Industry standards are facing significant financial and governance challenges. Here's the deck from a related presentation given during my recent visit with the STAR standards community.

This isn't the last post in my current provisioning series. I promised the last post would focus on a few architectural ideas for handling provisioning and de-provisioning in a distributed environment. This one simply highlights something I saw reported that helps illustrate a point I made in my last post. The Daily Press, Newport News, VA, last week reported:

A part-time computer help desk technician let go from Thomas Nelson Community College almost three weeks ago said that, as of Wednesday morning, he still had computer access to the records and Social Security numbers of every student in the Virginia Community College System.

Edwin Slater, a 24-year-old Newport News resident, said college officials told him he was being laid off from his job July 9 because of budget cuts. But Charles Nurnberger, TNCC's vice president for finance and administration, said no employees have been laid off, although some jobs have been consolidated.

The college VP's answer to the alleged data breach is quite contorted. He indicates that no employees had yet been officially terminated. The VP doesn't address the fact that the employee in question had either been notified weeks ago that he was being laid off or that, in any case, he had not showed up to work in 3 weeks. So the VP sort of implies that there was no data breach since the college hadn't officially terminated the individual's status as an employee. This is an interesting answer, but not one that has anything to do with protecting the confidential student information to which the help desk technician had access.

As I wrote in my previous post:

RBAC is like Communism: It sounds really great until you try to implement it,
David Griffeth, Vice President of Enterprise Identity Management, Citizens Bank at Catalyst Conference 2009.

In my previous post in this series, I covered the ROI for improvements in provisioning processes and I began to walk through the employment lifecycle to show how provisioning relates to specific employment lifecyle events. In this post, I finish my discussion of the employment lifecycle and talk a bit more about the limitation of role-based access controls.

RBAC and Communism

I didn't attend last week's Catalyst Conference 2009. However, when I saw David Griffeth's quote about role-based access control (RBAC) tweeted from the conference on Friday afternoon, I thought it captured quite nicely one of the points I'm trying to make in this series of posts. Managing access and entitlements by role gets complex quickly. It is not to say that roles aren't useful in managing provisioning, but starting with a table of events relevant to provisioning and de-provisioning is likely a better way to begin your planning. Increasingly, HR service delivery is distributed among multiple SaaS providers. Roles and sub-roles are likely to be tied to particular SaaS offerings. So lifecycle events - such as those covered in this post and the previous post - are a better starting point than roles. Build your table of lifecycle events, look at target systems, then perhaps look at whether and how roles fit into the provisioning and de-provisioning operations.

STAR Standards Chief Architect David Carver recently wrote a post about the W3C's use of a public issue tracker. A few people have "retweeted" the post and sent it my way via email. In the post, David gives kudos to the W3C for providing a publicly accessible issue tracker. I think the reason the post has some resonance is that at least a few readers recognize that the post is not so much about the use of about a particular feedback technology as it is about behavioral change within standards organizations and new ways of working. Actually, "new ways of working" isn't quite the right description. Between the lines, I think the post really is about bringing well-established and contemporary software development best practices to the work of standards organizations. If you read through David's other posts regarding the application of agile methodologies to standards development, they very much fit into this same theme.

David writes:

Unfortunately not all the [standards organization] workgroups take advantage of [issue tracking]. There are a handful of organizations, STAR being one, that make use of issue tracking systems to track the work and when it was completed. Visibility either to the public or at least to their membership can be key for helping adopters know what is coming and when it might be coming. Having the visibility into their process is a good thing, and should be encouraged.

I have enough experience with issue trackers in my years with HR-XML to be able to offer a few suggestions to standards organizations and other industry working groups:

In my first post, I covered some basic provisioning concepts and emphasized that while provisioning processes ideally are "role-aware," they also need to be sufficiently flexible to handle a variety of intervening events. In this post, I cover some of the ROI for improvements in provisioning processes and walk through just a few events in an employment life cycle to show where provisioning fits into HR processes. I'll follow-up with two more posts. One to look at termination processes and the other to zoom-in on architecture to support provisioning.

The ROI for Improving Provisioning

There are ample business cases for investments that improve provisioning processes.

From the initial feedback I've received, the premise of last week's webinar was spot on. As Larry Fulton pointed out, enterprise service buses (ESBs) are proliferating and increasingly are bundled within broader software offerings. While there is no shortage of middleware or ESB infrastructure within large and medium-sized enterprises, it is clear that not many HR system stakeholders are actively involved in ESB implementations. Not surprisingly, there also appears to be limited awareness among HR system stakeholders of the architectural foundations necessary to use ESBs effectively in rationalizing a portfolio of distributed HR services.

