Let me provide a comprehensive walkthrough of our implementation covering identity governance integration, automated role mapping, and the onboarding efficiency gains we achieved.
Project Background and Business Case:
Our manual onboarding provisioning process had several pain points:
- Average 2.5 days from hire date to full system access
- 15% error rate (wrong permissions, forgotten applications)
- 8 hours of IT staff time per new hire for account creation and access provisioning
- Poor new hire experience (couldn’t start work on day one)
- Compliance risks from inconsistent provisioning and poor audit trails
With 200+ new hires per year, this translated to 1,600 hours of IT time and significant productivity loss. The business case for automation was compelling.
Architecture Overview:
Our solution integrates three key components:
-
ADP Workforce Now (Source of Truth):
- Onboarding module captures new hire data
- Custom fields added for access requirements
- Triggers connector when hire record reaches “Approved” status
-
SailPoint IdentityIQ (Identity Governance):
- ADP connector pulls employee data in real-time
- Role mapping engine applies provisioning logic
- Workflow engine handles approvals and exceptions
- Connectors to downstream systems (AD, Salesforce, Workday, etc.)
-
Downstream Systems (Provisioning Targets):
- Active Directory (primary identity source)
- SaaS applications (Salesforce, Office 365, etc.)
- On-premise applications (ERP, CRM, etc.)
- Physical access systems (badge readers)
Identity Governance Integration - Technical Implementation:
The ADP connector configuration was critical to success:
-
Connector Setup:
- Configured SailPoint’s native ADP connector
- Authentication: OAuth 2.0 with service account
- Sync schedule: Every 4 hours (to catch new hire records quickly)
- Delta sync enabled (only pull changed records)
-
Attribute Mapping:
We mapped key ADP fields to SailPoint identity attributes:
- ADP Employee ID → SailPoint Identity ID
- ADP Department → SailPoint Department
- ADP Job Title → SailPoint Job Code
- ADP Manager → SailPoint Manager relationship
- ADP Location → SailPoint Location
- ADP Start Date → SailPoint Hire Date
- Custom Fields (access flags) → SailPoint Entitlement Requests
-
Trigger Logic:
The connector monitors for specific conditions to trigger provisioning:
- New hire record created in ADP Onboarding
- Record status = “Approved” (hiring manager signed off)
- Start date within next 30 days
- Not marked as contractor/temporary (different provisioning flow)
Automated Role Mapping - The Core Logic:
This is where the real value comes from. We built a sophisticated but maintainable role mapping framework:
-
Role Matrix Design:
Instead of creating hundreds of individual roles, we used a matrix approach:
Base Dimensions:
- Department (Sales, Engineering, Finance, HR, etc.)
- Role Family (Manager, Individual Contributor, Executive)
- Level (Junior, Mid, Senior, Principal)
Example: Sales + Individual Contributor + Senior = Role Bundle:
- Salesforce (Sales Cloud User)
- Office 365 (E3 License)
- Slack (Standard User)
- Zoom (Licensed User)
- Company Intranet (Employee Access)
- VPN (Standard Access)
-
Role Mapping Rules in SailPoint:
We configured rules that evaluate ADP attributes:
IF (Department = "Sales" AND JobCode CONTAINS "Account Executive" AND Level = "Senior")
THEN Assign Role Bundle: "Sales_IC_Senior"
IF (Department = "Engineering" AND JobCode CONTAINS "Engineer" AND Level = "Junior")
THEN Assign Role Bundle: "Engineering_IC_Junior"
IF (JobTitle CONTAINS "Manager")
THEN Add Role Bundle: "Manager_Base" (includes manager-specific tools)
-
Location-Based Additions:
Regional requirements are layered on top:
- US employees: Add US-specific compliance tools and access
- EMEA employees: Add GDPR-required systems and documentation
- APAC employees: Add region-specific applications
-
Custom Field Exceptions:
We added 10 custom checkboxes in ADP’s onboarding form:
- “Requires Salesforce Premium Features”
- “Needs GitHub Admin Access”
- “Requires Financial System Access”
- “Needs Physical Badge Access (24/7)”
- Etc.
Hiring managers check these during onboarding form completion, and SailPoint reads them to add entitlements beyond the base role bundle.
