Harris Federation – Managing Staff Identities

Posted on 8 June 2017

Harris Federation turned to Identity Experts to help them build a new solution for staff identity management.

Managing identities across an organisation is difficult enough for one entity, but imagine the complexity if users have roles across different organisations, all of which need to be managed centrally.  Although this may sound unlikely, in today’s continually evolving world it is becoming more common.

The Harris Federation is a not-for-profit charity with over 25 years’ experience of education in and around London. Operating more than 40 establishments, it has built its reputation on a family of Academies that, across the board, are setting standards of excellence and fulfilling high expectations.

Coping with multiple staff roles

The IT department for the Harris Federation has to manage the accounts for more than 30,000 users across all their academies, as Andy Meighen, IT director, explained.

“More than 80% of our users are students and managing the identities for these is pretty straightforward. We have built our own system that automatically provisions and de-provisions accounts from our MIS system, and has worked fine for a number of years.

“The complexity occurs when we want to automate identity management for our staff. Firstly, we did not have a single source of data for all our staff. This is because we employ both salaried staff and those on short term contracts. In addition, our salaried staff can work at different academies in different roles. This means there are duplicate accounts created in our MIS system, making it unsuitable as the definitive data store for identity management.”

Build a new database for staff identity management

As a result of this, Harris Federation decided that the best way to solve the problem would be to build an entirely new person database. “This would enable us to tailor the information to reflect the different roles an individual may have at different academies,” said Andy. “We would then have the definitive source of information to drive the joiner, mover and leaver processes with our Active Directory setup.”

After deciding to utilise Microsoft Identity Manager to synchronise the data, the Harris Federation realised it would need a partner to help them complete the project.

“So, we spoke to Microsoft directly,” said Andy. “They recommended a few partners, but after speaking to them all, we decided to go with Identity Experts as they specialised in identity management and were experienced in implementing such solutions in the education sector.”

Consequently, in the summer of 2016, Identity Experts consultants met with the IT team at the Harris Federation to start the project. “Initially, they sat down with us to understand our challenges and the sources of data we had available,” explained Andy. “From this initial discovery work, they were then able to scope the project for our agreement and sign off.

“They then set about building the solution and setting up the various connectors to the new database from our original data sources. Finally, once the system had been implemented they carried out skills transfer with our staff, so we would have a better understanding of the system and be able to provide more support internally.”

Taking care of joiners, movers and leavers

Due to the complex nature of the new person database, the Harris Federation IT department is only migrating one academy at a time. Despite this, they are still able, even at this early stage of the project, to appreciate the benefits of their work so far.

“Now, we don’t have to manually provision accounts,” said Andy. “With a lean IT team, like we run here, that is invaluable, as it frees us up to concentrate on higher value tasks. It has also given us a standardised AD setup process which has considerably improved the quality of the AD information throughout our estate and ensures standards are maintained continuously.

“As we add more academies to the database the benefits are going to increase and eventually when all are loaded the identity management for all our staff, some 6,000 accounts will be automatic. This means that when any joiners, movers or leavers are added to the database, the changes will automatically synchronise through to the relevant AD accounts.

“This will mean that the joiners and movers get access to the correct resources immediately, ensuring they are productive straight away. It also means leavers are immediately denied access, helping to maintain security across our systems.”

Understanding the environment

“Working with Identity Experts has been easy,” concluded Andy. “We could tell from the first meeting that they understood the environment in which we were working and were able to utilise that experience in helping us design a better system that works for us.

“Whenever we have a problem we cannot resolve internally, we know escalating it to them will get us a rapid response. As we continue to expand the system I feel confident that they have the expertise and experience to support our identity management efforts.”
