Identity & Access Management for Contractors

Written by Cassa Niedringhaus on May 7, 2020


Regardless of whether a person joins an organization as a full-time employee or as a short-term contractor, IT admins need strategies to provide secure access to the resources and data those employees and contractors require to get their jobs done.

Admins also must lock down access when it’s no longer needed, and that can be more challenging with temporary or non-full-time employees who cycle through the organization more quickly. 

We’ll cover recommendations about identity and access management (IAM) for contractors and other temporary employees, as well as provide strategies for how to revoke access or extend it when those employees join the organization in a full-time capacity. 

Provisioning Contractors & Temp Employees

Provisioning (and deprovisioning) for contractors and non-employees is not materially different from the process for full-time employees, but it’s worth examining your processes to ensure efficiency and security.

IT admins examining how to manage temporary employees should be able to centrally control and revoke access for these employees, too, including managing their passwords and SSH key use. 

The nonprofit Educause, which guides a community of higher education IT professionals, notes that IT security should be stringent no matter an employee’s term: 

“When it comes to IT management and security, contingent users must be handled as rigorously as regular, full-time users.”


Here’s what that means in practice.

Automated & Repeatable Processes

Just as with provisioning full-time employees, you want to automate as much of the provisioning processes for contractors as possible to avoid human error and reduce the time spent on it.

Although organizations, particularly resource-strapped ones, might be hesitant to spend the money needed to create a temporary user in their central directory and pay associated licensing costs for productivity suites (e.g. G Suite or Office 365), it’s likely the best course of action for the security of organizational data.

This is particularly true for temporary/non-full-time employee users who will access sensitive or highly confidential organizational data. They shouldn’t save or share it via personal email accounts outside the purview of IT. This is especially important for organizations that are subject to compliance requirements in which all user changes need to be logged and provided to auditors.

You can delineate by vendor- or role-specific groups in the directory and provision contractors automatically to the applicable group(s) with access limited to only necessary resources. For example, a consultant who is hired to work on production servers would need a temporary SSH key, while a marketing consultant may not, but rather might require access to the website content management system.

Through these groups and/or custom attributes, you can easily track temporary users in the directory, as well as the resources to which they’ve been given access.

Automated and central provisioning is not only secure; it also helps those workers get to work as quickly as possible. This is important in any scenario (and a key component of effective onboarding) but especially so given their timeframe with the company.

Suspending Contractor Access

Once a contract ends, you want to revoke access to all resources immediately. If virtually all IT resources are connected to the central directory, you can first suspend access to them immediately from the central directory, rather than individually deactivating each account.

Often, contractors are rehired for future work, so being able to suspend rather than delete their account could save time in the future when they return to the organization and need their access restored.

By suspending access, you can then archive the employee’s email, save pertinent files, and make other changes before deleting their data and accounts — but rest assured they’re not using them in the meantime. From a central directory, you can also implement monitoring to ensure no “ghost accounts” maintain access to organizational data or use licenses no longer needed.

It’s also worth coordinating with the HR department, which likely has the most up-to-date employment information and can help prevent information leakage or accounts that last longer than the employee’s contract.

Facilitating coordination between the HR and IT departments can help admins ensure that when HR deletes a user from the human capital management (HCM) system, that change is reflected across the IT environment and resources. 
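The reconciliation described above, sketched as an added example (not JumpCloud code or any vendor's API): it compares a constructed HR roster with a constructed directory export and lists accounts that outlived their contract. The field names, the sample records, and the rule that a contract counts as ended the day after its end date are assumptions.

```python
from datetime import date

# Constructed sample data (not from any real HCM or directory export).
HR_RECORDS = [
    {"email": "ana@vendor-a.example", "type": "contractor", "contract_end": date(2020, 4, 30)},
    {"email": "bo@vendor-b.example", "type": "contractor", "contract_end": date(2020, 9, 30)},
    {"email": "cy@corp.example", "type": "employee", "contract_end": None},
    {"email": "eli@vendor-a.example", "type": "contractor", "contract_end": date(2020, 3, 31)},
]
DIRECTORY_ACCOUNTS = [
    {"email": "ana@vendor-a.example", "state": "active", "licensed": True, "ssh_keys": 1},
    {"email": "bo@vendor-b.example", "state": "active", "licensed": True, "ssh_keys": 0},
    {"email": "cy@corp.example", "state": "active", "licensed": True, "ssh_keys": 2},
    {"email": "dee@vendor-c.example", "state": "active", "licensed": False, "ssh_keys": 1},
    {"email": "eli@vendor-a.example", "state": "suspended", "licensed": True, "ssh_keys": 1},
]

def find_ghost_accounts(hr_records, accounts, today):
    """Return (email, issue) pairs for accounts that outlived their HR record."""
    hr_by_email = {r["email"].lower(): r for r in hr_records}
    findings = []
    for acct in accounts:
        email = acct["email"].lower()
        hr = hr_by_email.get(email)
        if hr is None:
            # HR has no such person: treat the account as orphaned.
            ended, reason = True, "no HR record"
        else:
            end = hr["contract_end"]  # None means open-ended employment
            # Assumption: the end date itself is still a working day.
            ended = end is not None and end < today
            reason = f"contract ended {end}" if ended else ""
        if not ended:
            continue
        if acct["state"] == "active":
            findings.append((email, f"suspend: active but {reason}"))
        else:
            # Suspended is the right state; check what the account still holds.
            if acct["licensed"]:
                findings.append((email, "reclaim license: suspended account still licensed"))
            if acct["ssh_keys"]:
                findings.append((email, "remove SSH keys: suspended account still has keys"))
    return findings

if __name__ == "__main__":
    for email, issue in find_ghost_accounts(HR_RECORDS, DIRECTORY_ACCOUNTS, date(2020, 5, 7)):
        print(f"{email}: {issue}")
```

Run on a schedule against fresh exports, a report like this surfaces both still-active accounts and suspended accounts that keep consuming licenses or holding keys.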

Transitioning Contractor to Full-Time

From a central directory, you can easily transition a user from a temporary to a full-time employee and adjust their access levels accordingly, in the event they are hired to a permanent role. 

Without recreating their digital identity or reentering their attributes, you can easily transition them into groups and roles for full-time employees. An efficient way to do this is through a vendor- and platform-neutral cloud directory service, which allows admins to handle the transition from a central web console.

One such option is JumpCloud, a full-suite, cloud-based directory.

Learn More

JumpCloud connects employees to virtually all their IT resources and gives admins the tools they need to centrally control and manage user access from a single pane of glass. Learn more about provisioning, managing and securing user identities from a modern directory service.

Cassa Niedringhaus

Cassa is a product marketing specialist at JumpCloud with a degree in Magazine Writing from the University of Missouri. When she’s not at work, she likes to hike, ski and read.
