Automate Complex Identity Processes Without Code

The friction-filled identity lifecycle

Most every IT team—whether in a huge enterprise with frequent mergers and acquisitions, a rapidly growing startup, or a mid-size business adapting to constant disruption—struggles to keep pace with dynamic user access management as employees join, change positions, or leave the organization. Especially in the world’s largest organizations, overwhelmed IT departments often become a bottleneck to high-volume employee onboarding and offboarding. But what if you could eliminate identity lifecycle chores that slow things down behind the scenes, and be the hero who not only provides access to new hires on their first day, but also minimizes security risk by removing that access instantly when needed?

Given how critical business applications are to employee productivity, and how many apps the average company uses (at last count, large organizations deploy over 160), identity management should never be an afterthought. IT teams who’ve streamlined account provisioning and deprovisioning are making progress, but this core automation is not always sufficient. The process of managing identity lifecycles often extends far beyond “add an account” or “deactivate an account” actions, causing many teams to muddle through manual, error-prone tasks in order to fully create or revoke accounts.

New employees get frustrated if it takes more than a day to receive the right level of access to all the applications, collaboration groups, and content libraries they need to get up to speed. Meanwhile, any delay in removing access for terminated users creates security risks, but deleting accounts prematurely can result in the loss of valuable corporate assets. If you still manage most of your identity lifecycle with email checklists, spreadsheets, or custom scripts that only a few people maintain (or even know about), you probably feel like you’re hitting a wall due to the heavy IT involvement required and difficulties with audit compliance.

Managing dynamic identities amidst rapid change

Once your team reaches its limit, there are ways you can lessen your identity lifecycle workload.

Okta Lifecycle Management

Many of our customers deploy Okta Lifecycle Management (LCM) to stay on top of identity changes. The solution includes pre-integrated provisioning for 190+ apps, a universal directory with lifecycle awareness, and prescriptive lifecycle orchestration. Its easy setup allows IT administrators to simply click a checkbox and automate repetitive tasks, such as creating, updating, or deactivating accounts. Increasingly, we’re finding that some companies need more flexibility to streamline deeper identity updates across their app ecosystem.

The Flexibility Challenge

IT teams are often stumped by how to efficiently and consistently manage complex joiner/mover/leaver (otherwise known as “JML”) scenarios. These more tedious identity tasks—including setting up different in-app entitlements for each application, creating time-based triggers to deactivate former contractor accounts or inactive users, or transferring files for deprovisioned users—are typically unique to each organization and, as such, are unsupported by most solutions in the marketplace today.

In order to address this identity challenge, many teams resort to a patchwork of brittle scripts in Windows PowerShell, Windows Task Scheduler, or other custom-coded solutions external to the identity platform. Alternatives like this eventually reduce human intervention, but also increase technical debt. Because they depend on many interrelated components (like custom code running on servers, third-party services, web apps, operating systems, firewall exceptions, etc.), these approaches to identity lifecycle management tend to break frequently.

Okta Lifecycle Management Workflows: The next advancement for lifecycle management

At Okta, we realize that customers want flexibility to create bespoke identity processes. IT teams don't want to maintain custom code or scripts, but these have been their only options until now. So we're introducing a no-code automation platform called Okta Lifecycle Management Workflows. This latest innovation enables admins to modernize ever-more-sophisticated identity-centric processes without leaning on developers. It provides a graphical drag-and-drop interface that combines triggers, logic, and time-based actions to build powerful “if-this-then-that” flows. As a result, anyone can easily stitch together app-specific provisioning and deprovisioning tasks.

For instance, with Okta Lifecycle Management Workflows, you can leverage Okta’s library of pre-built connectors for apps like Box, Slack, Salesforce, and more (or connect via public APIs) to tailor processes with deeper actions that meet your precise requirements. With out-of-the-box functions for flow control, branching, and data manipulation, Okta offers the power of code without code, and it is finally possible to orchestrate identity tasks that were previously just too hard to automate. By having this capability built-in to your identity architecture, your team will increase agility and decrease costs, all while facilitating constant business change and improving your company’s security posture.

New use cases for identity automation

Let’s dig into four ways Okta Lifecycle Management Workflows can automate tricky identity scenarios to generate real value for your business:

1. Take granular actions during onboarding and offboarding

Okta Lifecycle Management Workflows helps automate those tedious identity tasks that extend beyond basic account creation and deletion. You can establish flows to systematically add the appropriate user roles and permissions during provisioning, creating more thorough identity profiles from day one. These processes might entail:

• Creating a personal Box folder for each new employee and adding them to the appropriate shared folders based on their department

• Setting a new sales rep’s territory in Salesforce and sending a message to their manager once complete

• Adding people to relevant Slack channels based on their role and function 

• Specifying how new passwords should be generated and disseminated, and notifying admins and managers once all accounts are set up


Similarly, Okta Lifecycle Management Workflows can streamline complex deprovisioning activities. When someone leaves the company, you might:

• Transfer their Box files and Salesforce contacts to a manager, thereby saving assets that the user created during their time at the company

• Set an away message in GSuite, O365, or Slack, and forward incoming messages to a manager (while freezing the employee’s access to those apps and scheduling account deletion after 30 days)

• Convert their Zoom license from paid to free

• Retain their payroll access for a year, then deactivate it

• Create a service ticket in ServiceNow to alert admins that manual tasks need to happen


2. Resolve identity creation conflicts

Many companies have several fragmented stores of user data due to acquisitions, multiple locations, and different teams that manage user data (e.g., HR and IT). And it’s all too common for large enterprises to have multiple employees with identical names (as anyone named Mary Smith or Michael Johnson can probably attest), which is a problem when you create usernames or email addresses from their first and last names. With Okta Lifecycle Management Workflows, you can deploy no-code logic to clean up that mess by:

• Connecting to any source of truth to import data

• Catching conflicts during identity creation (e.g., by querying Okta for existing user names)

• Resolving conflicts via a custom algorithm (e.g., by appending a number to the end of a username or inserting a middle initial between the first and last names)
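The conflict-catching and conflict-resolving steps above, as an added example in Python (not Okta’s code): the set of usernames already in the directory is constructed inline, where a real flow would query Okta for it, and the two resolution strategies the list names (middle initial, then numeric suffix) are tried in order, with a batch helper so two identically named hires in the same batch do not collide with each other.

```python
import re
from typing import Dict, Iterable, Optional, Set, Tuple

def _clean(s: str) -> str:
    """Lowercase and keep only a-z and digits, so the result is safe in an email local part."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def resolve_username(first: str, last: str, taken: Set[str],
                     middle: Optional[str] = None, max_suffix: int = 99) -> str:
    """Return a username absent from `taken`, applying the page's strategies in order:
    1. first.last            2. first.m.last (middle initial, when one is known)
    3. first.last2, first.last3, ... (numeric suffix)
    `taken` stands in for the usernames already in Okta (constructed; a real flow queries)."""
    base = f"{_clean(first)}.{_clean(last)}"
    candidates = [base]
    initial = _clean(middle or "")[:1]
    if initial:
        candidates.append(f"{_clean(first)}.{initial}.{_clean(last)}")
    for cand in candidates:
        if cand not in taken:
            return cand
    for n in range(2, max_suffix + 1):
        cand = f"{base}{n}"
        if cand not in taken:
            return cand
    raise ValueError(f"no free username for {first} {last} within {max_suffix} tries")

def assign_usernames(hires: Iterable[Tuple[str, str, Optional[str]]],
                     existing: Iterable[str]) -> Dict[str, str]:
    """Assign usernames to a batch of (first, last, middle) hires, treating each new
    assignment as taken so two identically named people in one batch do not collide.
    Returns a mapping from '<first> <last> #<batch position>' to the chosen username."""
    taken = {u.lower() for u in existing}
    result: Dict[str, str] = {}
    for i, (first, last, middle) in enumerate(hires, start=1):
        username = resolve_username(first, last, taken, middle)
        taken.add(username)
        result[f"{first} {last} #{i}"] = username
    return result
```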


3. Define identity processes based on time, role, and other factors

Of course, the identity lifecycle includes more milestones than employee start and end dates. You can also utilize Okta Lifecycle Management Workflows to kick off various tasks at the right times based on specified context. This might involve granting conditional access, pausing processes, or taking different actions depending on key user attributes, such as a person’s role or team membership. Consider use cases like:

• Making permissions changes to several apps at once when an employee transfers positions or departments within the company

• Granting requests for certain apps, but only after checking a third-party system to see if a user has the correct set of permissions

• Enabling time-bound access for contractors

• Facilitating activity-based permissions (e.g., if a user is inactive for 30 days, send an email warning, and if there’s no activity within 7 days, deactivate their account)

• Postponing creation of accounts until a prior step is complete (e.g., email is activated)
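The activity-based rule in the list above (warn after 30 idle days, deactivate after 7 more), as an added Python example that is not Okta’s code: it models the scheduled decision a flow would make on each run, and handles the case the rule leaves implicit, a user who comes back after being warned, by cancelling the stale warning instead of deactivating them.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional

WARN_AFTER_DAYS = 30       # idle days before the warning email (the page's 30 days)
GRACE_AFTER_WARN_DAYS = 7  # further idle days after the warning before deactivation

@dataclass
class UserActivity:
    login: str
    last_active: date
    warned_on: Optional[date] = None  # date the inactivity warning was sent, if any
    active: bool = True

def next_action(u: UserActivity, today: date) -> str:
    """Decide what the flow should do for `u` when it runs on `today`:
    'none', 'warn' or 'deactivate'. Any activity after a warning cancels that warning,
    so a returning user gets a fresh 30-day clock and a fresh warning, never a silent
    deactivation from a stale one."""
    if not u.active:
        return "none"
    if (today - u.last_active).days < WARN_AFTER_DAYS:
        return "none"
    if u.warned_on is None or u.warned_on < u.last_active:
        return "warn"                       # idle 30+ days, no valid warning outstanding
    if (today - u.warned_on).days >= GRACE_AFTER_WARN_DAYS:
        return "deactivate"                 # warned, and still silent 7+ days later
    return "none"                           # warned, grace period still running

def apply_action(u: UserActivity, today: date) -> str:
    """Apply next_action to the record (the real flow would send the email or call the
    Okta deactivate action here) and return what was done."""
    action = next_action(u, today)
    if action == "warn":
        u.warned_on = today
    elif action == "deactivate":
        u.active = False
    return action

def run_policy(users: Iterable[UserActivity], today: date) -> Dict[str, str]:
    """One scheduled run over all users; returns {login: action}."""
    return {u.login: apply_action(u, today) for u in users}
```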

 

4. Distill and share identity insights

IT admins often receive data requests that sound simple, but end up consuming a lot of time. Thanks to Okta Lifecycle Management Workflows, you no longer have to manually extract data from Okta via APIs or syslogs, and tediously reformat it in consumable ways. Instead, you can set up a task that routinely extracts and combines relevant data, and then emails it to the right people on a set schedule. You might build workflows to:

• Create tables and store changes in user lifecycle states or other identity transactions across multiple apps, and share those with relevant stakeholders across your organization

• Provide your compliance team with a list of Okta admin accounts that attempted to authenticate from known proxied IP addresses

• Regularly call out to a third-party system, like Salesforce, to get a report of all users who have not signed in during the previous 30 days
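The compliance report in the list above (admin accounts that attempted to authenticate from proxied addresses), as an added Python example that is not Okta’s code: the events are constructed inline in the shape of Okta System Log entries, using only the fields this check needs (eventType, actor.alternateId, client.ipAddress, securityContext.isProxy, outcome.result; their names are an assumption of this example), and the admin list and proxy ranges are constructed placeholders. Both Okta’s own proxy flag and an organisation-maintained range list are consulted, and failed attempts are reported as well as successful ones.

```python
import ipaddress
from typing import Iterable, List, Set, Tuple

# Constructed sample events in the shape of Okta System Log entries (assumed field names).
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "actor": {"alternateId": "alice.admin@example.com"},
     "client": {"ipAddress": "203.0.113.5"}, "securityContext": {"isProxy": False},
     "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.session.start", "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "203.0.113.7"}, "securityContext": {"isProxy": True},
     "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.session.start", "actor": {"alternateId": "carol.admin@example.com"},
     "client": {"ipAddress": "192.0.2.10"}, "securityContext": {"isProxy": True},
     "outcome": {"result": "FAILURE"}},
    {"eventType": "user.session.start", "actor": {"alternateId": "carol.admin@example.com"},
     "client": {"ipAddress": "198.51.100.20"}, "securityContext": {},
     "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.account.update_password", "actor": {"alternateId": "alice.admin@example.com"},
     "client": {"ipAddress": "203.0.113.5"}, "securityContext": {"isProxy": True},
     "outcome": {"result": "SUCCESS"}},
]
ADMIN_ACCOUNTS = {"alice.admin@example.com", "carol.admin@example.com"}  # constructed
KNOWN_PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]             # constructed list
AUTH_EVENT_PREFIXES = ("user.session.start", "user.authentication.")      # assumed event types

def is_known_proxy(ip: str, ranges: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if `ip` parses and falls inside any of the organisation's proxy ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)

def admin_auth_from_proxies(events: Iterable[dict], admins: Set[str],
                            proxy_ranges: Iterable[ipaddress.IPv4Network]) -> List[Tuple]:
    """Rows (actor, ip, result, reason) for authentication attempts by admin accounts from a
    proxied address, flagged by Okta's securityContext.isProxy and/or the known ranges.
    Non-authentication events and non-admin actors are skipped; failures are kept."""
    rows = []
    for ev in events:
        if not ev.get("eventType", "").startswith(AUTH_EVENT_PREFIXES):
            continue
        actor = ev.get("actor", {}).get("alternateId")
        if actor not in admins:
            continue
        ip = ev.get("client", {}).get("ipAddress", "")
        reasons = []
        if ev.get("securityContext", {}).get("isProxy"):
            reasons.append("okta_is_proxy")
        if is_known_proxy(ip, proxy_ranges):
            reasons.append("known_proxy_range")
        if reasons:
            rows.append((actor, ip, ev.get("outcome", {}).get("result"), "+".join(reasons)))
    return rows
```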

How Okta Lifecycle Management Workflows unlocks business value

As the examples above illustrate, there are several benefits that come with automating more and more of your organization’s identity lifecycle management processes using a modern, no-code automation platform like Okta Lifecycle Management Workflows.

Increase IT agility

By empowering less technical people to create or modify workflows without any code at all, Okta Lifecycle Management Workflows reduces IT time spent on manual identity management, and frees admins and architects for more value-added work. This approach offloads the development and maintenance of connectors, and promotes the reuse of common provisioning patterns, so your team can avoid technical debt and be more productive and responsive to the business’s changing needs.

Speed time-to-value

Since Okta LCM Workflows lets non-developers orchestrate identity-related tasks, you obviate the need for developers and lengthy development processes. Instead, you can quickly and efficiently configure combinations of triggers and actions for almost any identity scenario or requirement your business dreams up. This saves time for IT admins, and promotes customized automation that can easily be maintained.

Lower total cost of ownership

With Okta Lifecycle Management Workflows, you’ll replace one-off code and scripting with a highly available, reliable, and repeatable approach—reaping cost savings that grow over time. By retiring cobbled-together integrations built with expensive, clunky legacy tools, you can consolidate your lifecycle automation into a single identity-centric solution.

NTT Data adopts scalable, automated lifecycle management

NTT DATA Services’ 120,000 employees deliver infrastructure, applications, and business process services to 85% of the Fortune Global 100. The company’s “One NTT” vision aims to enable the entire organization to operate with a unified approach. In support of this initiative, its IT team deployed Okta Lifecycle Management Workflows to automate the employee lifecycle and take the complexity out of identity creation. The platform powers the company’s entire onboarding and offboarding process, which optimizes costs and frees human resources to focus on other initiatives.

Okta Lifecycle Management Workflows helps NTT DATA make risk assessment painless for users through a central identity hub, which resolves identity conflicts by applying sophisticated automation and logic to attributes such as email addresses. It allows the team to define workflows based on user type and geography, making regulatory compliance seamless and eliminating manual processing errors. Moving forward, NTT DATA will also streamline processes such as granting access to retirement benefits.

“I can take a project that might have had 50 people associated with it, and bring it down to two, which has given me enormous efficiency gains. For my team, the power comes in how they can automate simplistic tasks in a no-code style environment,” said Steve Williams, enterprise chief information security officer at NTT DATA. “Workflows is going to be a huge game changer for us. We’re really looking forward to having one orchestration engine drive the employee experience from start to finish, and seeing our employees have access to what they need post-retirement.”

Advantages of no-code lifecycle management

In the pressure-cooker environment of today’s digital economy, IT teams must extract every ounce of efficiency they can from their technology solutions. Okta Lifecycle Management Workflows helps by breaking down identity complexity and advancing lifecycle automation, so IT teams can avoid the headaches of creating, maintaining, and hosting custom code. With app connectors that go beyond the standard create-read-update-delete actions of most identity integrations, Okta Lifecycle Management Workflows exposes even more of an app’s APIs to support rich logic, better timing controls, and multiple actions across multiple apps. With these powerful automation capabilities in your back pocket, you’ll be able to shift more focus towards innovation that’s core to your business.

Soon, Okta Workflows will extend to other identity tasks as well. For example, development teams who manage the customer identity journey could automate customer-centric flows surrounding consent and marketing—like adding a customer to certain campaigns in your marketing automation system, or logging their consent agreements for regulatory compliance. Or, your security team might use Okta Workflows to orchestrate rapid system responses to security incidents.

To learn more about how you can add Okta Workflows to your identity cloud, visit https://www.okta.com/workflows