nathan/nexus-mcp
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nexus-mcp/archive/Workday/Planning/workday-ad-identity-sync-next-steps.md
nathan 479df6bd8a chore: archive legacy Identity, Workday, and Intune folders 
- Move Identity/, Workday/, Intune/ to archive/ (superseded by nexus-mcp shards)
- Move 'Local Setup.md' to archive/ (superseded by nexus-mcp/Local-Setup.md)
- Add archive/README.md explaining migration and preserved content
- Clean repository structure: only nexus-mcp, documentation, and .github remain active

All legacy functionality migrated to nexus-mcp sharded architecture.
Archived folders preserved for reference and historical context.

Refs: SESSION_SNAPSHOT_2026-04-13.md
2026-04-13 09:38:42 -04:00

116 lines
7.5 KiB
Markdown
Raw Blame History

---
title: "Workday to AD identity sync — next steps backlog"
description: "Granular execution checklist mapped to 2026 goal milestones and current Workday/Identity MCP artifact status."
type: "Implementation Backlog"
version: "v1"
author: "N. Castaldi"
date: "2026-04-03"
---
## Current status snapshot
- Workday artifacts define architecture, phases, and governance clearly.
- Workday implementation artifacts still indicate unresolved blockers: OAuth grant decision, owner assignment, non-prod tenant access, endpoint mappings, and field allowlist lock.
- Identity MCP appears production-capable with read-only tools and test scaffolding, which is suitable as the downstream enforcement interface for remediation orchestration.
- Missing from current docs: measurable KPI instrumentation plan, weekly drift-report automation implementation details, and a sequenced cutover plan to remove manual reconciliation.
## Priority 0: Unblockers that must be closed first
- [ ] Assign a single accountable owner for Workday auth provisioning and approve named backups.
- [ ] Finalize OAuth grant type and token lifecycle policy (token TTL, refresh behavior, secret rotation frequency).
- [ ] Provision non-production Workday tenant/API access and confirm connectivity from the MCP runtime host.
- [ ] Confirm Integration System User and security group permissions for strict read-only domains.
- [ ] Publish an approved field allowlist and explicit denylist, then version it in source control.
- [ ] Produce endpoint-to-tool mapping table: tool name, endpoint URL, required params, output shape, and error contract.
## Priority 1: Build Workday MCP to parity with Identity MCP pattern
- [ ] Scaffold project files listed in the implementation plan: server, backend contract, adapter, debug script, tests, and packaging metadata.
- [ ] Implement memory backend first and add deterministic sample worker records for contract testing.
- [ ] Implement API backend auth flow with secure secret loading from approved store (no secrets in code or logs).
- [ ] Implement tool 1 end-to-end: get worker status by authoritative identifier.
- [ ] Add schema validation to ensure responses include only allowlisted fields.
- [ ] Implement remaining core tools in sequence: worker profile, org attributes, manager, effective dates.
- [ ] Add robust adapter behavior for 401, 403, 404, 429, and 5xx responses with safe retry and timeout controls.
- [ ] Add structured STDERR logging compatible with MCP stdio transport and include invocation audit metadata.
## Priority 2: Identity correlation and mismatch detection
- [ ] Define canonical correlation key precedence (employee ID, then work email, then UPN fallback).
- [ ] Create a correlation module that compares Workday status against AD/Entra state from Identity MCP.
- [ ] Implement mismatch categories with deterministic rules:
- [ ] Terminated in Workday but enabled in AD.
- [ ] Future-dated hire in Workday but account created too early.
- [ ] Active in Workday but missing in AD.
- [ ] Manager mismatch between Workday and AD attributes.
- [ ] Contractor end date passed but access still active.
- [ ] Define severity levels and SLA targets per mismatch category.
- [ ] Add suppression logic for approved exceptions (legal hold, approved delayed start, merger-transition records).
## Priority 3: Automation workflow in Power Automate
- [ ] Create a scheduled flow for daily sync checks and a separate weekly reporting flow.
