Tips for Your Reorganization with IAM
Reorganizations come in many shapes and sizes. Sometimes they are limited to a few adjustments within a single department, but usually the changes are more significant. Entire departments are eliminated or merged, the job framework is rebuilt, or business processes are overhauled. Regardless of the goal and scope of a reorganization, success depends on preparation. You need to bring people along with the plans; larger changes may require a social plan, and an implementation plan must be developed. It is precisely during that implementation that your IT department plays an important role, and the IAM platform can be a valuable tool.
What is a Reorganization From an IAM Perspective?
You only find out during implementation whether a reorganization plan really works. That is the moment when people actually start in a new role, receive different tasks, and may move to another department. And while organizational consultants are puzzling over the complex relationship between people, responsibilities, processes, and departments, your IT team faces a similar challenge within the IT landscape.
Up to that point, the IT team had issued licenses, accounts, and permissions based on the existing operational model. Now you need to provide users, from an agreed moment onward, with different access rights that match their new role, department, or location. People expect a seamless transition, and the biggest fear is a stalled reorganization, leading to a massive stream of phone calls and messages to the service desk because ‘nothing works’.
The puzzle is even more complicated because you usually cannot plan a reorganization as a ‘big bang.’ In practice, teams and departments will transition to the new organization in phases, so converting accounts and application permissions must follow those same timelines. You may also want a period of ‘parallel running’; employees who already have access to new applications and data may also need temporary access to their previous systems. That way, people can gradually take over each other’s work and continue supporting one another. But not for too long to limit security risks.
Of course, manually processing all those changes is impractical. Fortunately, an IAM solution like HelloID can help significantly.
How Does IAM Help During a Reorganization?
HelloID automates account and permissions management using Role-Based Access Control (RBAC)[1]. This means you do not determine, for each user, which accounts and permissions they need. Instead, you automate this based on so-called ‘user attributes’ that are maintained in the HR application or another source system. Examples of such attributes include a person’s role, department, location, or earned diplomas. We then use business rules to derive from those attributes which accounts and permissions someone should receive. For example:
Users with the role ‘Sales manager’ receive an account on the CRM system, with permission to create and edit customer records.
With a limited set of these rules, you can largely automate permissions management. We call the complete set of business rules within the organization the role model.
This role model is also extremely useful when you are reorganizing. We do not need to determine, for each user, which accounts and permissions must be changed. On the contrary, we can implement most changes automatically by adjusting business rules, removing them, or creating new ones. This allows us to easily keep permission assignments up to date throughout the reorganization.
How Do You Use Business Rules in Your Reorganization Plans?
How does this work in practice? We will give a few examples.
1. Change of Role, Department, or Location
If employees move to another existing role, department, or location as part of a reorganization, this is processed automatically in HelloID. In the HR system, for example, someone’s department is changed, after which HelloID automatically adjusts the accounts and permissions based on the associated business rule or rules. This transition process always works this way, whether someone receives a different role individually or as part of a reorganization. In a reorganization, however, it usually involves more changes. HelloID detects the bulk changes and first asks the administrator for additional confirmation to prevent possible mistakes.
2. Leaving the Organization
As a result of reorganizations, colleagues may also leave the organization. First and foremost, this is of course a personal matter that should be properly supported by management and the HR team. However, HelloID can simplify the administrative processing that follows. With a properly configured offboarding process, you ensure that accounts are automatically blocked on time to prevent data leaks. If necessary, however, specific permissions can remain active temporarily so that former colleagues still have access during that period to, for example, pay slips and annual statements.
3. Adjusted Tasks and Responsibilities
As part of reorganizations, existing roles are often redefined, or departments receive different tasks. Within the HR system, nothing actually changes in that case, because someone is administratively assigned to the same role, department, etc. However, the work changes, and you may need different IT facilities. For that, the relevant business rule must be adjusted with different permissions. You can easily configure such changes within HelloID. If desired, you can also consider a transition period in which users receive both the old and the new permissions, to make the transition as easy as possible.
4. New Roles, Departments, or Locations
As part of the reorganization, the job framework may be expanded with new roles. New departments may also be created, and additional locations may be opened. In the HR system, employees can then be organizationally linked to such a new role, department, and/or location. If specific licenses and permissions are also associated with these, you can create additional business rules for them within HelloID.
Combination of Changes
These were some simple examples. In reality, all kinds of combinations are possible. People with identical roles may soon need slightly different permissions, depending on the specific department they work in. We can solve this by using business rules that no longer rely solely on that role as a condition, but also on someone’s department. Or a separate business rule may be needed per location because we also provision access badge settings from HelloID. The bottom line is that, based on the HelloID role model, we can support the transition from the old operation to the new one as effectively as possible.
