In this edition of The Production Line, it’s part deux of our mini-series about HR-driven provisioning. HR integrations are a key element of Okta Lifecycle Management (LCM), and Okta has a number of pre-built options including Namely, BambooHR, UltiPro, SuccessFactors. But the provisioning value Okta customers have found is the option to use one of these tools—or none of them, through CSV mastering.
HR-driven provisioning: A quick history
If you’re an admin, you are well aware of the trials and tribulations of provisioning users. But there are a lot of terms used for these operations: onboarding and offboarding, lifecycle management, deprovisioning, and user provisioning are all commonly used terms for the process of adding or removing employees to an organization.
These processes have always been necessary for medium to large-sized organizations and have almost always been manual. The innovation of linking HR process with IT teams brought on HR-driven provisioning, which naturally came about as IT teams typically get their data (new hires, terminated users, promoted employees, etc.) from HR. This data was communicated to IT in very manual, error-prone ways such as CSV files, emails, scripts, and ticketing systems. The surge in contractors and other temporary workers only escalated the risks of this patchwork approach.
Although HR systems such as PeopleSoft developed along with IT systems, they were usually based in an on-premises infrastructure. This software was usually not well integrated with the IT systems in place, which forced the manual, patchwork communication described above.
HR-provisioning options of every stripe
Once SaaS apps became more widely adopted, these HR systems exposed APIs, allowing connections with other SaaS applications. These developments ushered in an environment where connecting apps became easy and commonplace, and born-in-the-cloud apps sealed the deal, setting the stage for total automation.
As noted in our “quick history”, the need for an HR system of any kind was, and is, based on the size of your organization. While a start-up with an employee base that fits into a small room may fare well with a well-crafted spreadsheet, an employee count inching into the triple digits will start having problems without some kind of system in place. Tools such as Namely, BambooHR, UltiPro, SuccessFactors, have created these systems, and can be differentiated based on factors like the size and existing infrastructure of the procuring organization.
The Okta platform allows for HR-provisioning options of every kind, size and/or level of integration. If you can't find your particular solution within our existing integrations, it's not a problem. Okta allows third party apps to build top of the platform. For example, Namely, an HR solution suited to small to medium-sized businesses, did not have a native connector for Okta. But many Okta customers used the app, and wanted a way to drive provisioning, with signals from Namely, via Okta. Through guidance and partnering, Namely's team built a connector for Okta, benefiting all joint customers. So, despite our large catalog of app integrations, you're not forced to use any of them—you can still reap the benefits of your particular HR solution.
One size can fit all
What’s proven most helpful to customers is the flexibility of the platform. It’s open, offering different ways to input and pull data. So if we don't supply a connector to your particular HR system, there are still options available via one of 3 mechanisms: a CSV directory, a script that calls APIs, or partnering.
CSV Directory (mastering from a CSV file)
A CSV (comma separated values) is a common way to store tabular data, and these files are often used to migrate and organize a workforce. Coupling this option with Okta allows you to import users into your org, then go on to determine what happens when a user is deactivated or reactivated.
Write a script that calls Okta's APIs
Did you know you can use the power of APIs to mimic the functionality of out-of-the-box Okta integrations? You can write a script that polls for changes (e.g., a new hire is added or a current user is terminated) in your HR system. When these updates occur, an Okta API is called to process the changes. This can apply to cloud or on-premises systems, as your HR data can directly connect to Okta, then on to directories like Active Directory, with bidirectional sync. Your users can then be assigned to all the cloud or on-prem apps downstream.
As in our Namely example above, partnering is an option that can reap cross-functional benefits. Aquera is an Okta partner that extends the user provisioning and governance coverage of identity management platforms. For apps that have no formal integration with Okta, Aquera can build integrations on top of our platform, extending Okta's capabilities. These offerings can be provisioning or mastering connectors.
What’s the customer reaction to the feature?
And then came Workday
Interested in HR provisioning, but primarily using Workday? We’ve got a post for that. Check out our previous post, The Production Line: Workday as a Master to get the details on this popular integration.
The world of HR-provisioning is huge and we can only scratch the surface here. For a deeper, more technical dive into HR-driven provisioning, check out our our Considerations for an HR-Driven IT Provisioning Solution Checklist.