Workforce Mover Process

Workforce Mover Process

Process Map

Workforce Mover Process Map

Description

The Workforce Mover Process is the process that receives announcements by designated authorities of workers’ job changes within the organization and adapts their identities and access permissions accordingly.

The process's fundamental goals are to sustain the organization’s productivity while assuring security.

Key Requirements

  • Sustain the organization’s productivity by assuring a smooth transition of the worker from her original job to her new job

  • Facilitate knowledge transfer activities during the transition period, which may require the controlled retention of some access permissions linked to the original job during the transition.

  • Mitigate operational risks caused by inadequate segregation of duties during the process.

  • Mitigate security risks caused by privilege creep.

  • Assure clear accountability during the process.

Modes

  • Planned Mover: This is the default mode in contrast with the Unplanned Mover mode. It takes place when the mover is announced early enough for the normal process to take place. Acceptable delays for planned mover should be documented in the IAM Workforce Policy.

  • Unplanned Mover: This is an exceptional mode in contrast with the Planned Mover mode. This mode takes place when the circumstances are such that the mover is not announced in advance within expected delays. For example, the move has already been implemented without announcement, or the move takes place immediately, or the move must be implemented faster than normally expected. In this mode, the pressing urgency of the situation may lead to errors, inefficiencies, and/or security issues. A mature process should be able to cope with this mode and implement adequate controls to correct errors and security issues.

Triggering Events

*. Employee demotions and promotions may but do not necessarily imply a job change. In effect, demotions and promotions can be limited to the worker’s title or rank within the organization, without changing the nature of the job and its related authorizations.

Inputs

  • The identity of the mover

  • The worker’s new function and related information, incl. her new manager

  • The planned date for the move

  • Conditional: special needs of access retention during a prolonged period to assure a smooth transition and knowledge transfer

Timeline

  1. Mover Decision

  2. Mover Announcement

  3. Preparation Period

  4. Effective Move Date

  5. Transition Period

  6. Process Completion

Key Activities

  • Mover Announcement: This starts the Workforce Mover Process. The announcement must be made by the organization’s designated authority, which is often the worker’s previous and/or new manager.

  • Update & Propagate Identity Attributes: Update the worker’s identity attributes to reflect her new job, including her new manager if the new job reports to a different manager. Because the manager often plays a key role by approving his direct reports' access requests, the change of the worker’s manager identity attribute must be simultaneous with the effective change of accountability for the worker’s access permissions. The update of identity attributes should be automated from authoritative sources, e.g. the HR Information System for employees. Then, this information may need to be propagated within the information system to assure consistency.

  • Role Engineering: If the worker’s new job is a newly created function within the organization, or if that function is reorganized, role engineering may be required to set up or adapt business roles.

  • SoD Policy Enforcement: If the organization has SoD requirements making the worker’s previous and new job partially or completely incompatible, assure that these requirements are complied with during the process or implement mitigating controls.

  • Facilitate knowledge transfer and a smooth transition: When necessary and within the limits of SoD and security requirements, identify the identities and access permissions linked to the worker’s previous job that will be needed after the move date during a period of time to assure a smooth transition and adequate knowledge transfer, and post-pone their revocation to the end of the transition period.

  • Identification and revocation of obsolete identities, roles, and access permissions: Assure that the identities and access permissions that are no longer required by the worker’s new job are identified and revoked. Business roles constitute a key facilitator for this activity.

  • Identification and provisioning of new identities, roles, and access permissions: Assure that the identities and access permissions required by the worker’s new job are identified and provisioned. Business roles constitute a key facilitator for this activity.

  • Review or recertification of access permissions and roles: Depending on the organization’s access review and recertification policy, trigger the required reviews or recertifications. In general, this involves both the participation of the worker’s previous and new managers.

Main Output

  • Completed Mover

Alternative Outputs

After the mover announcement which marks the original intention of changing the worker’s function, circumstances may change before process completion, leading to the following alternative outputs:

  • Canceled Mover: When the announced change of function is canceled and the worker finally stays at his original function.

  • Mover to Leaver: When the announced change of function is canceled because the worker leaves the organization.

  • Mover to Mover: When the newly announced function is modified for yet another function.

The exceptional nature of the above alternative outputs may lead to errors, inefficiencies, and/or security issues. A mature process should be able to smoothly manage the process transition and implement adequate controls to correct errors and security issues.

Key Indicators

Document the Workforce Movers indicator (# of unplanned movers, etc.)

Version

1.0 Draft

Process Map

IAM Process Map

Parent Process

Related Processes

  • Access Recertification

  • Role Engineering

 


Quotes

Quotes are only available to subscribed members.

Bibliography

See Also

 


Follow us on LinkedIn | Discuss on Slack | Support us with Patreon | Sign-up for a free membership.


This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.