cancel
Showing results forย 
Search instead forย 
Did you mean:ย 

George Kozlov from People.ai: Here are some of the deep automations I've built using Workato

jessica-lie
Workato employee
Workato employee

[Nov 14, 2020] George Kozlov (Director of Engineering Operations from People.ai) posted:

I drive the IT department, engineering operations, and some of the business operations initiatives at People. ai.


Over the last 2 years, I built dozens of deep automation using Workato. You can read a few articles about processes automation on Medium:

I will be glad to answer your questions, if any, or drive a webinar.

5 REPLIES 5

jessica-lie
Workato employee
Workato employee

[Nov 14, 2020] Ryan Koh (Customer Success at Workato) replied:

Hi George, 


Great to meet you. I am Ryan from the Solutions Team here at Workato. Your articles really caught my attention, especially on user provisioning. Awesome stuff!


I have been working with multiple customers that requires similar automations that you have implemented for your organization especially on user provisioning with Okta. 


I do have many questions around this topic that will help this community and more! I am going to start off with a couple to get the ball rolling, hoping to get your expert advice as well as the community. 

  • Do you use any application or some sort of tracking sheet to identify the applications that you have provisioned for your employees as a central source of truth? What is your recommendation here? 
    Reason why I am asking this is because Okta only allows you to track applications which supports SSO (as you have mentioned), what about applications that does not have support for SSO? 
  • How are you provisioning the applications which supports SSO exactly? Are you using Workato to provision the application through Okta or are you provisioning it directly from the application itself? 
    • What are the things to take note in determining if an application should be provisioned through Okta vs directly from the application when using Workato

      Often times, many people get confused when it comes to provisioning of application when using an IDP like Okta 

  • How are you determining what applications should a specific user be provisioned with? Where and how are you capturing that taxonomy? 
    • Also, are you provisioning the applications directly? Or is there an approval layer for the application owner to approve before the actual provisioning takes place? 

Prajith, Qaseem, Sam, 


Take a look at this article - https://medium.com/people-ai-engineering/users-provisioning-automation-fc8cb4714c26

A lot of insightful content in here that George has curated, which we can benefit from and get more best practices. 

jessica-lie
Workato employee
Workato employee

[Nov 15, 2020] George Kozlov (Director of Engineering Operations from People.ai) replied:

Thanks for your reply. It's nice to meet you virtually as well.Here are the answers to your questions:


1. Do you use any application or some sort of tracking sheet to identify the applications that you have provisioned for your employees as a central source of truth? What is your recommendation here? 

  • We rely on the Okta platform as the source of truth. We maintain the groups in Okta, and the groups are mapped to the departments in BambooHR. There are 4 levels of entitlements which we track:
    • Organization - the applications relevant to all full-time employees, e.g., BambooHR, Lattice, etc
    • Department - the applications relevant to a specific department
    • Division - division level applications, e.g., BV&I group within the CS department
    • Individual - we try to avoid them as much as we can, but they still present.
  • When the automation receives the "user.activated" event, it just goes through the list of all assigned applications and adds the user to those we maintain via workato automation. The rest is automated via SCIM API in Okta.
  • In other words, Okta is the source of truth.

2. How are you provisioning the applications which support SSO exactly? Are you using Workato to provision the application through Okta, or are you provisioning it directly from the application itself?

The SSO is not related to the users provisioning as is. Some applications support JiT users provisioning, and the workflow is the following:


If the application supports SCIM API, we use SCIM API via Okta.

    • If SCIM API is not supported, but SSO and JiT provisioning are supported, we use JiT to create the user during the first login.
      • IF neither SCIM nor Jit is supported, but there is a REST API - we use REST API via Workato.

3. How are you determining what applications should a specific user be provisioned with? Where and how are you capturing that taxonomy?
See my answer to the first question.


Please let me know if you have other questions ๐Ÿ™‚


jessica-lie
Workato employee
Workato employee

[Nov 17, 2020] Prajith Maniyath (Senior Director - IT Business Systems at Allakos Inc) replied:

Hi George,


Thanks for sharing the detailed process, we will consider these aspects as we design our onboarding/offboarding process. Appreciate your inputs.

jessica-lie
Workato employee
Workato employee

[Nov 27, 2020] Ryan Koh (Customer Success at Workato) replied:

Thank you George, this has been really helpful. I may follow up with questions down the line, but this has been getting hugely popular of the late.