User Account Provisioning (or user provisioning) is an identity management process that ensures user accounts are created, given proper permissions, changed, disabled, and deleted. These actions are triggered when information is added or changed in a “source system” (e.g., HR system). New hires, promotions, transfers, and departures are examples of events that can trigger provisioning and other identity management processes.
Manually managing user accounts and group memberships can quickly become one of the IT department’s most time-consuming jobs. When a new person is hired, it takes the IT department 30 minutes on average to create a new account and assign proper permissions. This process can be delayed by several days if the IT department is swamped with other tasks. This delay can leave a new employee stranded and unproductive on what was supposed to be their first day of work.
Creating and provisioning new accounts occurs during onboarding, but it is just one part of the whole account management process. When an employee changes their name, gets a promotion, or leaves employment, their account details and permissions must be audited and updated. Very often, steps such as removing permissions that are no longer relevant are skipped to save time. This leads to permission creep, a major source of security breaches.
Automated User Provisioning
Automated provisioning removes the difficulties and delays caused by manually managing user accounts. First, your organization’s personnel information is imported into the HR system and linked to existing user accounts in your target systems. Next, the software is configured to look for changes in the personnel data, such as new employees, promotions, and name changes.
When these changes are detected, the solution will automatically take action to create and maintain accounts throughout your network and related systems. These systems include directories such as Active Directory, Office 365, Google G Suite, as well as business applications like SAP and Salesforce.
In addition to saving time and money, automated provisioning improves security. When accounts are created by hand, someone in IT knows the password to that account. The username and password must then be transferred to the new employee, often in an insecure manner. Automated provisioning removes the human vulnerability from this process. It can also be coupled with an “account claiming” process to mitigate the security risk associated with handing over new user credentials.
Automated Permission Assignment
In addition to user provisioning systems, a comprehensive identity and access management (IAM) solution will also manage user permissions across your network. This happens through an access governance (AG) system that combines personnel data with a configurable “role model” or “job matrix”. These models use role-based access control (RBAC) or attribute-based access control (ABAC) methods to determine users’ group memberships and network resource permissions.
Access governance doesn’t stop at automatically granting group memberships and permissions to new user accounts. In addition, it removes permissions that are no longer necessary for a user’s current job role. This removal of excess permissions greatly enhances security by reducing the risk of insider threats to your organization.
Tools4ever’s identity management software tackles the issue of automated user provisioning and access management. Whenever there is a change in the HR system (e.g., new employee, name change, role change, leaving employment), our solutions trigger the appropriate process automatically. This makes account management quick, simple, secure, and cost-effective.
Automated Provisioning in the Real World
Let’s take a look at several real-world scenarios and how automated provisioning comes into play.
When a new employee starts, they need an email account, a home directory, and group memberships. Depending on the employee’s role, other accounts may be necessary (e.g., SAP, Salesforce, TOPdesk).
The identity management system will generate a unique username, create a directory account, an email account, and a home directory on the appropriate file server. It will also add further resources according to the user’s role and set them up for account claiming, if applicable.
When an employee is promoted to a new position in the organization, IAM will update their directory account details as necessary. If they need additional accounts, those will be automatically created.
In addition, AG will assign new permissions and remove old ones as necessary to avoid permission creep. This reduces the organization’s risk of a data breach and helps meet compliance requirements.
When an employee leaves an organization, their accounts and access must be removed for security purposes (i.e., deprovisioning). The identity management system takes action to disable the ex-employee’s accounts and remove their access rights. Their accounts are typically held in isolation for a period of time before being permanently deleted.
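The following is an added example, not Tools4ever or HelloID code, showing the joiner/mover/leaver flow described above (HR feed as the source of truth, a role model that maps department and position to entitlements, and a reconciliation step that revokes stale rights as well as granting new ones). Role names, usernames and entitlement names are constructed for the example.

```python
# Constructed example (not Tools4ever/HelloID code): HR-driven joiner/mover/leaver
# reconciliation. Diffing desired vs. current access revokes stale rights, not just grants new ones.
from dataclasses import dataclass, field

ROLE_MODEL = {  # constructed "job matrix": (department, position) -> required entitlements
    ("Finance", "Analyst"): {"grp-finance", "app-sap"},
    ("Sales", "Rep"): {"grp-sales", "app-salesforce"},
}
BASELINE = {"grp-all-staff", "mail"}  # every active employee gets these

@dataclass
class Account:
    enabled: bool = True
    entitlements: set = field(default_factory=set)

def desired_access(rec):
    """Entitlements an HR record should hold; anyone not active converges to none."""
    if rec["status"] != "active":
        return set()
    return BASELINE | ROLE_MODEL.get((rec["department"], rec["position"]), set())

def reconcile(hr_feed, accounts):
    """Move accounts toward the HR truth; return the (user, action, target) log."""
    actions = []
    for rec in hr_feed:
        user, acct = rec["username"], accounts.get(rec["username"])
        if acct is None:
            if rec["status"] != "active":
                continue  # never create an account for someone who has already left
            acct = accounts[user] = Account()
            actions.append((user, "create", None))
        want = desired_access(rec)
        for ent in sorted(want - acct.entitlements):
            acct.entitlements.add(ent); actions.append((user, "grant", ent))
        for ent in sorted(acct.entitlements - want):  # this step is what stops permission creep
            acct.entitlements.discard(ent); actions.append((user, "revoke", ent))
        if rec["status"] != "active" and acct.enabled:
            acct.enabled = False  # disable and hold; deletion follows a retention period
            actions.append((user, "disable", None))
    return actions
# Constructed HR feed: jdoe is a joiner, asmith moved Finance -> Sales, bjones has left.
SAMPLE_HR_FEED = [
    {"username": "jdoe", "department": "Finance", "position": "Analyst", "status": "active"},
    {"username": "asmith", "department": "Sales", "position": "Rep", "status": "active"},
    {"username": "bjones", "department": "Finance", "position": "Analyst", "status": "terminated"},
]
def run_example():  # reconcile the sample feed against a constructed directory snapshot
    accounts = {"asmith": Account(True, {"grp-all-staff", "mail", "grp-finance", "app-sap"}),
                "bjones": Account(True, {"grp-all-staff", "mail", "grp-finance", "app-sap"})}
    return reconcile(SAMPLE_HR_FEED, accounts)
```

Running the same feed twice yields no actions the second time, which is the property a scheduled reprovisioning job relies on.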
Ad Hoc Requests
Not all access can be defined by the HR system. Sometimes a one-off request is necessary. With a self-service solution, users and their managers can request access to additional systems and applications. The access request is then routed to the responsible party, who can approve or deny it with the click of a button, all without involving the IT department.
HelloID is Tools4ever’s flagship product, providing user account provisioning, self-service workflows, and single sign-on. Give your users streamlined application access and self-service capabilities no matter where they are in the world. Configurable approval workflows and dynamic forms let you customize the HelloID IDaaS experience to fit your organization’s unique needs.
SSRPM offers a full range of self-service password management options. Additionally, you’ll never have to give a new employee their password in an email or on a piece of paper. SSRPM’s Account Claiming module allows new employees to securely access their accounts without revealing their password to anyone. SSRPM also lets users reset their own passwords 24/7 by answering a few challenge questions, all without needing to contact the help desk.
What is Provisioning? FAQ
Simply put, “onboarding” refers to the process of getting a new hire up to speed on organizational processes, policies, and with provisioned access to the necessary resources required for their job’s responsibilities. Successful onboarding aims to help new employees quickly become effective within the organization. Tools4ever’s solutions optimize the business and IT side of onboarding processes that ensure new users’ access to network resources like accounts, applications, and file shares. SSRPM’s Onboarding module helps ensure the safe transfer of user accounts and passwords to new employees.
Changing a user’s access rights can happen a few different ways with an identity and access management solution. If the user received a promotion or official position change, an established Access Governance model will automatically update (or “reprovision”) their rights according to role-based access control.
If the user’s access only needs to change for a temporary period (e.g., ad hoc projects), then self-service capabilities will allow them to request access or their manager to preemptively assign it.
Reprovisioning occurs whenever an automated provisioning solution executes processes for existing users, updating their access rights to the most current for their role. If no access changes are necessary for the user at the time of scheduled execution, none will be made.
Deprovisioning is one of the many steps that must occur for safe user offboarding when an employee departs an organization. All of the user’s accounts and access rights must be removed and deactivated for secure and compliant operations.
Access Governance (AG) is an IT security and compliance discipline aimed at minimizing the risks associated with improperly managed user account permissions.
Role-Based Access Control (RBAC) is the identity management method of preconfiguring structured user access according to each position’s job function and responsibilities (e.g., department, position, location, and other potential factors). The collection of an entire organization’s role-based access controls for each position is referred to as an “authorization matrix”. RBAC is one of the major methods for implementing and enforcing Access Governance.
Downstream resources generally include all the various systems, applications, and data that users require provisioned access to after being entered into the HR system and having their Active Directory (or other directory service) account created.