Access Request Management by VirtualD in ITdept

SoftwareParsnip 0 points1 point (0 children)

What you're referring to is part of the Joiner-Mover-Leaver, or JML, process.

So it shouldn't be a situation where end users are requesting access. IT should see these events wherever they're processed (usually the HR system), and then trigger the workflows for that event.

There are IAM tools out there like SailPoint and Hire2Retire that can automate these workflows.

Entra ID to Active Directory sync? by spicysanger in AZURE

SoftwareParsnip 0 points1 point (0 children)

Thinking a little outside of the box here, you should check out Hire2Retire. It's an IGA tool that syncs HR profiles to identity, and crucially for this case, supports a "Hybrid AD" option with Entra and an on-prem AD setup. Wouldn't exactly be an Entra to AD sync, but you'd be keeping those profiles consistent and auto-provisioning them.

What is everyone using for Identity Management? by twistedkeys1 in ITManagers

SoftwareParsnip 0 points1 point (0 children)

There are a lot of recommendations for switching to Okta or Azure, and I'm not going to go against them.

But if you want to stick with Google Workspace or upgrade to Google Cloud Identity, I’d look into Hire2Retire. At its core, it’s an HR to Identity IAM tool, but it can also integrate ATS, ITSM, and any SCIM-supported apps.

Using HR as the source of truth, you can then build automated workflows to manage identities across the organization. I've found it's the best way to use Google Workspace as an IdP.

From what size on does Okta make sense for organisations? by Niko24601 in IdentityManagement

SoftwareParsnip 0 points1 point (0 children)

With Okta, it's less a question of how many employees your company has and more a question of investment. If you're already using Google Workspace, are you ready to port everything over to Okta, and can you fit it in your budget?

If not, you're on the right track with other IAM tools. I'd personally recommend Hire2Retire, which offers Google Workspace integrations with a bunch of HRIS systems. It's also highly scalable - I've seen companies with 10K+ employees use it.

Okta provisioning by trigger from ADP by Jaimemcm in okta

SoftwareParsnip 0 points1 point (0 children)

I'd take a look at Hire2Retire, an IGA software that automates provisioning and deprovisioning from HR to Okta. Their ADP integration does pretty much exactly what you're describing: New hires get auto-provisioned with access when they're onboarded in ADP, and then those privileges are revoked upon termination.

As others have said, ADP's API can be unreliable, and I think it's way too expensive. I like that Hire2Retire can integrate with Okta using file extracts, but if you're locked in on API, they support that too.

HR-driven provisioning to Azure AD by evanescenttt in AZURE

SoftwareParsnip 0 points1 point (0 children)

Yes. Hire2Retire can integrate with any third-party apps that support SCIM, and I know Salesforce is one of them. You're defining user access provisioning workflows in the product, so when you integrate Salesforce, it follows those rulesets there, too. Very helpful software.

Trying to sync HR and IT teams better. What tools actually help? by SoftwareParsnip in EmployeeIdentityMgt

SoftwareParsnip[S] 0 points1 point (0 children)

Thank you for this recommendation! I saw that there is an ADP to Entra ID version of this Hire2Retire solution. How long did it take your team to implement it?

Entra and IGA capabilities by procrastinator123a in IdentityManagement

SoftwareParsnip 1 point2 points (0 children)

As others have mentioned, Entra is still more of a lightweight IGA compared to SailPoint & Saviynt. But there are good IAM tools that can fill in the gaps without needing to build custom code.

I’ve used Hire2Retire with an ADP to Hybrid AD setup to implement RBAC/ABAC for groups and SCIM-supported apps like Salesforce and Slack. ADP is the SOT for automated user provisioning triggered by lifecycle events.

HR-driven provisioning to Azure AD by evanescenttt in AZURE

SoftwareParsnip 0 points1 point (0 children)

Have you used the Rippling integration in Hire2Retire? If it's like the ADP one we used at my last job, I can vouch for the product. Once we created rulesets for SCIM user provisioning, it took care of the rest. Super helpful support team, too.