Technical Brief: Oracle HRMS and Automation of Identity Provisioning

Author: Chandra Aitha

In most organizations, a primary responsibility of the Identity and Access Management group is to provision new users in Active Directory and Exchange, modify existing users, and terminate users in (almost) real-time when employees leave the organization.  Human Resources departments in modern enterprises commonly leverage Human Resource Management Systems including SAP, Oracle HRMS (Human Resources Management System), PeopleSoft, or a home-grown or customized solution to manage employee and contractor data.  To avoid redundant manual processes and tie in Active Directory and Exchange into the Human Resources Management System, automation of the workflow with custom coding using any proven open source framework is possible.

To achieve this, Kalles Group developed a custom systems integration solution deployed to support a client with employee status changes monthly in the thousands.  The process is initiated by the incoming feed from HRMS REST web services into IM, and ended with an active user account in the user store with a matching AD account.

The custom solution covers the following key functional tasks:

  • New hire from HRMS feed
  • Rehire from HRMS feed
  • Modify employee
  • Terminate an employee from HRMS feed

The scheduled jobs run every four hours (or less) without manual intervention to provision new hires, rehires and to handle employee modifications.  This reduces close to 100% of manual errors and significantly speeds up the hiring process.  Through a customized systems integration allowing HRMS changes to result in Active Directory account creation and modification, ample maintenance hours will be saved as core processes are properly defined.  In any systems integration project, especially those resulting in elimination of intensive manual processes, a short period for adjustment is recommended before formally closing the project.  In this particular case, two months was set aside in the charter for feedback and adjustment to optimize configuration and fully map technical specifications to achieve maximum benefit for stakeholders.

This custom solution can be used for any Identity Management solution with minimum changes to HRMS.  Additional benefits include the ability to:

  • Provision an employee well in advance to avoid waiting time.
  • De-provision an employee within 1-2 hours of termination to adhere to security policies.
  • Process automation to reduce manual errors and maintenance hours.
  • Send daily custom reports to track how the process is running.

Making the investment in building this type of automated provisioning capability in your organization can really pay dividends when operated at scale and assuming that the LOB application integration is designed and implemented effectively.    This is a one way to accomplish two things at once — lower global resource and support costs, and in uplift the overall security posture and compliance grade of your IT organization.