User Account Provisioning (or user provisioning) is a process that ensures user accounts are created, given proper permissions, changed, disabled, and deleted. These identity management actions are triggered when information is added or changed in a personnel system. New hires, promotions, transfers, and departures are examples of events that can trigger identity management processes.
Manually managing user accounts and group memberships can quickly become one of the IT department's most time-consuming jobs. When a new person is hired, it takes the IT department 30 minutes on average to create a new account and assign the proper permissions, and the work can be delayed by several days if the department is swamped with other tasks. That delay leaves a new employee stranded and unproductive on what was supposed to be their first day of work.
Creating new accounts is just one part of the account management process. When an employee changes their name, gets a promotion, or leaves employment, their account details and permissions must be audited and updated. Very often, steps such as removing permissions that are no longer relevant are skipped to save time. The result is permission creep: accounts accumulate rights their owners no longer need, which is a major source of security breaches.
Automated User Provisioning
Automated provisioning removes the difficulties and delays caused by manually managing user accounts. First, your organization’s personnel information is imported into the provisioning system and linked to existing user accounts in your target systems. Next, the software is configured to look for changes in the personnel data, such as new employees, promotions, and name changes. When these changes are detected, the solution will automatically take action to create and maintain accounts throughout your network and related systems. These systems include directories such as Active Directory, Office 365, Google G Suite, as well as business applications like SAP and Salesforce.
In addition to saving time and money, automated provisioning improves security. When an account is created by hand, someone in IT knows its initial password, and that username and password must then be handed to the new employee, often through an insecure channel such as email or a note. Automated provisioning removes this human exposure from the process. It can also be coupled with Account Claiming to mitigate the risk associated with handing over new user credentials.
Automated Permission Assignment
In addition to User Provisioning Systems, a comprehensive Identity and Access Management (IAM) solution will also manage user permissions across your network. This happens through an Access Governance (AG) system that combines personnel data with a configurable “role model” or “job matrix”. These models use Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC) methods to determine users’ group memberships and network resource permissions.
Access Governance doesn't stop at automatically granting group memberships and permissions to new user accounts. It also removes permissions that are no longer necessary for a user's current job role. This removal of excess permissions greatly enhances security by reducing the risk of insider threats to your organization.
Tools4ever's identity management software tackles the issue of automated user provisioning and access management. Whenever there is a change in the HR system (e.g., new employee, name change, role change, leaving employment), our solutions trigger the appropriate process automatically. This makes account management quick, simple, secure, and cost-effective.
Automated Provisioning in the Real World
Let's take a look at several real-world scenarios and how automated provisioning comes into play.
When a new employee starts, they need an email account, a home directory, and group memberships. Depending on the employee's role, other accounts may be necessary (e.g., SAP, Salesforce, TOPdesk). The identity management system will generate a unique username, create a directory account and an email account, and create a home directory on the appropriate file server. It will also add further resources according to the user's role and enroll the user in Account Claiming, if applicable.
When an employee is promoted to a new position in the organization, IAM will update their directory account details as necessary. If they need additional accounts, those will be automatically created.
In addition, Access Governance will assign new permissions and remove old ones as necessary to avoid permission creep. This reduces the organization’s risk of a data breach, and helps meet compliance requirements.
When an employee leaves an organization, their accounts and access must be removed for security purposes. The identity management system disables the ex-employee's accounts and removes their access rights across the connected systems. The disabled accounts are typically held in isolation for a period of time before being permanently deleted.
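The joiner, mover and leaver scenarios above, and the role-model-driven permission assignment described under Automated Permission Assignment, all reduce to one reconciliation step: derive the entitlements each person should hold from the HR record and the role model, diff that against what the directory actually holds, and emit grants, revocations, renames, disables and orphan flags. The following is an added illustration written for this page, not Tools4ever or HelloID code. The HR feed, the directory snapshot, the `(department, title)` role model and the action names are all constructed assumptions; a real connector would replace the dictionaries with reads from the HR system and the target directory.

```python
"""Added example (hypothetical, not Tools4ever/HelloID code): reconcile an HR
feed against a directory snapshot and emit joiner/mover/leaver actions."""

# Constructed HR feed: one record per employee. Status values are assumed.
HR_FEED = [
    {"id": "1001", "name": "Ada Lovelace", "dept": "finance", "title": "analyst", "status": "active"},
    {"id": "1002", "name": "Grace Hopper", "dept": "engineering", "title": "manager", "status": "active"},
    {"id": "1003", "name": "Alan Turing", "dept": "finance", "title": "clerk", "status": "terminated"},
    {"id": "1004", "name": "Joan Clarke", "dept": "engineering", "title": "engineer", "status": "active"},
]

# Assumed RBAC role model: (department, title) -> entitlements; "*" is a wildcard.
ROLE_MODEL = {
    ("*", "*"): {"grp-all-staff", "mailbox", "home-dir"},
    ("finance", "*"): {"grp-finance"},
    ("finance", "analyst"): {"app-sap-fi"},
    ("engineering", "*"): {"grp-engineering", "app-gitlab"},
    ("*", "manager"): {"grp-managers", "app-expense-approver"},
}

# Constructed directory snapshot (what the target system holds right now).
DIRECTORY = {
    # Ada kept app-gitlab from an earlier transfer: permission creep.
    "1001": {"name": "Ada Lovelace", "enabled": True,
             "entitlements": {"grp-all-staff", "mailbox", "home-dir",
                              "grp-finance", "app-sap-fi", "app-gitlab"}},
    # Grace was promoted to manager and changed her name; directory not yet updated.
    "1002": {"name": "Grace Murray", "enabled": True,
             "entitlements": {"grp-all-staff", "mailbox", "home-dir",
                              "grp-engineering", "app-gitlab"}},
    # Alan has left but his account is still enabled: leaver not yet processed.
    "1003": {"name": "Alan Turing", "enabled": True,
             "entitlements": {"grp-all-staff", "mailbox", "home-dir", "grp-finance"}},
    # No HR record at all: an orphan account, flagged rather than silently deleted.
    "9999": {"name": "svc-legacy", "enabled": True, "entitlements": {"grp-all-staff"}},
}


def desired_entitlements(person, role_model=ROLE_MODEL):
    """Union of every matching role-model row; a terminated person is entitled to nothing."""
    if person["status"] != "active":
        return set()
    wanted = set()
    for (dept, title), ents in role_model.items():
        if dept in ("*", person["dept"]) and title in ("*", person["title"]):
            wanted |= ents
    return wanted


def reconcile(hr_feed, directory, role_model=ROLE_MODEL):
    """Return the ordered list of actions that bring `directory` in line with `hr_feed`."""
    actions = []
    seen = set()
    for person in hr_feed:
        eid = person["id"]
        seen.add(eid)
        account = directory.get(eid)
        wanted = desired_entitlements(person, role_model)

        if person["status"] != "active":            # leaver: disable, strip all rights
            if account and account["enabled"]:
                actions.append(("disable", eid))
                for ent in sorted(account["entitlements"]):
                    actions.append(("revoke", eid, ent))
            continue

        if account is None:                          # joiner: create, then grant role rights
            actions.append(("create", eid, person["name"]))
            held = set()
        else:                                        # mover (or nothing to do)
            held = account["entitlements"]
            if account["name"] != person["name"]:
                actions.append(("rename", eid, person["name"]))
            if not account["enabled"]:               # rehire of a disabled account
                actions.append(("enable", eid))

        for ent in sorted(wanted - held):
            actions.append(("grant", eid, ent))
        for ent in sorted(held - wanted):            # excess rights: permission creep
            actions.append(("revoke", eid, ent))

    for eid, account in directory.items():           # accounts HR knows nothing about
        if eid not in seen and account["enabled"]:
            actions.append(("flag_orphan", eid))
    return actions


if __name__ == "__main__":
    for action in reconcile(HR_FEED, DIRECTORY):
        print(*action)
```

Two design points worth noting. Revocation is computed from the role model, not from what the previous role granted, so rights that were added by hand and never recorded anywhere are still caught. And an account with no HR record is flagged for a human rather than deleted, because service accounts and contractors often live outside the personnel system; the leaver path, by contrast, disables first and revokes everything, which is the order a practitioner wants when a departure must take effect immediately.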
Ad Hoc Requests
Not all access can be defined by the HR system; sometimes a one-off is necessary. With a Self-Service Solution, users and their managers can request access to additional resources. The request is routed to the responsible party, who can approve or deny it with the click of a button, all without involving the IT department.
HelloID is Tools4ever’s flagship product, providing user account provisioning, self-service workflows, and single sign-on. Give your users streamlined application access and self-service capabilities no matter where they are in the world. Configurable approval workflows and dynamic forms let you customize the HelloID IDaaS experience to fit your organization’s unique needs.
SSRPM offers a full range of self-service password management options. Additionally, you’ll never have to give a new employee their password in an email or on a piece of paper. Its unique Account Claiming module allows new employees to securely access their account without revealing its password to anyone. Additionally, SSRPM lets users reset their own passwords 24/7 by answering a few challenge questions, all without needing to contact the help desk.