Workflow Automation - Handling the Process:
-
Standard Provisioning Flow (No exceptions):
- ADP connector detects new approved hire
- SailPoint evaluates role mapping rules
- Provisions accounts and access automatically
- Sends welcome email to new hire with login credentials
- Notifies manager that provisioning is complete
- Total time: 4 hours (next connector sync)
-
Exception Handling Flow (Custom access needed):
- Connector detects custom field checkboxes
- Provisions base role bundle automatically
- Creates approval task for manager: “Confirm additional access for [Employee]”
- Manager reviews and approves via email link
- Additional access provisioned upon approval
- If manager doesn’t respond in 24 hours, escalates to IT
-
High-Risk Access Flow (Elevated permissions):
- Certain role bundles trigger additional approval requirements
- Example: Finance roles require CFO approval before provisioning
- SailPoint workflow routes approval to appropriate executive
- Provisioning pauses until approval received
- Audit log captures approval trail
Onboarding Efficiency Gains - Measurable Results:
After 6 months of operation, we measured significant improvements:
-
Time to Access:
- Before: 2.5 days average (60 hours)
- After: 4 hours average (same-day for 95% of hires)
- Improvement: 93% reduction in time to access
-
IT Effort:
- Before: 8 hours per hire (manual account creation, access provisioning)
- After: 0.5 hours per hire (handling exceptions only)
- Improvement: 94% reduction in IT time
- Annual savings: 1,500 IT hours = $75,000 in labor costs
-
Error Rate:
- Before: 15% of new hires had incorrect or missing access
- After: 2% (only in exception cases with complex requirements)
- Improvement: 87% reduction in provisioning errors
-
New Hire Satisfaction:
- Before: 65% rated onboarding access as “satisfactory” or better
- After: 92% rated as “satisfactory” or better
- Improvement: 42% increase in satisfaction
-
Compliance Posture:
- 100% audit trail for all provisioning decisions
- Automated separation of duties checks (SailPoint policy engine)
- Manager approval documentation for all elevated access
- Reduced audit findings from 12 to 2 in first year
Lessons Learned and Best Practices:
-
Start Simple, Iterate:
We initially tried to automate everything, which led to complex rules that were hard to maintain. Better approach: automate the 80% common cases first, handle exceptions manually, then gradually automate exception patterns as they emerge.
-
Invest in Role Design:
The role matrix approach was crucial. Don’t try to map every job title to a role - you’ll end up with hundreds of unmaintainable roles. Use dimensions (department, level, function) to build composable role bundles.
-
Manager Involvement is Key:
Initially, we tried to fully automate without manager approval. This led to compliance concerns and some inappropriate access. Adding lightweight manager confirmation (approve via email link) provided the right balance of automation and oversight.
-
Custom Fields Drive Flexibility:
Adding 10 checkboxes to ADP’s onboarding form gave us the flexibility to handle most exceptions without manual IT work. Hiring managers understand their new hire’s needs better than IT does.
-
Monitor and Refine:
We review provisioning logs weekly for the first 3 months, monthly thereafter. This helps identify patterns that could be automated better or role mappings that need adjustment.
-
Documentation is Critical:
For audit purposes, we maintain:
- Role mapping logic documentation (what role gets what access and why)
- Exception approval trails (who approved what access)
- Annual role review process (verify role mappings are still appropriate)
- Change management records (when and why role mappings changed)
Technical Gotchas to Avoid:
-
Timing Issues: New hire records sometimes appear in ADP before hiring manager completes all fields. We added validation logic to ensure required fields are populated before triggering provisioning.
-
Duplicate Detection: Rehires or employees who transfer need special handling to avoid creating duplicate accounts. We check for existing accounts by email address before provisioning.
-
Custom Field Sync: ADP custom fields don’t always sync immediately. We added a 1-hour delay before reading custom field values to ensure they’re populated.
-
Manager Chain: If a new hire’s manager is also new, the manager relationship might not be established yet. We handle this by defaulting to department head until manager relationship is established.
ROI and Business Impact:
Total project cost: $120,000 (software licenses, implementation, training)
Annual savings: $150,000 (IT time, reduced errors, productivity gains)
Payback period: 10 months
Ongoing annual benefit: $150,000+
Beyond the financial ROI, the intangible benefits are significant:
- Better new hire experience (they can actually work on day one)
- Reduced IT frustration (no more urgent access requests)
- Improved security posture (consistent provisioning, better audit trails)
- Scalability (can handle hiring surges without adding IT staff)
This implementation transformed our onboarding from a manual, error-prone process to a streamlined, automated experience that scales efficiently. The key success factors were thoughtful role design, lightweight manager approvals, and continuous refinement based on operational experience.