Documentation Index
Fetch the complete documentation index at: https://docs.provisionr.io/llms.txt
Use this file to discover all available pages before exploring further.
Friday, 3 PM: The CEO closes a deal. New Sales Engineer starts Monday.
Friday, 3:01 PM: The hiring system creates an HRIS record. Contract signed. Offer accepted.
Friday, 3:05 PM: HRIS webhook fires. Policy engine receives new employee data.
Friday, 3:10 PM: Policy engine calculates required access based on role: Sales Engineer.
Friday, 3:15 PM: Laptop order placed automatically via Jamf and Apple Business Manager.
Friday, 3:20 PM: Accounts created across all systems—Okta, Google, AWS, Slack, GitLab, Salesforce.
Friday, 3:30 PM: Access provisioned—groups, roles, permissions across 12 systems.
Friday, 3:40 PM: Laptop configured—apps installed, bookmarks set, VPN configured.
Friday, 3:45 PM: Manager notified: “Sarah Chen starts Monday. Laptop ships today. All access configured.”
Monday, 8 AM: Sarah opens her laptop. Logs in with SSO. Everything works. Slack channels populated. GitLab repos accessible. Salesforce ready. No tickets. No waiting.
This isn’t science fiction. This is the end-state vision for modern IT operations.
The Five Layers of Fully Automated Onboarding
Layer 1: Identity Source of Truth (HRIS)
Everything starts with the HRIS—Workday, BambooHR, Rippling, or similar.
Key requirement: The HRIS must emit events when data changes.
{
"event_type": "employee.hired",
"event_id": "evt_abc123",
"timestamp": "2024-11-22T15:01:00Z",
"data": {
"employee_id": "emp_789",
"email": "sarah.chen@company.com",
"first_name": "Sarah",
"last_name": "Chen",
"job_title": "Sales Engineer",
"department": "Sales",
"team": "Enterprise",
"employment_type": "FTE",
"start_date": "2024-11-25",
"manager_email": "john.doe@company.com",
"location": "San Francisco",
"work_arrangement": "Remote"
}
}
Layer 2: Policy Engine (Access Calculation)
The policy engine receives the HRIS event and calculates what access this person needs.
def calculate_required_access(employee_data):
policies = []
# Base policy applies to everyone
if employee_data.employment_status == "Active":
policies.append(BaseEmployeePolicy)
# Department policy
if employee_data.department == "Sales":
policies.append(SalesTeamPolicy)
# Role-specific policy
if employee_data.job_title == "Sales Engineer":
policies.append(SalesEngineerPolicy)
# Location-based policy
if employee_data.location in ["EU", "UK"]:
policies.append(GDPRCompliancePolicy)
# Resolve policies into access grants
access_grants = resolve_policies(policies)
return access_grants
{
"user": "sarah.chen@company.com",
"access": [
{"system": "okta", "action": "create_user"},
{"system": "okta", "action": "add_to_group", "group": "sales-team"},
{"system": "google", "action": "create_account"},
{"system": "google", "action": "add_to_group", "group": "sales@company.com"},
{"system": "salesforce", "action": "create_user", "profile": "sales-engineer"},
{"system": "slack", "action": "invite_user"},
{"system": "slack", "action": "add_to_channel", "channel": "#sales-team"},
{"system": "gitlab", "action": "add_to_group", "group": "customer-solutions", "role": "reporter"}
]
}
Layer 3: Orchestration Engine (Execution)
The orchestration engine takes the access grants and provisions them across all systems.
Key capabilities:
Dependency management
Create the Okta account before adding to Okta groups.
Parallel execution
Provision Google and Salesforce simultaneously when no dependencies exist.
Retry logic
If Slack API times out, retry with exponential backoff.
State tracking
Log what succeeded, what failed, what’s pending.
Rollback
If a critical step fails, undo previous steps.
class OrchestrationEngine:
def provision(self, access_grants):
# Step 1: Build dependency graph
dag = build_dependency_graph(access_grants)
# Step 2: Execute in topological order
for tier in dag.tiers():
# Execute tier in parallel (no dependencies within tier)
results = parallel_execute(tier)
# Check for failures
if any(result.failed for result in results):
# Decide: continue or rollback
if critical_failure(results):
rollback(previous_tiers)
raise ProvisioningError("Critical step failed")
# Step 3: Return execution summary
return generate_summary()
Layer 4: Device Management (Laptop Provisioning)
Simultaneously, the device management system provisions the laptop.
