AWS Partner Network (APN) Blog
Automation of User Onboarding and Offboarding Workflows
By Puneet Chaddah, CTO at Relevance Lab
By Ron Davis, Sr. Control Services Specialist at AWS
By Sundeep Mallya, Head of RLCatalyst Product at Relevance Lab
By Anil Sriram, Head of Cloud Technology Services at Relevance Lab
In order to provide a seamless employee experience, the workflow of user onboarding and offboarding requires integration between HR systems, ITSM tools, cloud resources, identity and access control, and intelligent automation.
A number of organizations have silos of applications, service request management, and manual interventions that have direct impact on support overheads, end user experience, ticket fulfillment SLAs, and security and compliances issues.
To address these common needs, Relevance Lab worked closely with Amazon Web Services (AWS) to create an intelligent automation solution using RLCatalyst, ServiceNow, Jira Service Desk, and AWS services such as AWS Service Catalog, AWS Service Management Connector, and Amazon WorkSpaces.
In this post, we will walk you through the workflow and solution for automated user onboarding and offboarding.
Relevance Lab is an AWS Select Consulting Partner and platform-led services company specializing in cloud, DevOps, automation, analytics, and digital transformation.
Need for Automated User Onboarding and Offboarding
The need for user onboarding and offboarding in a “touchless manner” has increased in the current work environment, with greater needs to manage a distributed workforce without compromising on enterprise security needs.
When the transition to work from home started for one of Relevance Lab’s largest customers, there was a spike in requests to deal with employee onboarding and offboarding workflows. There was also increased demand for temporary contract resources with restricted access privileged needs and remote desktops.
As enterprises adjust to this new reality, many of the practices for flexible onboarding and offboarding with cloud-based workspaces will continue since they provide better cost, security, speed of activation and deactivation, data security, and compliance.
Using the RLCatalyst product for access and compliance of user onboarding and offboarding, combined with use of AWS services, Relevance Lab has been able to save close to $500,000 annually for our largest customers.
Typical User-Onboarding and Offboarding Process
The table below explains the typical process followed by enterprises covering multiple functions across HR, IT and business:
|Onboarding Workflow||Offboarding Workflow|
|1. Data capture from HR systems||1. Data capture from HR systems|
|2. Request creation and workflow||2. Request creation and workflow|
|3. AD user creation||3. AD user disablement|
|4. Workspace creation||4. Workspace access disablement|
|5. Custom software installation||5. Custom software de-installation|
|6. Workspace ready check and user notification||6. Manager notification|
|7. CMDB/asset update, including Software Asset Management (SAM)||7. CMDB/asset update, including SAM|
|8. Workspace deletion/re-allocation|
|9. SOX (Sarbanes-Oxley) compliance checks|
This solution has been created by leveraging AWS services, ITSM tools, and an intelligent automation product from Relevance Lab called RLCatalyst.
RLCatalyst acts as a glue between the ITSM cloud-based tools and distributed assets managed by cloud providers. The integration layer provides secure connectivity, authentication, distributed transaction management, state management, and log aggregation for complex workflows.
Figure 1 – Intelligent automation workflow using RLCatalyst.
The key building blocks of this solution are:
- RLCatalyst BOTs Connector that integrates with ServiceNow Workflow and ServiceNow Orchestration engine to achieve end-to-end automation. This allows chaining of tasks covering ServiceNow activities, updates from third-party systems, provisioning of AWS assets, and post-provisioning lifecycle updates.
- RLCatalyst BOTs Server that is securely deployed inside customers’ Amazon Virtual Private Cloud (VPC) and acts as an orchestration engine to execute different types of BOTs. This RLCatalyst BOTs Server is deployed on Amazon Elastic Compute Cloud (Amazon EC2) servers with a secure deployment using AWS Control Tower.
- The RLCatalyst BOTs server has pre-built integrations to multiple third-party products and tools like cloud providers, AD/O365/G-Suite/Okta, and Workday or Taleo. It acts like an integration service bus connecting service requests to target providers.
- RLCatalyst BOTs Execution Engine that works under the orchestration logic to execute different types of BOTs on Windows and Linux workloads using a combination of scripts (Python, PowerShell), API calls, AWS Lambda functions, AWS CloudFormation templates, or Chef/Ansible-based automation tools.
- Security, logging, state management, audit trail, and graceful error handling using AWS CloudTrail, as many of these distributed transactions have multiple hops and disconnected updates with unknown execution times that need event handling using Amazon Simple Notification Service (SNS). When a BOT fails to complete the workflow, a graceful handover has to happen back to humans with ticket logging.