Ad Hoc Changes with Service Automation
After this, a post-implementation support period begins. In practice, after a reorganization, things will still regularly go missing, even though someone needs them in the new situation. In any case, with business rules, you can usually automate only about 80% of all permissions. The remaining 20% is usually granted individually. Employees often have secondary duties; for example, they may be emergency response officers, which cannot be derived from HR data. And for staff personnel, IT needs often depend less on their role or department and more on the specific projects they are working on.
With the HelloID Service Automation functionality, you can support such individual and ad hoc adjustments. Through this module, you can create online forms that allow helpdesk employees, for example, to handle the most common user requests easily. Employees can also request certain facilities independently through a self-service portal, after which the review and processing are automatically completed. This ensures that after the reorganization, employees can quickly receive any missing items.
Fine-Tuning the Reorganization with Governance Tools
Once we have been working in the new organization for some time, we will likely have resolved many missing or incorrect settings through the service desk or the self-service portal. Then it becomes time to reassess the existing situation. Is the role model still current? Do business rules need to be adjusted or added? Over time, clutter may have developed because permissions were granted manually during the hectic reorganization, even though they were not structurally needed.
To evaluate the current permissions situation, HelloID now includes extensive governance features in addition to logging and reporting capabilities. For example, with Role Mining, you can identify logical relationships between users, their roles, and the permissions granted. This allows you to refine and optimize the role model further. The Toxic Policies solution prevents the assignment of conflicting access rights. And with Reconciliation, we have a useful tool to easily detect and correct permission sprawl within systems. There is also a Recertification function that periodically re-evaluates permissions granted individually. This helps prevent ad hoc permissions from remaining active in your IT environment longer than necessary.
Reorganization Topics by Sector
An IAM platform like HelloID is a useful tool for reorganizations. With automated provisioning, we ensure that updated organization, role distribution, and activities can be easily translated into new accounts and access rights. Service Automation then helps fine-tune permissions management at the individual level, and with the Governance features, we can continue to improve and optimize this over time.
There are, of course, specific challenges for each industry. The priorities of a healthcare organization are naturally different from those of a retailer. We therefore gathered some examples of points to consider by sector.
Government Organizations
For government organizations, compliance, integrity, and segregation of duties must remain guaranteed even after reorganizations. Permissions management within so-called case management systems, in particular, requires significant attention so that employees retain access only to the files for which they are responsible. This is especially important because these systems often collect and process sensitive personal data of citizens. To operate with integrity, clear segregation of duties is essential, and organizations must set an example by adhering to privacy and information security standards.
Healthcare Organizations
In healthcare organizations, Identity and Access Management must pay particular attention to granular access controls for patient data. The starting point is the so-called ‘least privilege’ concept, where everyone has access only to the medical personnel data needed for their own work. What makes this even more complex is that many contract workers are used; people often have multiple contracts, and schedules change continuously. The integration of scheduling systems, for example, therefore requires additional attention. Logging and auditing access to those medical systems are also crucial.
Educational Institutions
Educational institutions often combine multiple education types, programs, or faculties. This involves different groups of employees, students, and pupils, as well as educational processes, for which specific systems and ‘identity lifecycles’ are managed. At the same time, there must be flexibility to provide temporary teachers and substitutes with the right data quickly. Because students, especially minors, are a vulnerable group, their privacy must be protected with extra care. Because many changes must be implemented each year simultaneously, or even every semester, this requires additional attention.
Retailers
Retail is naturally focused on speed and dynamics in a market with often relatively small margins. Workforce management is also dynamic, with many temporary and part-time employees, so your IAM must be set up to allow you to implement changes quickly and easily. Many employees need access to POS systems, inventory management, and logistics applications, so it is important to prevent errors and misuse. As supply chain integration becomes more common, partners' and suppliers' access to applications and data must be properly managed and monitored. The secure handling of consumers’ personal data also requires additional attention.
Nonprofits
For nonprofit organizations, it is very important that personal and financial data in CRM and donor systems, among others, are protected effectively. Significant attention is also needed to provision and manage the various user types. In addition to regular employees, there are usually many volunteers and external parties involved, and many project-based and temporary accounts are often in use. Outsourcing IAM processes to the cloud is especially important here to keep IT costs under control.
Want to Learn More About HelloID?
In this blog, we have given some examples of how you can use HelloID to transfer existing accounts and access rights to the new situation during a reorganization. At the same time, there are many other scenarios. For example, you can relatively easily connect new applications through one of the connectors. Various merger scenarios are also possible, such as combining HR data from two organizations. Have you managed permissions manually so far? Then, a reorganization may be the ideal moment to introduce an IAM solution.
Would you like to discover what HelloID can mean for your organization? Visit the HelloID page or request a demo directly