If you are using Workday, you are undoubtedly familiar with how arduous it is to onboard a new employee into all of your business's cloud applications. You enter the essentials: first name, last name, title, and email. You are also using a directory service like Active Directory (AD), and that means setting up the groups the user will be added to. If the new employee's title is Director of Sales, you add them to all the AD sales groups. Next, you must give the new employee access to every application they will use, adding those accounts one by one and activating the user, while keeping an eye on licensing. It is a lot of repetitive work, but you are in HR, and that is what an HR rep must do.
One user is manageable, but what if you have 10,000 employees? How do you handle an employee whose title changes, so that they must be deprovisioned from some apps and provisioned into new ones? What happens when an employment contract is terminated and you must deprovision and deactivate everything? What if that person is a contractor who later comes back to work? You are starting to see the massive headache and inefficiency your HR department faces. It doesn't have to be this bad: all of the above and more can be managed with Okta Single Sign-On and Lifecycle Management.
So let's dive into how Okta works with Workday and AD to make onboarding, offboarding, and lifecycle management far less time-intensive, so you can spend your time on the things that need your attention. As a bonus, everything described below is out of the box with Okta.
Onboarding a User
• A new employee propagates to Okta from Workday automatically
• Okta can be configured to automatically provision the user to downstream applications
• Okta updates user attributes (think of a change to an employee's title, role, department, phone number, or address)
All of the above changes are automatically updated and synchronized in Okta and in your downstream apps like Salesforce and directories like AD.
When people leave your organization, you terminate them in your Profile Master (Workday); Okta picks up the change, deactivates the user in Okta, and pushes that deactivation to each downstream application.
Using Workday as the Profile Master
In the HR-as-master scenario, think of the Profile Master as your source of truth: the top-level directory where you perform user CRUD (create, read, update, and delete) operations.
You can easily access Okta's Universal Directory using this path in the Okta Admin Dashboard:
Okta Admin console > Universal Directory
Configure Workday for Provisioning inside Okta
• When you enable provisioning for an app, Okta sets up an API integration with it
• You enter the application's integration credentials in Okta; Okta uses them to validate the connection and then to call the application's APIs on your behalf. Use a dedicated integration account with only the permissions provisioning needs (in Workday, an Integration System User), not a personal admin login: that credential now controls user creation and deactivation, so it should be scoped and rotated like any other privileged secret
• Provisioning can be configured in either direction
  ○ Okta can push changes to Workday
  ○ Workday can push changes to Okta
  ○ Since Workday is our Profile Master, we set up provisioning from Workday to Okta
• We are also using AD, but here think of AD as a downstream application (a downstream target can be a cloud app, an on-prem app, a custom homegrown app, a directory, or a database)
Hire an Employee
Let's walk through a scenario where you onboard a new employee in Workday.
• In Workday, create a new hire
• Give the user a first name, last name, and email address (note: an email address is required to create an Okta account)
• Make the hire date today's date (we want this to happen in real time)
• The user is a regular full-time employee in the Sales department, with the title Director of Sales Operations, based in Los Angeles
• Save
• You have now onboarded this user in your Profile Master (Workday)
• Wait 30 seconds
• Open Universal Directory inside Okta to see that the user has automatically propagated
Provisioning in Okta usually takes 30 seconds or less to create and activate a user in Okta and push them to downstream applications.
How does Okta handle assigning applications to users?
We not only automate user onboarding but also ensure that they are automatically assigned access to all the applications they need. Clearly, manually assigning and unassigning apps to new employees would be both inefficient and time-consuming.
View Groups in Okta
• You will see a list of all your groups
• You can see whether each group was created in Workday, Active Directory, or Okta
• Groups can be imported from applications (like Workday) or directories (like AD), or created directly within Okta
There are two types of groups in Okta
• Everyone group: by default, everyone in your Okta tenant belongs to this group
  ○ Assign the apps that everyone needs to this group, and Okta automatically assigns them to every user
• Specific groups: only a subset of users, like a Sales or Marketing group
  ○ Assign to the group all the apps its members will need
When onboarding a user, Okta can automatically place that user in the groups they belong in, which in turn gives them access to the apps they are supposed to have. This is done with Group Rules. A rule uses Okta's Expression Language to say something like "if the user's title contains the word 'Sales', then assign them to the Sales group." Note that this is a substring match: it catches "Director of Sales Operations", but it also catches any other title with "Sales" in it, so write rules to match your organizational structure rather than incidental words. The Expression Language gives you a great deal of flexibility in assigning users to groups that mirror your company's existing structure.
If you now look at the user you created in Workday, they have propagated to Okta. They are active, and Okta shows that Workday is the Profile Master. If you view the user's attributes in Okta, you will see they match what you entered in Workday. You will see the user in the Everyone group and the Sales group (the rule we created earlier is working!).
And if you view applications, you will see that all the correct apps have been assigned to this user. The beauty of this is if you have Lifecycle Management active for these applications then Okta will automatically create accounts for this user in those applications and the user can access those apps using single sign-on.
If you search for the user in AD, you will see that the user has also been propagated to AD. Check the attributes in AD, and you will notice that the job title has propagated as well. They have been added to the Sales group, and this user will adhere to all AD policies for Sales. Furthermore, this user has an AD account created and activated, which they can use to access any AD resources.
Now, here's the beauty of Lifecycle Management (LCM) in Okta. In Okta, we add a new group rule specifying that any user whose title contains the word 'Marketing' belongs in the Marketing group. If we update the user's title in Workday from 'Director of Sales Operations' to 'Director of Marketing', then after about 30 seconds the user's title in Okta changes. As a result, the Sales rule no longer matches and the Marketing rule does, so they are removed from the Sales group and added to the Marketing group. The user is unassigned from all Sales applications, and new accounts are created in the applications assigned to the Marketing group. AD is also updated downstream automatically.
If you terminate a worker in Workday, the user is deactivated in Okta and unassigned from all groups and applications. They are also deactivated in AD. If you have Lifecycle Management enabled for each application, Okta deactivates (rather than deletes) each account, which frees its license while leaving the account's data in place for audit or rehire. Whether deactivation actually reaches every app depends on each integration succeeding, so verify it (the System Log, covered below, records each attempt).
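The group-rule and assignment behaviour described above (the rule condition, the Everyone group plus rule-based groups, and the assign/unassign diff produced by a title change and by a termination), as an added example written for this article rather than Okta's own code. Group and app names are hypothetical; the Okta Expression Language form of the Sales rule would be String.stringContains(user.title, "Sales"), which the substring check below mirrors. It also shows the caveat that rules are additive: a title containing both words lands in both groups.

```python
"""Added example: a small model of the Okta lifecycle flow in this article
(group rules, group-based app assignment, and the assign/unassign diff that a
title change or a termination produces). Illustrative only; not Okta code."""
from dataclasses import dataclass


@dataclass
class User:
    login: str
    title: str
    status: str = "ACTIVE"  # Okta user status: ACTIVE or DEPROVISIONED


# Group rules as (group name, substring the title must contain).
# The Okta Expression Language form of the first rule would be
#   String.stringContains(user.title, "Sales")
# Matching here is case-sensitive, as that EL function is.
GROUP_RULES = [
    ("Sales", "Sales"),
    ("Marketing", "Marketing"),
]

# Apps assigned to each group (hypothetical names). Everyone is the built-in
# group that every user in the tenant belongs to.
GROUP_APPS = {
    "Everyone": {"Email", "Slack"},
    "Sales": {"Salesforce", "Gong"},
    "Marketing": {"HubSpot", "Canva"},
}


def evaluate_groups(user: User) -> set[str]:
    """Groups the user should be in: Everyone plus each rule that matches.
    Rules are additive, so a title containing both 'Sales' and 'Marketing'
    lands in both groups. A deactivated user is in no group."""
    if user.status != "ACTIVE":
        return set()
    groups = {"Everyone"}
    for group, needle in GROUP_RULES:
        if needle in user.title:
            groups.add(group)
    return groups


def desired_apps(user: User) -> set[str]:
    """Apps the user should hold accounts in, via group assignment."""
    apps: set[str] = set()
    for group in evaluate_groups(user):
        apps |= GROUP_APPS[group]
    return apps


def reconcile(current_apps: set[str], user: User) -> tuple[set[str], set[str]]:
    """Return (apps to create/assign, apps to deactivate/unassign) so the
    user's actual assignments match what the rules say they should be."""
    wanted = desired_apps(user)
    return wanted - current_apps, current_apps - wanted


def walkthrough() -> list[tuple[str, set[str], set[str]]]:
    """Replay the article's scenario: hire, title change, termination.
    Returns (step, assigned, unassigned) for each step."""
    user = User("jdoe@example.com", "Director of Sales Operations")
    current: set[str] = set()
    steps: list[tuple[str, set[str], set[str]]] = []

    def apply(step: str) -> None:
        nonlocal current
        add, remove = reconcile(current, user)
        current = (current | add) - remove
        steps.append((step, add, remove))

    apply("hire")                          # new hire propagates from Workday
    user.title = "Director of Marketing"   # title updated in Workday
    apply("title change")
    user.status = "DEPROVISIONED"          # worker terminated in Workday
    apply("termination")
    return steps


if __name__ == "__main__":
    for step, add, remove in walkthrough():
        print(f"{step:13s} assign={sorted(add)} unassign={sorted(remove)}")
```

The termination step unassigns everything, including the Everyone apps, because a deprovisioned user matches no group at all; that is the property you want an offboarding flow to have.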
Reports in Okta
• We can get reports on particular apps: who is assigned, when they were assigned, and how they got assigned (via a group, individually, or by the user requesting access)
• The System Log records every event that happens in your Okta tenant, including each provisioning and deprovisioning attempt and whether it succeeded
In summary, Workday, AD, and Okta make great bedfellows. They save your organization time and money, keep your software and data secure, help ensure employees have what they need when they need it, and, when someone no longer works for your company, let you rest assured that they no longer have access to your applications and data. This saves you time if you have only 25 employees, but it can be a game changer if you have 150,000.
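A check a practitioner would run after a termination, as an added example for this article and not Okta's own code: read System Log events for the offboarded user and list every assigned app that has no successful unassign event. The two event type names are Okta's published System Log event types (user.lifecycle.deactivate and application.user_membership.remove); the field layout is a simplification of the System Log schema (eventType, outcome.result, target[]), and the records, user, and app names are constructed for this example.

```python
"""Added example: an offboarding completeness check over Okta System Log
records. The records are constructed for this article in a simplified form of
the System Log schema; the user and app names are invented. Not Okta code."""

DEACTIVATE = "user.lifecycle.deactivate"
APP_UNASSIGN = "application.user_membership.remove"

# Constructed sample events for an offboarded user, jdoe@example.com.
SAMPLE_LOG = [
    {"eventType": DEACTIVATE, "outcome": {"result": "SUCCESS"},
     "target": [{"type": "User", "alternateId": "jdoe@example.com"}]},
    {"eventType": APP_UNASSIGN, "outcome": {"result": "SUCCESS"},
     "target": [{"type": "User", "alternateId": "jdoe@example.com"},
                {"type": "AppInstance", "displayName": "Salesforce"}]},
    # The Slack deprovisioning call failed (say, an expired API token): the
    # account stays active in Slack unless someone notices this event.
    {"eventType": APP_UNASSIGN, "outcome": {"result": "FAILURE"},
     "target": [{"type": "User", "alternateId": "jdoe@example.com"},
                {"type": "AppInstance", "displayName": "Slack"}]},
    # Another user's event; it must not count toward jdoe's offboarding.
    {"eventType": APP_UNASSIGN, "outcome": {"result": "SUCCESS"},
     "target": [{"type": "User", "alternateId": "asmith@example.com"},
                {"type": "AppInstance", "displayName": "Gong"}]},
]


def _targets(event: dict, kind: str) -> list[dict]:
    """Target entries of a given type (User, AppInstance, UserGroup, ...)."""
    return [t for t in event.get("target", []) if t.get("type") == kind]


def _is_for_user(event: dict, login: str) -> bool:
    return any(t.get("alternateId") == login for t in _targets(event, "User"))


def _succeeded(event: dict) -> bool:
    return event.get("outcome", {}).get("result") == "SUCCESS"


def was_deactivated(log: list[dict], login: str) -> bool:
    """True if the user has a successful deactivation event."""
    return any(e["eventType"] == DEACTIVATE and _succeeded(e)
               and _is_for_user(e, login) for e in log)


def deprovisioning_gaps(log: list[dict], login: str, assigned_apps) -> set[str]:
    """Apps the user was assigned that have no successful unassign event.
    A FAILURE outcome does not count: the account is still live in that app."""
    removed: set[str] = set()
    for e in log:
        if e["eventType"] != APP_UNASSIGN or not _succeeded(e):
            continue
        if not _is_for_user(e, login):
            continue
        for app in _targets(e, "AppInstance"):
            removed.add(app["displayName"])
    return set(assigned_apps) - removed


def offboarding_report(log: list[dict], login: str, assigned_apps) -> dict:
    """Summary a reviewer can act on: was the user deactivated, and which
    apps still need manual deprovisioning."""
    return {
        "login": login,
        "deactivated": was_deactivated(log, login),
        "gaps": sorted(deprovisioning_gaps(log, login, assigned_apps)),
    }


if __name__ == "__main__":
    # The assigned-app list would come from the app assignment report above.
    print(offboarding_report(SAMPLE_LOG, "jdoe@example.com",
                             {"Salesforce", "Slack", "Gong"}))
```

The assigned-app list is taken from the assignment report, not from the log itself: an app that never produced any event at all (Gong here) is exactly the gap this check is meant to surface.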