This is the second part in a series on how to coordinate service management within an organization. In the previous article, we discussed how a service management office is important to set standards for IT service in all departments. Here, we talk about how to implement the concept of role-based provisioning.
When IT first became a part of the mainstream workplace, it was a given that not everyone would need, or even want, the most basic piece of IT - a computer. It was only as computers became ubiquitous and necessary that many businesses began to allow employees near equal access to applications and data.
Now, many organizations are beginning to implement something called role-based provisioning, which tailors access to specific roles within the organization. There are several practical benefits to role-based provisioning:
- Improved experience for managers: No more access forms they don’t know how to complete!
- Better onboarding experience for new hires: All access is ready on the first day.
- Better transfer/job change experience: Access is adjusted automatically.
- Access audit is performed by reviewing the IAM configuration by role and the overarching technical solution. It is no longer necessary to pull tickets to prove an individual has the right access.
- Lowered risk of compromised data due to insufficient access controls.
Here are some steps to take for implementing role-based provisioning:
Step 1: Work with HR to define organizational roles
The first step to adopting a role-based provisioning model is to work with HR on understanding the structure of titles and job families in the organization. In short, a common data point must be identified as the key data point that represents the role.
The issue here is that there could be thousands of titles. If those titles roll up to a smaller number of job families, and if access can be successfully based on the job family, that will be sufficient. If it’s not, IT may need to work with HR to align job titles or job families to IT role profiles at the application level.
While this is the first step, it’s important to note that this step is where most organizations give up. This can be a time-consuming task, but it must be performed.
Step 2: Align the roles in the system
Once identified, the roles for each application can be configured in the Identity Access Management (IAM) system, be it Okta, SailPoint, or others. This enables the product to grant access to people based on their role. In simple terms, the IAM system needs to know which set of applications a “Help Desk Analyst” gets, and which role is granted within each application.
Step 3: Integrate HR to IAM
The final step is to integrate the HR or HCM system with the IAM system, which is generally a technical activity and typically expected by the IAM tools. Once done, when someone is hired, access will be automatically provisioned on their start date. When their job changes, an extreme pain point in many organizations, their access will be automatically adjusted on the effective date of the change.
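The three steps above, sketched as an added example that is not from the original article or from any IAM product: a role profile table keyed by job family, and a function that turns an HR record into grant and revoke actions on its effective date. The job families, applications, roles and HR record fields are constructed assumptions.

```python
from datetime import date

# Constructed role profiles: job family -> {application: role in that application}.
ROLE_PROFILES = {
    "Help Desk Analyst": {"ticketing": "agent", "remote-support": "operator"},
    "Payroll Specialist": {"hcm": "payroll-editor", "ticketing": "requester"},
}

# Constructed HR feed record; the field names are assumptions, not a vendor schema.
SAMPLE_TRANSFER = {"employee": "e1001", "type": "job_change",
                   "job_family": "Payroll Specialist", "effective": date(2024, 3, 4)}


def entitlements_for(job_family):
    """Return the set of (application, role) pairs a job family is entitled to."""
    return set(ROLE_PROFILES[job_family].items())


def plan_changes(hr_event, current_access, today):
    """Turn one HR record into grant/revoke actions for the IAM system.

    current_access is the set of (application, role) pairs the person holds now.
    """
    if today < hr_event["effective"]:
        return {"status": "pending", "grant": [], "revoke": []}
    if hr_event["type"] == "termination":
        target = set()
    elif hr_event["job_family"] not in ROLE_PROFILES:
        # No profile defined yet: change nothing automatically and flag the
        # record so the role can be defined with HR (Step 1).
        return {"status": "unmapped", "grant": [], "revoke": []}
    else:
        target = entitlements_for(hr_event["job_family"])
    return {
        "status": "applied",
        "grant": sorted(target - current_access),
        # Access from the previous role is removed, not left to accumulate.
        "revoke": sorted(current_access - target),
    }


def audit_drift(job_family, current_access):
    """Access a person holds beyond their role profile (audit by role)."""
    return sorted(current_access - entitlements_for(job_family))
```

The revoke list on a job change is the part manual ticket-based processes most often miss, and `audit_drift` is the by-role audit view mentioned in the benefits list.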
Implementing role-based provisioning addresses large pain points in most large organizations and helps secure private data, but it can take a while to implement. However, the sooner it’s started, the sooner the business value is achieved.
Phyllis Drucker is an ITIL® 4 Managing Professional certified consultant and information leader at Cognizant’s Linium ServiceNow practice. Phyllis has more than 20 years of experience in the disciplines and frameworks of service management, as both a practitioner and consultant. She has served HDI since 1997 and itSMF USA since 2004 in a variety of capacities, including speaker, writer, local group leader, board member, and operations director, and recently completed her term as Chair for itSMF International. Since 1997, Phyllis has helped to advance the profession of ITSM leaders and practitioners worldwide by providing her experience and insight on a wide variety of ITSM topics through presentations, whitepapers, and articles, and now her new book on the service request catalog, Online Service Management: Creating a Successful Service Request Catalogue (International Best Practice). Follow Phyllis on Twitter @msitsm.