Mastering Identity Management: When Your HRIS System Falls Short

May 26, 2016

Identity Management (IAM) is built around the concept of establishing a “Gold Standard” data set for each user that is: 1) accurate, 2) actively maintained, and 3) available. In IAM, answering the question “Who are you?” depends on having access to the most current information for each user (employee or contractor) on the network. Usually, the majority of user identity information comes from your Human Resources software (HRIS), because the HR system contains most of the interesting worker information (e.g., name, manager, position, division, department, title) and the expectation is that this data is generally well-maintained. When the HRIS system serves this purpose, it becomes the “Authoritative Source” whose data is trusted above all other systems; its data feeds the IAM solution, which in turn creates and manages user accounts in applications and systems. Building an IAM solution for the first time, however, often reveals issues with HRIS data and user management processes that can stall your IAM implementation. The question is: can we define a common approach to improve the quality of HRIS data so that our IAM solution succeeds?

Departments that have traditionally operated independently have also adopted a set of bad habits by circumventing standardization, using less-than-secure tools, and ‘thinking locally, not globally’. When an organization tries to centralize data management and provisioning processes, these departmental ‘islands of identity’ are exposed like a reef at low tide, and it takes great effort to harmonize user data across systems and rehabilitate broken processes. At some point, local administration must give way to central management to maintain and synchronize high-quality user data to the organization’s systems.


A mid-sized organization had been operating with a decentralized model, where each line of business managed its own HR processes and user administration tasks. While there was a central HR function and HRIS system, departments largely relied on their own manual processes to manage promotions, position changes, and user data in their systems. Departmental processes were loosely coupled with the central HR function, and departmental changes such as promotions were not always updated in the enterprise’s HRIS system. The end result was that employees had a title, position, and preferred name in their local system that did not match their information in HRIS. While this model served the local departments well, it worked against implementing a central IAM solution to automate routine user administration tasks.

For this organization, the most current user information, such as job title and manager, was stored in local systems and not reflected in the HRIS. Thus, any attempt to push HRIS data into the departmental systems would result in changes to the users’ records that would negatively impact users’ access and data.

The best practice is to maintain worker data through a central set of processes in the HRIS system (the Hub), which is then pushed to systems and applications via connectors (the Spokes). By centralizing user data, the organization can establish a set of standard processes and policies to automate user account management by synchronizing high-quality data to its systems.

If your HRIS system is not an authoritative source for answers to your user identity questions, what should you do?

  1. Identify weaknesses within user management processes that caused the need for IAM in the first place and address them. (For example, terminated users are not removed from applications and systems.)
  2. Re-establish relationships with departments and individuals that regard the IT department as a barrier to their mission (stakeholder assessment/engagement).
  3. Position HR as the single gatekeeper for user data in the workplace, in partnership with IT.
  4. Conduct annual data and process audits to identify ongoing issues and address them.
  5. Evaluate what data elements can be managed at the department level and synchronized back to the HRIS system to give departments some control.
  6. Develop a culture of innovation within IT to deliver more value to the organization each year. IAM leaders must focus on creating and maintaining strong peer-to-peer relationships with LOB executives, identifying new opportunities to deliver value, and developing and communicating a clear vision for the future.
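
A data audit of the kind step 4 calls for can be run as a read-only comparison before any HRIS push is enabled. The sketch below is an added example, not part of the original article: it compares the title, manager, and preferred name the case study describes as drifting, and flags the terminated-but-still-enabled accounts mentioned in step 1. The record layout, field names, and sample users are constructed for illustration.

```python
from dataclasses import dataclass

# Attributes the article describes as diverging between HRIS and local systems.
COMPARED = ("title", "manager", "preferred_name")

@dataclass(frozen=True)
class Finding:
    user_id: str
    kind: str    # "drift", "terminated_active" or "not_in_hris"
    detail: str

def _norm(value):
    # Ignore case and stray whitespace so formatting noise is not reported as drift.
    return " ".join(value.split()).casefold()

def reconcile(hris, local):
    """Dry run: compare records keyed by user id. Nothing is written to either side."""
    findings = []
    for uid, acct in sorted(local.items()):
        hr = hris.get(uid)
        if hr is None:
            findings.append(Finding(uid, "not_in_hris", "account has no HR record"))
        elif hr["status"] == "terminated":
            if acct["enabled"]:
                findings.append(Finding(uid, "terminated_active", "account still enabled"))
        else:
            for attr in COMPARED:
                if _norm(hr[attr]) != _norm(acct[attr]):
                    findings.append(Finding(
                        uid, "drift", f"{attr}: HRIS={hr[attr]!r} local={acct[attr]!r}"))
    return findings

# Constructed sample data (hypothetical users, not from the article).
SAMPLE_HRIS = {
    "e1001": {"title": "Analyst", "manager": "e1000", "preferred_name": "Dana", "status": "active"},
    "e1002": {"title": "Engineer", "manager": "e1000", "preferred_name": "Sam", "status": "terminated"},
    "e1003": {"title": "Senior Engineer ", "manager": "e1000", "preferred_name": "Lee", "status": "active"},
}
SAMPLE_LOCAL = {
    "e1001": {"title": "Senior Analyst", "manager": "e1000", "preferred_name": "Dana", "enabled": True},
    "e1002": {"title": "Engineer", "manager": "e1000", "preferred_name": "Sam", "enabled": True},
    "e1003": {"title": "senior engineer", "manager": "e1000", "preferred_name": "Lee", "enabled": True},
    "x9001": {"title": "Contractor", "manager": "e1000", "preferred_name": "Pat", "enabled": True},
}

if __name__ == "__main__":
    for f in reconcile(SAMPLE_HRIS, SAMPLE_LOCAL):
        print(f.user_id, f.kind, f.detail)
```

Each `drift` finding is a record a connector would overwrite on its first sync, so the list doubles as the work queue for deciding which side holds the correct value.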

In the end, your HRIS system is the logical choice as an authoritative source. In a decentralized environment, the challenge is to change the culture and pull as much of the user data management to the center as possible. The steps outlined above are the foundation to establish a virtuous cycle of data flow and process improvement; one feeds the other. Once data quality and service levels improve, application and system owners from across the organization will want to tap into that data for their own user management needs.
