HelloID

Provisioning administration

This topic outlines the tasks that are part of the role of an administrator responsible for the HelloID Provisioning module.

Monitoring
  • Monitor HelloID using the built-in mechanisms:

  • Monitor all connected systems: Source systems, Target systems, and other systems (such as Exchange) that are used in Provisioning actions and events.

  • Manage persons excluded from the business rules (see Business > Exclusions).

  • Monitor and manage accounts and entitlements outside of HelloID.

    If Governance is available, you can use the Reconciliation feature for this. Check the Reconciliation reports. Resolve issues found in the target systems, and manage Exclusions.

  • Monitor the organization for changes that may affect the configuration of HelloID Provisioning.

    The Quick Reference: Provisioning configuration helps you discover and regularly check the relevant details of your HelloID Provisioning configuration.

Troubleshooting

Troubleshoot Provisioning incidents and issues. See Troubleshooting Provisioning for resolution steps and additional resources.

For Active Directory errors, see: Troubleshoot an AD target system.

A number of frequently asked questions are answered in FAQ: Provisioning.

Help desk tasks/maintenance

1. Link an existing account to a person in HelloID

Accounts are linked with a person automatically if Correlation has been set up for the target system.

Set up correlation for the target system

Provisioning dashboard > Target > Systems > Edit target system > Correlation

Manually correlate an account

Fix a wrongly correlated account

Provisioning dashboard > Business > Entitlements > Import

Manually correlate an account to a person

Fix a wrongly correlated account

Link an account to a person (Import entitlements report)

2. Preserve an account or permission membership

You may want an account or permission membership to be no longer managed by HelloID. For example, when a person is no longer entitled to the account or permission according to the business rules, and you do not want it to be deleted.

  • Unmanage the entitlement. Ensure that the person does not fall within any Business rules that grant the account or permission; otherwise, it will be granted during the next enforcement (re-correlated, if the account's correlation value matches the person's correlation value) and managed again by HelloID.

  • If none of a person's accounts and permissions should be managed by HelloID, you can Manually exclude a person from the business rules.

If Governance is available: The unmanaged entitlement will appear in - and can be excluded from - future Reconciliation reports.

3. Update AD account attributes

When an employee’s personal information changes, for example, after a marriage or divorce, related user account attributes such as User Principal Name (UPN) and sAMAccountName must be updated accordingly.

  1. In HelloID, in Active Directory's Target mappings, ensure all necessary attributes are mapped to the Update event. If an attribute's value is typically not modified during an update, but can still change in the target system - and those changes should be propagated to dependent systems - map that attribute to the Update event with mapping type None.

  2. Rename the user object in Active Directory to match the new name (cn, displayName). Update UPN and email for consistency, leaving aliases to maintain delivery.

  3. Force an update: Update an account or Re-enforce an entitlement.

    Alternatively, updating the person's data in the HR source system should trigger an update of the account and subsequently of accounts in any depending systems.
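
The rename in step 2 can be scripted as follows. This is an added example, not part of the HelloID documentation: the function names `Get-RenamedProxyAddresses` and `Rename-PersonAccount` and all sample values are hypothetical, and it assumes the ActiveDirectory PowerShell module and that mail aliases are stored in `proxyAddresses`.

```powershell
#Requires -Modules ActiveDirectory

# Pure helper: make $NewAddress the primary SMTP entry and keep every
# existing address as a secondary alias so mail to the old name still arrives.
function Get-RenamedProxyAddresses {
    param([string[]]$Current, [Parameter(Mandatory)][string]$NewAddress)
    $result = @("SMTP:$NewAddress")
    foreach ($entry in $Current) {
        if (-not $entry) { continue }
        if ($entry -notmatch '^smtp:') { $result += $entry; continue }  # X500, SIP, ...
        $address = $entry.Substring(5)
        if ($address -ieq $NewAddress) { continue }   # already present as primary
        $result += "smtp:$address"                    # demote old primary to alias
    }
    $result
}

function Rename-PersonAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,   # current sAMAccountName, DN or GUID
        [Parameter(Mandatory)][string]$NewName,    # new cn and displayName
        [Parameter(Mandatory)][string]$NewUpn,
        [Parameter(Mandatory)][string]$NewMail
    )
    $user = Get-ADUser -Identity $Identity -Properties proxyAddresses
    [string[]]$proxy = Get-RenamedProxyAddresses -Current @($user.proxyAddresses) -NewAddress $NewMail

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Rename to '$NewName'")) {
        # Address the object by GUID: the DN changes as soon as cn is renamed.
        Set-ADUser -Identity $user.ObjectGUID -DisplayName $NewName `
            -UserPrincipalName $NewUpn -EmailAddress $NewMail `
            -Replace @{ proxyAddresses = $proxy }
        Rename-ADObject -Identity $user.ObjectGUID -NewName $NewName
    }
}

# Constructed sample values; -WhatIf reports the change without writing it.
Rename-PersonAccount -Identity 'jdoe' -NewName 'Jane Smith' `
    -NewUpn 'jane.smith@example.com' -NewMail 'jane.smith@example.com' -WhatIf
```

After the rename, continue with step 3 so that HelloID picks up the changed values through the attributes mapped to the Update event.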

4. New entitlement to be managed by HelloID

When a new entitlement (membership, folder, etc.) needs to be managed via the business rules:

  • Add the entitlement to one or more existing Business rules if users that must be granted the entitlement match the conditions of the existing business rule(s). Otherwise, Add a business rule. Make sure to respect the Performance limits.

  • If Governance is available, you may want to set up a Toxic policy for the new entitlement.

5. Organizational structure changes

When the organizational structure changes (e.g., new departments or roles are introduced), this can affect the organization's authorization matrix.

Organizational data, such as departments, roles, and user attributes, is often used in Conditions in Business rules. Update existing rules or create new ones as needed.

Major organizational changes may impact more than just the business rules. In such cases, working with a HelloID consultant is recommended.

Tip

If you need help designing business rules, Tools4ever provides paid role mining sessions led by experienced HelloID consultants. This service is available only in select regions.

Advanced configuration and scripting

The following administration tasks require a thorough understanding of HelloID and/or programming skills and will usually be handled by a HelloID expert.

1. Add a new source system

Adding a new source system is necessary when an HR system, roster system, or other software that contains source data is replaced or added.

Add a source system

Set up person aggregation

If necessary, adjust the business rules

If necessary, adjust the primary contract calculation

If necessary, adjust the primary manager determinant

On the Provisioning dashboard, go to:

Source > Systems > Add system

Source > Aggregation

Business > Rules

Source > Systems

Source > Systems

Source systems 

Person aggregation 

Business rules 

Set the primary contract determinant 

Set the primary manager determinant 

2. Add a new target system

Add a new target system to automatically grant or deny access to a new application, system, or physical workspace. For example, when key cards to enter a building or floor are introduced; on-premise Exchange is replaced with Microsoft 365; new employees need immediate access to Slack, GitHub or Atlassian products; the provisioning of accounts in Exact Online or TOPdesk must be automated.

Other reasons to introduce a new target system are the need to reduce security risks and ensure compliance with regulations like GDPR, HIPAA, and ISO 27001. For example, when employees leave the organization, their SAP, ServiceNow, GitLab, or TOPdesk account must be deactivated automatically.

Add a target system

Add the accounts and/or permissions to new or existing business rules

If necessary, also add fields to the source mapping

On the Provisioning dashboard, go to:

Target > Systems > Add system

Business > Rules > Add/edit rule

Source > Systems > Edit system > Person and Contract tabs

Target systems 

Business rules 

Source mappings 

3. Create or update post-action script

Creating or updating post-action scripts is necessary when an account-related entitlement action in an Active Directory system should execute PowerShell code in Active Directory target systems.

Create or modify a post-action script

Provisioning dashboard > Target > Systems > Edit AD system > Account tab

Post-action scripts 

4. Target system (API) changes

Modify scripts in a PowerShell v2 system.

Add or edit an action script

Add or edit a script that imports permissions

Add or change sub-permissions

Modify person/department scripts (e.g. add missing data)

On the Provisioning dashboard, go to:

Target > Systems > Edit system > Account

Target > Systems > Edit system > Permissions

Source > Systems > Edit system > System

Account scripts 

Import permissions script (PowerShell v2 target systems) or Import permissions script (PowerShell v1 target systems)

Sub-permissions (PowerShell v2 target systems) or Sub-permissions (PowerShell v1 target systems)

Persons import script 

Departments import script