HCM: The New Source of Truth for Identity Management

June 28th, 2016 / product and technology, security and compliance, smarter identity

What’s the response in your organization when …

  • A new hire needs to have all the right tools available on day 1?
  • A promoted employee needs a new tool while the IT person to help is on vacation?
  • An employee leaves the company and their access needs to be immediately removed from all systems?

Do you have a seamless way to handle these common requests? Or, like many organizations, are your processes difficult and dependent on multiple teams to fulfill?

We often hear that HR and IT teams each maintain employee information by manually entering it into their respective systems, such as their HRIS and on-premises directory (e.g. AD or LDAP), and communicate through shared spreadsheets or ticket systems.

“Everyone in the system is always relying on another team to update their piece of the puzzle.” –Oscar Rodriguez, Implementation Consultant at OneLogin

The most accurate employee status is in HCM.

Sometimes we get buried in complexity and overlook the fact that the HR team is typically the first to know when an employee’s status changes, such as when a new hire is starting, someone changes roles, or an employee will be leaving the company. This means the HR team, and by extension the Human Capital Management (HCM) system, has the most accurate and up-to-date information about employee status.

Then, naturally, it makes a lot of sense for identity management to also begin and end with your HCM.

Using the HCM as your source of truth is often easier said than done, though. Most ways of integrating IT and HR systems still leave you relying on multiple teams and manual, error-prone steps.

How do you integrate IT and HR systems?


Perhaps you’ve set up an FTP server and created a translator to integrate data from the HCM to the directory. Maybe you’ve written custom scripts between AD and applications to automate some of the user provisioning process.

However, these setups are often the source of errors in HR-IT integration. And as users and apps come, change, and go, the integrations become more and more complex. Implementing and maintaining deep integrations among the various systems on your own quickly becomes tedious, costly, and ineffective.


Some IDaaS vendors, such as OneLogin, offer thorough integration to synchronize user information from HR across all systems. For example, the OneLogin platform can easily integrate the HCM with the IT directory by using flexible mappings to assign access and pass user attributes along. So when a user is created, updated, or deleted in the HCM, OneLogin passes that user information to the IT directory and changes access rights and permissions to applications accordingly in real time, eliminating manual steps.

Watch the OneLogin Professional Services team explain how they helped a global media holding company with over 20,000 employees design, plan and implement HR-driven identity automation.


The OneLogin platform gives organizations the power and flexibility to automate user provisioning and deprovisioning, so they can more successfully manage user identities and access.

Start simplifying your onboarding and offboarding processes. Sign up for a demo.

Learn the 5 steps to HR-driven identity management using Workday.

About the Author

Nathan is a Solution Architect at OneLogin focusing on partnerships with global systems integrators and software vendors. A Berkeley graduate and a New Yorker, he is also an avid fan of the New York Yankees.

View all posts by Nathan Chan