When onboarding new hires, it is crucial to ensure they are in the right security groups and have access only to the systems necessary for their role. However, assigning these privileges manually invites errors that could compromise your security. Hire2Retire prevents these security issues through role-based access provisioning that ensures an employee’s role and profile dictate their access to security groups, keeping system access on a “need-to-know basis.” This article will show you how to set up role-based access provisioning in Hire2Retire.
The best way to keep your security access provisioning on a “need-to-know basis” is to make system access role- and profile-dependent. Hire2Retire accomplishes this by automatically assigning security group access in Active Directory (AD) based on an employee’s role in their integrated HR system profile. For example, you can set up a security group for the sales department that gives its members access to sales systems but not to marketing or IT systems.
After setting up an integration with a compatible HR system and mapping profile attributes to AD, you can map employee attributes to related security groups. Use attributes like “Job Title,” “Department,” and “Location” to divide access privileges based on an employee’s role, brand or subsidiary, and department. Once you have created your preferred mapping rules, you can export them for future use.
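
To make the attribute-to-group mapping concrete, here is an added example (not Hire2Retire's code or rule format) that evaluates rules on “Department,” “Job Title,” and “Location” and plans which memberships to add or revoke when a role changes. The rule structure, group names and function names are all hypothetical.

```python
# Added illustration: rule format, group names and helpers are hypothetical,
# not Hire2Retire's export format or API.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    conditions: dict    # HR attribute -> required value (all must match)
    groups: frozenset   # AD security groups granted when the rule matches


# Constructed sample rules keyed on the attributes the article names.
RULES = [
    Rule({"Department": "Sales"}, frozenset({"SG-Sales-Systems"})),
    Rule({"Department": "Sales", "Job Title": "Sales Manager"},
         frozenset({"SG-Sales-Forecasting"})),
    Rule({"Department": "IT"}, frozenset({"SG-IT-Admin-Tools"})),
    Rule({"Location": "Chicago"}, frozenset({"SG-Chicago-Office"})),
]
# Every group the rules can grant; only these are ever revoked automatically.
MANAGED = frozenset().union(*(r.groups for r in RULES))


def _norm(value):
    # HR exports often differ in case and whitespace; a missing value becomes "".
    return (value or "").strip().casefold()


def entitled_groups(profile, rules=RULES):
    """Union of groups from every rule whose conditions all match.
    A missing attribute never matches, so the default is no access."""
    groups = set()
    for rule in rules:
        if all(_norm(profile.get(attr)) == _norm(want)
               for attr, want in rule.conditions.items()):
            groups |= rule.groups
    return groups


def plan_changes(profile, current_groups, managed=MANAGED, rules=RULES):
    """Return (to_add, to_remove) for one employee.
    Groups outside `managed` are left alone so manual grants are not clobbered."""
    want = entitled_groups(profile, rules)
    current = set(current_groups)
    return want - current, (current & managed) - want


if __name__ == "__main__":
    # Constructed case: employee moved from Sales to IT but kept the old group.
    profile = {"Department": "IT", "Job Title": "Systems Engineer", "Location": "Chicago"}
    print(plan_changes(profile, {"SG-Sales-Systems", "SG-Chicago-Office"}))
```

The revoke set is what enforces “need-to-know” after a transfer: the stale sales group is removed, not just the new IT group added.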
Role-based access provisioning can go further than simply assigning system access. You can use security groups to drive single sign-on (SSO) access privileges, as well as to determine which licenses and accounts should be created for an employee. For Hire2Retire customers integrating with Azure AD, role-based access provisioning can be applied to Office 365 groups, giving you the power to dynamically assign access to the entire Microsoft licensing umbrella at a granular level.