Enforce Governance and meet Compliance for a zero-trust, least-privilege security posture
1950+ Employees
Cardenas Markets is one of the largest Hispanic grocery chains in the Western United States. It operates in three distinct store domains under one parent company. They have nearly 2000 employees working across store operations, distribution, and corporate functions.
Each of these three chains runs its own on-premises Active Directory (AD) domain controller, all of which sync on a shared Azure AD tenant. They were using ADP as an HR source of records, SolarWinds for the IT Service Desk system, and Azure Active Directory to manage user identities. But the lack of connection between these systems created a ton of manual work for IT admins, leading to operational inefficiencies and data errors.
By integrating RoboMQ’s Hire2Retire, Cardens Markets automated its employee lifecycle management and identity provisioning. Resulting in nearly 90% reduction in manual efforts and up to 60% cost savings.
Cardenas Markets is the largest and fastest-growing Hispanic grocery chain in the US, operating 50+ stores across California, Nevada, and Arizona, plus Los Altos Ranch Markets and Cardenas Ranch Markets. Founded in 1981, it is popular for authentic Hispanic products, specializing in:
Cardenas Markets is committed to providing the most authentic and freshest products that celebrate life, family, and culture.
Cardenas Markets had no automated integration between the ADP (HR system) and the hybrid Active Directory environment. Whenever HR updated or added employee data in ADP, nothing happened downstream until the tickets were created for the IT team to act on it manually.
Every task, including User account creation, group assignment, OU placement, and Azure AD sync, required IT tickets on SolarWinds by HR.
This challenge was further increased by the three-domain structure followed across Cardenas Markets. How?
Before provisioning any account, IT first had to determine which on-premises domain controller the employee belonged to based on their location and brand. After that, they had to execute the correct steps in the right environment and verify the change made to Azure AD.
Even during offboarding, IT admins entirely depended on HR for timely reminders, as there were no event-driven triggers for deprovisioning.
This led to several challenges for Cardenas –
Cardenas Markets implemented RoboMQ Hire2Retire, an employee lifecycle management and Identity Governance and Administration (IGA) platform, as an integration layer between ADP and the Hybrid AD environment.
With Hire2Retire, ADP becomes the single source of data for employee lifecycle events. So, whenever there’s a new event (hire, role changes, or offboarding) in ADP, it automatically triggers corresponding provisioning actions across the correct on-premises AD domain in real time. That too, without requiring the IT team to receive, interpret, and manually process any requests.
Hire2Retire also provides IT admins with a complete, timestamped audit trail for all provisioning activity across all three chains.
Hire2Retire monitors ADP for Joiner, Mover, and Leaver events. Whenever HR creates, updates, or offboards an employee record in ADP, Hire2Retire detects the change to trigger the corresponding workflows without manual intervention from IT.
Hire2Retire uses business rules set by Cardenas to determine which of the three on-premises AD domain controllers should receive provisioning. It is done based on the employee’s location, brand, and job profile.
When there’s a new hire, role change, or termination, Hire2Retire automates provisioning and deprovisioning processes. On hire, it creates AD accounts, places them in the correct Organizational Unit (OU), and assigns the security and distribution groups. If there’s an attribute change, Hire2Retire automatically updates the title, department, manager, and display name. On termination, it deactivates the user’s account on their last working day, with no manual dependencies.
Hire2Retire detects the mover event in ADP when an employee moves between chains and updates all relevant attributes and group memberships. It also migrates the employee account to the correct domain where required. During rehiring, employee data is matched with the existing disabled account to avoid duplicate entries, keeping the Active Directory clean.
With ADP as an authoritative data source, routine provisioning work runs automatically. This frees IT teams from repetitive tasks and enables them to focus on security, infrastructure, and high-priority work.
Before, it was three brands, three domains, and an overworked IT team with tons of manual work. Now, Hire2Retire has automated the entire employee lifecycle management process. So, they are no longer the mutual link between HR and identity systems.
Cardenas Market was facing a common but complex problem. HR systems were not connected with identity management systems. The multi-domain environment required IT teams to manually orchestrate actions for every employee event. Resulting in a slower onboarding, inconsistent offboarding, and an exhausted IT team.
Hire2Retire resolved that by connecting ADP (HR System) to the hybrid AD environment. It enables automated domain routing based on business rules while maintaining a complete audit trail. All of that without changing how HRs used ADP or adding additional tools for IT to manage.
RoboMQ is not affiliated, associated, authorized, endorsed by, or in any way officially connected with any of HR systems that it provides integration with and are mentioned in this case study. All product and company names are the registered trademarks of their original owners.
1950+ Employees
