A curious thing has occurred as identity and access management systems are deployed in enterprises world-wide. The nature of the relationship between IT and HR, or human capital management (HCM), has evolved. For many IAM implementations, the relationship between the IAM team and HR hasn’t been a particularly good one. While the HR database can serve, and has served, as the authoritative source for IAM systems, negotiating with some HR departments to make that connection and share the necessary data to build the IAM data repository has been, shall we say, difficult. The need to control and maintain the privacy of employee information is viewed as a sacred trust by many in HR, and they don’t like the idea of even an extract of their data being used outside of their purview, even if it is for purposes other than HR.
IAM projects need a starting point, and HR data is a logical one. Synchronizing the data in HR that exists about a person and their job activities with the directory for authentication or the entitlement catalog for authorization is a natural design step. However, in making this connection, IAM data stores also become an extension of HR, because they obtain and store data that is NOT found in HR systems but is data about identities nonetheless. The identity store holds not only data for access, but also data about people who are not found in many HR systems, such as contractors or partners.
It is at this point that HR and IT find themselves in a bit of a dilemma. In many industries HR does not have a mandate to track contractor identities, but contractors ARE human resources for the business. Therefore some of the data collected by IAM systems can be, and often is, of interest to HR. If both of them can overcome the friction of shared data quality and access responsibilities, it can actually be a productive partnership. IAM data repositories can become a small ‘surrogate’ to larger HR systems, with data from these repositories used for purposes other than access. My colleague Lori Rowland coined an interesting term for this and related phenomena: “accidental identity management”. An IAM program captures valuable data about identities that may be used by other parties within the business for something completely outside of access.
Even though consumers and/or citizens are also not the purview of HR systems, IAM also provides valuable identity and access information (dare I say ‘intelligence’?) for a broader view of people and their interaction with IT resources. We see today how valuable such information is to consumer technology providers such as Google and Facebook. Imagine the equivalent use cases for enterprise IAM activity and event information, leveraged in business decision-making. The first and most obvious ‘customer’ of such intelligence will be HR, which gains a more accurate record of what an employee actually DOES, rather than what we say they do with job titles and ‘roles’. There are of course some significant privacy implications to ‘role activity monitoring’, but I think you get the picture.
In addition to everything else you know and understand about IAM, add to that the potential to be a valuable asset in the pursuit of best-in-class human capital management.