Why HR Is—and Isn’t—Your Best Source for Identity Data

There was a time when the “identity” in “identity management” meant two things: who a person is, and what their business function is. So, naturally, user data for identity management came primarily from HR.

But things are different today. Identity data exists across a host of internal systems—directories, databases, applications, ERP—not to mention in systems maintained by external partners and hosted services. That’s not to say data from HR is of no use—but just that HR isn’t the only source of identity data. The following article explores how to use HR data effectively in identity and access management, from working efficiently with HR to combining data with information from other sources.

Uncovering Identity Data

The HR data repository, typically filled with information about positions, managers, departments, salaries, and performance, remains a valuable source of identity data. Follow these guidelines to make the most of opportunities to work with HR:

• Involve HR colleagues early in any identity management project, and identify an HR executive stakeholder.
• Understand HR processes and data, but make sure you understand the intention of each process, not just the process itself.
• Keep in mind that HR works with lines of business to define processes. This makes HR an invaluable resource for keeping identity projects business-relevant.
• Consider how you can add value to the HR team and its mission. Remember that identity isn’t just about securing access; it’s about making sure people have the right access to do their jobs and be productive.

Building a Federated Record Set

HR data can be combined with data from other sources to create a more complete, accurate record of a user’s identity. By applying a few rules about descriptive and relational data from infrastructure management, you can select various attributes of a person and populate them in a unified record within an identity management solution.

Here are a few guidelines to follow when building a federated identity management record set:

• Keep it simple. Don’t overthink how to collect the data (but make sure you protect that data in transit).
• Only take what you need. As with most data warehouses, any volume of information can easily become too large and too difficult to manage.
• Have a plan to utilize the data. Think how a person’s attributes will be used to describe who they are and what access they need. If data doesn’t drive a specific access requirement, you don’t need it.
• Leverage what already exists in HR and beyond. Payroll, corporate directories, organization charts, and other sources can all provide very rich data.

With a little planning, IT data security teams can use a current unification of the best attributes, from the best descriptive data sources (whether they are from IT, HR or a combination of both) to arrive at the definitive answer to “Who are my users?”

Watch this video to see how RSA Identity Governance & Lifecycle is helping Ameritas streamline access delivery and user lifecycle management for employees while improving audit performance.