Enforce Governance and meet Compliance for a zero-trust, least-privilege security posture
As part of the Phase 10.3 release, Hire2Retire now natively supports UKG Ready integration as an HR system, allowing organizations to integrate employee data directly with identity platforms such as Active Directory, Microsoft Entra ID, Google Workspace, and Okta.
This enables organizations to use UKG Ready as the primary HR data system, ensuring seamless synchronization of employee data across identity platforms through UKG Ready integration. Employee lifecycle events such as onboarding, role changes, and offboarding trigger identity actions automatically.
When new employees are added to UKG Ready, Hire2Retire creates their identity profiles across connected systems. As employees move within the organization, their access and account details are updated accordingly. When employees leave, access is revoked in a timely and controlled manner. This reduces delays in access provisioning and minimizes manual intervention from IT teams.
The UKG Ready integration starts with configuring UKG Ready inside the Identity module, as shown below. Administrators can register it as the HR system using API-based configuration.
The connection uses OAuth client credentials, which enables secure data exchange and allows Hire2Retire to fetch employee records. The OAuth client credentials flow handles authentication between systems without requiring user interaction. The integration supports event-based triggers such as new hires, updates, and terminations, ensuring that identity changes are processed as they occur.
Once configured, Hire2Retire begins pulling employee data through the UKG Ready integration and tracking changes over time. Employee data is fetched using API-based polling, ensuring that updates in UKG Ready are reflected in identity systems at regular intervals. The integration supports both full data sync and delta sync, allowing organizations to fetch complete employee records or only incremental changes based on the last updates.
The data synchronization process relies on structured API calls to fetch employee records along with associated attributes required for identity creation. These APIs return both summary and detailed employee data, which is then processed and normalized before being pushed to target identity systems. This ensures that identity profiles are created using complete and consistent data sets across directories.
In addition, the integration tracks changes over time using delta-based comparisons. This allows the system to identify updates such as job changes, department transfers, or status updates without reprocessing the entire dataset, improving efficiency and reducing processing overhead.
Organizations can define how identity processes run across different environments. This includes selecting target systems such as Active Directory, Microsoft Entra ID, Google Workspace, and Okta.
Each target system follows its own provisioning logic based on configuration. For example, Active Directory provisioning may include organizational unit placement and group membership assignment, while Microsoft Entra ID and Google Workspace provisioning focus on identity creation, licensing, and access configuration. These actions are executed based on predefined rules, ensuring consistent account creation and management across connected systems.
Administrators can also control where accounts are provisioned, how updates are handled, and when actions should take place using the UKG Ready integration. For example, account creation can align with the employee start date, while updates can trigger automatically when employee attributes change. This keeps identity processes aligned with HR data.
Once employee data is integrated, lifecycle rules define how identity lifecycle automation actions are triggered for creating, updating, and removing identities. Hire2Retire allows organizations to define lifecycle business rules, as shown below, that apply across onboarding, internal movement, and offboarding processes.
Lifecycle rules can also incorporate conditional logic based on employee attributes such as department, role, location, or employment type. This allows organizations to define granular policies for different user groups. For example, contractors may follow a different provisioning and deactivation flow compared to full-time employees.
These rules ensure that identity actions are not only automated but also context-aware, reducing the risk of over-provisioning or incorrect access assignments.
For onboarding, the system creates accounts and assigns access based on predefined conditions. During role changes, access permissions are updated to reflect new responsibilities. For offboarding, accounts are disabled, and access is removed based on policy.
In addition, organizations can enforce password rules, manage account states, and ensure compliance requirements are followed at each stage. These rules ensure consistent execution across lifecycle events.
Errors in employee data often lead to issues such as duplicate accounts, incorrect access, or incomplete records. Hire2Retire includes attribute mapping capabilities, as shown below, that allow organizations to map employee data from UKG Ready directly into identity systems. This includes fields such as name, job title, department, manager, employee ID, and contact details.
During configuration, administrators can also apply transformation rules to ensure that data is formatted correctly before provisioning. This helps maintain consistency across usernames, email formats, and directory attributes. Proper mapping reduces common issues such as duplicate identities, missing attributes, and manual corrections after provisioning.
Mapping configurations also support field-level validation to ensure that required attributes are present before provisioning begins. If mandatory fields are missing or incorrectly formatted, the system can flag these records for review or apply fallback logic where defined. This helps prevent incomplete identity creation and ensures higher data integrity across systems.
In environments with multiple identity targets, the same HR attribute can be mapped differently depending on system requirements. This flexibility allows organizations to maintain system-specific formats while using the same HR data across identity and target applications, supporting consistent identity management and user provisioning.
Once connected, Hire2Retire manages identity actions across the employee lifecycle. It supports processes such as identity validation, account provisioning, access updates, and controlled deactivation.
Workflows can include approval steps where needed, along with scheduling based on effective dates. For example, account activation can align with a joining date, while access changes can take effect during role transitions. Audit logs provide visibility into actions, helping track changes and support compliance requirements.
Each action within the workflow is logged with timestamps and execution details, providing a complete audit trail for identity operations. This visibility helps organizations track provisioning timelines, validate policy enforcement, and support compliance audits.
In addition, retry mechanisms can be configured for failed actions, ensuring that temporary system or network issues do not result in incomplete provisioning or missed updates. When UKG Ready is used as the HR system, updates are reflected across identity platforms as changes occur. This improves identity lifecycle automation and reduces delays in access management.
The addition of UKG Ready integration connects HR data directly with identity lifecycle management. By using employee data as the foundation for identity workflows, organizations can maintain consistency across identity and target systems. This integration reduces manual effort, improves identity management, and keeps access management aligned with employee records.
For a deeper look into this release, explore the Hire2Retire Phase 10.3 updates.
