Managing Contractor Identities: Outsiders on the Inside

red-pill-blue

“This is your last chance. After this, there is no turning back. You take the blue pill — the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill — you stay in Wonderland and I show you how deep the rabbit hole goes.”
– Morpheus, The Matrix

Did you know that only 5 percent of organizations use the Contractor Module inside of their HRIS system?

The need to establish a centralized repository of contractor information is of paramount importance to provide basic security and access controls, support regulatory compliance, and prevent the loss of data and intellectual property.

Contractors provide organizations with the flexibility to bring in needed skills on a project by project basis – staffing up when more labor is needed and rapidly drawing down teams when project work is completed. The challenge with Contractors is how to manage their identities and access efficiently and effectively. This post explores the pros and cons of using different systems to manage the contractor identities within the organization. We rapidly come to the conclusion that there is no ‘one size fits all’ solution when it comes to establishing a Contractor System of Record.

System of Record

Strengths

Struggles

HRIS system
  • ‘Fit for Purpose’ – HRIS system is designed to manage employees & contractors
  • Leverages HR expertise to manage Contractor lifecycle and supporting processes
  • HRIS reporting tools
  • One place to manage supervisory relationships for all workers
  • Takes advantage of existing data collection/data quality tools
  • One System of Record for all employees and contractors; Single integration to IDM
  • Availability of HR portal to provide workflow and self-service tools
  • Need to stay within Legal Requirements around what data is collected for contractors and how their relationship to the organization is defined in HRIS
  • Additional cost for Contractor module may be high/prohibitive
  • Potentially complex integration with IAM system
Contractor Database
  • Easy to set up
  • Straightforward to integrate with IAM solution
  • Ability to enforce an End Date
  • Can set up a Web front end to collect contractor data from managers, finance, or HR
  • Difficult to link the contracting process to the onboarding process, for example, if you require the PO to be complete before the contractor is onboarded
  • Management of the Contractor Database falls to IT (usually)
  • Data Entry/Data Quality issues
  • Matching users between systems (no GUID, names may vary, etc.)
IDM system
  • Easy to set up a separate user directory for contractors
  • Leverage web-based tools and workflows for data collection and approvals
  • Ability to integrate with finance/contracts system (Copy over end date and other relevant data)
  • Ability to enforce an End Date
  • IT winds up as de facto manager of contractor onboarding
  • No events to trigger off of (e.g., no Hire, Transfer, Terminate)
  • Script-based polling for end dates to terminate and disable contractors is unreliable
  • Process and data ownership falls outside of HR team
  • Potential security concerns from  administering contractor identities directly in IAM system
Vendor Management System
  • Manage contracts and contractors in the same system
  • Includes basic workflow functionality for reviews and approvals
  • Out of the box VMS reporting on Contractors
  • Usually poor at managing contractor identities. Duplicates are very likely, causing security issues
  • VMS systems are designed to manage vendors and Statements of Work, not workers. Processes may not be suitable for purpose.

Most organizations begin managing their contractors in silos on a department by department basis. Manual processes to collect a minimum amount of data and establish network and account access for these users undermines information security, does not scale, and is difficult (if not impossible) to audit. While there are clearly pros and cons with each potential System of Record listed here, the need to establish a centralized repository of contractor information is of paramount importance to provide basic security and access controls, support regulatory compliance, and prevent the loss of data and the intellectual property.

Managing Non-employee Identities

If you enjoyed this article, please comment below and share with your network. For daily IAM and Cybersecurity insights, follow @Idenhaus.


Idenhaus Consulting specializes in Identity and Access Management (IAM), helping our clients solve the most challenging IAM problems. Contact us for more information.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top