Our client is a leading global cyber security and network security software provider.
The client is a rapidly growing software solution provider with employees across the United States and around the globe. Given the rapid pace of hiring, job transitions, and promotions, automated identity and access management (IAM) is critical to internal security and compliance: joiners need the right access on day one, movers need their access adjusted, and leavers need it revoked promptly. While the client had invested in some core IAM technologies, they asked Dispatch to develop enhanced identity management capabilities to meet the needs of their business.
Workday is the system of record for employee identity and role, and Okta is the identity provider. Dozens of applications are in use across the company, such as Salesforce, NetSuite, Coupa, Concur, and Snowflake, and each requires IAM logic so that access rights are assigned or revoked according to role, seniority, geographic location, and other attributes.
While Okta is an exceptional identity management platform, the client had run into limitations in its workflow functionality for the processes they needed. They did not want to replace Okta, which remained a core part of their identity infrastructure, but needed a “coprocessor” to extend its capabilities. Since Workato was already in use to automate workflows across the organization, it was the natural platform on which to build these enhancements.
One enhancement was more intelligent handling of Workday event updates. We created a Workato recipe, connected to Workday, that decides which employee and manager updates to transmit to Okta based on criteria such as the timing of employee lifecycle events, so that Okta receives a change only when it should take effect. We then used Workato’s API platform to expose this recipe as an endpoint that Okta can call on demand.
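The timing decision described above, as an added example that is not code from the case study or from Workato, Workday, or Okta. It assumes Workday events have already been normalized into a small record (event type, worker ID, effective date, and manager ID for manager changes); the three-day pre-provisioning lead time and the event ordering are hypothetical policy values, not the client's.

```python
"""Decide which Workday lifecycle events are ready to be pushed to Okta.

Added example, not code from the original case study or from Workato/Okta/Workday.
Assumed (hypothetical) inputs: Workday events already normalised into WorkdayEvent
records. HIRE_LEAD_DAYS and the priority order are illustrative policy values.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Hypothetical policy: create the account shortly before the start date so the hire
# has access on day one, but not earlier (a dormant account is avoidable attack
# surface); push terminations as soon as they are effective; push manager changes
# once effective, and only when the new manager is actually known.
HIRE_LEAD_DAYS = 3


@dataclass(frozen=True)
class WorkdayEvent:
    event_type: str                 # "hire", "termination" or "manager_change"
    worker_id: str
    effective_date: date
    manager_id: Optional[str] = None


def is_ready(event: WorkdayEvent, today: date) -> bool:
    """True when this event should be transmitted to Okta as of `today`."""
    if event.event_type == "hire":
        return event.effective_date - timedelta(days=HIRE_LEAD_DAYS) <= today
    if event.event_type == "termination":
        return event.effective_date <= today
    if event.event_type == "manager_change":
        return event.manager_id is not None and event.effective_date <= today
    return False  # unknown event types are never forwarded silently


def select_updates(events: List[WorkdayEvent], today: date) -> Tuple[List[WorkdayEvent], List[WorkdayEvent]]:
    """Split events into (ready, deferred).

    Ready events are ordered so that revocations are sent before any grants:
    if the downstream push is interrupted, the safer half has already happened.
    """
    ready = [e for e in events if is_ready(e, today)]
    deferred = [e for e in events if not is_ready(e, today)]
    priority = {"termination": 0, "manager_change": 1, "hire": 2}
    ready.sort(key=lambda e: (priority[e.event_type], e.effective_date))
    return ready, deferred


if __name__ == "__main__":
    # Constructed sample batch for a run on 2024-03-01.
    today = date(2024, 3, 1)
    batch = [
        WorkdayEvent("hire", "W1", date(2024, 3, 3)),
        WorkdayEvent("hire", "W2", date(2024, 3, 10)),
        WorkdayEvent("termination", "W3", date(2024, 3, 1)),
        WorkdayEvent("manager_change", "W4", date(2024, 2, 28), manager_id="W9"),
        WorkdayEvent("manager_change", "W5", date(2024, 2, 28)),
    ]
    ready, deferred = select_updates(batch, today)
    for e in ready:
        print("send   ", e.event_type, e.worker_id)
    for e in deferred:
        print("defer  ", e.event_type, e.worker_id)
```

Deferred events stay in Workday's queue and are re-evaluated on the next run, so a future-dated hire or termination is never lost, only held until its effective window.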
We created Workato-based microservices between Okta and the downstream applications to orchestrate access management in near real time, with one service per application encoding that application's access rules. For instance, with Salesforce, on an Okta trigger the Workato microservice looks up the employee's manager and writes that manager's Salesforce ID to the employee's record. For Coupa and NetSuite, the Workato recipe queries Snowflake to determine the access attributes and metadata to assign to the employee. For Concur, the recipe queries Snowflake and NetSuite to determine the department and approval limits to assign to each employee.
This microservices approach keeps the access logic for each application defined and maintained independently of the overall employee event workflow coordinated between Workday and Okta. It scales, because a new application can be added to the IAM model by reusing the existing services rather than reworking the workflow. And it is auditable and transparent, because each provisioning decision can be traced to the trigger and the rule that produced it, so access is granted and revoked in a secure and reliable manner.
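The per-application rule pattern from the two paragraphs above, as an added example; it is not code from the case study and not Workato, Okta, Salesforce, NetSuite, Coupa, Concur, or Snowflake API code. The Okta trigger shape, the lookup tables (constructed in-memory stand-ins for the Salesforce user search and the Snowflake and NetSuite queries the text describes), and the approval-limit thresholds are all hypothetical. It goes slightly beyond the text in one respect: a deactivated user is revoked everywhere before any application rule runs, so a missing lookup row can never leave a leaver with access.

```python
"""Per-application access rules behind one Okta lifecycle trigger.

Added example, not code from the case study and not vendor API code. Every
lookup table is a constructed in-memory stand-in for the query the text
describes; the trigger shape and the rule thresholds are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class OktaTrigger:
    """Normalised payload of an Okta user lifecycle event (hypothetical shape)."""
    email: str
    manager_email: Optional[str]
    department: str
    seniority: str          # "ic", "manager" or "director"
    active: bool            # False for suspend / deactivate events


@dataclass
class Decision:
    """What one application microservice would do for this trigger."""
    app: str
    action: str             # "provision", "revoke" or "review"
    attributes: Dict[str, object] = field(default_factory=dict)
    reason: str = ""


# Constructed stand-ins for the downstream systems.
SALESFORCE_USERS = {"alice@example.com": "005A1", "bob@example.com": "005B2"}  # email -> Salesforce user Id
SNOWFLAKE_ACCESS = {                                                           # department -> Coupa/NetSuite attributes
    "Finance": {"coupa_role": "requester", "netsuite_role": "AP Clerk"},
    "Sales": {"coupa_role": "requester", "netsuite_role": "Sales Rep"},
}
NETSUITE_DEPARTMENTS = {"Finance": 101, "Sales": 202}                          # department -> NetSuite department id
CONCUR_APPROVAL_LIMITS = {"ic": 0, "manager": 10_000, "director": 50_000}      # seniority -> USD approval limit


def salesforce_rule(t: OktaTrigger) -> Decision:
    """Resolve the manager's Salesforce Id and set it on the employee's record."""
    manager_id = SALESFORCE_USERS.get(t.manager_email) if t.manager_email else None
    if manager_id is None:
        # Fail closed: never guess an approver chain; route to a human instead.
        return Decision("salesforce", "review", reason="manager has no Salesforce user")
    return Decision("salesforce", "provision", {"ManagerId": manager_id})


def coupa_netsuite_rule(t: OktaTrigger) -> Decision:
    """Coupa and NetSuite attributes come from the department mapping (Snowflake stand-in)."""
    attrs = SNOWFLAKE_ACCESS.get(t.department)
    if attrs is None:
        return Decision("coupa_netsuite", "review", reason=f"no access mapping for department {t.department!r}")
    return Decision("coupa_netsuite", "provision", dict(attrs))


def concur_rule(t: OktaTrigger) -> Decision:
    """Concur needs the NetSuite department id plus an approval limit tied to seniority."""
    dept_id = NETSUITE_DEPARTMENTS.get(t.department)
    limit = CONCUR_APPROVAL_LIMITS.get(t.seniority)
    if dept_id is None or limit is None:
        return Decision("concur", "review", reason="unknown department or seniority")
    return Decision("concur", "provision", {"department_id": dept_id, "approval_limit_usd": limit})


# Adding an application means adding one rule here; the orchestration does not change.
RULES: Dict[str, Callable[[OktaTrigger], Decision]] = {
    "salesforce": salesforce_rule,
    "coupa_netsuite": coupa_netsuite_rule,
    "concur": concur_rule,
}


def orchestrate(t: OktaTrigger) -> List[Decision]:
    """Run every application rule for one trigger and return the audit-ready decisions."""
    if not t.active:
        # Revoke everywhere without consulting any rule: a lookup gap must not keep a leaver's access.
        return [Decision(app, "revoke", reason="user deactivated in Okta") for app in RULES]
    return [rule(t) for rule in RULES.values()]


if __name__ == "__main__":
    for trig in (
        OktaTrigger("alice@example.com", "bob@example.com", "Finance", "manager", True),
        OktaTrigger("carol@example.com", "nobody@example.com", "Finance", "ic", True),
        OktaTrigger("dave@example.com", None, "Sales", "ic", False),
    ):
        for d in orchestrate(trig):
            print(trig.email, d.app, d.action, d.attributes, d.reason)
```

Each Decision is the record that makes the system auditable: it names the application, the action, the attributes that were set, and, for anything the rules could not decide, the reason it was routed to review instead of being guessed.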
This project resulted in an elegant and sophisticated approach to identity and access management. It avoided a “Frankenstein” approach by keeping Okta as the core IAM engine and enhancing its functionality rather than splintering identity into separate solutions for each application’s needs. The solution significantly reduced manual intervention and, most importantly, the automation increased security and compliance confidence in a scalable, auditable, supportable, and flexible system that can evolve with the needs of the business.