For macOS (Jamf + Apple Business Manager):
def provision_laptop(employee_data):
# Step 1: Order device via Apple Business Manager
device = order_macbook_pro(
ship_to=employee_data.home_address,
delivery_date=employee_data.start_date - timedelta(days=2)
)
# Step 2: Assign device to user in Jamf
jamf.assign_device(
device_serial=device.serial_number,
user_email=employee_data.email
)
# Step 3: Configure device profile
profile = build_profile(employee_data)
jamf.apply_profile(device.serial_number, profile)
return device
Layer 5: Communication and Workflow (Notifications)
The system notifies relevant stakeholders:
To the manager:
Subject: Sarah Chen starts Monday - Onboarding Complete
Hi John,
Sarah Chen (Sales Engineer) starts Monday, Nov 25.
Laptop shipped to home address (arrives Saturday)
All accounts created (Okta, Google, Salesforce, Slack, GitLab)
Access provisioned (Sales Team + Sales Engineer policies applied)
Manager access granted (you can view her onboarding progress)
Next steps:
- Monday 9 AM: Intro call scheduled (auto-added to your calendar)
- Monday 10 AM: Team standup (auto-added to her calendar)
- Monday 2 PM: Onboarding buddy meeting with Mike
Questions? Reply to this email or ping #it-help on Slack.
— IT Team
Subject: Welcome to [Company]! Your onboarding guide
Hi Sarah,
Welcome to [Company]! We're excited to have you on the team.
Your laptop should arrive by Saturday. Here's what to expect:
Unbox and power on
Log in with your Google account (sarah.chen@company.com)
Everything is pre-configured - Slack, email, tools
Your first day:
- 9 AM: Intro call with your manager (John Doe)
- 10 AM: Team standup - meet the Enterprise Sales Engineering team
- 2 PM: Onboarding buddy meeting with Mike (your go-to for questions)
Onboarding portal: [link]
Team handbook: [link]
IT support: #it-help on Slack
See you Monday!
Slack notification in #it-onboarding:
Onboarding complete: Sarah Chen (Sales Engineer)
- Created: Okta, Google, Salesforce, Slack, GitLab accounts
- Provisioned: Sales Team + Sales Engineer access (18 grants)
- Laptop: Shipped via Apple Business Manager (tracking: 1Z999...)
- Status: Ready for Monday start
[View full onboarding log] [Report issue]
Automated onboarding tied to HR hiring events provides continuous evidence of controlled access provisioning. Every access grant is logged with timestamp, justification (policy reference), and system confirmation—satisfying SOC 2 CC6.2 (prior authorization) and ISO 27001 A.9.2.2 (user access provisioning).
Real-World Example: End-to-End Automation
Tracing Sarah’s onboarding from offer acceptance to day one:
Friday, Nov 22, 3:00 PM:
HR accepts Sarah’s signed offer. HRIS creates employee record. Start date: Monday, Nov 25.
3:01 PM:
HRIS webhook fires. Policy engine receives event.
3:02 PM:
Policy engine calculates access:
- Base Employee policy
- Sales Team policy
- Sales Engineer policy
Output: 24 access grants across 8 systems.
3:03 PM:
Device management triggered:
3:05 PM:
Orchestration begins:
[Tier 1 - Identity systems]
3:05:10 Create Okta account
3:05:15 Create Google Workspace account
[Tier 2 - Base access]
3:05:20 Add to okta:base-employee
3:05:22 Add to google:employees@company.com
3:05:25 Create Slack account (via SSO)
[Tier 3 - Department access]
3:05:30 Add to okta:sales-team
3:05:32 Add to google:sales@company.com
3:05:35 Create Salesforce user (via Okta SCIM)
3:05:40 Invite to slack:#sales-team
[Tier 4 - Role-specific access]
3:05:45 Configure Salesforce profile (Sales Engineer)
3:05:50 Create GitLab account (via SAML, pending first login)
3:05:52 Add to slack:#customer-success
3:05:55 Add to slack:#engineering-general (guest)
3:06:00 Grant Notion access (sales + technical spaces)
[Tier 5 - Device configuration]
3:10:00 Laptop ordered (Apple Business Manager)
3:10:30 Jamf profile configured
3:10:45 Device assigned to user
[Tier 6 - Notifications]
3:15:00 Email sent to manager (John)
3:15:05 Email sent to new hire (Sarah)
3:15:10 Slack notification sent to #it-onboarding
3:15:15 Calendar events created (intro call, standup, buddy meeting)
- Wallpaper shows onboarding checklist
- Apps installed: Slack, Chrome, 1Password, Zoom, Notion
- Bookmarks added: Company handbook, HR portal, team wiki
- VPN configured
- Calendar has Monday’s meetings
Monday, Nov 25, 8:00 AM:
Sarah powers on laptop. Logs in with Google SSO. No password. No MFA setup (already configured).
