Provisioning administration

This topic outlines the tasks that are part of the role of an administrator responsible for the HelloID Provisioning module.

Monitoring

Monitor HelloID using the built-in mechanisms:
- Review evaluation, blocked actions, and reconciliation summary notifications; see Notification events
- Review and resolve Provisioning Incidents:
  - Restart the Agent services. Make sure the necessary domains are whitelisted.
  - Resolve merge suggestions for persons who are skipped for processing.
  - Review Blocked persons and, if necessary, add missing data to the source system.
  - Resolve Blocked actions.
  - Resolve Blocked imports.
  - Resolve and retry failed entitlement actions: Troubleshoot entitlement actions.
  - Resolve failed Source imports.
- Review HelloID's provisioning activities via the Provisioning ( Provisioning dashboard:
  - Persons > History
  - Business > Entitlements > History
  - Source > Snapshots
  - Target > Snapshots
- Review Provisioning reports.
Monitor the use of licenses via the License widget on the Admin dashboard.
Monitor all connected systems: Source systems), Target systems, and other systems (such as Exchange) that are used in Provisioning actions and events.
Manage persons excluded from the business rules (see Business > Exclusions).
Monitor and manage accounts and entitlements outside of HelloID.
If Governance is available, you can use the Reconciliation feature for this. Check the Reconciliation reports. Resolve issues found in the target systems, and manage Exclusions.
Monitor the organization for changes that may affect the configuration of HelloID Provisioning.
The Provisioning configuration helps you discover and regularly check the relevant details of your HelloID Provisioning configuration.

Troubleshooting

Tip

A number of issues that arise frequently are described in detail in FAQ: Provisioning.

Account/permission issues. For example: a missing or disabled account; a missing permission (account access, group membership, shared folder, access to building, etc.); an infinitely waiting permission action; a wrongly correlated account.

Depending on the issue:

Person aggregation issues. Note that it may not be immediately apparent whether a problem is caused by a person aggregation issue. Duplicate accounts, a missing account, and incorrect employee data in an account could all potentially be traced back to a person aggregation issue.

Suggested action

On the Provisioning dashboard, go to

See

Manually merge persons

Manually unmerge persons

Replace main person with non-main person: Manually replace a main person in a merge set

Source > Aggregation > Manual > Select person > Add person

Source > Aggregation > Manual > Select merged person > Remove person

Source > Aggregation > Manual > Select person > Transfer main person

Aggregation basics

An error has occurred in a target system.

If the error has led to failed entitlement actions, Run an enforcement or retry failed entitlement actions one by one: go to Business > Entitlements > History > Retry action.

An error has occurred in a source system.

After the source system error is fixed and (in on-premise systems) the Agent is running, any related provisioning issues should be resolved automatically during the next scheduled import and enforcement. If necessary, run a manual import and enforcement.

Suggested action

On the Provisioning dashboard, go to

See

Run a manual import

Run an enforcement

Source > Systems > Start import

Business > Evaluation > Enforce (button)

Manual imports

Enforcement

Some personal information in a target account is wrong, e.g. the job title, employee number, or manager.

Suggested action

On the Provisioning dashboard, go to

See

Correct the person's personal or contract data in the respective source system

Check for a person aggregation issue

If an account update has failed, troubleshoot the issue and Update all accounts.

Source > Aggregation

FAQ: Provisioning

Troubleshoot entitlement actions

An action that is not an entitlement action has failed; e.g. an onboarding email was not sent.

Possible causes:

An error in the connected system (for example: the email system).
A broken connection with another system, either physically, or programmatically. In the latter case, the script needs to be updated; it is recommend to engage a HelloID consultant.
Data is missing from the source. For example, when a contract has not started yet, an onboarding email cannot be sent if a private email address is not included in the source data. The solution may be to Map an additional field or Make a field required.

Accounts are missing data; e.g. the signature under an email is missing a job title.

Possible causes:

Data is missing from the source system. Add the missing data into the source system, Map an additional field, and/or Make a field required.
The data is not included in the target mapping. Update the target mapping for the Active Directory, Azure AD or PowerShell v2 system.
The account update action failed for this system, or for a system it depends on. Try running Update accounts for the affected system(s). To find the root cause, Troubleshoot entitlement actions.

Help desk tasks/maintenance

An existing account must be linked to a person in HelloID.

Accounts are linked with a person automatically if correlation has been set up for the target system.

Suggested action

On the Provisioning dashboard, go to

See

Set up correlation for the target system

Target > Systems > Edit target system > Correlation

Active Directory: Correlation
Azure AD: Correlation
PowerShell v2: Correlation

Link the account using the Import entitlements report

Correct the correlation value in the target account

Business > Entitlements > Import

Import target system entitlements

Azure AD: Manually correlate an accountManually correlate an account

An account or permission membership in a target system needs to be preserved, and should no longer be managed via the business rules in HelloID.

