User Access Provisioning: Automatically Assigning / Revoking Security Roles, Deactivating Users

  • 16 November 2022
  • 1 reply

We are implementing Eightfold TM and TA modules and integrating with Workday, which serves as our HRIS and ATS.

We have two user populations:

  • US Employees - Sent via Employee Feed; users are automatically assigned the Employee Security Role
    • Employee Recruiters - If an EE is identified as a Recruiter on a Requisition 
  • Contingent Worker Recruiters/TA Support - If the CW is identified as a Recruiter on the Job Requisition feed, then Eightfold will create a User and assign them the Recruiter Security Role

In addition to Employee and Recruiter we have other Security Roles with elevated permissions that will be assigned to business users. There are some that are more specialized roles and will be assigned/revoked manually, but for higher volume roles we would like to implement rules to automatically assign/revoke these security roles to users in specific Business Roles.


  • Automatically assign specific EF Security Role to Users who meet defined condition rules - e.g. Automatically assign Talent View Security Role to an employee identified as an HRBP
  • Automatically revoke EF Security Roles when user no longer meets the condition rules - e.g. Automatically revoke Talent View Security Role when an employee moves to another role and is no longer an HRBP

Details of our specific design issues are provided below. Wondering if any other customers have similar requirements and if they found a solution?

The out-of-box EF rules for assigning the Recruiters described above have three significant gaps:

  1. Gap in CW User Creation: Not all of the Contingent Workers in TA are Recruiters and may not be identified on any Job Requisitions (e.g. Sourcer roles), but they need the Recruiter role in EF to review leads, talent pools, invite candidates to apply, etc. We have an outsourced recruiting model and the turnover volume makes manually monitoring and assigning these roles unsustainable.
  2. Gap in CW User Deactivation: Since the CWs are not in the Employee feed, a termination date will never be sent to deactivate their user records. These users likely won’t be able to log into EF via SSO once terminated, but this is not a sound solution and also will consume licenses.
  3. Gap in Revocation of Recruiter Role: We would like to mirror the population of Workday security used to identify TA support (Recruiters, Sourcers, etc.). Using EF’s default of identification of a Recruiter on a Job Req as the criteria for assignment of the Recruiter Security role will leave a gap where Recruiters no longer in Recruiting/TA Roles could retain the EF Recruiter role because they are still listed as a Recruiter on a Job Requisition, which is inappropriate.

We have two additional EF Security Roles that we want to assign/revoke automatically:

  • Talent View Role - To be assigned to all HR Business Partners and Talent Management team; revoked when no longer in those roles
  • TA Leader Role - To be assigned to Talent Acquisition Managers and above; revoked when no longer in those roles

We expect these are common requirements and feel functionality should be part of the EF core product. Please advise if there are any solutions or if this should be raised as an idea.
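
The assign/revoke/deactivate rules requested above can be expressed as a feed-driven reconciliation. The sketch below is an added example, not part of the original post and not Eightfold or Workday code. It assumes a worker feed that also carries Contingent Workers and their security-group membership; the field names, group names, the `Admin` manual role and all sample records are constructed for illustration.

```python
# Added illustration: every field, group name and record below is constructed.
# Rules keyed by EF Security Role; each tests a worker record from the HR feed.
ROLE_RULES = {
    "Employee": lambda w: w["type"] == "EE",
    # Driven by HR security-group membership, not by being listed on a requisition.
    "Recruiter": lambda w: "TA_SUPPORT" in w["groups"],
    "Talent View": lambda w: bool({"HRBP", "TALENT_MGMT"} & w["groups"]),
    "TA Leader": lambda w: "TA_MANAGER_PLUS" in w["groups"],
}
MANUAL_ROLES = {"Admin"}  # hypothetical specialised role, never auto-granted or revoked

def desired_roles(worker):
    return {role for role, rule in ROLE_RULES.items() if rule(worker)}

def reconcile(hr_feed, ef_users):
    """Return ordered (action, user_id, role) tuples that align EF with the feed."""
    actions = []
    for uid, user in sorted(ef_users.items()):
        worker = hr_feed.get(uid)
        if worker is None or not worker["active"]:
            # Absent or terminated in the feed: deactivate, no termination date needed.
            if user["active"]:
                actions.append(("deactivate", uid, None))
            continue
        want, have = desired_roles(worker), user["roles"] - MANUAL_ROLES
        actions += [("grant", uid, r) for r in sorted(want - have)]
        actions += [("revoke", uid, r) for r in sorted(have - want)]
    for uid, worker in sorted(hr_feed.items()):
        want = desired_roles(worker)
        if uid not in ef_users and worker["active"] and want:
            actions.append(("create", uid, None))
            actions += [("grant", uid, r) for r in sorted(want)]
    return actions

HR_FEED = {  # constructed sample feed
    "ee1": {"type": "EE", "active": True, "groups": {"HRBP"}},
    "ee2": {"type": "EE", "active": True, "groups": set()},  # left TA, still on a req
    "ee3": {"type": "EE", "active": True, "groups": {"TA_SUPPORT", "TA_MANAGER_PLUS"}},
    "cw1": {"type": "CW", "active": True, "groups": {"TA_SUPPORT"}},  # sourcer, no req
}
EF_USERS = {  # constructed current state; cw2 no longer appears in the feed
    "ee1": {"active": True, "roles": {"Employee"}},
    "ee2": {"active": True, "roles": {"Employee", "Recruiter"}},
    "ee3": {"active": True, "roles": {"Employee", "Recruiter", "TA Leader", "Admin"}},
    "cw2": {"active": True, "roles": {"Recruiter"}},
}

if __name__ == "__main__":
    for action in reconcile(HR_FEED, EF_USERS):
        print(action)
```

Running the reconciliation on a schedule and logging each emitted action gives an audit trail of who gained or lost an elevated role and why.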




1 reply


Hi @rbatdorf - This is great. Thanks for being so detailed. I’ve reached out to our Product team to get the best answer for you. We’ll reply as soon as we can. Thank you.