HR AI Skill
Access
Manage system access provisioning, account creation, permissions, SSO setup, and access revocation for employees. Use when setting up new hire accounts, managing role-based access, handling access requests, or revoking access during offboarding. Triggers on...
System Access & Account Provisioning
Ensure employees have timely access to all systems and tools needed to do their job.
Workflow
- Trigger provisioning upon offer acceptance (new hires) or internal transfer approval.
- Determine required access based on role, department, location, and job function.
- Create accounts in all required systems (email, SSO, collaboration tools, SaaS apps).
- Assign role-based permissions and add to appropriate groups/channels.
- Send welcome email with login instructions and first-step guide.
- Verify access working on Day 1 (automated check + employee confirmation).
- Monitor access changes throughout employment (promotions, transfers, projects).
- Revoke all access on offboarding (scheduled, not manual).
Role-Based Access Matrix
ACCESS MATRIX — By Department
==============================
ALL EMPLOYEES (baseline access):
→ Email (Google Workspace / Microsoft 365)
→ SSO (Okta / Azure AD) with MFA
→ Communication: Slack / Microsoft Teams
→ Calendar: Google Calendar / Outlook
→ HRIS: BambooHR / Workday (self-service)
→ Document storage: Google Drive / SharePoint (personal folder)
→ Knowledge base: Notion / Confluence (read access)
→ Expense app: Expensify / Concur
ENGINEERING (additional):
→ Code repository: GitHub / GitLab
→ CI/CD: Jenkins / GitHub Actions / CircleCI
→ Cloud platforms: AWS / GCP / Azure (role-scoped)
→ Project management: Jira
→ Design tools: Figma (view access)
→ Monitoring: Datadog / PagerDuty
→ Internal developer portal
SALES (additional):
→ CRM: Salesforce / HubSpot
→ Sales enablement: Gong / Outreach / Salesloft
→ Proposal tools: PandaDoc / DocuSign
→ Expense tracking: Expensify (elevated limits)
→ Calendar automation: Calendly
MARKETING (additional):
→ Marketing automation: HubSpot / Marketo
→ Analytics: Google Analytics / Mixpanel
→ Design tools: Figma / Canva Pro
→ Social media: Sprout Social / Buffer
→ Content management: WordPress / Webflow
FINANCE (additional):
→ ERP: NetSuite / QuickBooks
→ Accounting: Xero / Sage
→ Expense approval: Elevated approval limits
→ Banking: Company bank accounts (dual-control)
→ Tax filing software
EXECUTIVE / LEADERSHIP (additional):
→ Board portal: Diligent / Nautilus
→ Financial dashboards: Tableau / Looker (executive views)
→ Executive email alias
→ Travel booking: Concur / TripActions
→ Signature management: DocuSign (admin)
HR (additional):
→ HRIS: Full admin access
→ Payroll system: Gusto / ADP (admin)
→ Benefits admin platform
→ Performance management: Lattice / 15Five (admin)
→ Background check platform: Checkr
→ ATS: Full access
→ Document management: Personnel files (restricted)
Provisioning Process
NEW HIRE ACCESS PROVISIONING
=============================
Step 1: Account Creation (T-5 business days)
→ Create email account: [email protected]
→ Provision SSO identity with a one-time, expiring activation link (or a temporary password delivered out of band and forced to change on first login) plus an MFA enrollment prompt; never a shared default password
→ Create calendar, set business hours and time zone
→ Add to company-wide distribution lists
Step 2: Tool Access (T-3 business days)
→ Provision role-specific SaaS accounts (automated via SSO integration)
→ Assign licenses (track license pool — alert if low)
→ Create personal storage folders with appropriate permissions
→ Add to team/department Slack channels
Step 3: Security Configuration (T-2 business days)
→ MFA enrollment (push notification preferred, backup codes provided)
→ Acceptable use policy acknowledgment
→ Data security training assignment (due within 7 days)
→ Device enrollment (MDM profile for company devices)
Step 4: Verification (Day 1)
→ Automated test: Can employee log in to SSO and access key tools?
→ IT sends Day 1 welcome email with login URL, support contact, quick-start guide
→ Employee confirms access via simple form or Slack check-in
→ Any failed access: IT priority ticket, resolved within 4 hours
Step 5: Post-Provisioning Audit (Week 2)
→ HR/IT review: Were all required access items provisioned?
