Optimize Licenses by Performing Usage Inspections during Employee Transitions
by: Moshe Panzer, Founder & CEO, Xpandion
We are all familiar with the Joiner-Mover-Leaver (JML) processes. In short, they cover three separate scenarios: when employees are recruited, when they change positions inside the company and, last but not least, when they leave the organization and their user accounts are terminated. Many articles have discussed these processes in detail, but most have left out the opportunity to increase security levels and simultaneously cut the licensing costs involved. If you are thinking about automating JML processes, why not use this opportunity to take it to the next level?
Challenges in the JML Processes
Organizations that have not automated the joiner-mover-leaver processes suffer from an abundance of manual work, including paper forms and constant email correspondence. People also forget that in many cases manual work increases the chance of human error and therefore significantly reduces the security level. In addition, manual work can result in employees forgetting to perform major tasks such as updating license tables or changing the license type when employees change positions. These errors directly affect the organization's licensing costs, which end up much higher than they should be.
Add Extra Security
After speaking to numerous clients and hearing their experiences with the JML processes, the best advice we can give you is “automate as much as you can”. When there is no manual work, there is no option to bypass the system. So, here is how it should and can work.
The “joiner” process should be triggered automatically by the HR system, by Active Directory or by a web form that is filled out by the HR team. Next, user accounts should be opened automatically in all the relevant systems and the status reported to the designated manager. Passwords should also be created automatically and sent to the new employee’s smartphone, to ensure that nobody else receives the login credentials.
In the same spirit of automation, the “mover” process should be identified and the system should automatically send an email to the new manager that reads – “A new employee has joined your team and they have access to sensitive information. Do they still need all of the permissions below?” An important hint here: reducing the employee’s permissions will often reduce their license level as well.
Lastly, for the “leaver” process, when a user account is terminated in Active Directory, the automated system should also close the account in all other systems, including on-premise applications as well as cloud applications such as Salesforce and Office 365.
Automate License Updates and Save Costs
If the JML process is automated, you have an additional opportunity to optimize employee licenses. In the “joiner” process, the managing system should automatically choose the lowest-level license that will still allow the employee to fulfill their daily tasks in each application. The company should invest some time and effort in creating this scenario, because in many cases we have seen organizations allocate new users a higher-level license than they actually require. A company can avoid this by automating the license selection step, which creates an optimized situation at the most critical point of software asset management (SAM).
When employees move within the organization, the managing system will inspect their license type automatically and change it to the lowest possible license according to their new role and needs. The step of allocating new licenses is often forgotten during the “mover” process, which creates an un-optimized situation and additional, unnecessary licensing costs. Last and most important, make sure that when an employee is terminated their license is reallocated, or released and put in the license bank until it is needed. This too can and should be done automatically in all of the relevant applications, both those inside the organization (on-premise) and, equally important, those in the cloud such as SuccessFactors, Salesforce and Office 365. Closing inactive accounts must be a priority for the automated system, to avoid unnecessary charges from cloud applications.
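The reconciliation step behind the joiner, mover and leaver rules described above can be sketched as follows. This is an added example, not Xpandion's code; the application names, license tiers, roles, users and the `plan_jml` function are all assumptions made for illustration.

```python
from dataclasses import dataclass

# All names below (apps, tiers, roles, users) are constructed for illustration.
TIERS = {"crm": ["read_only", "standard", "admin"],   # cheapest tier first
         "erp": ["self_service", "professional"]}
ROLE_NEEDS = {"sales_rep": {"crm": "standard"},       # lowest tier each role needs
              "finance_analyst": {"crm": "read_only", "erp": "professional"}}

@dataclass(frozen=True)
class AppAccount:
    app: str
    user: str
    tier: str

def plan_jml(directory, accounts):
    """Compare directory state with per-application accounts and return a
    list of (action, app, user, tier) tuples covering all three JML cases."""
    actions = []
    for acct in accounts:
        entry = directory.get(acct.user)
        if entry is None or not entry["enabled"]:
            # Leaver or orphan: close the account, return the license to the bank.
            actions.append(("close_and_release", acct.app, acct.user, acct.tier))
            continue
        needed = ROLE_NEEDS.get(entry["role"], {}).get(acct.app)
        if needed is None:
            # Mover kept access the new role does not call for: manager decides.
            actions.append(("ask_manager", acct.app, acct.user, acct.tier))
        elif TIERS[acct.app].index(acct.tier) > TIERS[acct.app].index(needed):
            actions.append(("downgrade", acct.app, acct.user, needed))
    have = {(a.app, a.user) for a in accounts}
    for user, entry in directory.items():
        if not entry["enabled"]:
            continue
        for app, tier in ROLE_NEEDS.get(entry["role"], {}).items():
            if (app, user) not in have:
                # Joiner (or mover gaining an app): open at the lowest sufficient tier.
                actions.append(("create", app, user, tier))
    return actions

SAMPLE_DIRECTORY = {"alice": {"enabled": True, "role": "sales_rep"},
                    "bob": {"enabled": False, "role": "sales_rep"},
                    "carol": {"enabled": True, "role": "finance_analyst"}}
SAMPLE_ACCOUNTS = [AppAccount("crm", "alice", "admin"),
                   AppAccount("erp", "alice", "self_service"),
                   AppAccount("crm", "bob", "standard"),
                   AppAccount("crm", "carol", "standard"),
                   AppAccount("erp", "dave", "professional")]

if __name__ == "__main__":
    for action in plan_jml(SAMPLE_DIRECTORY, SAMPLE_ACCOUNTS):
        print(action)
```

In the sample data, "dave" holds a paid license but has no directory entry at all, which is the orphaned-account case that manual leaver handling tends to miss.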