- By creating an end-to-end record triggered by a formal “Ticket” and audit trails that cover human approvals, change tracking, system records, reconciliation, and information retrieval for audits, the BOTs provide a source of truth that makes compliance system-driven with records management in ITSM platforms.
- AWS Service Management Connector and ServiceNow Self-Service Portal that allows automation to leverage standard service catalog and order AWS products with 1-click models.
- The BOTs allow 1-click provisioning of AWS services like Amazon WorkSpaces, AWS Simple AD, AWS CloudFormation, and AWS Lambda.
What Are BOTs?
BOTs refer to automation functionality dealing with common DevOps, TechOps, ServiceOps, SecurityOps, and BusinessOps. BOTs follow a maturity model, from simple to more complex, starting with task automation, process automation, decision-driven automation, and AI/ML-based automation.
Comparing BOTs with traditional automation, the following are a few characteristics of BOTs:
- BOTs are reusable with separation of data and logic.
- Supports multiple models like AWS Lambda, scripts, agent/agentless, and UIBOTs with better coverage.
- Managed in a code repository with config management (Git repo) which allows the changes to be “managed” vs. “unmanaged scripts.”
- Wrapped in YAML definitions and exposed as service APIs, which allows BOTs to be invoked from third-party apps like ServiceNow.
- “Managed and Supervised Runs” via the BOT Orchestrator manages the lifecycle to bring in security, compliance, error handling, and insights
- Has a lifecycle for intelligent maturity.
- Built with an open source platform that can be extended and integrated with existing tools on a journey to achieve AIOps maturity.
- Deeply embedded with ServiceNow and AWS to leverage data and transaction integration in a bi-directional way.
More details of the key functionalities of automation, integrations, and compliance are explained below.
- Auto-notification from HR systems for new employee onboarding or offboarding or with self-service portals.
- Workflow automation in ServiceNow and Jira Service Desk for user-driven or event-generated request handling and auto-workflow triggers.
- Cloud automation using AWS Service Catalog APIs, AWS Lambda functions with appropriate compliance, and policy checks under AWS Control Tower organizations with guardrails.
- Orchestration dealing with multiple enterprise systems adapters and complex workflows with integrated approval management based on company policies.
- Hyper-automation using a “service bus” model with BOTs across cloud and data center workloads of systems and apps. These cover end user computing devices (desktops) and servers with a combination of Windows and Linux workloads.
Service Bus with Pre-Built Integrations
The product comes with pre-built integrations with the following systems:
- Taleo or Workday HR systems that manage the user lifecycle workflows.
- An organization’s identify and access management (IAM) tools, such as Active Directory, Single Sign-On (SSO), or IDAM.
- Existing ITSM tools, CMDB/asset management, and self-service portals.
- Cloud infrastructure and hybrid setups with appropriate policy controls for cost and governance management.
- Automated vulnerability and patch management lifecycle for all dynamic assets.
- Existing SOX (Sarbanes-Oxley) processes for assets and resource access controls and compliance.
- Software Asset Management (SAM) controls as appropriate for the organization (dynamic assets lifecycle and software CMDB updates).
Figure 2 – Solution deployment architecture.
The diagram above shows the different tools and their integration for building an intelligent automation solution.
By leveraging existing investments in common ITSM tools, AWS Control Services, and with a pre-existing library of commonly used BOTs, customers can quickly achieve end-to-end automation.
The RLCatalyst product can be downloaded by customers from AWS Marketplace and enabled in their environments. It’s pre-bundled for deployment inside a secure customer environment with a library of commonly used BOTs.
Dealing with user onboarding and offboarding is a common phenomenon for enterprises, and one that has assumed greater importance with the need to enable remote working, cloud-based assets, and “touchless” interactions.
At the same time, every enterprise has variations based on internal HR, IT, compliance processes, and adoption of standard ITSM and cloud systems.
With the RLCatalyst product, enterprises can achieve end-to-end automation along with flexibility for customizations relevant to customer needs. The cycle time of user onboarding and offboarding can be improved significantly.
RLCatalyst can be deployed quickly for enterprises and integrates with existing infrastructure and applications. To learn more about the solution and implementation, contact email@example.com.
Relevance Lab – AWS Partner Spotlight
Relevance Lab is an AWS Select Consulting Partner and platform-led services company specializing in cloud, DevOps, and automation, analytics, and digital transformation.
Contact Relevance Lab | Partner Overview
*Already worked with Relevance Lab? Rate the Partner
*To review an AWS Partner, you must be a customer that has worked with them directly on a project.