Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Businesses IT Technology

Ask Slashdot: New Employee System Access Tracking? 87

New submitter mushero writes: We are a fast-growing IT services company with dozens of systems, SaaS tools, dev tools and systems, and more that a new employee might need access to. We struggle to track this, both in terms of what systems a given set of roles will need and then has it been done, as different people manage various systems. And of course the reverse when an employee leaves. Every on-boarding or HR system we've looked at has zero support for this; they are great at getting tax info, your home address, etc. but not for getting you a computer nor access to a myriad of systems. I know in a perfect world it'd all be single-sign-on, but not realistic yet and we have many, many SaaS service that will never integrate. So what have you used for this, how do you track new employee access across dozens of systems, hundreds of employees, new hires every day, etc.?
This discussion has been archived. No new comments can be posted.

Ask Slashdot: New Employee System Access Tracking?

Comments Filter:
  • by Anonymous Coward

    There are a number of products build exactly for this....

    IBM Has Tivoli Access Manager. It is as good as you expect a Enterprise IBM product to be :/ - ie not great....

    Oracle has a product called Thor (now Oracle Identity Manager) which is built for this exact thing. Unfortunately it IS oracle, and all the shitty price and UI you expect from such a thing.

    There is CA Identity Manager if you really hate yourself (It IS CA, and has all the fun and joy a CA product can give).

    In short? There IS stuff build for t

    • [Disclaimer: I am an Oracle employee but am not part of any customer-facing LoB]

      OIM - Oracle Identity Management is a large-business solution. The UI is horrendous but it's one of the few Oracle products where that doesn't bother me, simply because you rarely access it.
      No idea about their pricing, though. Keep in mind that even it won't be an all-in-all solution, there's always going to be the odd environment with its own account management which can't be linked to OIM unless you're willing to spend obscene

      • I'm an implementer of OIM (10 years now). OIM is an excellent framework for a provisioning tool, but the connectors are terrible (fortunately easy to build your own against the API) and the UI is useless. The most successful OIM implementations I've come across (or built) have been ones that used a custom UI and/or just made everything scriptable. The API is really the saving grace of OIM. It's confusing, but it is powerful.

        Sadly, I'm watching the product spiral downhill as of the last several versions.

    • by plopez ( 54068 )

      HP has a number of products as well.

  • Perhaps you could outsource this to a competent "IT services company".
  • Our company uses OneLogin with a set of custom scripts to sync everything with AD and our internal systems. Works pretty well.

  • For small scale implementation: Excel.

    One excel per employee.
    HR fills sheet which contains tick boxes for existing systems and sends filled form to IT.
    IT opens accounts for that user per selection.
    HR didn't file the form? No accounts.
    HR missed certain box? Speak with manager and request access using normal request policies.
    • Shit idea.
      Great for onboarding, sucks for when employee X leaves the company (automated inactivation of accounts). Horrible for security (automatic password expiration push). Horrible for rehires or people changing departments. Et Caetera.

      • by Keruo ( 771880 )
        No reason why the same form couldn't be used for when the user is leaving.
        Gives nice ticked boxes which indicate each system where accounts need to be closed.
        Passwords should expire automatically every 30-60 days regardless the user is leaving or not.
        Rehires or department change? Just refill the form on another sheet to match the new position.
        • by Thiez ( 1281866 )
          If passwords expire in just 30 days people will either stop picking good passwords or start writing them down (they'll probably do both). A password should be usable for several months at least.
        • User leaves, nobody fills form because that's how human beings are, accounts remain active forever.
          Passwords should expire every 90 days, but it's one thing when you have one SSO password which expires every 90 days or 30 different passwords which expire every 90 days each. Having to reset and remember 30 passwords, one every 3 days on average, is mind-numbing.
          Rehires are tricky. Some companies have a data retention / e-mail address retention policy. it's impossible to enforce it with spreadsheets.

          Before lo

    • Basically adhere to SOP of IT/HR On-Boarding and Off-Boarding process.

  • I think you use single sign-on and try to do a better job of choosing services that support it. LDAP authentication is fairly prolific these days.
  • It's not a HR system but is a enterprise IAM plus it works great for small teams ( of 3 even )

    More than happy to be a reference


    John Jones

  • End of the day. Big or small, its not the tools its the business process that the tools are built around. Crawl, walk, Run; stop looking for the perfect solution. Start off with Excel get your process down so its clock work. New hire has accepted. This should be a cue for the hiring manager to start his process and not rely on HR. You don’t want HR allowing folks access to your production systems. Once its all down and working you look at what steps can be automated. Bite off chunks as they come at yo
  • It wasn't even *close* to cheap (either in implementation or ongoing support) but we added OIM (Oracle Identity Manager) to our existing Oracle suite of products (we have tons of databases, and Oracle owned "Health Sciences" apps, so we were already in bed with the devil to begin with) It uses SOA for workflows and approvals, and we built a series of templates for system access. Employee A starts the company as a Tech Writer? Automatically provision AD, OID, exchange, home directory, 5 shared folders, 3
    • If you're gonna spend a million dollars or whatever you can probably do it with Tivoli, maybe even without customization but probably not. IBM loves customization.

    • by LDAPMAN ( 930041 )

      NetIQ Identity Manager would have been much cheaper. I've done both and it's not even close.

      • ForgeRock IDM or MidPoint are cheaper (read: open source) than both. But neither have quite the feature set yet.

