[Nov 15, 2020] George Kozlov (Director of Engineering Operations from People.ai) replied:
Thanks for your reply. It's nice to meet you virtually as well.Here are the answers to your questions:
1. Do you use any application or some sort of tracking sheet to identify the applications that you have provisioned for your employees as a central source of truth? What is your recommendation here?
- We rely on the Okta platform as the source of truth. We maintain the groups in Okta, and the groups are mapped to the departments in BambooHR. There are 4 levels of entitlements which we track:
- Organization - the applications relevant to all full-time employees, e.g., BambooHR, Lattice, etc
- Department - the applications relevant to a specific department
- Division - division level applications, e.g., BV&I group within the CS department
- Individual - we try to avoid them as much as we can, but they still present.
- When the automation receives the "user.activated" event, it just goes through the list of all assigned applications and adds the user to those we maintain via workato automation. The rest is automated via SCIM API in Okta.
- In other words, Okta is the source of truth.
2. How are you provisioning the applications which support SSO exactly? Are you using Workato to provision the application through Okta, or are you provisioning it directly from the application itself?
The SSO is not related to the users provisioning as is. Some applications support JiT users provisioning, and the workflow is the following:
If the application supports SCIM API, we use SCIM API via Okta.
- If SCIM API is not supported, but SSO and JiT provisioning are supported, we use JiT to create the user during the first login.
- IF neither SCIM nor Jit is supported, but there is a REST API - we use REST API via Workato.
3. How are you determining what applications should a specific user be provisioned with? Where and how are you capturing that taxonomy?
See my answer to the first question.
Please let me know if you have other questions ๐
