nathan/nexus-mcp
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nexus-mcp/Workday/Planning/workday-ad-identity-sync-next-steps.md
nathan 2a62e51347 Updated folder structure
2026-04-03 09:32:41 -04:00

7.5 KiB
Raw Blame History

title, description, type, version, author, date
title description type version author date
Workday to AD identity sync — next steps backlog Granular execution checklist mapped to 2026 goal milestones and current Workday/Identity MCP artifact status. Implementation Backlog v1 N. Castaldi 2026-04-03

Current status snapshot

  • Workday artifacts define architecture, phases, and governance clearly.
  • Workday implementation artifacts still indicate unresolved blockers: OAuth grant decision, owner assignment, non-prod tenant access, endpoint mappings, and field allowlist lock.
  • Identity MCP appears production-capable with read-only tools and test scaffolding, which is suitable as the downstream enforcement interface for remediation orchestration.
  • Missing from current docs: measurable KPI instrumentation plan, weekly drift-report automation implementation details, and a sequenced cutover plan to remove manual reconciliation.

Priority 0: Unblockers that must be closed first

  • Assign a single accountable owner for Workday auth provisioning and approve named backups.
  • Finalize OAuth grant type and token lifecycle policy (token TTL, refresh behavior, secret rotation frequency).
  • Provision non-production Workday tenant/API access and confirm connectivity from the MCP runtime host.
  • Confirm Integration System User and security group permissions for strict read-only domains.
  • Publish an approved field allowlist and explicit denylist, then version it in source control.
  • Produce endpoint-to-tool mapping table: tool name, endpoint URL, required params, output shape, and error contract.

Priority 1: Build Workday MCP to parity with Identity MCP pattern

  • Scaffold project files listed in the implementation plan: server, backend contract, adapter, debug script, tests, and packaging metadata.
  • Implement memory backend first and add deterministic sample worker records for contract testing.
  • Implement API backend auth flow with secure secret loading from approved store (no secrets in code or logs).
  • Implement tool 1 end-to-end: get worker status by authoritative identifier.
  • Add schema validation to ensure responses include only allowlisted fields.
  • Implement remaining core tools in sequence: worker profile, org attributes, manager, effective dates.
  • Add robust adapter behavior for 401, 403, 404, 429, and 5xx responses with safe retry and timeout controls.
  • Add structured STDERR logging compatible with MCP stdio transport and include invocation audit metadata.

Priority 2: Identity correlation and mismatch detection

  • Define canonical correlation key precedence (employee ID, then work email, then UPN fallback).
  • Create a correlation module that compares Workday status against AD/Entra state from Identity MCP.
  • Implement mismatch categories with deterministic rules:
  • Terminated in Workday but enabled in AD.
  • Future-dated hire in Workday but account created too early.
  • Active in Workday but missing in AD.
  • Manager mismatch between Workday and AD attributes.
  • Contractor end date passed but access still active.
  • Define severity levels and SLA targets per mismatch category.
  • Add suppression logic for approved exceptions (legal hold, approved delayed start, merger-transition records).

Priority 3: Automation workflow in Power Automate

  • Create a scheduled flow for daily sync checks and a separate weekly reporting flow.
  • Build connectors/actions to call Workday MCP and Identity MCP safely with service principal credentials.
  • Implement idempotent processing so repeated runs do not duplicate tickets or actions.
  • Add decision branches for each mismatch category and route to the correct remediation path.
  • Integrate with ticketing workflow for human approval gates before identity changes execute.
  • Capture full run telemetry: start/end time, processed records, mismatches found, remediations requested, remediations completed.
  • Implement failure handling with retry policy, dead-letter queue pattern, and escalation notifications.

Priority 4: Automated remediation via Identity MCP

  • Confirm Phase-gate controls so any write actions stay disabled until approvals are complete.
  • Define remediation action catalog mapped to mismatch categories (disable account, update manager, queue provisioning task).
  • Add mandatory approval checks (ticket ID, approver identity, timestamp, change reason) before any write path.
  • Build rollback procedures per remediation type and test rollback on non-production data.
  • Add post-action validation checks to confirm AD/Entra state now matches Workday source-of-truth.

Priority 5: Measurement and reporting (SMART metrics)

  • Establish Q1 2026 baseline for mean-time-to-provision (MTTP) using existing onboarding tickets.
  • Define MTTP formula and data source contract so measurements are reproducible.
  • Implement weekly identity drift report generation with trend lines by mismatch type.
  • Add dashboard metrics required for Q3 target tracking:
  • MTTP reduction percentage versus Q1 baseline.
  • Total mismatches detected per week.
  • Percent auto-resolved versus human-resolved mismatches.
  • Manual reconciliation hours eliminated.
  • Publish weekly report distribution list and archival location for audit retention.

Priority 6: Security, compliance, and operational hardening

  • Run a log redaction test to verify no secrets or restricted fields are emitted.
  • Perform least-privilege review across Workday ISU, MCP host identity, and Power Automate connectors.
  • Add change-control requirements for schema updates and new tool introduction.
  • Create a quarterly access recertification checklist for service accounts and app registrations.
  • Add synthetic monitoring checks for token acquisition, endpoint latency, and tool health.
  • Create incident response runbook for sync failures, auth failures, and drift-report pipeline outages.

Priority 7: Delivery plan by quarter

  • Q2 milestone 1: close all unblocking dependencies and complete non-prod end-to-end read-only validation.
  • Q2 milestone 2: complete Workday MCP core tools plus correlation logic and automated mismatch classification.
  • Q2 milestone 3: deploy Power Automate daily sync and ticketed approval workflow to pilot scope.
  • Q3 milestone 1: enable weekly drift reporting to IT Operations with stable SLA performance.
  • Q3 milestone 2: complete production rollout and retire manual reconciliation process.
  • Q3 milestone 3: verify at least 30 percent MTTP reduction against Q1 baseline and document evidence.

Immediate next 10 execution steps

  • Confirm OAuth grant type in writing and record decision in implementation plan.
  • Request and obtain non-prod Workday API credentials.
  • Implement and test one Workday MCP tool in API mode.
  • Lock response schema allowlist in tests.
  • Define correlation key precedence and test with sample identity data.
  • Implement first mismatch detector: terminated-in-Workday but active-in-AD.
  • Stand up daily Power Automate check flow in non-production.
  • Generate first weekly drift report draft and validate with IT Operations.
  • Pilot one human-approved remediation path end-to-end.
  • Capture baseline MTTP and publish first KPI scorecard.

Suggested status tracking tags

  • Add one tag to each backlog item: BLOCKED, READY, IN_PROGRESS, VALIDATING, DONE.
  • Add owner and target date to each item before sprint planning.
  • Review and update this backlog weekly until Q3 completion.