FREDWESTON.NET - DevOps: Onboarding and Offboarding Workflow
DevOps: Onboarding and Offboarding Workflow
Posted under Work Stuff on Saturday, April 21, 2018 @ 8:06:16 PM
Show Previous Article Show Next Article
a big part of the ops work at my place of employment deals with the onboarding and offboarding of staff.  we have around 30-40 new hires / terminations a year, and as a manual process that probably represents somewhere around 60-80 hours of work.

some of the big challenges we used to face are:
  • no centralized responsibility for notifying it of employee changes
  • not getting timely notification of employee changes
  • not getting the information we need when we were notified of employee changes
  • constantly having to follow up to get the information we needed
  • no centralized source of truth on the status of employee changes
  • no automated approvals for equipment requests (i.e. pcs, cell phones, peripherals, etc)
we implemented a system comprised of five main components:
  • a "new hire form" - this gets filled out by our hr department to notify us of new employees
  • a "termination form" - this gets filled out by our hr department to notify us of terminations
  • an "equipment request form" - this gets filled out by the hiring manager and allows them to specify the equipment their new employee requires.  it also automated the purchase approval process (some types of equipment charges back to the hiring department's budget, so we need charge back approval)
  • a web utility used by it that actually creates active directory accounts, enrolls the new employee in our mfa system for vpn authentication, sends notifications to various departments notifying them of the new employee and sends the new hire a welcome e-mail.
  • a set of scripts that run as scheduled tasks on a windows server.  these are primarily reminder scripts that serve to send nag e-mails to various people when the workflow is waiting on someone to take action.
the new hire form

this form uses active directory authentication and restricts access to members of our hr team.  it collects all of the basic information we require such as name, contact info, job title, department, manager, office location, and start date.  

it also collects additional information that can be used to kick off additional notifications / workflow tasks.  for example:
  • does the new hire require equipment (i.e. a pc, cell phone, etc).  if so, a notification will be automatically sent from the person filling out this form to the hiring manager with a link to the equipment request form.
  • does the new hire require a credential (i.e. id card)?  if so, a notification is sent to the person that creates our staff credentials.
  • does the new hire need a keyfob to access our office?  if so, a ticket to issue one is raised in our helpdesk system via an api call.
fig 1 - the new hire form

the equipment request form

this form is filled out by the hiring manager to let it know what equipment their new employee will require.

the form provides information about the equipment policies (i.e. budget info, etc) and collects information related to:
  • pc requirements (laptop, desktop, etc)
  • accessories (monitor, docking station, keyboard/mice, usb storage, printer, ups, printer, etc)
  • cell phone
  • ip phone
  • should the new hire be added to existing e-mail distribution lists (i.e. a department list)?
  • how should we deliver the equipment?  leave it in the employees office, deliver it to an existing employee, ship it?
if any of the selected equipment requires budget approval, a notification is automatically sent from the hiring manager to their elt (exec leadership team) representative (i.e. the big boss).  the elt rep can approve or deny the request.  in the case of approval, the relevant tickets to procure and issue the equipment are raised in our helpdesk software via an api call, in the case of a denial a notification is sent back to the hiring manager informing them.  the elt rep can send a comment to note their specific objection and the hiring manager can refill the form and try again.

some items are handled by different teams (i.e. ip phone provisioning is handled by a different team than pc provisioning) and thus get separate tickets.  tickets are automatically assigned to the appropriate person / team.

fig 2 - the equipment request form

the account creation script

the account creation script is a web form used by it to actually provision accounts.

it performs the following functions via api calls, vbscript and/or powershell scripts:
  • creates an active directory account, adds employee to appropriate security groups, adds login scripts, etc.  the ad user is automatically created in the correct ou based on the new employee's department.
  • sets e-mail addresses
  • syncs the new user account to office 365 / azure ad - assigns an office 365 user license, creates e-mail box, adds user to selected distribution lists
  • creates a user account in our freeradius server (used for vpn mfa via google authenticator)
  • creates a user account and assigns a license on our saas subscription
  • assigns a fax number to the new employee in our fax server software
  • provisions a user account in our centurylink reservationless audio conferencing system via api call
  • sends a "welcome aboard" e-mail to the new employee with a copy of our "new hire it guide" document, which serves as a quick reference for it information.
the termination form

hr has a web app where they can enter terminations in to the system.  since this is a very basic form that only captures a limited amount of information i've omitted a screenshot.  

the hr form collects the following information:
  • employee to terminate
  • date / time termination should be effective
  • manager that should fill out the termination form
once hr submits the form, a link to the termination form is sent to the terminating manager so they can provide the required information to it.

the termination form collects the following information:
  • what do we do with the employee's e-mail account?  delete, auto reply, forwarding?
  • what do we do with the employee's cell phone and/or air card?  disconnect the line?  reassign it?
  • what do we do with the employee's computer?  reclaim and add to inventory as a spare?  leave it where it is for a replacement employee?  sell it to the departing employee?
  • who should be tasked with review of the terminated employee's computer files, e-mail, voicemail?
once the form is filled out, relevant tickets are raised in our helpdesk software via api call.

when we terminate an employee, we archive their pc files, e-mail (as a .pst) and voicemail.  we then upload this data to amazon s3 and store it for 60 days.  we have a web form that it uses to send the terminating manager links to this data and information on accessing it.  the form uses a standard template informing the manager that they have 60 days to review the data before it's deleted.  these notifications are frequently ignored and it gets requests for employee data, so it's handy for us to be able to tell folks to reference the automated e-mail they received because that prevents us from needing to take on additional work or deal with people (lazy is good).

fig 3 - the termination form

there is a collection of scripts running as scheduled tasks.  they perform the following tasks:
  • sends reminders for pending equipment requests
  • sends reminders for pending equipment request approvals
  • sends reminders for pending termination forms
all of the user-facing web forms implement strict javascript form validation to ensure data quality.

all in all, this is a collection of systems that have been developed over a period of 3-4 years.  they largely eliminate the need for ops to ever deal with a human being related to employee changes.  it ensures we have all the information we need in a centralized location.

the web components are all developed in classic asp (that's just what i know, i haven't been a developer in 20 years).  most of the scripts are in vbscript (same reason), though some needed to be done in powershell (i.e. interfacing with office 365, etc).

i've considered genericizing it and open sourcing, and may do so at some point in the future when i have more time to devote to it.