The challenges of employee application provisioning

During my tenure as the VP of Engineering at a logistics startup in LatAm, I had the opportunity to hire and onboard almost 50 people, scaling the engineering team from 18 to 65 employees.

As a growing startup, we didn't have a structured process for adding new members to our team. Therefore, I had to create my own system to address three main challenges.

Providing application access for new hires

Every employee on the engineering team needed access to several applications in order to start contributing effectively. While the HR team created their company email and added them to Slack, they also required access to a variety of other tools and applications, including:

• GitHub
• Jira
• Confluence
• AWS
• GCP
• Miro
• Twilio
• Sendgrid
• New Relic
• Airbrake

This list was much longer, consisting of 22 applications, excluding internal ones.

When giving access to 22 applications for an employee once every 3 months, it may not seem like a big deal. However, when you have more than 5 people joining the team every week, it becomes increasingly burdensome.

Assigning the appropriate permissions based on the employee's role

Creating employee accounts for different applications was just the beginning. I also needed to grant specific permissions based on each employee's role. For instance, a new frontend engineer would have access to only the frontend-related GitHub repositories, while an engineering manager would have access to all organization repositories. Moreover, the AWS access for a DevOps engineer would differ from that of a developer.

This part was tedious and time-consuming since assigning permissions was not a standardized process across different applications. Therefore, I had to learn how to do it for each individual application.

Revoking all access when an employee leaves the company

I consider this the most crucial step of the three, as former employees with access to sensitive and confidential company information could have catastrophic consequences for the entire business.

Although the process itself was not overly difficult, I had to exercise extreme caution to ensure that the employee's access to every application was genuinely revoked. It's quite easy to overlook the fact that a departing employee may still have access to an app they rarely used.

Manual solution to the problem

Initially, I attempted to address the employee application provisioning challenge by creating a checklist of the different applications to which a team member should have access. I used a Google Sheets document to track whether an employee had all the necessary access. However, spreadsheets proved to be less than ideal when it came to frequently changing workflows. I then switched to Airtable, which was an improvement, but still not an ideal solution.

As software engineers, we constantly strive to automate repetitive tasks. Consequently, I began working on a way to simplify and automate the onboarding process for engineering team members.

Knowing that most of the apps we used should have an API that I could utilize to create accounts and manage permissions, I attempted to write a script to programmatically create Slack accounts and add them to specific channels. However, I soon realized that developing a script to connect to every application's API would require substantial effort, and even minor modifications would become cumbersome.

As a result, I continued with my manual process until I left the company, at which point someone else had to fill out the offboarding checklist in my absence.

Application provisioning software

An employee application provisioning software like Staybit could have saved me a significant amount of time and ensured that all employees had the precise permissions and access they needed. It would have allowed me to allocate my time more effectively towards tasks that directly impacted the company's success.

One of the remarkable aspects of Staybit is its ability to automate application provisioning for employees across all departments and roles. In my previous company, it would have not only saved my time but also benefited every department.

‍