Integrating access control with human resources provides many benefits to the organisation as a whole.
When a new employee starts with an organisation, there is an onboarding process, which includes steps such as confirming the identity of the employee and their right to work in the specific country.
This process may include purchasing of equipment such as a laptop and smartphone, as well as creating a login to the network and email address.
To be able to get into company offices the employee will also need an access card.
This process is usually managed by the Human Resources department, but they will need to work with other departments such as IT and Security to ensure that the employee has everything they need.
The problem is that this process tends to be manual or cumbersome.
The case for integration
Most of the information that is needed by the access control system (Name, Department, Responsibility, Level of Seniority) is already stored within the Human Resources Database.
The first logical step would be to provide this information automatically, and in real time, to the access control system.
To ensure data security, the system should allow customers to create a dedicated database user with access only to the relevant data.
To help customers integrate systems with their applications, security system vendors may provide direct access to the system database via an open API, such as ODBC (Open Database Connectivity). ODBC allows customers to retrieve any required data from the access control or burglar and intruder detection system by reading directly from the database.
While this interface allows easy data retrieval, issues arise when third-party applications need to add or update system data.
This requires detailed knowledge of the database structure, including relationships between tables and table fields. Performing database modifications without this information is extremely difficult and can result in database damage or loss of consistency.
Despite these limitations, ODBC is the most powerful method of retrieving data for reporting, statistics or feeding into third-party databases.
During a period of employment, it’s likely that a person will change job roles from time to time, or be seconded to different locations or departments while working on a specific project.
From a security point of view, the problem is that granting and revoking permissions is usually manual.
This could potentially lead to someone having more access than they need, which could turn them into a security risk to the organisation.
By allowing the access control system to automatically grant and revoke access rights based on data within the human resources system, we eliminate additional manual work, and ensure that people only have the level of access required for the specific job role.
An example of how permission automation works
Dave has been working for the company for four years and has recently moved departments.
By importing data from the Human Resources system, we know that:
- Dave now works for the Finance Department
- Dave is based in the London Office
The access control system has business logic rules defined on what access should be granted to match the security policy of the company Dave works for.
This will look something like:
IF Department='Finance' AND Location='London', grant the following permissions:
'Finance Office' AND 'London Office Reception'
Time Schedule: 0900 to 1700 Monday to Friday
The access control system will also remove any permissions that do not match the policy, meaning that permissions from Dave’s previous role in the sales department will be automatically removed.
Increasing security when an employee leaves
In a similar way to when someone joins an organisation, there will be a process in place when they leave.
This will include the return of all company property and information held by the employee, especially their access card.
The risk is that if the card is not returned, security might not block it, meaning that the card could be misused by a third party.
When someone leaves, the Human Resources database will be updated with their leaving date.
If we send this information automatically to the access control system, when that date is reached, the card and all associated access rights will be blocked.
Because the process is automatic, we no longer rely on someone doing something (or indeed, forgetting to do something), and we also increase security.
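The permission rule from the Dave example and the leaving-date block described above can be expressed as one reconciliation step. The following is an added example, not code from any access control product: the function name, the record fields, the Sales policy row and the dates are all assumptions made for illustration.

```python
from datetime import date

# Hypothetical policy table: (department, location) -> (door groups, schedule).
# The Finance/London row mirrors the rule in the article; the Sales row is
# constructed so that Dave has "previous role" permissions to revoke.
POLICY = {
    ("Finance", "London"): ({"Finance Office", "London Office Reception"},
                            "0900-1700 Mon-Fri"),
    ("Sales", "London"): ({"Sales Office", "London Office Reception"},
                          "0900-1700 Mon-Fri"),
}

def reconcile(hr_record, current_permissions, today):
    """Return the changes needed to make one cardholder match policy.

    hr_record: dict with 'department', 'location', 'leaving_date' (date or None)
    current_permissions: set of door groups currently assigned to the card
    """
    leaving = hr_record.get("leaving_date")
    if leaving is not None and today >= leaving:
        # Leaving date reached: block the card and strip every access right,
        # whether or not the physical card was handed back.
        return {"card_blocked": True, "grant": set(),
                "revoke": set(current_permissions), "schedule": None}

    # Department/location pairs with no policy row get no access (default deny).
    wanted, schedule = POLICY.get(
        (hr_record["department"], hr_record["location"]), (set(), None))
    return {"card_blocked": False,
            "grant": wanted - current_permissions,    # missing from the card
            "revoke": current_permissions - wanted,   # left over from old role
            "schedule": schedule}

# Constructed sample data: Dave after his move from Sales to Finance.
dave = {"name": "Dave", "department": "Finance", "location": "London",
        "leaving_date": None}
dave_card = {"Sales Office", "London Office Reception"}

if __name__ == "__main__":
    print(reconcile(dave, dave_card, date(2024, 3, 1)))
    leaver = dict(dave, leaving_date=date(2024, 6, 30))
    print(reconcile(leaver, dave_card, date(2024, 6, 30)))
```

Computing the revoke set as a difference against policy, rather than tracking individual role changes, is what removes stale permissions even when an earlier change was missed.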