How do I do this? Count/capture each users' access to various Business Applications

[Berto2002]

When someone leaves our organisation, we have a record of the key assets they used (such as mobile phone, telephone number, laptop) so we are able to reclaim them through the workflow and know what should be expected to be returned.

The challenge I have been given is to achieve the same for business application accesses.

We should be in a position to know which business applications any given user has been granted so that when they leave, we can detect them in workflow and prescribed actions to the relevant teams to have the accesses removed. I would like suggestions on what mechanisms I can use to achieve this and any advice from anyone who already does this in some way.

The only ways I can think of doing it so far:

1. to create /assign some kind of asset to them for every application. At the point they are granted access and these would show up in the get asset workflow nodes. The trouble is that would create tens of thousands of asset records.
2. Since my subscriber lists are populated by Organisation Groups and I can detected the OGs in workflow I can use that; but this does not expose anything to the service desk on the Request ticket like Assets do

It would be better to be able to link a user to some kind of common entity.

I wondered if the software asset management functionality could help here, but there is no documentation on that and I have logged a separate post asking how that works.

Any suggestions welcome.

[Guest Paul Alexander]

Hi @Berto2002

We have a couple of ways of doing this, depending on the 'type' of software being used.

1. Master/Token licenses, where we have a set amount of licenses for a particular item of software
   1. We have a 'master software' asset, with all of the details of the license (version, license key, serial number, etc). There is only one of these
   2. We then create a 'Token asset' which, when a software license is issued to a person, is then linked to the Master asset. So, the user is linked to the 'token', and the 'token' is linked to the 'master'
   3. We can then see, by opening the Master token, how many of the 'tokens' are being used, and can then decide whether we need to increase the amount of licenses etc.
2. Any MS or AutoCAD licenses where the user needs to be in a specific AD group in order to get access to the software
   1. For this, we use the LDAP import tool to import from the specific AD group in to a 'general organisation' in Hornbill.

 

When a leavers request is logged, part of our process is to find and add any assets (software, hardware etc) and these are added to the leavers request. We also use a 'get user groups' node which will list any groups that the leaver is a member of, which we then either add to a task for the analyst to remove the user from the AD group or (if you have the setup to do this) it can be automated. 

 

 

[Berto2002]

Hi @Paul Alexander, for point 1, what is the feature you use for this? What entity is the "token asset" and how is it linked-up please?

We do the same with the assets for leavers as you have; with workflow to automatically set the Used by of an asset to our 'in stock' user once it is checked-in.