For years, our user provisioning process had been a manual nightmare. When a new employee was hired, HR would enter their information into UKG (our HR system), then send an email to IT with the person’s details. The Help Desk would manually create an Active Directory account and then would have to manually provision users and access rights to over 15 different business applications from Salesforce and GenesysCloud to our security tools, project management systems, and more. Each application had its own access request process, and the Help Desk was spending hours on every new hire just clicking through different admin consoles. It was slow, error-prone, and didn’t scale as the company grew.
The challenge was that our identity data lived in multiple places with no single source of truth. Active Directory had the username and email address, but job titles in AD were often outdated or inconsistent. UKG had the authoritative HR data – correct job title, department, team, manager, hire date, employee ID – but UKG couldn’t generate usernames that followed our naming conventions. Okta sat in the middle trying to synchronize everything, but it was fighting conflicting information from multiple sources. Previous attempts to automate provisioning had failed because nobody had solved the fundamental question: which system should be the source of truth for which attributes?
I architected a solution that switched our source of truth from Active Directory to UKG for everything except the user’s UPN, Email, and Username – those three continued to be generated by Active Directory because they needed to follow our specific naming conventions and domain structure. All the other attributes that actually described the person – Last Name, First Name, Job Title, Department, Team, Manager, Hire Date, Employee ID – were sourced directly from UKG. This meant that when HR entered a new employee in UKG, Okta would automatically pull that authoritative HR data, combine it with the username and email that Active Directory generated, and automatically provision the person into all the appropriate applications based on their job title and department.
Now new hires got access to all their applications on day one with minimal interaction from the Help Desk team. When someone was promoted and HR updated their job title in UKG, the new title propagated to the vast majority of our apps, and where an app supported it, their permissions changed to match those required by the new role.
When someone left the company and HR terminated them in UKG, Okta automatically deprovisioned them from every connected application within minutes.
The Help Desk was on track to shave off 2-3 hours of work for each new hire and it streamlined terminations and off-boardings so much that we saw a drastic reduction in orphaned accounts.
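The design above comes down to two rules: each attribute is taken from exactly one authoritative system, and entitlements are derived from HR attributes rather than requested per app. The following is an added illustration (not code from this post, and not the Okta, UKG or Active Directory APIs) that models that per-attribute merge and the joiner, mover and leaver reconciliation that falls out of it. The record layouts, application names, role rules and employee records are all constructed for the example.

```python
"""Per-attribute source of truth plus joiner/mover/leaver reconciliation.

Added example. Record shapes, app names, role rules and sample employees
are constructed; nothing here calls a real HR system, directory or IdP.
"""

# Which system owns which attribute. The directory keeps the identifiers that
# must follow naming conventions; HR owns everything that describes the person.
AD_OWNED = {"upn", "email", "username"}
HR_OWNED = {"first_name", "last_name", "job_title", "department", "team",
            "manager", "hire_date", "employee_id", "status"}


def merge_profile(hr_record: dict, ad_record: dict) -> dict:
    """Build the identity profile, taking each attribute only from its owner.

    A value the non-authoritative system holds for an attribute it does not
    own (e.g. a stale job title in the directory) is simply ignored.
    """
    profile = {attr: hr_record[attr] for attr in HR_OWNED if attr in hr_record}
    profile.update({attr: ad_record[attr] for attr in AD_OWNED if attr in ad_record})
    return profile


# Constructed role rules: attribute values to match (None = any) -> apps granted.
ROLE_RULES = [
    ({"department": None, "job_title": None}, {"email", "hr-portal"}),  # everyone
    ({"department": "Sales", "job_title": None}, {"crm"}),
    ({"department": "Support", "job_title": None}, {"contact-center"}),
    ({"department": "Support", "job_title": "Support Manager"}, {"contact-center-admin"}),
    ({"department": "Security", "job_title": None}, {"siem", "edr-console"}),
]


def desired_apps(profile: dict) -> set:
    """Entitlements implied by the HR attributes. Anyone not active gets nothing."""
    if profile.get("status") != "active":
        return set()
    apps = set()
    for match, grants in ROLE_RULES:
        if all(v is None or profile.get(k) == v for k, v in match.items()):
            apps |= grants
    return apps


def reconcile(profile: dict, current_apps: set) -> dict:
    """Diff current assignments against desired; the result is the work the
    Help Desk used to do by hand in each admin console."""
    want = desired_apps(profile)
    return {"grant": sorted(want - current_apps), "revoke": sorted(current_apps - want)}


def orphaned_accounts(app_accounts: set, hr_records: dict) -> list:
    """Accounts in an app whose employee ID is unknown to HR or no longer active."""
    return sorted(emp for emp in app_accounts
                  if hr_records.get(emp, {}).get("status") != "active")


# Constructed sample data (fictional employees).
HR = {
    "E1001": {"employee_id": "E1001", "first_name": "Ana", "last_name": "Ruiz",
              "job_title": "Account Executive", "department": "Sales", "team": "West",
              "manager": "E0900", "hire_date": "2024-03-04", "status": "active"},
    "E1002": {"employee_id": "E1002", "first_name": "Ben", "last_name": "Okafor",
              "job_title": "Support Manager", "department": "Support", "team": "Tier 2",
              "manager": "E0901", "hire_date": "2021-06-14", "status": "active"},
    "E1003": {"employee_id": "E1003", "first_name": "Cy", "last_name": "Lee",
              "job_title": "Analyst", "department": "Security", "team": "SOC",
              "manager": "E0902", "hire_date": "2019-01-07", "status": "terminated"},
}
AD = {
    # The directory still carries an outdated title; the merge must drop it.
    "E1001": {"username": "aruiz", "email": "aruiz@example.com",
              "upn": "aruiz@corp.example.com", "job_title": "Sales Intern"},
    "E1002": {"username": "bokafor", "email": "bokafor@example.com",
              "upn": "bokafor@corp.example.com"},
    "E1003": {"username": "clee", "email": "clee@example.com",
              "upn": "clee@corp.example.com"},
}


def joiner():  # new hire, no app accounts yet
    return reconcile(merge_profile(HR["E1001"], AD["E1001"]), set())


def mover():  # promoted to Support Manager; still holds the old role's apps
    return reconcile(merge_profile(HR["E1002"], AD["E1002"]),
                     {"email", "hr-portal", "contact-center"})


def leaver():  # terminated in HR; everything must go
    return reconcile(merge_profile(HR["E1003"], AD["E1003"]),
                     {"email", "hr-portal", "siem", "edr-console"})


if __name__ == "__main__":
    print("joiner:", joiner())
    print("mover: ", mover())
    print("leaver:", leaver())
    print("orphans in siem:", orphaned_accounts({"E1001", "E1003", "E1999"}, HR))
```

The `orphaned_accounts` check is the audit side of the same model: once HR is the authority for who is active, any application account without an active HR record is by definition an orphan and can be reported without anyone comparing spreadsheets.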
As time went on I integrated even more apps into Okta and pushed for as much integration as each new app supported.
I took automated user provisioning and role-based access control (RBAC) from an edge case in user management to the new standard for user management.