Seasonal workers and identity automation. Pick one.
Posted by MudDifficult2015@reddit | sysadmin | 15 comments
Every year, same problem. We hire ~300 seasonal warehouse staff between October and January. They leave. Some come back next season. Some don't. Some come back mid-season as rehires after quitting. HRIS treats rehires as new workers half the time, same worker the other half, depends on how HR entered them.
Result: duplicate accounts in AD. john.doe and john.doe2. Both with Okta profiles. Sometimes both active simultaneously. The old john.doe account still has group memberships from two seasons ago that never got cleaned up because the deprovisioning ran but didn't catch the app assignments that were added manually outside the normal workflow.
We've tried building automation around this. Every time we think we have it, HR changes how they enter rehires in the HRIS and the correlation logic breaks.
At this point the "automation" is one of my guys manually cross-checking a spreadsheet against AD before each season starts. That's not automation. That's just a different kind of manual.
Is anyone actually running a clean provisioning setup for high-churn seasonal workforces, or is this just the price of having humans involved in HR data entry?
Likely_a_bot@reddit
Bad process is the enemy of automation.
Curious201@reddit
seasonal staff are exactly where identity lifecycle usually falls apart, because everyone treats them as temporary until the accounts, groups, mailboxes, badges, and app access stay around for years. i would not try to solve this with reminders alone. the source of truth needs to be HR or whoever owns the worker status, and every account should have an expected end date attached to it from day one. even if you do not have full IAM automation, you can get a lot safer with a weekly report of accounts past end date, accounts with no recent login, and seasonal users still sitting in privileged or shared groups. the dangerous part is not creating accounts quickly in October, it is the quiet pile of half-disabled identities nobody wants to own in February.
Jay_JWLH@reddit
Sounds like a database problem. New entry, new employee ID (global ID).
gumbrilla@reddit
Not the way I've experienced it; HRIS should be looking to keep a record of a person, as well as employment(s) hanging off of it. In some jurisdictions there are legal consequences from employing, say, a temp. For example, in my jurisdiction, a temp becomes fully perm by law if they work for you for 3 years total, and gaps aren't larger than 6 months.
Jay_JWLH@reddit
Yeah, legal would need to be involved in the development of the database as well. OP's job should just pay for software and train staff to use it competently.
Happy_Emergency_9562@reddit
Agreed, was gonna comment something similar
Lulidine@reddit
Yup, I run IT for a call center. Every summer we have a bunch of workers leave and they rejoin in the fall.
We stopped using names as AD accounts. Between all of that mess you mentioned, plus people getting married, changing preferred names, etc., we use employee ID, which HR indexes on based on Social Security Number. So a rehire always gets their old Employee ID back.
We have a program that runs every 4 hours checking the DB for status changes and updating AD. If an employee is gone, their account gets stripped of all group memberships and disabled.
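The reconciliation that Lulidine's 4-hourly sync and Curious201's weekly report both describe, as an added example that is not code from this thread: correlate directory accounts to the HRIS export on a permanent employee ID only, never on name, and flag duplicates, accounts past their end date, lingering group memberships, stale logins, seasonal users in privileged groups, and rehires whose old account should simply be re-enabled. The sample HR rows, account names, group names and the `stale_days` threshold are all constructed; a real run would feed it the HRIS export and the output of `Get-ADUser`/the Okta API instead.

```python
from collections import namedtuple
from datetime import date, timedelta

# HRIS export row: permanent employee id (the only correlation key), status, expected end date
Worker = namedtuple("Worker", "employee_id status end_date")
# Directory account (AD or Okta); employee_id None means it was never linked to HR
Account = namedtuple("Account", "sam employee_id enabled last_logon groups", defaults=[frozenset()])
PRIVILEGED = {"Domain Admins", "Warehouse-Supervisors"}   # assumed group names

def reconcile(workers, accounts, today, stale_days=45):
    """Match accounts to HR on employee_id only; return sorted (finding, account) pairs."""
    hr = {w.employee_id: w for w in workers}
    by_id = {}
    for a in accounts:
        by_id.setdefault(a.employee_id, []).append(a)
    out = []
    for eid, accts in by_id.items():
        if eid is None:                       # no HR key, so nobody owns it
            out += [("unlinked", a.sam) for a in accts]
            continue
        if len(accts) > 1:                    # john.doe and john.doe2 for one person
            out += [("duplicate", a.sam) for a in accts]
        w = hr.get(eid)
        gone = w is None or w.status != "active" or w.end_date < today
        for a in accts:
            if gone and a.enabled:
                out.append(("past_end_date", a.sam))
            if gone and a.groups:             # disable ran, memberships stayed behind
                out.append(("lingering_groups", a.sam))
            if not gone and not a.enabled:    # rehire: re-enable, do not mint john.doe2
                out.append(("rehire_reenable", a.sam))
            if not gone and a.enabled and (a.last_logon is None or
                                           today - a.last_logon > timedelta(days=stale_days)):
                out.append(("stale_login", a.sam))
            if a.groups & PRIVILEGED:
                out.append(("privileged_seasonal", a.sam))
    return sorted(out)

TODAY = date(2025, 2, 10)                     # constructed "week of the report"
WORKERS = [Worker("E1001", "terminated", date(2025, 1, 15)),
           Worker("E1002", "active", date(2025, 4, 30)),
           Worker("E1003", "active", date(2025, 4, 30))]
ACCOUNTS = [Account("john.doe", "E1001", True, date(2024, 12, 20), {"Warehouse-Supervisors"}),
            Account("john.doe2", "E1001", True, date(2025, 1, 14)),
            Account("jane.roe", "E1002", False, date(2024, 1, 5)),
            Account("temp.acct", None, True, None, {"Warehouse-Staff"}),
            Account("sam.lee", "E1003", True, date(2024, 11, 1))]
```

Each finding maps to one remediation (disable, strip groups, re-enable, or assign an owner), so the same function can drive the scheduled sync and the weekly report.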
Fake_Cakeday@reddit
Not from the US so excuse the dumb question.
I thought the social security number was personal and not supposed to be shared. Am I thinking of another number?
Seeing as AD is able to be read by everyone with a domain-joined PC.
Vino84@reddit
The way I read it is that the HR system uses the SSN. If the user is rehired, they get the same Employee ID, which becomes their account name.
Fake_Cakeday@reddit
Ooh okay. Yeah, that sounds better and more plausible. Thank you.
Sree_SecureSlate@reddit
You can stop trying to match people by name and switch your "Source of Truth" to a permanent Employee ID that never changes.
If you force your system to link every "John Doe" to one fixed ID, HR's messy data entry stops creating digital ghosts and simply updates the same person’s record every time they come back.
Asleep_Spray274@reddit
Sounds like an identity strategy and governance problem first. The business needs to decide how those identities are treated and needed in the organization first. Then map out the governance model to support it, then inform all parts of the business how to manage it, from HR to IT. This is a people and policy problem first, technical second.
366df@reddit
You might get some inspiration from school environments. Lots of students coming and going. But from the sounds of it, the first issue is that there seems to be no policy for the rehiring process.
Appropriate_Fee_9141@reddit
Isn't there a disable and enable option in AD?
Garetht@reddit
It sounds like the deprovisioning process needs a tweak if users are staying inactive for 8 months without getting cleaned up.