cloud hosted app access. Simplesamlphp is my favorite. Shibboleth also works. There are commercial solutions like Ping and Okta.

Re:

[LDAPMAN]

"Set up like" is a horrible model. It leads to over provisioning of access and poor governance.

Re:

[mjpaci]

Where the hell are my karma points when I need them?

+2 to you LDAPMAN.

I work at a large company that has acquired (and not fully integrated) other companies over the years. To say that it's a complete mess when it comes to identity management is an understatement.

Sailpoint?

[XXeR]

Look into http://sailpoint.com/ [sailpoint.com]

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

UCS (Univention Corporate Server)

[tanati]

UCS is good at offering several authentication services (LDAP, Kerberos, AD/Samba4, SAML) for a central user database, has APIs to both automize user workflows based on informations provided by HR systems and integrate / provisioning other systems (like databases etc.), scales do to integrated multi-server-support -- and is fully open source and free. See https://www.univention.com/pro... [univention.com]

Not my area of expertise but ...

[quietwalker]

What I've seen is that most companies are windows based and use active directory to centralize the vast majority of their permission management system. Almost every professional system out there then integrates into it via some LDAP mechanism, and it's usually relatively easy to switch in house apps over as well.

There's two other cases I've seen that aren't related explicitly to a person:
- required local accounts
- service accounts

There's always a lot of cases where you need a

Is it April Fool's day?

[xxxJonBoyxxx]

>> We are a fast-growing IT services company with dozens of systems...We struggle to track this

Funniest thing I read all day. Thanks for the laugh!

FoxPass

[smontgomerie]

Check out https://www.foxpass.com/ [foxpass.com] a new startup that just launched addressing exactly this problem.

Re:

[arensand]

I am the author of Foxpass. It was designed to solve exactly these pain-points with its cloud-hosted LDAP and RADIUS systems. Plus it ties into Google Apps, which many companies use as their de-facto root identity. Foxpass plus a SAML provider (i.e.) Okta is a great way to really close to single-sign-on everywhere (internally and externally), without running the services yourself.

I Built It

[Rastl]

As part of a very long term project I built exactly what the article says doesn't exist - a way to track onboarding and offboarding in a single system. One reason why it was a long term project is that it took that long for the systems and departments to catch up and buy into central tracking.

My system passed every internal, external, and federal audit. It is still running five years after I left the company. I was hired back as a consultant to integrate the parent data when the company was purchased bec

Need tracking, not central Auth

[mushero]

Original Poster here - yes, these are all good suggestions and we should add more LDAP (we have large multi-thousand host LDAP systems now), but a lot, if not most of these systems we need, especially various SaaS tools, don't support this well, if at all. So a full SSO system is a real challenge - we are looking at AD integration next year to handle the ones that can.

But I don't really need this today - what I need is to TRACK all the system access, in part just to know what systems Johnny in Ops Engineer

New thing called Linux

[WhiteHorse-The Origi]

Dude Linux does that. try useradd... Oh you're locked into proprietary systems that don't work with ISO standards? Sucks to be you, just get out of tech now and save everyone the headaches

InBold Business Platform

[inBold]

The problem of having dozens of systems and many different login credentials is a problem that we are trying to solve with our online business platform. Here's a quick video that explains what we do: https://www.youtube.com/watch?... [youtube.com] Feel free to check out our website too: http://www.inboldsolutions.com... [inboldsolutions.com] I look forward to feedback also.