Welcome

Thank you for taking time to visit my blog. My name is Drew Olson and I hope to use this space to share ideas and generate conversation regarding identity and access management.

    Recent Postings

    Entries in Active Directory (2)

    Monday, May 2, 2011

    Why you Should Use Employee Numbers in Active Directory 

    Organizations that are in the process of cleaning up their Active Directory or linking other systems such as face libraries, print badges etc., are often confronted with the problem that the employee ID number is not listed consistently in the Active Directory. In many cases this is a show-stopper; it prevents them from recognizing Active Directory as the central account database. This will result in problems once they start linking all the identities across the organization.

    The situation:

    You have an HRM system with 1,000 employee names, which may include double records for service contracts, functions, departments and managers. You also have an Active Directory containing 2,300 accounts, in which over the years various different IT agents have manually created user accounts based on their personal interpretation of naming standards. There is a need to clean up the Active Directory or to use it as the central account database.

    The challenge:

    As a first step, you could determine which of the 2,300 accounts have been assigned to employees who are no longer in service. This means that you must link employees in the HRM system to accounts in the Active Directory. If the employee ID or citizen service number is not listed in the Active Directory, you will not have a unique key with which to set up this link. Manually entering employee IDs or citizen service numbers for all Active Directory accounts is a time-consuming task.

    The solution:

    Tools4ever’s UMRA solution and consultancy services will allow you to align the HRM system and Active Directory in the space of a single day. The employee ID numbers are added to the Active Directory in the form of attributes that are invisible to end users. We provide support for any combination of naming conventions (100+) ever used to create accounts, including any subsequent requests for partner names or naming conventions, and align these with the HRM system. Experience shows that we are always able to achieve an alignment level of 85-90%, which leaves only a small list of accounts that will have to be processed manually.

    Would you like more information? Visit our website: User Provisioning from the HRM system.
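
A sketch of the kind of convention-based matching described above, as an added example that is not Tools4ever's or UMRA's code. The HR rows, account names and the four naming conventions are constructed for illustration; ambiguous and unmatched accounts are deliberately left for manual review rather than linked automatically.

```python
import re
import unicodedata
from collections import defaultdict

# Constructed sample data (assumption, not from the original post).
HR_RECORDS = [
    {"employee_id": "10001", "first": "Anna", "last": "de Vries"},
    {"employee_id": "10002", "first": "John", "last": "Smith"},
    {"employee_id": "10002", "first": "John", "last": "Smith"},  # double record
    {"employee_id": "10003", "first": "Jane", "last": "Smith"},
    {"employee_id": "10004", "first": "José", "last": "García"},
]
AD_ACCOUNTS = ["adevries", "john.smith", "jsmith", "garciaj", "svc_backup", "pjones"]

# Hypothetical naming conventions that admins might have used over the years.
CONVENTIONS = [
    lambda f, l: f[0] + l,      # jsmith
    lambda f, l: f + "." + l,   # john.smith
    lambda f, l: l + f[0],      # smithj
    lambda f, l: f + l[0],      # johns
]

def _norm(text):
    """Lower-case, strip accents, drop spaces and punctuation."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_text.lower())

def candidates(record):
    """Every account name this person could have under the known conventions."""
    f, l = _norm(record["first"]), _norm(record["last"])
    if not f or not l:
        return set()
    return {rule(f, l) for rule in CONVENTIONS}

def reconcile(hr_records, ad_accounts):
    """Return (matched, ambiguous, unmatched) for the given AD account names."""
    people = {r["employee_id"]: r for r in hr_records}  # collapses double records
    claims = defaultdict(set)                           # account name -> employee IDs
    for emp_id, record in people.items():
        for name in candidates(record):
            claims[name].add(emp_id)
    matched, ambiguous, unmatched = {}, {}, []
    for account in ad_accounts:
        ids = claims.get(account.lower(), set())
        if len(ids) == 1:
            matched[account] = next(iter(ids))   # safe to stamp with the employee ID
        elif ids:
            ambiguous[account] = sorted(ids)     # several people fit: review by hand
        else:
            unmatched.append(account)            # possible leaver or service account
    return matched, ambiguous, unmatched
```

The unmatched list is the security-relevant output: those are the accounts with no current employee behind them.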

    Wednesday, Mar 23, 2011

    Practical Scenario: PowerSchool Data Synchronization 

    School districts these days are facing serious challenges that require balancing increased technology demands and a surprisingly tech-savvy user base with reduced budgets and staff cuts. Recently, though, I was approached by a school district that has decided a new user provisioning process could help them address these issues.

    Their current situation:

    • 12,000+ students/staff with network accounts
    • PowerSchool Student Information System
    • Google Apps for students, Exchange 2007 for staff
    • 9 IT Staff (3 admins)
    • Scripts create Active Directory accounts from a provided data file, usually run at the beginning and end of semesters
    • Sysadmin who wrote the scripts left district two years ago
    • User accounts also created in about 6 other systems including library, e-learning, etc.

    This scenario is not at all uncommon, but what amazed me was the amount of time this district spent each year managing user accounts. The scripts were really only run about once a year, but still involved manual updating due to a new naming convention that had been implemented. Because no one could figure out the process the previous admin had scripted, hours upon hours were spent making these updates. Updating and removing users from the system was, again, a manual process and often neglected. Active accounts remained on the network for past users, and most updates were never made until someone was calling IT, unable to work. Needless to say, this process created a lot of wasted time and resources and also opened the door to some serious access issues.

    This district thought, and I agreed, that a more automated approach to user management would really help them free up this time and close some current security holes. With a school district, implementing an automated system, via a connector to PowerSchool for example, doesn't have to be difficult if proper planning and data are available. Tools4ever's User Management Resource Administrator really makes this planning and data synchronization a much more manageable process.

    The solution proposed was the UMRA suite, with a two-step phased approach as follows:

    Phase 1: creating a link with the PowerSchool system and Google Apps

    • Information on new student/employee, transfers and graduations/departures can be retrieved from their current status in PowerSchool, then compared with Active Directory and Google Apps
    • Accounts are created or updated as required multiple times a day, with any changes to information or status updates performed consistently and in a timely manner. Notifications and information can be sent to IT, end users, or any other appropriate party
    • Phased departures; user accounts are disabled on the last day of service. The account with resources will be deleted after x number of days.

    Phase 2: linking third-party applications

    • Phased creation of automatic links with each application and provisioning process as appropriate depending on user role and system
    • The application manager is notified via e-mail of any changes
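
The Phase 1 comparison and phased departures above, sketched as an added example (not UMRA's logic or configuration). The record layout, IDs and the 30-day retention value standing in for "x number of days" are assumptions; re-enabling a returning user and flagging accounts with no source record go slightly beyond what the post lists.

```python
from datetime import date, timedelta

RETENTION_DAYS = 30  # assumed value for the post's "x number of days"

# Constructed sample data: source-of-record rows (e.g. a student system export)
# and directory accounts, both keyed by the same person ID.
SOURCE = {
    "S100": {"last_day": None},                # active, has an account
    "S101": {"last_day": date(2011, 3, 1)},    # left three weeks ago
    "S102": {"last_day": date(2011, 1, 10)},   # left, retention period over
    "S103": {"last_day": None},                # new, no account yet
    "S104": {"last_day": None},                # returned, account still disabled
    "S105": {"last_day": date(2011, 6, 15)},   # departure scheduled, not yet due
}
DIRECTORY = {
    "S100": {"enabled": True},
    "S101": {"enabled": True},
    "S102": {"enabled": False},
    "S104": {"enabled": False},
    "S105": {"enabled": True},
    "S999": {"enabled": True},                 # no source record at all
}

def plan(source, directory, today, retention_days=RETENTION_DAYS):
    """Return {person_id: action} needed to bring the directory in line."""
    actions = {}
    for pid, rec in source.items():
        account = directory.get(pid)
        last_day = rec["last_day"]
        departed = last_day is not None and last_day <= today
        if departed:
            if account is None:
                continue                                   # nothing left to clean up
            if today >= last_day + timedelta(days=retention_days):
                actions[pid] = "delete"                    # retention period elapsed
            elif account["enabled"]:
                actions[pid] = "disable"                   # phase one of departure
        elif account is None:
            actions[pid] = "create"
        elif not account["enabled"]:
            actions[pid] = "enable"                        # person is back in service
    for pid in directory:
        if pid not in source:
            actions[pid] = "review"   # never auto-delete what the source cannot explain
    return actions
```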

    To learn more about how a phased UMRA solution can benefit your organization, visit our website: www.tools4ever.com