Deprovisioning

What is Deprovisioning?

Within identity and access management, deprovisioning is the process of revoking previously granted accounts and permissions. It is a critical process: proper execution prevents users from retaining access longer than needed and avoids unnecessary licensing costs. This article focuses on key deprovisioning considerations and explains them within the context of the different provisioning approaches used in modern Identity and Access Management solutions, such as HelloID.

Why is Deprovisioning Important?

When setting up your identity and access management processes, account and permission provisioning receive a lot of attention. Most people soon realize that a strong deprovisioning strategy is equally important, for the following reasons:

  • When accounts and permissions are granted automatically, their timely deprovisioning can normally be automated as well. In many organizations, however, roughly 20% of all permissions are still configured manually, and automatic deprovisioning does not cover those.

  • Laws and regulations do not distinguish between automatic and manual access management. The Principle of Least Privilege applies to all permissions. You must therefore ensure that manually granted accounts and permissions are also deprovisioned on time.

  • Non-compliance can have a major impact, especially if it results in data breaches. It can lead to sanctions, legal claims, and reputational damage.

  • Keeping unnecessary accounts and permissions active can also lead to very high licensing costs. Managers often fail to monitor this, and users rarely return permissions proactively; people tend to accumulate permissions.

  • At the same time, you improve the user experience when permissions are deprovisioned on time. This demonstrates professionalism and shows people that you handle their data carefully.

How Automatic Provisioning and Deprovisioning Work In Practice

In HelloID, we automate account and permission issuance using Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC). With these concepts, you grant accounts and permissions based on unambiguous user data, such as a person’s job role within the organization, as well as other attributes like department, location, or competencies. This data is recorded consistently in a source system, such as the HR application, and HelloID uses it to determine which accounts and permissions a person needs. The platform then ensures that these settings are automatically applied to the target systems. For example, in HelloID, you can use business rules to ensure that nurses in a hospital automatically receive access only to patient data for the department where they work. This prevents unauthorized access to other departments.

The benefit of this automated provisioning is that changes are applied automatically as well. If someone changes roles or moves to another department, the change is recorded in the HR system. HelloID recognizes these changes and automatically adjusts the relevant accounts and access permissions. This also means that if certain permissions or accounts are no longer needed, HelloID automatically handles deprovisioning. Permissions are revoked, accounts are blocked, and, depending on the configured business rules, they are eventually decommissioned. When employment ends, all accounts are automatically deprovisioned. You achieve not only automatic provisioning but also automated deprovisioning.

With this automation, every identity governed by the role model stays within the Principle of Least Privilege (PoLP). This principle means that every person receives only the accounts and permissions strictly necessary for their tasks and responsibilities. With automated provisioning, a person receives only the minimum required permissions, and thanks to automatic deprovisioning, permissions that are no longer justified are revoked as soon as the source data changes. Everyone has the permissions they need, and never more.
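As an added illustration (not HelloID code, and not its business-rule syntax), the following Python sketch shows the mechanism described above: business rules derive the desired set of entitlements from HR attributes, the difference with the current state yields the revoke and grant actions, and an ended employment first blocks the account and only decommissions it after an assumed retention period. The HR records, entitlement names and the 30-day retention policy are constructed for this example.

```python
from datetime import date, timedelta

# Constructed sample data (not from HelloID or any real HR system). Attribute and
# entitlement names are assumptions for this example.
HR = {
    "e1001": {"role": "nurse", "department": "cardiology", "active": True},   # moved from oncology
    "e1002": {"role": "nurse", "department": "oncology", "active": True},     # new joiner
    "e1003": {"role": "it-admin", "department": "ict", "active": False},      # employment ended
}

# Current state as the IAM platform knows it. e1001 still holds oncology access,
# e1003 is still active, e1004 is no longer in HR and was blocked earlier.
CURRENT = {
    "e1001": {"status": "active", "blocked_on": None,
              "entitlements": {"mail-account", "ehr-account", "ehr-patients-oncology"}},
    "e1003": {"status": "active", "blocked_on": None,
              "entitlements": {"mail-account", "ad-domain-admins"}},
    "e1004": {"status": "blocked", "blocked_on": date(2024, 3, 1), "entitlements": set()},
}
EMPTY = {"status": "absent", "blocked_on": None, "entitlements": set()}

RETENTION = timedelta(days=30)  # assumed policy: decommission 30 days after blocking

# Business rules: each maps HR attributes to the entitlements it justifies (RBAC/ABAC).
def rule_everyone(p):
    return {"mail-account"}

def rule_nurse(p):
    if p["role"] == "nurse":
        return {"ehr-account", "ehr-patients-" + p["department"]}
    return set()

def rule_it_admin(p):
    return {"ad-domain-admins"} if p["role"] == "it-admin" else set()

RULES = [rule_everyone, rule_nurse, rule_it_admin]

def desired_entitlements(hr_record):
    """Least privilege: an inactive or unknown person is entitled to nothing."""
    if hr_record is None or not hr_record["active"]:
        return set()
    desired = set()
    for rule in RULES:
        desired |= rule(hr_record)
    return desired

def plan(person_id, hr_record, current, today):
    """Actions that bring one identity in line with the source system."""
    actions = []
    desired = desired_entitlements(hr_record)
    have = current["entitlements"]
    # Deprovision first: anything the role model no longer justifies goes away,
    # whether the cause is a job change or the end of employment.
    for ent in sorted(have - desired):
        actions.append(("revoke", person_id, ent))
    for ent in sorted(desired - have):
        actions.append(("grant", person_id, ent))
    # Offboarding is two-phase: block immediately, decommission after retention.
    ended = hr_record is None or not hr_record["active"]
    if ended and current["status"] == "active":
        actions.append(("block", person_id, None))
    elif (ended and current["status"] == "blocked"
          and current["blocked_on"] is not None
          and today - current["blocked_on"] >= RETENTION):
        actions.append(("decommission", person_id, None))
    return actions

def plan_all(hr, current, today):
    """Evaluate every identity known to either HR or the IAM platform."""
    ids = sorted(set(hr) | set(current))
    return {pid: plan(pid, hr.get(pid), current.get(pid, EMPTY), today) for pid in ids}

if __name__ == "__main__":
    for pid, acts in plan_all(HR, CURRENT, date(2024, 4, 15)).items():
        for act in acts:
            print(pid, *act)
```

Note that the person missing from HR (e1004) is treated exactly like an ended employment: the absence of a justification in the source system is what drives deprovisioning, not an explicit "delete" event.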

Deprovisioning Individual Permissions

In our experience, you can typically automate about 80% of accounts and access permissions using RBAC or ABAC. At the same time, individual access permissions are still needed. If someone also takes on duties as an emergency response officer alongside their regular role, additional licenses or permissions may be required, as this extra responsibility is usually not recorded in the HR system. The same applies when someone joins a specific project. You will not find that in HR data either, while access to a project folder or a specific license may be required.

These accounts and permissions can therefore only be granted individually, and requests for them are often submitted and fulfilled manually through the service desk. With the HelloID Service Automation module, we can further streamline and automate these requests. For example, you can process requests through a self-service portal, where we use configurable workflows to request approval from the appropriate manager or managers automatically. All processed requests are also recorded automatically for audit purposes.

Even though we streamline the individual access to accounts and permissions this way, deprovisioning remains a point of attention. With automatic issuance of permissions, the same data ensures automatic deprovisioning when it is no longer needed. With individual access permissions, it is often unclear how long people need them, leading users to keep permissions far too long. How do we solve that? We describe it below.

Deprovisioning and Compliance

With individual access granted, the risk is that it will remain in place indefinitely. A manager may request access to a project folder or a separate license for an employee. At the time the request is submitted, it is explicitly checked again whether the person really needs these facilities and whether it fits within policy. After that, the specific permission often drops out of view. The risk is that, from that moment on, the person retains the permission, no one monitors it, and the user keeps it until they leave the organization. That is undesirable for two reasons:

  • The strength of automatic provisioning and deprovisioning is that you comply with the Principle of Least Privilege at all times: granted permissions are revoked automatically and on time. With individually granted permissions, this is not guaranteed, so compliance with the principle is not guaranteed either. For both GDPR and information security standards such as ISO 27001, the BIO, and NEN 7510, this is a key requirement.

  • You also incur unnecessary costs for expensive licenses. Instead of granting a license temporarily for a few months, a person keeps the license for the remainder of their employment, sometimes for years. If organizations lack visibility into such individually granted licenses, this can quietly become a significant cost item.

It is therefore important to build processes for those individual accounts and permissions to ensure timely deprovisioning. With HelloID, we offer two mechanisms for automatic deprovisioning:

  • First, when issuing individual licenses and permissions, you can set a limited validity period upfront, such as 6 months. After that, the permissions are revoked automatically. For accounts and permissions where the required period is known at the start, this is the simplest approach.

  • For permissions granted for an indefinite period, you can schedule recertification campaigns with the Governance module. Using specific filters, for example, expensive licenses or high-risk access permissions, you create campaigns in which the managers who previously approved such permissions must review them again. A permission is extended only if the manager re-approves it and no other blocker applies (for example, the application no longer fitting within IT policy). Otherwise, the account or its access permissions are deprovisioned.

With these two measures, you ensure timely deprovisioning for individually granted permissions as well. This keeps you compliant with the relevant laws and regulations and reduces your licensing costs.
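The two mechanisms, as an added example in Python (not HelloID's Service Automation or Governance modules, whose internals this article does not describe): grants with a validity period are revoked once it passes, indefinite grants carrying a chosen tag are collected per approving manager for recertification, and a grant is extended only when the manager re-approves it and no policy blocker applies; a missing response counts as a rejection. The users, entitlements, tags, the "not in policy" list and the 180-day review interval are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Grant:
    grant_id: str
    user: str
    entitlement: str
    approver: str                 # manager who approved the original request
    granted_on: date
    expires_on: Optional[date]    # None means granted for an indefinite period
    tags: frozenset = frozenset()

# Constructed sample grants (not real data); names and tags are assumptions.
GRANTS = [
    Grant("g1", "alice", "adobe-cc", "bob", date(2024, 1, 10), date(2024, 7, 10),
          frozenset({"expensive-license"})),
    Grant("g2", "carol", "adobe-cc", "bob", date(2023, 5, 1), None,
          frozenset({"expensive-license"})),
    Grant("g3", "dave", "legacy-cad", "erin", date(2022, 2, 1), None,
          frozenset({"expensive-license", "high-risk"})),
    Grant("g4", "alice", "proj-apollo-share", "bob", date(2024, 3, 1), None),
]

NOT_IN_POLICY = {"legacy-cad"}          # assumed blocker: apps that no longer fit IT policy
REVIEW_INTERVAL = timedelta(days=180)   # assumed: re-approved grants come back in 6 months

def expired(grants, today):
    """Mechanism 1: a grant with a validity period is revoked once it has passed."""
    return [g for g in grants if g.expires_on is not None and g.expires_on <= today]

def campaign(grants, tag):
    """Mechanism 2: select indefinite grants carrying `tag`, grouped per approver,
    so each manager reviews only the permissions they approved earlier."""
    by_approver = {}
    for g in grants:
        if g.expires_on is None and tag in g.tags:
            by_approver.setdefault(g.approver, []).append(g)
    return by_approver

def apply_decisions(campaign_grants, decisions, today):
    """decisions maps grant_id -> True (re-approved) or False. A missing decision
    counts as not re-approved: silence must never keep a permission alive."""
    extended, revoked = [], []
    for g in campaign_grants:
        approved = decisions.get(g.grant_id, False)
        if approved and g.entitlement not in NOT_IN_POLICY:
            # Re-approval turns the indefinite grant into a time-bound one.
            extended.append(replace(g, expires_on=today + REVIEW_INTERVAL))
        else:
            revoked.append(g)
    return extended, revoked

def run(grants, today, tag, decisions):
    """One cycle: revoke expired grants, then run a recertification round on the rest.
    Returns (grants that stay, grants to revoke)."""
    to_revoke = expired(grants, today)
    remaining = [g for g in grants if g not in to_revoke]
    in_campaign = [g for gs in campaign(remaining, tag).values() for g in gs]
    extended, revoked = apply_decisions(in_campaign, decisions, today)
    untouched = [g for g in remaining if g not in in_campaign]
    return untouched + extended, to_revoke + revoked

if __name__ == "__main__":
    keep, revoke = run(GRANTS, date(2024, 8, 1), "expensive-license", {"g2": True, "g3": True})
    print("keep:", [g.grant_id for g in keep])
    print("revoke:", [g.grant_id for g in revoke])
```

In this run g1 is revoked because its validity period ended, g3 is revoked despite the manager's approval because the application is a policy blocker, g2 is extended with a new review date, and g4 (untagged) is not part of this campaign and is left alone.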

Summary: The Difference Between Provisioning and Deprovisioning

For professional identity and access management, it is not enough to simply organize account and permission provisioning well. Timely and correct deprovisioning of permissions and accounts must also be ensured. We aim to automate this as much as possible. This provides the best guarantee of compliance with laws and regulations. Below, we summarize the roles of provisioning and deprovisioning across the phases of a person’s identity lifecycle.

Onboarding process
  Provisioning: Based on user attributes (for example, a person's job role), accounts and permissions are provisioned automatically.
  Deprovisioning: -

Job change process
  Provisioning: When changes occur (for example, a new role or department), new accounts and/or permissions may be required. These are provisioned automatically.
  Deprovisioning: When changes occur, previously granted accounts and/or permissions may no longer be needed. These are deprovisioned automatically.

Individual requests
  Provisioning: Where relevant and on request, individual accounts and/or permissions can be provisioned, either through the service desk or via self-service.
  Deprovisioning: If an individually granted account and/or permission is no longer needed, it must be deprovisioned. This does not follow automatically from HR data, so it requires a validity period or recertification.

Offboarding process
  Provisioning: -
  Deprovisioning: When a user leaves the organization, all accounts and permissions are first blocked. They are then deprovisioned at the appropriate time in accordance with policy rules.

Deprovisioning Tips & Tricks

We already outlined the importance of automatic deprovisioning. It prevents non-compliance, data breaches, and legal claims. For individually granted permissions, we also described validity periods and recertification. There are more options to ensure unused permissions are removed as quickly as possible. A few examples:

  • Awareness. Especially for temporarily granted licenses and permissions, it is important to make managers and employees aware of the costs and risks. No one leaves the faucet running on purpose, and you should cultivate the same awareness around your IT facilities.

  • Keep optimizing. With the Governance module, you have tools such as role mining to improve your role model. You can also prevent the issuance of conflicting permissions. The goal is to grant as few permissions as possible and automate as much of it as possible, so that the share of manual, individually granted permissions keeps shrinking.

  • Monitor consistency between the accounts and permissions recorded in your IAM platform and the actual state in the target systems. This prevents an account from being marked blocked or deleted in the IAM platform while it remains active in the target system, and it surfaces accounts in target systems that the IAM platform does not know about. You can use the HelloID reconciliation functionality for this.
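A minimal reconciliation check, added here as an example (not HelloID's reconciliation functionality): it compares the lifecycle state the IAM platform recorded for each account with an export from the target system and reports accounts that should be disabled or gone but are not, accounts the target system has that the IAM platform does not know about, and accounts the IAM platform expects but that are missing. Both exports are constructed sample data; the account names and state labels are assumptions.

```python
# Constructed sample exports (not real data). The IAM side is what the platform
# believes it has done; the target side is what the target system actually reports.
IAM_RECORDS = {
    # account id -> lifecycle state recorded by the IAM platform for this target system
    "a.jansen":  "active",
    "b.smit":    "blocked",
    "c.devries": "deleted",
    "d.bakker":  "active",
}

TARGET_ACCOUNTS = {
    # account id -> enabled flag as exported from the target system (AD, EHR, SaaS admin API)
    "a.jansen":   True,
    "b.smit":     True,    # IAM says blocked; the target still has it enabled
    "c.devries":  False,   # IAM says deleted; it was only disabled
    "svc-backup": True,    # unknown to the IAM platform entirely (orphan)
}

def reconcile(iam, target):
    """Compare the administrative state with the real state and return the deviations.

    not_disabled: IAM recorded a block, but the target account is still enabled
    not_deleted:  IAM recorded a deletion, but the target account still exists
    orphan:       present in the target system, unknown to the IAM platform
    missing:      IAM expects the account, but the target system does not have it
    """
    findings = {"not_disabled": [], "not_deleted": [], "orphan": [], "missing": []}
    for acct, state in iam.items():
        enabled = target.get(acct)
        if enabled is None:
            if state != "deleted":
                findings["missing"].append(acct)
        elif state == "blocked" and enabled:
            findings["not_disabled"].append(acct)
        elif state == "deleted":
            findings["not_deleted"].append(acct)
    for acct in target:
        if acct not in iam:
            findings["orphan"].append(acct)
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for kind, accounts in reconcile(IAM_RECORDS, TARGET_ACCOUNTS).items():
        print(f"{kind}: {accounts}")
```

The orphan category is the one most often missed: an account created directly in the target system, outside the IAM platform, never appears in the IAM platform's deprovisioning at all unless reconciliation brings it into view.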

More Information About HelloID Deprovisioning Capabilities?

With automated user provisioning, HelloID ensures deprovisioning is executed automatically whenever possible. In addition, our Service Automation module can ensure that individually granted permissions are deprovisioned automatically after a set period. Finally, with governance features, we can prevent permissions from being granted unnecessarily or for too long. You can learn more about these capabilities in our HelloID Module Overview.