Opens Slack. She’s already in:
- #sales-team
- #customer-success
- #engineering-general
Opens Gmail. Sees welcome email from her manager.
Opens Calendar. Sees:
- 9 AM: Intro call with John (manager)
- 10 AM: Team standup
- 2 PM: Onboarding buddy meeting with Mike
Opens Salesforce. Logs in via SSO. Profile is already configured.
Opens GitLab. Logs in via SSO. She’s already in customer-solutions group (Reporter role).
Everything works. No tickets. No waiting. No “IT is provisioning your access.”
The Components Required
Building this requires:
1. HRIS with Webhook Support
Options: Workday (enterprise), BambooHR (mid-market), Rippling (modern, built for automation), Gusto (SMB).
Key requirement: Real-time webhooks for employee lifecycle events (hired, updated, terminated).
2. Policy Engine
Build or buy: Building a custom policy engine takes 6-12 months of engineering effort. Provisionr and other emerging platforms provide this out of the box.
Key requirement: Define policies as code, evaluate based on attributes, output access grants.
3. Orchestration Layer
Build or buy: Building custom orchestration takes 3-6 months. Workflow platforms (Temporal, n8n, Airflow) or purpose-built tools accelerate this.
Key requirement: Dependency management, parallel execution, retry logic, state tracking.
4. System Adapters
One adapter per system: Okta, Google Workspace, AWS, Salesforce, Slack, GitLab, Jira, and so on.
Build or buy: Building custom API integrations takes 1-2 weeks per system. Pre-built connectors from orchestration platforms reduce this significantly.
5. Device Management (Optional but Recommended)
For macOS: Jamf + Apple Business Manager, Kandji, or Mosyle.
For Windows: Intune + Azure AD, or SCCM.
Key requirement: Zero-touch deployment. Device ships to employee pre-configured.
The ROI Calculation
Before full automation:
- New hire onboarding: 2-4 days (waiting for access)
- IT time per onboarding: 3-5 hours (manual provisioning)
- Annual onboarding volume: 100 employees
- IT cost: 300-500 hours/year = 45K−75K
After full automation:
- New hire onboarding: 0 days (access on day one)
- IT time per onboarding: 0 hours (automated)
- Annual onboarding volume: 100 employees
- IT cost: 10 hours/year (policy maintenance) = $1,500
Savings: 43K−73K per year
Plus:
- Faster productivity (employees start working day one)
- Better employee experience (no frustration waiting for access)
- Reduced security risk (no manual errors, no forgotten deprovisions)
The Migration Path
Organizations don’t build this overnight. Here’s the phased approach:
Phase 1 (Months 1-3): Policy-based access
- Define policies for all roles
- Implement policy engine
- Provision access based on policy (manual execution)
Phase 2 (Months 4-6): Orchestration
- Build or buy orchestration layer
- Connect to all systems (adapters)
- Automate execution of policy-based access
Phase 3 (Months 7-9): Device management
- Integrate device management (Jamf, Intune)
- Configure zero-touch deployment
- Test end-to-end onboarding
Phase 4 (Months 10-12): Optimization
- Add monitoring and alerting
- Improve error handling
- Expand to cover role transitions, terminations
Common Pitfalls
HRIS data quality
Automation depends on clean HRIS data. If job titles are inconsistent or departments are wrong, policies fail. Solution: Audit and clean HRIS data before automation.
Over-automating edge cases
Organizations shouldn’t try to automate 100% of onboarding. Some things need human judgment—sensitive access, unique roles. Solution: Automate the 90%, handle the 10% manually.
No rollback plan
When automation fails mid-execution, there must be a way to undo partial changes. Solution: Build rollback into orchestration. Or accept that some failures require manual cleanup.
Insufficient testing
Testing onboarding automation is hard—organizations can’t repeatedly hire the same person. Solution: Use a test HRIS environment. Create synthetic employee records. Test thoroughly before production.
The End State
When fully automated onboarding works:
- Friday afternoon: New hire accepts offer
- Monday morning: New hire has laptop and full access
- IT effort: Zero (monitored, but not involved)
This is the vision. It’s achievable. It requires investment—6-12 months, 1-2 engineers. But the ROI is immediate and ongoing.
Stop manually provisioning access. Build the infrastructure to make it automatic.
Future hires will appreciate it. The IT team will appreciate it. The CFO will appreciate it when they see the cost savings.
Welcome to modern IT operations.
This is the final article in our Phase 1 series on policy-based access management. We’ve covered the problems (access requests, movers, reviews), the building blocks (policies, orchestration, compliance), and the end-state vision (full automation).
Want to see this in action? Explore Provisionr’s automated onboarding workflows
