HR Profile Attributes
Introduction
Defining the HR profile attributes, that is, the data elements that you will receive from the HR system and process into the identity platform (IdP), namely Active Directory, Azure AD or Google Cloud Directory, is one of the most important things to consider before you start to create your workflow. The input attributes from the HR system help you:
- Map them to directory attributes to create the identity profile
- Define lifecycle business rules and processing conditions
- Form the basis, or intelligence, for building rule sets that assign birthrights or privileges, reflected as memberships in Organizational Units (OU), Security Groups (SG), O365 Groups, Distribution Lists (DL), Azure AD only DLs, Mail Enabled Security Groups, and other group memberships as per the target identity platform (IdP)
This document is not exhaustive. It lists the most commonly used attributes and explains why you would want them to be synced to the IdP and made available to the Hire2Retire workflow. This set of input attributes is a recommended best practice from our experience of building employee lifecycle and identity, privilege, access and resource provisioning workflows for our customers. The exact names of the employee attributes may change from one HR system to another; this document focuses on the meaning, or semantics, of each attribute.
Which attributes are required?
Please note that, other than the employee ID, all the attributes could be optional based on your business needs. The Hire2Retire platform is very flexible and can be customized to your individual lifecycle needs.
HR Employee Profile Attributes
The HR employee profile attributes that are commonly used to define the identity profile are grouped under the following headings:
- Basic PII (Personally Identifiable Information)
- Reporting Information
- Employment Status
- Job Identifiers
- Other Information as needed
Basic PII (Personally Identifiable Information)
Basic PII attributes are common employee identifiers such as first name, last name, preferred name, etc. These are well known and not sensitive in nature, and you may typically be able to find them on LinkedIn or in contact databases.
Attribute Name | Description and purpose |
---|---|
Employee ID (key #) [Required] | Key to connect HR profile to IdP profile. Hire2Retire uses this identifier to determine if this employee exists in the AD or IdP and then can appropriately perform hiring, change of role, or termination. |
First Name | First Name |
Last Name | Last Name |
Preferred Name | Preferred name for use as display name or for email or UPN construction, if desired. |
Personal Email | Optional, if required to be used for sending onboarding email or first login password. |
Mobile Phone Number | When synced to AD, it facilitates 2FA and Office 365 self-service and password reset. |
Reporting Information
Reporting information identifies the manager ID so that while creating the identity account, Hire2Retire can establish the tree or the reporting relationship. This attribute helps keep the GAL (Global Address List) current and up to date.
Attribute Name | Description and purpose |
---|---|
Reports to Employee ID | ID of the reporting manager |
Job Identifiers
Job identifiers are a set of the HR profile attributes that identify the role and privilege that an employee has in the organization. These are significant attributes from the identity perspective as they establish birthrights, privileges, and role-based access controls (RBAC).
Hire2Retire provides an intuitive no-code user experience for defining the profile-attribute-driven rule sets that assign group memberships. For example, a manager in sales could be put in a security group that grants access to the sales application and could additionally be used to auto-provision a license and access to Salesforce.
Attribute Name | Description and purpose |
---|---|
Job Title | Job titles denote a certain level of responsibility and access needed to perform one’s duties. |
Department | Employee’s assigned department. It is a great choice for defining role-based permissions and access. |
Company or Business Units | Companies over time acquire and merge with other companies or split into smaller subsidiaries that may control access privileges. |
Cost Center | Another dimension that is often used to assign role-based access control. |
Employee Type | Customers sometimes use their HR platform to manage full-time, part-time and seasonal employees. In such situations, Hire2Retire can manage each type of employee differently. |
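The rule-set idea above, sketched in Python as an added example (this is not Hire2Retire code; the product defines such rules without code). It goes one step beyond the text by also computing which rule-managed groups to remove when a role changes. The rule format, group names and attribute keys are hypothetical.

```python
# Each rule: attribute conditions that must ALL match -> group granted.
# Group names and attribute values are hypothetical.
RULES = [
    ({"department": "Sales"}, "SG-Sales-App"),
    ({"department": "Sales", "job_title": "Manager"}, "SG-Salesforce-Licensed"),
    ({"department": "Finance"}, "SG-Finance-App"),
    ({"employee_type": "Seasonal"}, "SG-Restricted-Seasonal"),
]
MANAGED_GROUPS = {group for _, group in RULES}


def _norm(value):
    # HR exports vary in case and padding; a missing attribute matches nothing.
    return (value or "").strip().casefold()


def birthright_groups(profile):
    """Groups the HR profile is entitled to under RULES."""
    return {group for cond, group in RULES
            if all(_norm(profile.get(k)) == _norm(v) for k, v in cond.items())}


def membership_changes(profile, current_groups):
    """Return (to_add, to_remove) that align membership with RULES.

    Only rule-managed groups are removed, so memberships granted outside
    the rule set are left untouched.
    """
    target = birthright_groups(profile)
    current = set(current_groups)
    to_add = target - current
    to_remove = (current & MANAGED_GROUPS) - target
    return sorted(to_add), sorted(to_remove)


# Constructed sample: a sales manager who has moved to Finance.
MOVED_PROFILE = {"employee_id": "E2001", "department": "Finance",
                 "job_title": "Manager", "employee_type": "Full-time"}
CURRENT_GROUPS = {"SG-Sales-App", "SG-Salesforce-Licensed", "DL-All-Staff"}

if __name__ == "__main__":
    add, remove = membership_changes(MOVED_PROFILE, CURRENT_GROUPS)
    print("add:", add)
    print("remove:", remove)
```

Removing the stale sales groups on the department change is what keeps privileges from accumulating across role changes.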
Employment Status
Hire2Retire uses the start date and last day worked, or related date fields, to decide the employment status of an employee. These date fields also let it perform scheduled operations, such as pre-boarding ahead of the start date and scheduling termination and access removal on the last working day at a chosen time in the employee's local time zone. For example, someone whose last day is the 15th of March could be scheduled to be terminated and have access removed on March 15th at 6 PM local time, which is a different instant for New York than for San Diego.
Attribute Name | Description and purpose |
---|---|
Start date | First day at work or employment. |
Last day worked or termination date | Last working day or specifically when the system access or privilege should be removed. |
Employment status | Typically used for handling long term leave like sabbatical, FMLA, legal leave, security or disciplinary leave. |
Termination reason | Typically used for handling sensitive termination where the last day worked may be later for the payroll purpose, but the access must be immediately removed. |
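The time-zone-sensitive cutoff and the sensitive-termination override described above, as an added Python example (not Hire2Retire code). The 6 PM cutoff comes from the text; the year 2024, the record field names, the IANA zone for San Diego and the `sensitive` reason code are assumptions made for this sketch.

```python
from datetime import date, datetime, time, timezone
from zoneinfo import ZoneInfo

CUTOFF_LOCAL = time(18, 0)          # 6 PM at the employee's work site
IMMEDIATE_REASONS = {"sensitive"}   # hypothetical termination reason code


def access_removal_utc(record, now):
    """UTC instant at which this employee's access must be removed."""
    if record.get("termination_reason") in IMMEDIATE_REASONS:
        # Sensitive termination: the payroll last day may be later,
        # but access ends as soon as the record is processed.
        return now
    cutoff = datetime.combine(record["last_day_worked"], CUTOFF_LOCAL,
                              tzinfo=ZoneInfo(record["site_tz"]))
    return cutoff.astimezone(timezone.utc)


def due_for_removal(records, now):
    """Employee IDs whose removal instant has been reached at `now` (UTC)."""
    return [r["employee_id"] for r in records
            if access_removal_utc(r, now) <= now]


# Constructed sample records; IDs, zones and reasons are illustrative.
RECORDS = [
    {"employee_id": "E1001", "last_day_worked": date(2024, 3, 15),
     "site_tz": "America/New_York"},
    {"employee_id": "E1002", "last_day_worked": date(2024, 3, 15),
     "site_tz": "America/Los_Angeles"},   # San Diego
    {"employee_id": "E1003", "last_day_worked": date(2024, 3, 29),
     "site_tz": "America/New_York", "termination_reason": "sensitive"},
]

if __name__ == "__main__":
    run_at = datetime(2024, 3, 15, 23, 0, tzinfo=timezone.utc)
    for r in RECORDS:
        print(r["employee_id"], access_removal_utc(r, run_at).isoformat())
    print("due:", due_for_removal(RECORDS, run_at))
```

The San Diego cutoff lands on March 16 in UTC, so a job that compares the last day worked against the UTC calendar date would fire at the wrong time for that employee.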
Other Information as needed
Hire2Retire is very flexible and supports mapping and processing as many attributes as your business needs require. We support mapping attributes to any available IdP fields, including commonly used extension attributes in Active Directory.
You may pass attributes to the Hire2Retire workflow without mapping them to the IdP in order to enable features and capabilities like group assignment, data-rich email communication or creating service desk tickets.