If you are using WorkDay, you are undoubtedly familiar with how arduous it is to onboard a new employee for all the cloud applications your business uses. You enter their important information like first name, last name, title, and email. You probably are also using a directory service like Active Directory (AD) and that sets up the groups the user will be added. If your new employee has a title of Director of Sales, you will add him to all Sales groups in AD. Next, you need to give the new employee access to all the applications he or she will be using. You need to add those accounts one-by-one and activate the user. You need to be conscious of license issues. It seems like you are doing a lot of repetitive work but you are in HR, and this is what you have to do as an HR rep.
One user is OK to deal with but what if you have 150,000 employees? How will you handle if the employee's title changes and you need to deprovision them from some apps and then provision them to new apps? What happens if the employment contract is terminated and you need to deprovisioned and deactivate everything? What happens if that employee is a contractor and comes back to work. I think you are starting to see a massive headache and inefficiency your HR department is encountering. It doesn't have to be this bad. All of the above and more can be managed quite easily by the powers of Okta Single Sign-On and Lifecycle Management.
So let's dive into how Okta can work with Workday and AD to make onboarding, offboarding and Lifecycle management much less time intensive so you can allocate your time to the things that need your attention. As a bonus, all the items mentioned below are all out of the box with Okta.
Onboarding a User
• A new employee can propagate to Okta from Workday automatically • Okta can be configured to automatically provision to a downstream application • Okta can update user attributes (*Think of a change to an employee title, role, department, phone number, or address change*)
All of the above changes will get automatically updated and synchronized in Okta and your downstream apps like Salesforce and service directories like AD.
When people leave your organization, Okta will deactivate them in your Profile Master, and this information will go through Okta and a downstream application.
Using Workday as the Profile Master In the HR as a master scenario Think of Profile Master as your source of truth or the top level directory where you can perform User CRUD (Creating, Reading, Updating, and Deleting users) operations.
You can easily access Okta's Universal Directory using this path in the Okta Admin Dashboard:
Okta Admin console > Universal Directory
Configure Workday for Provisioning inside Okta
• When you enable an app to support provisioning there will be an API integration • So you enter you application admin credentials in Okta and Okta will use that to validate the API and gain access to the application APIs and then the application can gain access to the Oka APIs • Configuration can be configured bi-directionally ○ Okta can push changes to Workday ○ Workday can push changes to Okta ○ Since Workday is our Profile Master we will set up provisioning from Workday to Okta • We are also using AD but in this case, think of AD as a downstream application (in can be a cloud app, on-prem app, custom homegrown app, in can be a directory or a database)
Hire an Employee
Let's walk through a scenario where you onboard a new employee in workday.
• In workday create a new hire • Give the user a first name, last name and email address. (*note: You need to have an email address in order to have an Okta account*) • Make the hire date today's date (*we want this to happen in real time*) • The user will be a Regular full time employ in the Sales department and the title is Director of Sales Operations and based in Los Angeles • Save • You now have onboarded this user in your Profile Master (Which is Workday) • Wait 30 seconds • Open Universal Director inside Okta to see that the user has automatically propagated
Provisioning in Okta and usually takes 30 seconds or less to create and activate users in Okta and then push this them to downstream applications.
How does Okta handle assigning applications to users?
Not only can we automatically onboard users but we also can make sure they have access to all applications they are supposed to are assigned to them automatically. Obviously, manually assigning and unassigning apps to new employees would be both inefficient and time-consuming.
View Groups in Okta
• You will see a list of all your groups • You can see if the Group was created in Workday, Active Directory or Okta • Groups can be imported from applications (like Workday), directories (like AD) or created indirectly from within Okta
There are Two types of Groups in Okta
• Everyone Group - by default everyone in your Okta tenant belongs in this group ○ Put all your apps that everyone has access to in this group and then Okta will automatically assign those apps to that user • Specific Groups ○ Only a subset of users, like a Sales or Marketing Group ○ You assign all apps to this group that users in this group will need
When onboarding a user Okta can automatically assign that user to a group they are supposed to be in and this, in turn, will make sure they automatically have access to the apps they are supposed to have access to. This can be done quickly using Group Rules. We can add rules and use Okta's Expression Language to say something like "if the user's title has the word 'Sales' in it, then assign them to the Sales group. The Expression Language gives you ultimate flexibility with assigning users to groups to mimic a company's existing organizational structure.
If you now look at the user you created in Workday they have now propagated to Okta. They are active, and Okta lets you know that Workday is the Profile Master. If you view the user attributes in Okta you will see they are the same as what you entered in Workday. You will see the user in the Everyone Group and the Sales group (that rule we created earlier is working!).
And if you view applications, you will see that all the correct apps have been assigned to this user. The beauty of this is if you have Lifecycle Management active for these applications then Okta will automatically create accounts for this user in those applications and the user can access those apps using single sign-on.
If you search for the user in AD you will see the user has also propagated to AD. Check the attributes in AD, and you will see the job title has propagated as well. They have been added to the Sales group, and this user will follow all AD policies for Sales. This user also has an AD account created an activated where they can use to access any AD resources.
Now here is the beauty of Lifecycle Management (LCM) in Okta. In Okta we add a new Group rule that says any user with a title that has the word Marketing should be moved to the Marketing group. If we update the user's title in Workday from Director of Sales to Director of Marketing. Then after 30 seconds, the user has a new title in Okta, which in turn removed them from the Sales group and to the Marketing group. The user has been unassigned from all Sales applications, and new accounts were created to add those applications in the Marketing group to this user. AD was also updated downstream.
If you terminate user in Workday, the user will be deactivated in Okta and unassigned from all Groups and applications. They also have been deactivated in AD. If you had Lifecycle management activated for each application, Okta will deactivate each account and free up the license for each application.
Reports in Okta
• We can get reports on particular apps. Who is assigned, when they were assigned and how they got assigned (groups based or individual or if users manually requested access to the app) • The system log generates a log for every single thing that happens in your Okta tenant
In Summary, Workday, AD and Okta make great bedfellows as they save your organization time and money and keep your software and data secure and help ensure employees have what they need to work when they need it and if they are no longer working for your company you can rest assure that they no longer have access to your applications and data. This would save you time in you have only 25 employees, but this could be a game changer if you have 150,000 employees.