- [ ] Build connectors/actions to call Workday MCP and Identity MCP safely with service principal credentials.
- [ ] Implement idempotent processing so repeated runs do not duplicate tickets or actions.
- [ ] Add decision branches for each mismatch category and route to the correct remediation path.
- [ ] Integrate with ticketing workflow for human approval gates before identity changes execute.
- [ ] Capture full run telemetry: start/end time, processed records, mismatches found, remediations requested, remediations completed.
- [ ] Implement failure handling with retry policy, dead-letter queue pattern, and escalation notifications.
## Priority 4: Automated remediation via Identity MCP
- [ ] Confirm Phase-gate controls so any write actions stay disabled until approvals are complete.
- [ ] Define remediation action catalog mapped to mismatch categories (disable account, update manager, queue provisioning task).
- [ ] Add mandatory approval checks (ticket ID, approver identity, timestamp, change reason) before any write path.
- [ ] Build rollback procedures per remediation type and test rollback on non-production data.
- [ ] Add post-action validation checks to confirm AD/Entra state now matches Workday source-of-truth.
## Priority 5: Measurement and reporting (SMART metrics)
- [ ] Establish Q1 2026 baseline for mean-time-to-provision (MTTP) using existing onboarding tickets.
- [ ] Define MTTP formula and data source contract so measurements are reproducible.
- [ ] Implement weekly identity drift report generation with trend lines by mismatch type.
- [ ] Add dashboard metrics required for Q3 target tracking:
- [ ] MTTP reduction percentage versus Q1 baseline.
- [ ] Total mismatches detected per week.
- [ ] Percent auto-resolved versus human-resolved mismatches.
- [ ] Manual reconciliation hours eliminated.
- [ ] Publish weekly report distribution list and archival location for audit retention.
## Priority 6: Security, compliance, and operational hardening
- [ ] Run a log redaction test to verify no secrets or restricted fields are emitted.
- [ ] Perform least-privilege review across Workday ISU, MCP host identity, and Power Automate connectors.
- [ ] Add change-control requirements for schema updates and new tool introduction.
- [ ] Create a quarterly access recertification checklist for service accounts and app registrations.
- [ ] Add synthetic monitoring checks for token acquisition, endpoint latency, and tool health.
- [ ] Create incident response runbook for sync failures, auth failures, and drift-report pipeline outages.
## Priority 7: Delivery plan by quarter
- [ ] Q2 milestone 1: close all unblocking dependencies and complete non-prod end-to-end read-only validation.
- [ ] Q2 milestone 2: complete Workday MCP core tools plus correlation logic and automated mismatch classification.
- [ ] Q2 milestone 3: deploy Power Automate daily sync and ticketed approval workflow to pilot scope.
- [ ] Q3 milestone 1: enable weekly drift reporting to IT Operations with stable SLA performance.
- [ ] Q3 milestone 2: complete production rollout and retire manual reconciliation process.
- [ ] Q3 milestone 3: verify at least 30 percent MTTP reduction against Q1 baseline and document evidence.
## Immediate next 10 execution steps
- [ ] Confirm OAuth grant type in writing and record decision in implementation plan.
- [ ] Request and obtain non-prod Workday API credentials.
- [ ] Implement and test one Workday MCP tool in API mode.
- [ ] Lock response schema allowlist in tests.
- [ ] Define correlation key precedence and test with sample identity data.
- [ ] Implement first mismatch detector: terminated-in-Workday but active-in-AD.
- [ ] Stand up daily Power Automate check flow in non-production.
- [ ] Generate first weekly drift report draft and validate with IT Operations.
- [ ] Pilot one human-approved remediation path end-to-end.
- [ ] Capture baseline MTTP and publish first KPI scorecard.
## Suggested status tracking tags
- [ ] Add one tag to each backlog item: BLOCKED, READY, IN_PROGRESS, VALIDATING, DONE.
- [ ] Add owner and target date to each item before sprint planning.
- [ ] Review and update this backlog weekly until Q3 completion.
Reference in New Issue View Git Blame Copy Permalink