Understanding the role of HR in identity and access management

Posted by Richard Hunt on 27 July 2018
Richard Hunt

photo-1526062316359-870159813355-921363-edited

The importance of identity and access management (IAM) has increased dramatically over the last few years. As a result of multiple cloud applications, hybrid enterprise software landscapes and the rise of bring your own device (BYOD), employees are now accessing a much greater number of systems - and they no longer have to be in the office to do so, or be dependent on the office-based PC.

 

It doesn’t end there. Alongside this increasingly complex environment, other factors such as more stringent compliance and a greater emphasis on risk management mean that organisations must work harder than ever to control who can access what, and when.


However, when it comes to who has responsibility for IAM in a large enterprise, and to what degree, there is often disagreement. In essence, this responsibility must be shared between the ‘golden triangle’ of IT, HR and line of business managers.


Ultimately, IAM needs to ensure access rights are controlled in such a way as to balance the need for security and compliance, while ensuring employees are able to be as productive as possible. All three functions have a responsibility to get this right – and the workload should be shared appropriately. Yet the roles of each of these functions within this process are all too often misunderstood and wrongly assigned.


In fact, the job of provisioning and taking way access normally falls to an IT department – but they don’t necessarily know who’s who in the organisation, or who should have access to what. That’s where HR comes in working with the line of business.


But to truly understand the role and value of HR in this process, it’s important to recognise that IAM is not just about creating and securing access. It's about making employees productive from day one by ensuring they can access the systems and applications they need to do their jobs. Any time lost in that process will directly hurt your organisation’s bottom line.


So, what exactly should HR be doing in relation to IAM? And how can organisations embed an efficient and effective process to ensure responsibility is shared across the board?


Here’s three key points that will help you establish the role of HR in identity and access management and ensure the best possible outcome is achieved.



Take a look at your own HR department


HR – as the custodians of employee data - must be directly involved in the IAM process. In conjunction with line of business managers, they should provide the necessary information to IT in regards to an employee’s defined job role and responsibilities. The line of business should set the standard system access requirements for each defined role and individual, while HR should be the authoritative source of what ‘jobs’ have been defined, working with the business to ensure this all stays current.


In simple terms, this is what HR should be doing in regards to IAM. But you must compare this to what is actually happening in your organisation and assess exactly what role HR is playing in your own IAM process. It’s very possible that HR is taking on more responsibility than is necessary or sensible - or perhaps too little and leaving the provision of employee data to individual departments.


 

Define a clear IAM process


So much has recently changed in the nature of IAM that it would not be surprising if provisioning is a little disorganised, with lines blurred around who is doing and providing what. So, it often falls to HR, IT and the line of business to sit down and establish a firm IAM protocol and a clear understanding of how the process will work in practice.  


Make sure that everyone understands the end-to-end process and how each function should step-in and out of a seamless workflow – and then clearly establish where responsibility starts and ends for each department.


SP - Should expand to highlight where IAM and HR are intrinsically linked. E.g. New Joiners require access provisioning but also, when someone moves jobs, that should trigger recertification of their access as a minimium to check that they do not carry their existing access into a new and potentially different job role? Most notably, leavers! Common issues arise when people leave organisations. Who should be monitoring this? Is it the line manager’s responsibility to tell people? What if the line manager spots an opportunity to continue to have the account which had “special access” and so its not in their interests to reduce their control over a particular activity! Normally, leavers are captured by not running the payroll for them and so HR would know but how would IT access teams know when to deactivate or remove the leaver’s accounts?

Also, Re-organisations and restructuring - If HR are changing the org structure, then that might mean changing job descriptions. If that is the case, then shouldn’t the newly defined jobs have different requirements for system access? Thus, security and IAM integration is required.


 

Introduce automation


Assessing the role of HR and coordinating the way IAM works across departments also gives you the chance to introduce automation into the process.


You may be spending unnecessary amounts of time and money – and increasing risk – by relying too much on people to manage the process. And this human effort will largely fall on the shoulders of IT.

But an overreliance on manual processes to carry out necessary work introduces the risk of human error, which can result in mistakes with far reaching repercussions – both in terms of delaying access provision, fraud and compliance issues.


So it is wise to examine where automation can be introduced to lower the manual aspect of the process and help avoid compliance irregularities.   


Many IAM tools have built in features to integrate access management activities from HR event triggers. SAP in particular has this inherently available within their Access Control product to be able to directly integrate with SAP HCM and also SuccessFactors Employee Central. You can learn more about this by reading our recent guide to integrating SAP Identity Management and SAP GRC here.

 

 

In summary


HR obviously has considerable oversight across your employee data – and it’s their job to collate and use this information where appropriate.


But HR cannot simply be expected to spoon-feed IT with identity data, so it’s important to completely understand the role HR plays in this area and the scope and limitations they are subject to.


A full appreciation of HR’s involvement and responsibilities within IAM can result in a more productive and harmonious working relationship between HR, IT and line of business. It can also lead to successfully implementing automation into your IAM processes, which can save you time and money, reduce risk, and enable employees to work more productively and securely.

Topics: IAM AccessManagement Identity&AccessManagement

We would love to hear your thoughts. Please leave a comment.