Unmanage the entitlement.

If the person is in scope of a business rule that grants the account and the account's correlation value matches the person's correlation value, the account will be correlated to that person again during the next enforcement. To prevent this, ensure that the person is no longer in scope of the Business rules that grant the account.

If Governance is available: The unmanaged account will appear in - and can be excluded from - future Reconciliation reports.

An employee’s personal information changes, such as after a marriage or divorce. This makes it necessary to update user account attributes like the User Principal Name (UPN), sAMAccountname, etc..

In HelloID, in Active Directory's Target mappings, ensure that all necessary attributes are mapped to the Update event. If an attribute's value is typically not modified during an update, but can still change in the target system - and those changes should be propagated to dependent systems - map that attribute to the Update event with mapping type None.
Rename the user object in Active Directory to match the new name (cn, displayName). Update UPN and email for consistency, leaving aliases to maintain delivery.
Updating the person's data in the HR source system should trigger an update of the account and subsequently of accounts in any depending systems. To force an update, Update an account or Re-enforce an entitlement.

A new entitlement (membership, folder, etc.) needs to be managed via the business rules.

If the users that must be granted the entitlement match the conditions of one or more existing Business rules, the entitlement can be added to the existing business rule(s). Otherwise, Add a business rule. Make sure to respect the Performance limits.

If Governance is available, you may want to set up a Toxic policy for the new entitlement.

The organizational structure changes; e.g. a new department or role is introduced, impacting the organization's authorization matrix.

Departments, roles and similar organizational data and user attributes are likely used in Conditions in Business rules. Adjust and/or create business rules as needed.

These data may also be used in Sub-permissions scripts in PowerShell v2 connectors. Adjust the scripts as needed.

Major organizational changes are likely to impact more than just the business rules. In these cases it is recommended to work with a HelloID consultant.

Tip

If you need help designing business rules, Tools4ever provides paid role mining sessions led by experienced HelloID consultants. This service is available only in select regions.

Advanced configuration and scripting

The following administration tasks require a thorough understanding of HelloID and/or programming skills and will usually be handled by a HelloID expert.

Add a new source system. This is necessary when an HR system, roster system, or other software that contains source data is replaced or added.

Suggested action

On the Provisioning dashboard, go to

See

Add a source system

Set up person aggregation

If necessary, adjust the business rules

If necessary, adjust the primary contract calculation

If necessary, adjust the primary manager determinant

Source > Systems > Add system

Source > Aggregation

Business > Rules

Source > Systems

Source systems

Person aggregation

Business rules

Set the primary contract determinant

Set the primary manager determinant

Add a new target system to automatically grant or deny access to a new application, system, or physical workspace. For example, when key cards to enter a building or floor are introduced; on-premise Exchange is replaced with Microsoft 365; new employees need immediate access to Slack, GitHub or Atlassian products; the provisioning of accounts in Exact Online or TOPdesk must be automated.

Other reasons to introduce a new target system are the need to reduce security risks and ensure compliance with regulations like GDPR, HIPAA, and ISO 27001. For example, when employees leave the organization, their SAP, ServiceNow, GitLab, or TopDesk account must be deactivated automatically.

Suggested action

On the Provisioning dashboard, go to

See

Add a target system

Add the accounts and/or permissions to new or existing business rules

If necessary, also add fields to the source mapping

Target > Systems > Add system

Business > Rules > Add/edit rule

Source > Systems > Edit system > Person and Contract tabs

Target systems

Business rules

Source mappings

Create or update a post-action script. This is necessary when an account-related entitlement action in an Active Directory system should trigger a (different) action. For example, an email must be sent to the IT department to provide hardware when an account is created, or a ticket must be created instead of sending an email.

Suggested action	On the Provisioning dashboard, go to	See
Create or modify a post-action script	Target > Systems > Edit AD system > Account tab	Post-action scripts

A target system (API) changes.

Modify scripts in a PowerShell v2 system.

Suggested action

On the Provisioning dashboard, go to

See

Add or edit an action script

Add or edit a script that retrieves permissions

Add or change sub-permissions

Modify person/department scripts (e.g. add missing data)

Target > Systems > Edit system > Account

Target > Systems > Edit system > Permissions

Source > Systems > Edit system > System

Retrieve permissions script

Sub-permissions

Account scripts

Persons import script

Departments import script

In this section:

HelloID

Provisioning administration

Monitoring

Troubleshooting

Tip

Help desk tasks/maintenance

Tip

Advanced configuration and scripting

Search results