

    Wednesday, Aug 29, 2012

    We’re all on the clock

    Before heading to the airport for my latest trip (I’m in Ohio at this moment), I was packing my computer bag, and my driver showed up 45 minutes too early. Whenever I call the same people I’ve used the last quarter-century, their computer always says I should get picked up two-plus hours before my flight. I always dial that back to a little over an hour. In this instance, it didn’t take.

    And I tend to stick to the same hotel chain, to build up those wonderful points, but they’ve mucked up my last two reservations. On one, they reserved only one room instead of two (I was traveling with a colleague), and on the other they had me coming in on the wrong night.

    These are big names, not fly-by-nights, so I expect better.

    Things have to happen on time. There are expectations to be met. There are requirements to be fulfilled. People have to get what they need, in order to do their jobs. When people leave, they have to lose those same things. And if policies change, those policies have to be pushed out for accurate enforcement.

    Timely provisioning is a huge value. For internal users, it means faster time to productivity. Obviously, this is a good thing for their managers as well. For external users, it means a better customer experience. “I paid for this, when can I access it?” Easier access means greater usage, which in some situations translates to better revenue.

    If we properly align Oracle Identity Manager to the in-house HR app, for example, a new employee can be enabled on Day One at 9 am. A scheduled reconciliation task can pick up on the expected start date, and when the status changes to “hired” it can have that user up and running and ready to produce. When that user gets transferred, OIM can also pick up on the status change, provide new entitlements, and wipe out the old ones, without missing a beat.

    And of course there are terminations. The nice ones, where Joe is retiring at 5 pm on Friday, mean Joe’s expected termination date is picked up by OIM, and he keeps his access until the last minute, so he can properly hand off his assets and pending jobs before getting loaded at the bar with his old colleagues.

    And when you have the ugly terminations, you may not wait for the HR status to be updated. You go straight to OIM and hit “disable” on Joe’s account and make those access rights go away immediately, on every single target system, so that he can’t backdoor his way in.

    OIM uses BPEL to drive workflow tasks, which are gathered in a logical workflow definition to fit every situation. A request is made or an HR status is updated, and OIM initiates the workflow to automatically provide a mailbox and an AD account, before notifying approvers downstream that they need to okay (or reject) additional access. Provisioners are also notified that they need to fat-finger accounts for target systems that haven’t been hooked up yet. People who haven’t done their jobs get nagged on a timely basis before requests are escalated to a backup manager.

    One question I ask my prospective OIM clients is, “What’s your SLA on terminations?” Meaning, what is the expectation on timeframe for blowing away all access for a terminated user? Often I am given a concrete number. But sometimes people look at me and scratch their heads. The answer is, we get it done when we can. I tell them, they SHOULD be looking at seconds, or minutes at most. Hit the button, and watch those permissions go away, right away. Workflow drives this to completion.
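    The lifecycle described above (reconciliation against the HR feed picking up start dates, transfers and planned end dates, plus the out-of-band “disable” that does not wait for HR, measured against a termination SLA) can be modelled as a small standalone simulation. This is an added example, not OIM or BPEL code: the HR status vocabulary, the target system names, the per-target latencies and the one-minute SLA are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Target systems every employee account lives on (assumed names for the example).
TARGETS = ("mailbox", "ad_account", "erp")


@dataclass
class HrRecord:
    """One row from the HR feed; the status vocabulary is assumed, not OIM's."""
    user: str
    status: str                       # "active" or "terminated"
    start: datetime                   # expected start date
    end: Optional[datetime] = None    # expected termination date, if any
    entitlements: frozenset = frozenset()


@dataclass
class Account:
    enabled: bool = False
    targets: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)


def disable(acct):
    """Pull the account from every target and drop all entitlements."""
    acct.enabled = False
    acct.targets.clear()
    acct.entitlements.clear()


def reconcile(records, state, now):
    """One scheduled reconciliation run. Mutates state (user -> Account)
    and returns the actions taken as (user, action, detail) tuples."""
    actions = []
    for rec in records:
        acct = state.setdefault(rec.user, Account())
        wanted = set(rec.entitlements)
        if rec.status == "active":
            if not acct.enabled and now >= rec.start:
                # Start date reached: enable on every target, Day One 9 am.
                acct.enabled = True
                acct.targets.update(TARGETS)
                acct.entitlements = wanted
                actions.append((rec.user, "enable", tuple(sorted(wanted))))
            elif acct.enabled and acct.entitlements != wanted:
                # Transfer: grant the new entitlements, revoke the old ones.
                added = tuple(sorted(wanted - acct.entitlements))
                removed = tuple(sorted(acct.entitlements - wanted))
                acct.entitlements = wanted
                actions.append((rec.user, "transfer", (added, removed)))
        elif rec.status == "terminated" and acct.enabled:
            # Planned termination: access stays until the expected end time.
            if rec.end is not None and now >= rec.end:
                disable(acct)
                actions.append((rec.user, "disable", ()))
    return actions


def emergency_disable(user, state, clicked_at, target_latency):
    """Out-of-band disable that does not wait for HR. Targets are driven in
    parallel, so completion is the slowest target's latency (assumed model)."""
    acct = state.setdefault(user, Account())
    slowest = max((target_latency.get(t, timedelta(0)) for t in acct.targets),
                  default=timedelta(0))
    disable(acct)
    return clicked_at + slowest


def within_sla(clicked_at, completed_at, sla=timedelta(minutes=1)):
    """Was every target cleared inside the termination SLA?"""
    return completed_at - clicked_at <= sla


def run_scenario():
    """Constructed timeline: hire, transfer, planned and emergency termination."""
    state = {}
    day_one = datetime(2012, 8, 29, 9, 0)
    feed = [HrRecord("alice", "active", start=day_one, entitlements=frozenset({"sales"})),
            HrRecord("joe", "active", start=datetime(2000, 1, 1), entitlements=frozenset({"finance"}))]
    out = {}
    out["day_before"] = reconcile(feed, state, day_one - timedelta(days=1))
    out["day_one"] = reconcile(feed, state, day_one)
    # Alice moves from sales to support.
    feed[0] = HrRecord("alice", "active", start=day_one, entitlements=frozenset({"support"}))
    out["transfer"] = reconcile(feed, state, day_one + timedelta(days=1))
    # Joe retires Friday at 5 pm; HR posts the end date ahead of time.
    friday_5pm = datetime(2012, 8, 31, 17, 0)
    feed[1] = HrRecord("joe", "terminated", start=datetime(2000, 1, 1), end=friday_5pm,
                       entitlements=frozenset({"finance"}))
    out["friday_4pm"] = reconcile(feed, state, friday_5pm - timedelta(hours=1))
    out["friday_5pm"] = reconcile(feed, state, friday_5pm)
    # Ugly termination: disable Alice now, without waiting for HR.
    clicked = datetime(2012, 9, 3, 10, 0)
    done = emergency_disable("alice", state, clicked,
                             {"mailbox": timedelta(seconds=5), "ad_account": timedelta(seconds=2),
                              "erp": timedelta(seconds=40)})
    out["emergency_seconds"] = (done - clicked).total_seconds()
    out["emergency_in_sla"] = within_sla(clicked, done)
    out["alice_enabled"] = state["alice"].enabled
    out["joe_targets"] = sorted(state["joe"].targets)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

    Running the scenario shows the two behaviours the post contrasts: Joe is untouched by the 4 pm run and cleared by the 5 pm run because the HR feed carried his end date, while Alice is cleared in 40 seconds (the slowest constructed target) without any HR change, which is what a seconds-to-minutes termination SLA has to be measured against.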

    Accomplishing these critical tasks on time won’t get you a cookie. It’s the very least that’s expected of you.