→ Employee survey: "Did you have all the tools you needed on Day 1?"
→ Resolve any gaps
→ Close provisioning ticket
Access Request Process (Ongoing)
ACCESS REQUEST WORKFLOW
========================
When employees need access beyond their baseline:
1. Submit request via HRIS self-service portal:
→ System/tool name
→ Justification (project, role need)
→ Urgency level
→ Duration (permanent / temporary with end date)
2. Auto-routing:
→ Standard tools (on access list for role): Auto-approved
→ Elevated access (admin, financial, sensitive data): Manager → HR → IT approval
→ Temporary access: Manager approval only, auto-revoke at end date
3. Provisioning:
→ IT provisions within 1 business day (standard) or 4 hours (urgent)
→ Confirmation email sent to employee and manager
4. Audit trail:
→ All requests logged with timestamp, approvers, and rationale
→ Quarterly access review: Managers confirm direct reports still need each access
→ Annual access certification: Department heads certify all access in their department
Access Revocation (Offboarding)
ACCESS REVOCATION PROTOCOL
===========================
Trigger: Offboarding workflow initiated
Scheduled revocation (voluntary):
→ Set for 5:00 PM on last working day; the identity step runs first because it is what actually cuts off access
→ Staged revocation:
1. 5:00 PM: Disable SSO identity, terminate all active sessions, and revoke OAuth/refresh tokens issued through the IdP (disabling the account alone does not end sessions already issued)
2. 5:01 PM: Block outbound mail on the mailbox (mailbox retained, not deleted)
3. 5:05 PM: Remove from distribution lists and channels
4. 5:10 PM: Deprovision downstream SaaS and cloud access that is not SSO-bound (local accounts, IAM users, API keys, access keys)
5. 5:15 PM: Clear MFA factors and close enrollment (prevents re-enrollment if the account is mistakenly reactivated)
→ Grace period: 24 hours during which the disabled account can be re-enabled if the schedule was wrong; access is never left live during this window, and nothing is deleted
→ Forwarding: Set up email forwarding to manager for 30 days
Immediate revocation (involuntary/security concern):
→ IT revokes SSO immediately (within 15 minutes of instruction)
→ Physical escort to collect belongings
→ All systems locked before employee leaves building
→ Legal/HR notification of revocation timestamp
Data preservation:
→ Employee's files archived (not deleted) for 7 years
→ Calendar events cancelled or reassigned
→ Open projects transferred to designated owner
→ Slack messages preserved in channel history
Security Policies
ACCESS SECURITY FRAMEWORK
==========================
Password policy:
→ Managed by SSO (no individual passwords for most tools)
→ SSO password: Min 12 characters, changed annually and immediately on any indication of compromise
→ MFA required for all accounts (no exceptions)
→ Session timeout: 30 minutes of inactivity (internal tools), 8 hours (external SaaS)
Least privilege principle:
→ Start with minimum required access
→ Escalate only with documented business need
→ Temporary elevated access: Max 72 hours, auto-revoke
→ Admin access: Just-in-time provisioning, time-limited
Access reviews:
→ Monthly: Automated stale access detection (>90 days inactive)
→ Quarterly: Manager certification of direct report access
→ Semi-annually: HR reviews sensitive data access
→ Annually: Full access audit across all systems
Termination scenarios:
→ Voluntary: Scheduled revocation on last day
→ Involuntary: Immediate revocation
→ Layoff: Batch revocation with COBRA notification timing
→ Contractor end: Immediate revocation on contract end date
Integration Points
- Identity provider (Okta, Azure AD, Auth0): SSO and MFA
- HRIS: Employee records, start/end dates, role data
- IT ticketing: Access request and issue tracking
- Slack/Teams: Channel provisioning
- Cloud platforms (AWS, GCP, Azure): Role-based access
- SaaS tools: License management and provisioning APIs
- MDM (MobileIron, Jamf): Device management
Edge Cases
- Joint access (shared accounts): Not permitted — each person gets an individual account
- Interim access (backfill, acting role): Temporary access with defined end date
- Cross-department projects: Temporary access group, auto-remove when project ends
- Third-party contractors: Limited access via separate contractor SSO group, daily access review
- Executive offboarding: Staggered revocation — board portal access may be maintained post-departure for a defined transition period, as a documented exception with a fixed end date; all other access is revoked on the normal schedule
- Emergency access (break-glass): Documented process, dual-approval, full audit logging, time-limited