User Onboarding, Offboarding, and Everything in Between

July 31st, 2017   /     /   product and technology

Can you rely solely on automation to bring new employees onboard, and to offboard them when they leave?

Automation can be critical to onboarding employees quickly and efficiently, granting them access to what they need and only what they need to perform their job. Automation is even more critical when people part ways with the organization and need to have their application access removed, providing a thoroughness that manual efforts can’t match. Fail to remove access in time or miss a key access point, and you’re looking at a security violation and possible damage to your organization and customers, not to mention a potential compliance violation. In fact, one in five organizations report data breaches as a result of incomplete deprovisioning.

Those are what I call the “blind spots” of the traditional onboarding and offboarding process.

As a former identity & access management (IAM) administrator, I used to struggle with those blind spots. On the one hand, I wanted to empower business managers, allowing them to manage their applications while we in IT served as the governance layer, making sure that access was appropriately monitored and removed when employees left the organization. But how would we control applications that were manually provisioned? There were plenty of applications that didn’t support an automated process, whether legacy applications, form-fill applications, or apps that required admin-level configuration.

So how are we at OneLogin shedding some light on those blind spots?

For the last few months, we’ve been working with customers on a new compliance feature called Task Lists, which includes user Onboarding and Offboarding workflows that you can use to track automated and manual tasks.

You can use this feature to ensure that none of a user’s application accounts are left behind. When users join or leave an organization, OneLogin automatically generates a list of tasks, including those that require an administrator’s attention and manual intervention.

For onboarding, we automatically assign roles and give application access based on your OneLogin mappings. If any of those applications require admin approval or manual assignment, we create a manual task for the admin to complete. Once you complete a task, simply check it off your list and move on.

In the case of offboarding, we automatically deactivate the user without deleting them (to ensure that you don’t lose user-related data), suspend the user’s app access, stop mappings from running on the user, and list all of the applications that require manual deprovisioning. We leave the final “delete user” step as a manual one for you or another admin to take.

All administrators with super admin privilege will be notified of every user who requires onboarding or offboarding. Also, every task gets logged as an event, providing you with an audit trail for each step of the way. You can send these events to a SIEM system of your choice, including Splunk, ELK, and Sumo Logic.

It takes just one click to turn the feature on and configure it! Just log in as an administrator and click the Notifications bell in the menu bar.

Here at OneLogin, governance and compliance are vital priorities. OneLogin Task Lists is just one of many upcoming governance features that we can’t wait to show you!

OneLogin Task Lists is now available to customers on the OneLogin Unlimited Plan; to learn more, check out the OneLogin Task Lists documentation.

About the Author

Tal Herman is a Lead Product Manager for all things identity at OneLogin focusing on core Identity features and functionality with emphasis on usability and simplicity. Prior to joining OneLogin, spent 10 years building and helping enterprise customers deploy various identity and governance tools on premise and in the cloud.

View all posts by Tal Herman