
Service Automation

Service automation is a broad term for methods, techniques, and systems that automate manual, routine service processes. This includes activities ranging from customer interactions and data processing to scheduling and report generation. With service automation, organizations work more efficiently, improve the user experience, reduce costs, scale capacity faster, and increase accuracy. Automation commonly uses workflow management systems, Robotic Process Automation (RPA), and artificial intelligence (AI).

Service automation is relevant across many domains and business processes. Significant gains can also be achieved in issuing and managing digital accounts, permissions, and other facilities through service management automation. In this article, we focus specifically on the service automation capabilities around Identity and Access Management.

Service Automation Capabilities Within IAM

The service automation capabilities for Identity and Access Management become clear when you consider how accounts, permissions, and other IT facilities are manually issued in organizations. Below is an example of the steps involved:

Step 1. When a new employee receives a contract, an HR staff member enters their information in the HR systems. In addition to personal details, job role, department, work location, and skills are recorded.

Step 2. HR then sends an email to the IT service desk requesting that accounts be created in various systems, such as office systems (Office) and required business applications.

Step 3. Someone on the IT team then creates an Active Directory account, an email account, and an Office account. The correct folders and groups must also be assigned, depending on the person’s duties.

Step 4. For additional business applications, such as a CRM or ERP system, requests are routed to the application administrators. They create new accounts for the employee and ensure that the correct permissions are assigned. An account is also created in the HR system with access to the HR portal.

Step 5. As part of onboarding, physical items are also issued, such as a laptop, phone, and access badge. These must be configured with the correct settings and permissions.

Step 6. After onboarding, changes are still needed regularly. If someone takes on a new role or moves to another department, they may need different applications and permissions. HR must then submit a request to the IT service desk, which organizes the changes in the underlying systems.

Step 7. Someone may also need other software and access to specific folders, for example, for a project they are involved in. The relevant manager must submit a request to the IT service desk.

Altogether, this creates a tangle of manual processes. Even if each action does not take much time on its own, the overall turnaround time is usually significant due to the volume of emails, additional coordination when things are unclear, and correcting mistakes. Fully enabling someone’s IT accounts and permissions can easily take a week or more, and an IT staff member can spend multiple half-days per month handling all the manual changes. This is compounded by extra requests such as name changes or password resets.

This is where there is significant potential for service management automation. Within the IAM domain, the largest gain comes from automated provisioning. In our experience, about 80 percent of all actions can be automated, so that is our initial focus.

Moving Toward Standardization and Automation of Provisioning

In smaller or start-up organizations, it is common to use a copy-and-paste approach to create accounts when a new employee joins. You copy the data from an existing employee and adjust it for the new colleague. This quickly leads to discussions, since the new colleague has slightly different tasks or new applications have become available, and so on.

As your organization grows, you need to organize and standardize access management. This is not only more efficient but also required by laws and regulations. The GDPR, for example, requires that employees have access to personal data only when it is necessary for their role and duties.

Many organizations, therefore, maintain a role catalog that defines standard roles and associated policies for assigning software and permissions based on roles, departments, work locations, and qualifications.

An example: With the role ‘nurse’ in a hospital, you receive access to the Electronic Health Record, but your department determines which patient data you can access, and whether you can use the medication module depends on your qualifications.

Once you have implemented that standardization, you can fully automate account issuance and access permission management. In an IAM solution like HelloID, we use Attribute-Based Access Control for automated provisioning. This works as follows:

  • The source system for automatic provisioning is often the HR system. It contains up-to-date information (attributes) for every employee at any time.

  • Within the HelloID platform, business rules can be configured. Business rules determine which employees receive which accounts and permissions based on user attributes from the HR system, such as role, department, location, and more.

  • HelloID then instructs the various target systems to create the required accounts and set permissions.

  • If someone changes roles or departments, this generally also means they need different software and permissions. HelloID derives this from the business rules and instructs the target systems to implement the changes.

  • When someone leaves the organization, HelloID detects the change in the HR system and automatically instructs the target systems to block access and, after a defined period, remove the accounts.

Nearly everything performed manually in the previous section now runs fully automatically and completes within one day. Manually, the turnaround time was often several days.
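The attribute-driven flow above, sketched as an added example (not HelloID code or configuration). The rule table, entitlement names, 30-day retention period and the sample HR record are all assumptions made for illustration; the nurse rules follow the hospital example given earlier.

```python
from datetime import date, timedelta

# Hypothetical business rules: (condition on HR attributes, entitlement or builder).
RULES = [
    (lambda p: True, "office:account"),
    (lambda p: p["role"] == "nurse", "ehr:access"),
    (lambda p: p["role"] == "nurse", lambda p: "ehr:patients:" + p["department"]),
    (lambda p: p["role"] == "nurse" and "medication" in p["qualifications"],
     "ehr:medication-module"),
]
RETENTION = timedelta(days=30)  # assumed "defined period" before deletion

# Constructed sample HR record, not real data.
NURSE = {"id": "e1001", "role": "nurse", "department": "cardiology",
         "qualifications": {"medication"}, "contract_end": None}


def has_left(person, today):
    end = person["contract_end"]
    return end is not None and end < today


def desired_entitlements(person, today):
    """Evaluate every rule against one HR record; leavers are entitled to nothing."""
    if has_left(person, today):
        return set()
    return {ent(person) if callable(ent) else ent
            for cond, ent in RULES if cond(person)}


def plan(person, current, today):
    """Diff desired against current state into instructions for target systems."""
    desired = desired_entitlements(person, today)
    actions = []
    if has_left(person, today):
        actions.append(("block_account", person["id"]))
    actions += [("revoke", e) for e in sorted(current - desired)]
    actions += [("grant", e) for e in sorted(desired - current)]
    if has_left(person, today) and today - person["contract_end"] >= RETENTION:
        actions.append(("delete_account", person["id"]))
    return actions


if __name__ == "__main__":
    mover = dict(NURSE, department="oncology")
    before = desired_entitlements(NURSE, date(2024, 1, 10))
    print(plan(mover, before, date(2024, 1, 10)))
```

Because the plan is a diff against the current state, a department change revokes the old patient-data scope in the same pass that grants the new one, which is what keeps movers from accumulating access.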

Process Individual Requests Manually

We already noted that automated provisioning allows you to automate about 80 percent of your original manual IAM tasks. For some employees, especially in more operational roles, you can automatically grant all accounts and permissions based on roles, departments, and similar attributes. However, some people have a less clearly defined role, such as project managers. During provisioning, you grant them the standard office software, while the additional software and data they need depend on the projects they take on.

There must therefore be room for individual requests. For example, requesting a project management tool and access to the project folder. Other individual change requests are also possible. For example, when someone gets married and wants to add their partner’s name to the email address, or when someone wants to reset their password.

There are several ways to handle this, ranging from an email or phone request to the IT service desk to an online ticket in an IT Service Management system. However, most processing remains manual, so the last 20 percent of IAM tasks can still generate significant work. There are often additional steps behind the scenes. An individual license request must be approved by the individual’s manager and, in most cases, by the resource owner to avoid overissuing licenses. You also want to record individual requests, their approvals, and activation precisely for later audits. Finally, you often want such individual permissions to be active only temporarily. You do not want employees to accumulate licenses indefinitely, and you also want to control costs.
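The three controls named above (approval by manager and resource owner, a precise audit record, and temporary activation) can be combined as in the following added example. It is not HelloID code; the class, function and event names are hypothetical, and refusing approval by the requester is an added assumption rather than something the article states.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Request:
    requester: str
    product: str
    manager: str
    resource_owner: str
    duration: timedelta                      # grants are always time-limited
    approvals: set = field(default_factory=set)
    expires_at: Optional[datetime] = None    # set on activation

AUDIT = []  # append-only trail: (timestamp, actor, event, requester, product)


def record(now, actor, event, req):
    AUDIT.append((now.isoformat(), actor, event, req.requester, req.product))


def approve(req, approver, now):
    """Register one approval; activate only when every required approver agreed."""
    required = {req.manager, req.resource_owner}
    if approver == req.requester or approver not in required:
        record(now, approver, "approval_rejected", req)
        raise PermissionError(f"{approver} may not approve this request")
    req.approvals.add(approver)
    record(now, approver, "approved", req)
    if required <= req.approvals and req.expires_at is None:
        req.expires_at = now + req.duration
        record(now, "system", "activated", req)


def is_active(req, now):
    return req.expires_at is not None and now < req.expires_at


def sweep(requests, now):
    """Revoke every activated grant whose lifetime has run out."""
    expired = [r for r in requests if r.expires_at is not None and now >= r.expires_at]
    for r in expired:
        record(now, "system", "expired_revoked", r)
        r.expires_at = None
        r.approvals.clear()
    return expired
```

Rejected approval attempts are written to the trail as well, so an auditor sees who tried to approve a request, not only who succeeded.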

Service Automation for Individual Requests

Therefore, there is much to gain from automating the remaining 20 percent of individual actions. Using HelloID as an example, we do this with the Service Automation module. This module enables you to automate individual requests wherever possible. You save time, increase employee productivity, and improve employee satisfaction. At a high level, Service Automation offers two options:

  • Self-Service Products: These are for automatically requesting a specific permission, such as access to an existing (group) mailbox, project folder, or application. You can request this access yourself and have it approved. Each product includes an online approval flow that involves the responsible manager and/or product owner.

  • Delegated Forms: These forms are suitable for other change requests around accounts or account attributes. Examples include a form to change a password, or to create new folders or mailboxes. These requests require additional input, such as the names of the new folders or mailbox, which you provide via a delegated form.

That 20 percent of individual requests covers different types of products and requests, including individual mailboxes, groups, folders, licenses, permissions, and more. Each request type is slightly different, and you can automate them over time. A practical approach is to inventory your top 10 service tickets. Start with those, and gradually automate additional request types.

It also helps that we offer a three-step adoption model. Some changes are relatively large, so it is undesirable to roll them out across the organization immediately. We can therefore introduce new functions first to the service desk staff. From there, you can migrate further to managers or key users and, if desired, as a final step, introduce full end-user self-service. We outline the three steps here:

Step 1

Delegation to the Service Desk: Normally, requests must be processed in the back-end systems by specialized personnel with elevated admin rights. With Service Automation, less-experienced helpdesk staff can now process these requests independently. This service desk automation streamlines work, improves safety, reduces costs, and enables auditability.

Step 2

Delegation to Managers and/or ‘Resource Owners’: A next step is to shift change request handling to managers or key users. They can review requests within their team, activate the products, and enter and process delegated forms. Technically, this step is simple, but the organizational impact is greater. Managers now have greater control over their employees' application usage.

Step 3

Delegation to Users: The final step is end-user self-service. Through an online catalog with products and forms, employees can submit requests themselves that, after online review and approval steps by their manager(s) or product owners, are processed automatically in the relevant back-end systems.

Learn More About Service Automation for IAM Processes

Want to learn more about the service automation capabilities enabled by our HelloID modules? View the Service Automation module page here.