    • by mjwx ( 966435 )

      It wasn't even *close* to cheap (either in implementation or ongoing support) but we added OIM (Oracle Identity Manager) to our existing Oracle suite of products

      We're an University of 30,000 students and 5,000 staff and we're getting rid of OIM because it cant do anything properly. After 3 years and literally millions of dollars it still cant communicate with Exchange, not only are we still employing the same number of people to do account provisioning (approx 14,000 new accounts per year) we're also empl

  • by shri ( 17709 ) <shriramc@gm[ ].com ['ail' in gap]> on Tuesday August 25, 2015 @08:14AM (#50386771) Homepage

    Can you use something simple like the group version of Lastpass / setup their accounts and manage their passwords / revoke access?

  • LDAP? (Score:4, Interesting)

    by guruevi ( 827432 ) <evi&evcircuits,com> on Tuesday August 25, 2015 @08:34AM (#50386889) Homepage

    Just use a centralized solution that is configured to give access and authorization to assets, they exist, it's called LDAP and you can plug whatever the hell information you want in them, even the HR-only information (such as tax records etc). You then just need to make sure your roles are defined within your organization and HR knows about which roles to give to a person.

    If you're talking about giving people root/wheel access to certain boxes even when LDAP is broken, then you can still use LDAP as a source to feed into eg. an ansible/puppet script (or whatever configuration management system you decide to use) that runs every few minutes/hours/days and inserts/revokes access for those sysadmins.

    • by LDAPMAN ( 930041 )

      Nice idea but not enough in the real world. There are lots of thing that don't work with LDAP and there are other things that need manual provisioning.

      • by guruevi ( 827432 )

        That's where the managed script comes in. LDAP works with most things that have access controls and is designed for just that purpose.

      • by jon3k ( 691256 )
        I wasn't convinced until I read your name, but now I'm a believer.

        In all seriousness, you're correct. I've found in the real world you're using a combination of Active Directory (or some other LDAP) along with web based applications, and maybe even some compiled applications running locally. Some are behind the firewall, some aren't. You really need something that can support SAML along with form-filling that will also sync with AD to really cover the whole gamut. And even then some of it will be a ma
  • You've got a couple of challenges as you grow fast. Not only tracking set up of access, but also making sure it is gone if/when the person leaves that is taken away along with any assets they may have received from the company. So treat a new employee as an action ticket. Each piece of access has to be recorded (could be a spreadsheet - that's a simple solution or even a simple Access or equivalent database, you could do something like that in an evening. Just secure it, back it up and back it up. Thin
  • We use Grouper an OSS project by Internet 2 which is designed to provide distributed access control to an institution. Http://
  • Whatever manager requested the hire...ask for a setup like person. They likely need access similar to their peers. Use separate ldap groups for resource access, and role definitions. Role groups go inside resource access groups. I just finished writing a script to tie management of ad groups to the hris system, by jobcode and deptcode. Security and application managers can decide what roles get access to their apps. Going to trial it with a few apps. Going to need some change control on the hris sys
    • Additionally a lot of sass providers support SAML, which makes it easy to manage cloud hosted app access. Simplesamlphp is my favorite. Shibboleth also works. There are commercial solutions like Ping and Okta.
    • by LDAPMAN ( 930041 )

      "Set up like" is a horrible model. It leads to over provisioning of access and poor governance.

      • by mjpaci ( 33725 )

        Where the hell are my karma points when I need them?

        +2 to you LDAPMAN.

        I work at a large company that has acquired (and not fully integrated) other companies over the years. To say that it's a complete mess when it comes to identity management is an understatement.

  • Look into []

  • UCS is good at offering several authentication services (LDAP, Kerberos, AD/Samba4, SAML) for a central user database, has APIs to both automize user workflows based on informations provided by HR systems and integrate / provisioning other systems (like databases etc.), scales do to integrated multi-server-support -- and is fully open source and free. See []
  • What I've seen is that most companies are windows based and use active directory to centralize the vast majority of their permission management system. Almost every professional system out there then integrates into it via some LDAP mechanism, and it's usually relatively easy to switch in house apps over as well.

    There's two other cases I've seen that aren't related explicitly to a person:
    - required local accounts
    - service accounts

    There's always a lot of cases where you need a

  • >> We are a fast-growing IT services company with dozens of systems...We struggle to track this

    Funniest thing I read all day. Thanks for the laugh!

  • Check out [] a new startup that just launched addressing exactly this problem.
    • I am the author of Foxpass. It was designed to solve exactly these pain-points with its cloud-hosted LDAP and RADIUS systems. Plus it ties into Google Apps, which many companies use as their de-facto root identity. Foxpass plus a SAML provider (i.e.) Okta is a great way to really close to single-sign-on everywhere (internally and externally), without running the services yourself.
  • As part of a very long term project I built exactly what the article says doesn't exist - a way to track onboarding and offboarding in a single system. One reason why it was a long term project is that it took that long for the systems and departments to catch up and buy into central tracking.

    My system passed every internal, external, and federal audit. It is still running five years after I left the company. I was hired back as a consultant to integrate the parent data when the company was purchased bec

  • Original Poster here - yes, these are all good suggestions and we should add more LDAP (we have large multi-thousand host LDAP systems now), but a lot, if not most of these systems we need, especially various SaaS tools, don't support this well, if at all. So a full SSO system is a real challenge - we are looking at AD integration next year to handle the ones that can.

    But I don't really need this today - what I need is to TRACK all the system access, in part just to know what systems Johnny in Ops Engineer

  • Dude Linux does that. try useradd... Oh you're locked into proprietary systems that don't work with ISO standards? Sucks to be you, just get out of tech now and save everyone the headaches
  • The problem of having dozens of systems and many different login credentials is a problem that we are trying to solve with our online business platform. Here's a quick video that explains what we do: [] Feel free to check out our website too: [] I look forward to feedback also.

Always leave room to add an explanation if it doesn't work out.