The Business of HR is Distributed

While HR trails behind other enterprise functions in leveraging ESB infrastructure, it leads the enterprise in other areas, such as in using software as a service (SaaS) delivery models. I've joked that HR Services, like Elvis, have left the building. Benefits administration and payroll services have long been outsourced, but recruitment and a full range of talent management services also are increasingly are delivered by external SasS-model providers.

Thanks to those who attended yesterday's webinar, Demystifying ESBs for HR System Stakeholders, and many thanks to the presenter Larry Fulton.

Larry has made available a copy of the slide deck from his blog. Full replay of the session is available in the two video embeds that appear below.

Another resource that you may find valuable is the January 2009 report on ESBs that Larry wrote while at Forrester. Software AG has made the report available from its website (.pdf).

If Larry and/or I can answer any follow-up questions or be of any assistance, please don't hesitate to contact us. I'd be happy to forward your inquiries to Larry.

Part 1

Demystifying ESBs for HR System Stakeholders - PART 1, Larry Fulton, Senior IT Architect.

Part 2

Below is the first in a few posts looking at managing access and entitlements across an employee lifecycle (from hire to termination). This post covers some basic concepts and definition of terms.

The OASIS Provisioning Services Technical Committee describes provisioning as:

...the automation of all the steps required to manage (setup, amend and revoke) user or system access entitlements or data relative to electronically published services.

In the context of HR processes, the term "provisioning" is commonly used in a few different contexts, but it broadly describes a process of communicating to a target system the information that system needs to authenticate users and to determine their access privileges. Perhaps the most critical task within the provisioning process is "de-provisioning," which refers to the removal of access rights and entitlements.

Provisioning is a horizontal enterprise process that has special relevance for HR systems management because access and entitlements for individuals usually are derived from a individual's status as an employee or contractor and from the particular position they hold or role they play.

New hire and termination processes are of special concern in managing provisioning. The new hire process is of concern, since new employees cannot become fully productive until granted system and facility access they require to do their jobs. Termination is of concern because of the security risks posed if terminating employees are not properly de-provisioned from systems. Provisioning and de-provisioning also may be triggered by many other intervening business and life events (for example, new projects, transfer, promotion, sabbatical, etc.).

Join us for a Webinar on July 15, 12:00 noon EDT
Space is limited. Reserve your Webinar seat now at:
http://www.hrinterop.org/webinar/

The term "Enterprise Service Bus" continues to create confusion. This is in part because the term is used in a few different ways. "ESB" sometimes is used in describing an architectural approach towards enterprise integration relying on intermediary software to perform message brokering, routing, transformation and similar functions. At the same time, "ESB" also is applied to the broad and evolving category of middleware used in implementing ESB architectures. Adding to the confusion, the ESB category of middleware is so diverse that it defies "apples-to-apples" comparisons of ESB capabilities and features.

The purpose of this webinar is to demystify ESBs for HR IT stakeholders. Within large and medium-sized enterprises, it is common for HR systems to connect into the "enterprise service bus." However, HR IT typically is a relying party and doesn't always exercise control or influence over how ESB infrastructure is applied to HR integration scenarios. In many cases, there is no shortage of middleware or ESB infrastructure within the enterprise, but simply a lack of adequate attention given to the application of such technology to complex and rapidly evolving HR integration scenarios. While some HR integrations are quite pedestrian and well known (HR systems ultimately tie into any enterprise application needing to know who is a current employee), HR increasingly is a step ahead of other enterprise functions with regard to complex integration challenges such as interactions with enterprise portals and SaaS and "cloud-based" resources.

I was really pleased with last week's webinar on serious games. The application of game technology and "game mechanics" to human capital management purposes at first seems to be a new and radical departure from conventional practices. However, I think in some sense it represents technology catching up with tried and true training and performance management approaches. The medium of serious games really represents a return to active learning and "learning by doing". This is a far more natural and engaging approach to instruction than the passive, power-point delivered learning experiences that otherwise predominate.

Likewise, serious games and virtual enviroments offer a way to take "competency models" out of documents and system dialog boxes and put them into "3D." Virtual worlds can give employees the opportunity to try, reherse, and refine their competencies in a safe environment. Multiplayer environments can provide transparency across teams and opportunities to learn from both team members and competitors.

Thanks again to the panelists, Randy Brown, Virtual Heroes; Steve Mahaley, Duke Corporate Education; and Karen Sopko, Creative Bandwidth Games