Primary Connection to the Identity Provider (IdP)
One of the first things you do when setting up your Drata account is establish a connection with your Identity Provider (IdP), either Google Workspace or Office 365. This allows Drata to pull in every identity (name, email, avatar, and the timestamp when the user was added to the IdP), create a personnel record in Drata for each one, and grant everyone the EMPLOYEE role.
Supplemental Connection to the Human Resource Information System (HRIS)
If you connect your HRIS (such as Gusto, Rippling, or others), Drata pulls the user records from it and matches them to the personnel records that already exist in Drata. This secondary integration enriches the personnel data originally pulled in from your IdP.
The data in your HRIS is considered to be the "source of truth" from an auditor's perspective when it comes to an employee or contractor's name, start/separation date, and employment status.
Employment Status
There are six employment statuses in Drata:
Current Employee
Former Employee
Current Contractor
Former Contractor
Out of Scope
Unknown
When only your IdP is connected, Drata imports everyone as a Current Employee, unless the email is an obvious alias (admin@, marketing@, info@, etc.). Once the HRIS is connected, Drata enriches the employment status with that more accurate data: it uses the HRIS separation date to set the Former status and removes that person's authentication access to Drata. Former employees and contractors remain in your Drata instance even after they are removed from your IdP, which preserves an audit trail for all personnel and account access.
If a person's status cannot be determined because no HRIS record matches their IdP identity, the system assigns that personnel record the Unknown status.
Out of Scope
If you have personnel who will not be included in an audit because they are out of scope (learn more about who is in scope for your audit), and who should therefore be excluded from automated testing and personnel compliance checks, you can mark them as Out of Scope on the Personnel page. You will be prompted to enter a business rationale justifying the exclusion. Be aware that every email address used to access critical services or customer data is in scope for SOC 2.
In Summary
The IdP connection is the only required connection in Drata; it pulls in your personnel and lets them authenticate to their My Drata page. The HRIS connection enriches those personnel records with audit-ready "source of truth" data, giving a fuller picture of your personnel during the audit period.
Drata has put these processes in place to allow you to demonstrate proper access control procedures in preparation for your audit and to strengthen your overall security posture.
Tips and Tricks
If aliases are set on the user record in the IdP for receiving or forwarding email, Drata uses them for matching during the HRIS sync. The identity sync itself, however, associates only the primary email address with the Drata personnel record.
If your company currently provides employees with multiple email addresses, or has in the past, we recommend using aliases instead: they consolidate the accounts, maintain email forwarding, and reduce costs.
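The matching and status rules described in the Employment Status section and in the alias tip above can be modelled as a small reconciliation routine. The following is an added example, not Drata's own code: it creates a record per IdP identity keyed by the primary email, skips obvious shared mailboxes, uses IdP aliases only when looking for an HRIS match, derives Current/Former from the HRIS separation date (and with it whether the person may still authenticate), assigns Unknown when no HRIS record matches, and retains records for people who have been removed from the IdP. All class and field names, the role-mailbox list, and the sample records are constructed for illustration.

```python
"""Reconcile IdP identities with HRIS records to derive personnel status.

Added example modelling the rules in the article; it is not Drata's code.
Class names, field names, the ROLE_MAILBOXES list and the sample data in
demo() are all constructed assumptions.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, Iterable, Optional, Tuple

# Local-parts treated as shared/role mailboxes rather than people (assumed list).
ROLE_MAILBOXES = {"admin", "info", "marketing", "support", "sales", "noreply"}


@dataclass
class IdpIdentity:
    name: str
    email: str                       # primary address; becomes the record key
    aliases: Tuple[str, ...] = ()    # forwarding aliases, used for HRIS matching only


@dataclass
class HrisRecord:
    email: str
    name: str
    worker_type: str                 # "employee" or "contractor"
    start: date
    separation: Optional[date] = None


@dataclass
class Personnel:
    email: str
    name: str
    aliases: Tuple[str, ...] = ()
    status: str = "Current Employee"  # default when only the IdP is connected
    role: str = "EMPLOYEE"
    in_idp: bool = True

    @property
    def can_authenticate(self) -> bool:
        # Former, Unknown and Out of Scope personnel lose login access.
        return self.status.startswith("Current")


def normalize(email: str) -> str:
    return email.strip().lower()


def is_role_mailbox(email: str) -> bool:
    return normalize(email).split("@", 1)[0] in ROLE_MAILBOXES


def status_from_hris(rec: HrisRecord, as_of: date) -> str:
    kind = "Employee" if rec.worker_type == "employee" else "Contractor"
    if rec.separation is not None and rec.separation <= as_of:
        return f"Former {kind}"
    return f"Current {kind}"


def match_hris(person: Personnel, index: Dict[str, HrisRecord]) -> Optional[HrisRecord]:
    """Try the primary email first, then each IdP alias."""
    for candidate in (person.email,) + person.aliases:
        if candidate in index:
            return index[candidate]
    return None


def sync(existing: Dict[str, Personnel], idp: Iterable[IdpIdentity],
         hris: Optional[Iterable[HrisRecord]], as_of: date,
         out_of_scope: Iterable[str] = ()) -> Dict[str, Personnel]:
    """Return the updated personnel table keyed by primary email."""
    people = {e: replace(p) for e, p in existing.items()}  # retained even if gone from IdP
    for p in people.values():
        p.in_idp = False
    for ident in idp:
        primary = normalize(ident.email)
        if is_role_mailbox(primary):
            continue  # assumption: shared mailboxes never become personnel records
        aliases = tuple(normalize(a) for a in ident.aliases)
        if primary in people:
            people[primary].aliases = aliases
            people[primary].in_idp = True
        else:
            people[primary] = Personnel(primary, ident.name, aliases)

    excluded = {normalize(e) for e in out_of_scope}
    index = None if hris is None else {normalize(r.email): r for r in hris}
    for p in people.values():
        if p.email in excluded:
            p.status = "Out of Scope"
        elif index is not None:
            rec = match_hris(p, index)
            p.status = status_from_hris(rec, as_of) if rec else "Unknown"
        # IdP-only mode has no separation data, so the existing status stands.
    return people


def demo(as_of: date = date(2024, 6, 1)) -> Dict[str, Personnel]:
    """Constructed sample: an IdP-only sync followed by an HRIS-enriched sync."""
    idp_first = [
        IdpIdentity("Alice Smith", "alice@example.com", ("alice.smith@example.com",)),
        IdpIdentity("Bob Jones", "bob@example.com"),
        IdpIdentity("Carol Lee", "carol@example.com"),
        IdpIdentity("Dave Kim", "dave@example.com"),
        IdpIdentity("Admin", "admin@example.com"),
    ]
    first = sync({}, idp_first, None, as_of)  # everyone becomes Current Employee
    # Bob has since been removed from the IdP; the HRIS records him as a separated contractor.
    idp_second = [i for i in idp_first if i.email != "bob@example.com"]
    hris = [
        HrisRecord("alice.smith@example.com", "Alice Smith", "employee", date(2022, 1, 10)),
        HrisRecord("bob@example.com", "Bob Jones", "contractor", date(2023, 2, 1), date(2024, 3, 31)),
        HrisRecord("dave@example.com", "Dave Kim", "employee", date(2021, 5, 3)),
    ]
    return sync(first, idp_second, hris, as_of, out_of_scope=["dave@example.com"])
```

In the sample, Alice is matched to her HRIS record through her alias while the personnel record stays keyed by her primary address; Bob is kept after leaving the IdP and flips to Former Contractor with login disabled; Carol has no HRIS record and becomes Unknown; Dave's manual Out of Scope flag takes precedence over the HRIS data; the admin@ mailbox is never turned into a personnel record.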