The key identity and access management challenges you need to address to ensure successful HCM SaaS deployment.
So, your organisations’ on-premises Human Capital Management (HCM) solution is due an upgrade and your HR department have made the decision to move their HCM system into the cloud, using something like Workday, SuccessFactors, ADP or BambooHR. There is no disputing the many benefits of cloud-based SaaS HCM solutions, such as, employee self-service, faster onboarding/offboarding of new users, better employee engagement and reduced costs and administration time.
HCM systems are one of the most widely-adopted technologies in business, but despite their popularity, implementation and adoption challenges remain. As with any new system deployment, however easy the vendor may make it sound, there are some important challenges you should consider to ensure successful integration with existing IAM systems and to maintain critical security and access governance procedures.
Here is our list of the top 5 HCM SaaS deployment challenges you need to address to avoid identity synchronisation headaches and access governance pitfalls:
HR, rightly so, should be the department that knows first about joiners, movers and leavers (JML), so it makes sense to update and maintain all this information in the Cloud HCM system. You want the HCM SaaS solution to be the new authoritative source, the ‘single source of truth’ for employee identity, but can you get the data in easily? Have you considered how to deal with the migration?
You may well encounter data quality issues upon migration of data and records into your new HR solution. Common issues include (but are not limited to) incomplete / incorrect staff records or a mismatch between IT accounts and HR accounts, or your Active Directory having vastly more ‘dormant’ accounts from a lack of directory maintenance.
You may also need assistance in securely and reliably writing back information from your current authoritative source (Active directory or other) to the new HCM SaaS solution. A common example of this is with writing back telephone numbers and email addresses (we do this a lot).
Now that your cloud HR tool is the authoritative source the IT department will want to get timely and detailed data out quickly and easily, to feed the hungry IAM system and provision access for JML processes.
The first hurdle to overcome with HCM SaaS solutions is that programmatic interfaces to these new cloud systems are often not designed for bulk data transfer, but more likely to only support the “tell me which employee you are interested in and I’ll give you that information” model (an API based only around single employees’ queries). SaaS applications can sometimes be a little too simplistic in terms of reporting functionality, often because they are designed with a more commercially orientated front-end and UI, as opposed to their more detailed (and sometimes a little less snazzy) IAM counterparts.
As a starting point, it’s well worth taking a look at the Microsoft tutorials for automatic user provisioning with Workday.
We recognise that no organisation is the same, however, so it’s also possible that your organisation may need to configure a more unique interface, where you can extract full or delta employee information to fit your own processes.
When can HR make JML information available to IT for provisioning of accounts? Can IT provision accounts before the user start date (that would be nice!).
With regards to joiners – any delays in synchronisation (even just overnight) will mean disruption and a less than optimal day one experience for a new starter, as they struggle to log in to key systems. Processes need to be fully automated to avoid manual procedures and human error. And avoid admin tasks from both HR and IT department where possible.
With regards to movers and leavers – the goal is to enable proper maintenance processes, to ensure data governance and control over user access and security.
If you can’t get the info out easily and on time, then this will create big synchronisation headaches for IT and HR.
Most of the new SaaS HCM systems provide all the core functionality for role-based security, but many are not comprehensive enough to deal with more advanced access requirements, such as time limited access permission, protecting privileged access accounts or monitoring privilege escalations. You may well need to integrate your HCM solution with tools such as PIM/PAM to effectively grant ‘just in time’ administrator access.
HR and employee ‘self-service’, for maximum productivity, is a great idea! You want to provide it. Employees want it. We want to help you to achieve it!
Self-service is a huge driver and benefit of HCM SaaS solutions, but how can you integrate and secure it properly in a manner that compliments your existing IAM Strategy?
A typical first reaction from an HR solution provider is “we have our own secure access model that makes this really easy for you” – let me translate for you “we have our own user accounts database” – We don’t think you want that.
We would strongly recommend that you aim to integrate your HR solution with Azure AD rather than opting for the HCM supplied ‘self-service’ access accounts database, as otherwise you are dealing with yet another ID store (another account to manage and protect).
For Workday integrations with Azure AD you should start by reviewing the Microsoft tutorial “Azure Active Directory integration with Workday”. Or, if you’re looking at an alternative HCM SaaS Solution, like SuccessFactors, then take a look more integration guidance here.
Once you have integrated your SaaS HCM solution with your existing Azure AD, you will be able to control access, enable easy self-service with single sign-on (SSO) and manage/synchronise your accounts from just one central location. Once the HCM solution is integrated with Azure AD, we would also recommend implementing MFA for extra security.
Before selecting your HCM solution, you should check the Azure Active Directory Application Gallery to see if your chosen cloud HR solution already supports Azure SSO.
If not, all is not lost because Microsoft also support SSO to applications which are not (yet) in the application gallery. Your options would be SAML, password-based SSO or federated (or linked access) access (ADFS etc.).
Lastly, have you also thought about how to get users into your SaaS HCM solution if not all your users are ‘connected’? (For example, non-computer facing staff, contractors, freelancers.) In this instance, it may be necessary to integrate your SaaS HR tool with both a cloud directory like Azure AD and an on-premises Active Directory… this is where it can get a little more complicated.
So now you have your authoritative source for employees sorted, and you can provision users to your on-premise and cloud-based applications, all configured for secure SSO (naturally), but, upon launch, how do you securely distribute a user’s first set of credentials to them?
Print them out? Email them? Leave a sticky not on their desk? Or tell their line manager what they are?
This a where a clever little tool called Access Centre Activation can come in very handy to allow simple and secure management of initial password setting, flexible methods of authentication and reduced chances of users setting weak or insecure passwords.
Whether you are contemplating implementing or have already implemented a SaaS HR solution and would like help configuring it as an authoritative source for your IAM solution, or if you need help providing secure SSO to your HR (or any other) cloud-based solution, we can help.
If any of the above challenges resonated with you, then we would love to talk further at one of our monthly identity roundtables.
Alternatively you can apply for a complimentary half-day Identity and Access Management Envisioning Workshop and benefit from a detailed 1-2-1 discussion on your challenges and possible solutions.
Automate the management of users, control corporate access and achieve business security. Book your free half-day Identity and Access Management Envisioning Workshop today.Apply for a free workshop
Eight-time winner of the Microsoft Partner of the Year Award for Identity Management, Enterprise Mobility, Security and Compliance.
Oxford Computer Group UK officially rebranded as ThirdSpace in the UK on 16 October. This rebrand reflects our broadening identity and security solutions, as working practices extend from the office and home into working flexibly and collaboratively from anywhere – Your "ThirdSpace".Continue to ThirdSpace
You are seeing this because you are using a browser that is not supported. The ThirdSpace website is built using modern technology and standards. We recommend upgrading your browser with one of the following to properly view our website:Windows
Please note that this is not an exhaustive list of browsers. We also do not intend to recommend a particular manufacturer's browser over another's; only to suggest upgrading to a browser version that is compliant with current standards to give you the best and most secure browsing experience.