Automated processes help address the longstanding pain point of creating and de-provisioning accounts for campus constituents.
It is a dilemma I imagine a lot of universities have faced at one point or another (and maybe still do)…how does a new hire acquire access to university resources? For years we made it very difficult for our clients to get the access needed to perform their job functions. New hires would be sent on a journey from one office to another to piece together whatever access they needed. And if they don't ask for something, then they simply don't get it. But how does a new hire know what to ask for? Well, if one fails to request something initially, you would just need to go back to that other office again and request it. It becomes a very long, confusing, and understandably frustrating process for our clients. Recognizing this issue, the Information Services & Technology team at Boston University decided it was time to improve our services and take action based on clients' feedback—and our clients were asking why it is so hard not only to get access to the resources they need but also to figure out whom to go to!
Our initial focus was streamlining a process for determining the privileges new hires would be entitled to when they begin work here. We created workgroups that included individuals from teams outside the Information Services & Technology department to establish a baseline of the fundamental access that the majority of employees require to do their jobs. This entailed a team spending a week in a room brainstorming and collaborating—we ate together, drew pictures together, wrote on big Post-it boards together, and really worked together. We gathered current state for our faculty and staff and developed onboarding case studies. Additionally, we discovered where the pain points were through feedback from clients, which allowed us to develop documented business requirements based on all we learned. As part of our business requirements, we established automated "birthright" privileges for employees, to be deployed as part of the new-hire process, eliminating the need to submit individual requests and allowing employees to be operational on day one. We established a working partnership with our clients to help us be better positioned to serve their needs.
In gathering this information, we were able to validate the current processes and exploit additional opportunities for improvement. This allowed us to define process alternatives that better aligned with the business.
In addition to streamlining access, we faced the pressing question of how and when employee access is removed. Being a member of a university and attempting to remove access is not an easy thing! An individual could be both a student and an employee. Just because one may no longer be an employee does not mean that individual's account can be disabled outright. We had to understand different types of affiliations an individual could hold with the university and understand the appropriate level of privileges needed for these affiliation types in order to determine when de-provisioning an account was possible.
We then gathered our metrics and information to build detailed business requirements. After establishing the business requirements, we came to our next challenge—what tool can we use to put this all together? We needed a way to identify our different populations and both provision and de-provision access. This would require our organization to introduce something new to the work environment…an identity management solution.
Incorporating an identity management solution into our environment allowed us to support the complete account life cycle, from timely provisioning to de-provisioning of account access and entitlements. We were able to reduce the number of business processes for obtaining and removing access that our faculty and staff would go through. And, most important to our clients, the process was simplified and automated to allow for a much better client experience.
We are by no means done. Faculty and staff were just the start of the changes we made. With our new identity management solution, we are able to look at the other affiliations in our organization: affiliates/guests, students, and alumni. We have also completed a thorough review of our affiliate/guest population and implemented provisioning via a new form. That form initiates an automated account-creation process, generates an email account, and provides the ability to request specific access, as well as offers a self-service password-reset portal (coming soon for faculty and staff!). Our next steps are completing our affiliation population to include de-provisioning and to start the planning process for our student population. In addition, we are always looking to enhance the faculty/staff experience, hopefully with self-service passwords not too far down the road.
This is part of a collection of resources related to how colleges and universities can take advantage of business process redesign efforts to become more agile. For the full set of resources and tools on this topic, go to Continually Improving Business Process Redesign Efforts.
Tammy Pruneau is Manager of Identity and Access Management at Boston University.
© 2018 Tammy Pruneau. The text of this work is licensed under a Creative Commons BY 4.0 International License.