Using Systems Thinking to Handle Errors In Your IAM Solution

August 7, 2019


Working in the trenches in HR and IAM operations, it is very easy to lose sight of the big picture. When dealing with events on a daily basis, every event and decision is usually assessed individually, only weighing its immediate effects. This often leads to losing sight of the relationships between process improvement work and system/service delivery. There are many elements needed to make an Identity Management solution work properly, and one of the most important is agreeing on how the HR system and processes will integrate with IAM to accomplish the user management and security objectives of the organization. The best way to achieve this is through Systems Thinking.

While traditional analysis focuses on the individual parts of the solution, like the HRIS system and the IAM system, Systems Thinking takes a broader view of how the individual parts interact with each other to help identify the cause of a problem. The real value of Systems Thinking emerges when it is used as a holistic perspective on your HR processes and IAM systems. It allows us to pinpoint the root cause of the actual problem, while also understanding the extended context that surrounds it.


Let’s look at an example. What happens when your HR system cannot consistently send a given transaction to IAM?

We have seen situations where the HR system is not always able to successfully pick up a transaction to send it to the IAM system. These errors can be caused by a number of factors and should ultimately be addressed in the HR integration itself. However, when organizations are short-staffed and don’t have the HR resources to resolve the underlying issue, they need a stop-gap solution to address the situation. 

The question is, what is the best way to resolve the issue?

Generally, there are three options:

Option 1: Do Nothing - Have the HR system send transactions and continue to rely on manual error resolution.

Option 2: Shift the Burden to IT - Stop sending the HR transactions and have the IAM system process all the transactions (e.g. run a script).

Option 3: Systems Thinking - The HR system sends the transaction AND the IAM system processes the missed transactions.

When these situations arise, we often see the HR team try to punt the entire problem to the IAM team. “We can’t get the integration to work. You own the user account, so you deal with it.” On the IAM side, there are other considerations, such as Audit Findings, that can occur when the user account is active in one system (IAM) but inactive in the other (HR). If we have a script that is relying on stale data, the odds of throwing an Audit Finding are high. Thus, a combination of security and audit concerns makes Option 2 difficult for the IAM team.

If we have a 10% error rate from our HR integration, then 1 in 10 transactions fail and someone must manually re-process them. Not good. Running a script on the IAM side to process these transactions has a lower error rate, which is better, but still not ideal.

However, if we take a step back and examine our system using Systems Thinking, we can see that the best solution is clearly Option 3, which combines the approaches of Options 1 and 2. By combining these two approaches, we can drive most of the errors out of the system. HR will continue to send the transactions. When 10% of those transactions fail, a script on the IAM side processes the users that were missed in the integration. The combined error rate is a small fraction of either approach as a standalone solution.
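The IAM-side backstop described above, as an added example that is not Idenhaus code or any particular product's integration: a reconciliation pass compares the HR snapshot (source of truth for employment status) against the IAM account state, applies only the missed create/enable/disable actions, and refuses to act on stale HR records or on accounts HR does not know about, because acting on stale data is how the audit findings mentioned earlier arise. The record layout, the two-day freshness window, and all employee data are constructed assumptions for the example.

```python
"""Added example (not Idenhaus code): an IAM-side reconciliation pass that backs up
an unreliable HR feed while refusing to act on stale HR data.

Assumptions: HR exports a per-worker status snapshot with a last-updated timestamp;
IAM exposes the current account status per worker id. All sample data is constructed.
"""
from datetime import datetime, timedelta

# Constructed HR snapshot (the transactions the integration should have delivered).
HR_RECORDS = [
    {"emp_id": "E100", "status": "active",     "updated": "2019-08-06T09:00:00"},
    {"emp_id": "E101", "status": "active",     "updated": "2019-08-06T10:30:00"},  # hire the feed dropped
    {"emp_id": "E102", "status": "terminated", "updated": "2019-08-06T11:00:00"},  # termination the feed dropped
    {"emp_id": "E103", "status": "active",     "updated": "2019-07-20T08:00:00"},  # stale record
]

# Constructed IAM view: worker id -> account status (absent means no account exists).
IAM_ACCOUNTS = {
    "E100": "active",
    "E102": "active",
    "E104": "active",  # account with no HR record at all
}

NOW = datetime(2019, 8, 7, 8, 0, 0)   # assumed run time of the script
MAX_AGE = timedelta(days=2)           # assumed freshness window for HR data


def reconcile(hr_records, iam_accounts, now=NOW, max_age=MAX_AGE):
    """Compare HR (source of truth for employment) with IAM (account state).

    Returns (actions, review):
      actions - list of (emp_id, action) the script may apply automatically
      review  - list of (emp_id, reason) that must go to a human, because acting
                on stale or missing data is how audit findings happen
    """
    actions, review = [], []
    seen = set()
    for rec in hr_records:
        emp_id = rec["emp_id"]
        seen.add(emp_id)
        desired = rec["status"]
        current = iam_accounts.get(emp_id, "missing")
        updated = datetime.fromisoformat(rec["updated"])

        # HR and IAM already agree: the integration delivered this transaction.
        if (desired == "active" and current == "active") or (
            desired == "terminated" and current in ("disabled", "missing")
        ):
            continue

        # Disagreement, but the HR record is old: do not touch the account.
        if now - updated > max_age:
            age_days = (now - updated).days
            review.append((emp_id, f"HR record {age_days} days old; not acting on stale data"))
            continue

        # Fresh disagreement: this is a transaction the feed missed, so process it.
        if desired == "active":
            actions.append((emp_id, "create" if current == "missing" else "enable"))
        else:
            actions.append((emp_id, "disable"))

    # Accounts IAM knows but HR does not: never auto-disable, but surface them.
    for emp_id, status in iam_accounts.items():
        if emp_id not in seen and status == "active":
            review.append((emp_id, "active account with no HR record"))
    return actions, review


def combined_error_rate(hr_fail, script_fail):
    """Fraction of transactions that slip through both layers, assuming the two
    failure modes are independent (an assumption, not a figure from the post)."""
    return hr_fail * script_fail


if __name__ == "__main__":
    acts, rev = reconcile(HR_RECORDS, IAM_ACCOUNTS)
    for emp_id, action in acts:
        print("ACTION", emp_id, action)
    for emp_id, reason in rev:
        print("REVIEW", emp_id, reason)
    print(f"combined error rate: {combined_error_rate(0.10, 0.02):.3%}")
```

The split between `actions` and `review` is the design point: the script only automates the cases where HR is fresh and unambiguous, and everything that could produce an account active in IAM but inactive in HR (or vice versa) from stale data is routed to a person rather than silently corrected.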


When we are stuck on a problem, it often helps to step back and look at the bigger picture – the overall system. We see things from different perspectives (HR, Security, IAM) and can discover new solutions that bring together disparate ideas into a more coherent whole. When we look at problems holistically, we can find opportunities for change that were previously hidden. The result is improved performance and better overall outcomes.

In an ideal world, your HR system will send all transactions to your Identity Management solution without error and IAM will effortlessly grant access to your users. Workers will show up on their first day of work with network access, an email account, and a set of applications to start doing their jobs. It's important that we know how to address problems from a holistic perspective when they occur instead of relying on workarounds.  

