New Hires and Smart Groups
We have a requirement for new hires to complete security awareness training on their start date. We use AD sync and we've added a start date, not the account creation date, in the AD object extendedAttributes. That field is mapped to the "employee-start-date" field and is in the correct format to be read by KnowBe4.
We want a New Hire smart group to use the UserDate/Employee Start Date field in a criteria and apply the In the Last 1 days timeframe to move the user into that group on their start date. We want users to be assigned their first training automagically on their start date with no admin intervention. Unfortunately the smart group cannot do this! The smart group criteria will show users with start dates within the last day, but also to infinity in the future. So if I have five users starting in two weeks, those five users get placed in the New Hire smart group immediately and assigned training immediately.
I've put in a feature request with support, but does anyone have an idea how I could do this automatically with minimum intervention once the user is created and sync'd to KnowBe4? One idea from support was to create the user in AD but leave them disabled until the day before their start date. They wouldn't be sync'd while they were disabled, and then once enabled they'd go on the next sync and the smart group criteria would be met. But this still requires an AD admin to remember to enable them the day before they're scheduled to start.
Thoughts?
-
Official comment
Hi Bruce!
Thank you for reaching out to our community board for ideas! I've looked into your use case and spoken with support representatives on this scenario. I've realized there is confusion surrounding the purpose of the "Employee Start Date" field in KnowBe4. If you're syncing this field from your active directory via your <domain>.com file, you can see here in our documentation that the "when created" date/time will populate in your KnowBe4 console (employee-start-date = "whenCreated"). Therefore, your Smart Group criteria "in the last 1 day" is working as designed–considering it will include users that were added to your Active Directory and synced to KnowBe4 within the last day. I understand how the user field name/Smart Group "Employee start date" option could be misleading.
Unfortunately, I cannot think of a better solution aside from what our Support team offered at this time (i.e., not enabling/creating the user until the day before their start date). Thank you for your participation in the community board!
Warm Regards,
Lauren
KnowBe4
-
I haven't been able to test it yet, but my idea for a new hire group fell under this:
User Date | (The user must)(have been created)(in the last 1 month)
User Date | (The user must)(have last logged in)(in the last 2 days)
Training | (User has not)(completed)(in all of these)(# assignments)(ever)
In theory, you could create a user up to a month in advance (though things might get messy if they start at the end of that month) and as soon as they log in, without any of the required training complete, they would be added to the group and enrolled into said training (as long as you have a matching training campaign).
After they finish all of the training, they no longer match the criteria and are taken out of the New Hire group.
I know for a fact that 'User Date Created' with 'Training' works. I haven't been able to test the addition of 'Last Log In'.
You'll still have to update the group as the training classes change, like the annual ones.
-
Hi, George! Thanks for your participation in our community board!
This is a great idea! This could certainly be a solution for Bruce's scenario, assuming: (1) Users are always added to his Active Directory within one month of their start date, and (2) he requires the new employees to log in to their KnowBe4 account on their first or second day on the job.
Thank you!
Lauren
KnowBe4
-
Yes, thanks very much for that idea George. I think that could work. We would rarely create a new user more than a month before their planned start date. The trick would be getting them to log in on their first day, but that could just be a check-box in a new hire day-one checklist. Luckily we use SSO so all they'd really need to do is to click the icon on their O365 app launcher and they'd be automatically signed in. I'm going to test this out. Thanks again!
-
Valid points Lauren.
Of course those elements can be modified on a case by case basis.
Personally I'm not aware of many places that would add a user to their domain outside a month in advance, but I'm sure some exist. In fact, using my company for example, before we set up AD sync, we didn't create a new hire's domain account until after they completed their initial training. That's changed of course, but not by much.
The second point you made would be where I can see the need for changing the first value. If they know it takes a new hire a month or two before they gain access to their account (and they also like to make a domain account as soon as possible) then they could punch in the longest expected time frame needed.
For example: 30 days early AD build + 30 days offline orientation + 30 days allotted to complete training + a few days for a safety buffer = (The user must)(have been created)(in the last 100 days)
The second value would also need to be adjusted for how long they have to complete the required training. If it's a short collection of training content, then perhaps they'll be able to complete it in a day. For something more extensive, then they'd need to add a few more days. It's also a good idea to add a few days to allow for emergencies, holidays, general issues.
Another thing I've noticed is that once a user is removed from a smart group, any training they've been enrolled in doesn't go away. So you could leave the log in time short, that way they could log in, be added to the smart group, get enrolled in training, be removed from the smart group because the "created" time frame runs over, and have all the time allotted in the training campaign to complete the initial training.
Then, if desired, you could have those completed trainings as a requirement to be added to other smart groups. Though that would require a bit more maintenance as training content is updated.
I could talk about this for a while, haha. I've been trying to figure out how to manipulate the smart groups to do what I want for the past few days.
-
Hi Lauren. I just wanted to clarify your comment
"If you're syncing this field from your active directory via your <domain>.com file, you can see here in our documentation that the "when created" date/time will populate in your KnowBe4 console (employee-start-date = "whenCreated")"
I modified my domain.conf file so that it reads employee-start-date = "extensionAttribute1" and that value is the actual employee start date, not when they were created in AD. So I actually forced the employee-start-date to be correct. What breaks is the fact that the smart group criteria "within the last day" evaluates correctly when looking backwards, but it also will include any dates in the future, to infinity. So if a user is starting in six days, the smart group will add them immediately just because their start date exists in the future.
I wonder how much work it would take to tell that criteria to not act on future dates? Look only at the current date, and dates within the past day.
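
The support workaround discussed in this thread (create the account disabled, enable it the day before the start date) can be run on a schedule instead of relying on an admin to remember. The PowerShell below is an added example, not part of any post above and not KnowBe4 code. The OU path, the yyyy-MM-dd format of extensionAttribute1 and the 14-day cutoff are assumptions.

```powershell
# Added example. Run once a day (for example from Task Scheduler) under an account
# delegated to enable users in one OU only. Requires the RSAT ActiveDirectory module.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase = 'OU=NewHires,DC=example,DC=com',  # hypothetical OU for pre-staged hires
    [string]$DateFormat = 'yyyy-MM-dd',                     # assumed format of extensionAttribute1
    [int]$MaxDaysPast   = 14                                # assumed cutoff, see below
)

Import-Module ActiveDirectory

$today    = (Get-Date).Date
$latest   = $today.AddDays(1)              # start date is tomorrow or earlier
$earliest = $today.AddDays(-$MaxDaysPast)  # skip stale dates so accounts disabled for
                                           # other reasons are never switched back on

# Only disabled accounts that actually carry a start date.
$filter = 'Enabled -eq $false -and extensionAttribute1 -like "*"'
$staged = Get-ADUser -SearchBase $SearchBase -Filter $filter -Properties extensionAttribute1

foreach ($user in $staged) {
    $start  = [datetime]::MinValue
    $parsed = [datetime]::TryParseExact(
        $user.extensionAttribute1, $DateFormat,
        [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::None, [ref]$start)

    if (-not $parsed) {
        # Bad data is reported, never guessed at.
        Write-Warning "$($user.SamAccountName): unparseable start date '$($user.extensionAttribute1)'"
        continue
    }
    # Bounded on both sides: not further ahead than tomorrow, not older than the cutoff.
    if ($start -gt $latest -or $start -lt $earliest) { continue }

    $what = "Enable account (start date $($start.ToString($DateFormat)))"
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, $what)) {
        Enable-ADAccount -Identity $user
        Write-Output "Enabled $($user.SamAccountName), start date $($start.ToString($DateFormat))"
    }
}
```

Running it with -WhatIf lists the accounts it would enable without changing anything.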