Overview
Employee Onboarding Access Provisioning is the process of granting new hires appropriate system access based on their job role and approved authorization. This process ensures logical access is provisioned securely, on time, and in alignment with SOC 2 CC6 access control requirements.
Step-by-Step Process
Receive approved hire notification
The IT Manager receives a new hire notification from HR confirming the employee start date, role, and department. This notification must include documented approval from the hiring manager. The output is a validated onboarding request ready for access provisioning.
Role: IT Manager
Review role-based access requirements
The IT Manager reviews the employee’s job role and maps it to predefined role-based access profiles. Any deviations or elevated access requests are confirmed in writing with the hiring manager. The output is a defined access scope for the new hire.
Role: IT Manager
Create core user accounts
The IT Manager creates user accounts in identity and productivity systems using the employee’s legal name and corporate email. Default security settings such as MFA enforcement are applied at creation. The output is active user accounts with baseline security controls enabled.
Role: IT Manager
Assign role-based group memberships
The IT Manager assigns the user to approved groups or roles that control application and data access. Group assignments are based strictly on the reviewed role mapping. The output is controlled system access aligned to job responsibilities.
Role: IT Manager
Provision application access
The IT Manager enables access to required applications through the identity provider or directly within each system. Access is limited to approved systems only. The output is functional access to business applications on or before the start date.
Role: IT Manager
Validate access and security settings
The IT Manager verifies that the user can access required systems and that MFA and password policies are enforced. Any access errors or excessive permissions are corrected immediately. The output is a validated access configuration.
Role: IT Manager
Document and retain onboarding evidence
The IT Manager records completion of onboarding and stores supporting evidence in the compliance repository. Records must include timestamps and approver details. The output is an auditable onboarding record.
Role: IT Manager
What You Need Before Starting
- Approved new hire record from HR system with start date
- Employee job role and department details
- Access provisioning standards or role-based access matrix
- Administrative access to Okta, Google Workspace, and BambooHR
Evidence Your Auditor Expects
- HR onboarding request or BambooHR hire record showing approval date
- Screenshot of Okta user profile showing creation date and assigned groups
- Google Workspace Admin audit log entry showing account creation timestamp
- Access validation checklist completed and dated by IT Manager
How This Looks In Your Tools
Okta
Log in to the Okta Admin Console and navigate to Directory > People. Click “Add Person,” enter the employee’s name, username, and primary email, then assign the user to predefined groups under the “Groups” section.
After saving the user, navigate to Security > Authentication to confirm MFA policies are applied. Review the user’s Applications tab to ensure only approved applications are assigned, and document the user creation date from the profile page.
Google Workspace
Sign in to the Google Admin console and go to Directory > Users. Click “Add new user,” enter the employee information, and assign the user to the correct organizational unit based on role.
Navigate to Directory > Groups to add the user to role-based Google Groups. Use Reports > Audit log > Admin to verify and capture the account creation timestamp for evidence.
BambooHR
Log in to BambooHR and navigate to the employee’s profile under the People tab. Confirm the hire status, start date, job title, and manager are marked as approved.
If BambooHR is used as the system of record, export or screenshot the hire approval and onboarding status. Retain the profile update history showing the date the employee was marked active.
Common Audit Findings
- Access granted without documented approval
  - This occurs when IT provisions access based on informal requests or verbal confirmations. Prevent this by requiring a system-recorded HR approval before any account creation.
- Excessive access assigned at onboarding
  - Overly broad group assignments are often caused by unclear role definitions. Maintain and enforce a role-based access matrix reviewed at least annually.
- Missing evidence of access provisioning
  - Organizations often fail to retain screenshots or logs showing when access was granted. Prevent this by using a standardized onboarding evidence checklist.
- Delayed access provisioning
  - Late account creation can result from unclear ownership or missed start dates. Use automated HR notifications and assign a single accountable process owner.
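The validation step and the four findings above can be checked mechanically before the onboarding record is filed. The following is an added example, not part of the original procedure or any vendor's API: the role names, group names, evidence labels, and record fields are hypothetical, and the sample records are constructed.

```python
from datetime import date

# Constructed role-based access matrix; role and group names are hypothetical.
ROLE_MATRIX = {
    "Support Analyst": {"all-staff", "support-desk"},
    "Accountant": {"all-staff", "finance-ledger"},
}
# Evidence labels (hypothetical) mirroring the four items auditors expect.
REQUIRED_EVIDENCE = {"hr_approval", "okta_profile",
                     "workspace_audit_log", "validation_checklist"}

def review_onboarding(rec, matrix=ROLE_MATRIX):
    """Return audit findings for one onboarding record; an empty list is clean."""
    findings = []
    created, approved = rec["account_created"], rec.get("approval_date")
    # Access granted without documented approval, or before it was recorded.
    if approved is None or not rec.get("approver"):
        findings.append("no documented approval")
    elif created < approved:
        findings.append("account created before approval")
    # Excessive access: groups outside the role profile need a written exception.
    allowed = matrix.get(rec["role"])
    if allowed is None:
        findings.append("role not in access matrix")
    else:
        extra = set(rec["groups"]) - allowed - set(rec.get("written_exceptions", ()))
        if extra:
            findings.append("excess groups: " + ", ".join(sorted(extra)))
    if not rec.get("mfa_enforced"):
        findings.append("MFA not enforced")
    # Missing evidence of access provisioning.
    gaps = REQUIRED_EVIDENCE - set(rec.get("evidence", ()))
    if gaps:
        findings.append("missing evidence: " + ", ".join(sorted(gaps)))
    # Delayed provisioning: access is due on or before the start date.
    if created > rec["start_date"]:
        findings.append("account created after start date")
    return findings

# Constructed sample records (not real employees or exports).
CLEAN = {"role": "Support Analyst", "groups": ["all-staff", "support-desk"],
         "approver": "hiring.manager@example.com", "approval_date": date(2024, 3, 1),
         "account_created": date(2024, 3, 2), "start_date": date(2024, 3, 4),
         "mfa_enforced": True, "evidence": sorted(REQUIRED_EVIDENCE)}
BAD = {"role": "Accountant", "groups": ["all-staff", "finance-ledger", "prod-admins"],
       "approver": "", "approval_date": None,
       "account_created": date(2024, 3, 5), "start_date": date(2024, 3, 4),
       "mfa_enforced": False, "evidence": ["okta_profile"]}
if __name__ == "__main__":
    print(review_onboarding(CLEAN), review_onboarding(BAD), sep="\n")
```

Populate the records from whatever exports the HR system and identity provider supply, and store the returned findings list alongside the dated validation checklist.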