What is User Provisioning?

User Provisioning (or user account provisioning) is an Identity and Access Management process that ensures user accounts are automatically created, allocated proper resources, changed, disabled, and deleted. These identity management actions are dependent on staff turnover and changes within the organization. Starting employment, promotion, ad hoc assignments, and employee departures are examples of identity management events that determine provisioned resources.

The biggest challenge to user account provisioning can be the process itself. Manually managing user accounts and user groups easily becomes one of the IT department’s most time-consuming jobs. Accounts must be created, added to groups, assigned proper privileges, and granted access to resources (e.g. downstream software, file shares) according to user roles. These exhausting efforts are multiplied by every employee at an organization.

Every major employment event a user experiences, such as a promotion or role change, requires reviewing and verifying their account provisioning. Even employee departures require deprovisioning. Without user account reviews, your organization may quickly fall out of compliance with current data protection regulations.

Automated User Provisioning

Automated provisioning negates the difficulties and delays caused by manually managing user account creation. By linking various systems and software together, user-specific identity information determines the execution of automated provisioning processes. Most of the necessary identity information already exists within your organization’s HR system. These personnel specifics include:

  • Name and address
  • Start and end dates
  • Job titles
  • Designated manager and employee relationships
  • Department

User accounts may be actively and automatically managed by linking this “source” data to your provisioning solution. The provisioning system will then execute processes to create, link, and populate accounts across the network (e.g. Active Directory, downstream software and applications).

Access Governance (AG) is one of the most significant factors determining a given user’s provisioned resources. This Identity Management discipline is also known as Role-Based Access Control (RBAC). “Role models”, or “job matrices”, are hierarchical structures that determine the resources and privileges granted to each specific employee role or job. Driving access management according to an access governance schema ensures that each and every employee has exactly the resources they require - no more, no less.

Tools4ever’s automated user provisioning software establishes a connection between systems and user accounts in the network. Whenever there is a change in the HR system (e.g. new employee, name change, role change, leaving employment), our software detects it and then performs the appropriate provisioning process automatically. This makes account management quick and simple.

Examples of user account provisioning changes and procedures:

Starting employment

When a new employee starts, they need an email, home directory, and group memberships in your system. Depending on the employee’s role, advanced network privileges and downstream accounts may also be necessary (e.g. SAP, Salesforce, TOPdesk). Automated provisioning executes the process according to the user’s role, with little to no manual intervention needed.

Tools4ever has developed over 150 system connectors, with many more planned.

Promotion

A user account is assigned a different set of rights in the network according to the new role. Rights and downstream accounts are added and/or removed accordingly.

Users accumulate access rights and privileges over the course of their employment. Without their access being reviewed and adjusted for each role change, the accumulated access across the network poses serious compliance and security risks.

Leaving employment

The user’s account is blocked immediately and transferred to another OU. In addition to network resources, deprovisioning may include removing access rights to things such as physical buildings (e.g. disabling security codes).

Marrying/divorcing or address changes

Information is synchronized from the HR system, and the updated values are reflected across display names, email addresses, and more. Changing the source data handles the rest.

Location change

Home directory data is transferred to the nearest home directory server. Relevant account attributes such as “department” and “office” are updated accordingly.

Ad Hoc Projects

Not all access can be defined by the HR system—sometimes a one-off is necessary. Upon request, a user account can receive access to specific file shares, applications, data or more pertaining to one-off or temporary assignments. Access can be granted indefinitely or with automatic deprovisioning at a scheduled end date to help ensure compliance and security.
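The lifecycle events above (starting employment, promotion, leaving employment, ad hoc access with an end date) can all be handled by one reconciliation step that compares what an account holds with what the HR record and role model say it should hold. The sketch below is an added example, not Tools4ever's code; the role model, entitlement names, record fields, and the "Disabled Users" OU are hypothetical.

```python
from datetime import date

# Constructed role model ("job matrix"); every role and entitlement name is hypothetical.
ROLE_MODEL = {
    "sales_rep": {"email", "home_dir", "grp_sales", "app_salesforce"},
    "sales_manager": {"email", "home_dir", "grp_sales", "grp_managers",
                      "app_salesforce", "app_sap"},
}

def target_access(hr, adhoc, today):
    """Entitlements the user should hold today, derived only from source data."""
    employed = hr["start"] <= today and (hr["end"] is None or today <= hr["end"])
    if not employed:
        return set()  # leaver, or not started yet: entitled to nothing
    wanted = set(ROLE_MODEL[hr["role"]])
    # Ad hoc grants count only until their scheduled end date (None = indefinite).
    wanted |= {g["entitlement"] for g in adhoc
               if g["until"] is None or today <= g["until"]}
    return wanted

def plan(hr, current, adhoc, today):
    """Diff the account's current access against the target; return ordered actions."""
    wanted = target_access(hr, adhoc, today)
    actions = []
    if hr["end"] is not None and today > hr["end"]:
        # Leaver: block the account first, then move it out of the active OU.
        actions += [("disable_account", hr["id"]), ("move_ou", "Disabled Users")]
    # Revoking everything outside the target is what stops access accumulating.
    actions += [("revoke", e) for e in sorted(current - wanted)]
    actions += [("grant", e) for e in sorted(wanted - current)]
    return actions

# Constructed sample: a promoted user still holding an old group and an expired project share.
TODAY = date(2024, 4, 1)
MOVER = {"id": "E1001", "role": "sales_manager", "start": date(2022, 1, 10), "end": None}
MOVER_CURRENT = {"email", "home_dir", "grp_sales", "app_salesforce",
                 "grp_support", "share_project_x"}
MOVER_ADHOC = [{"entitlement": "share_project_x", "until": date(2024, 3, 31)}]

if __name__ == "__main__":
    for action in plan(MOVER, MOVER_CURRENT, MOVER_ADHOC, TODAY):
        print(action)
```

Because the plan is computed from the full target set rather than from the change event alone, leftover rights from an earlier role are revoked in the same pass that grants the new ones.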

Within its suite of Identity Management software, Tools4ever offers two provisioning solutions:

IAM (Identity and Access Manager)

IAM was added to Tools4ever’s software suite as a next-generation Identity Management solution in 2016. IAM provides Tools4ever’s most-sophisticated user account management - incorporating access governance, automated user provisioning, business intelligence reporting, advanced security controls and more.

UMRA (User Management Resource Administrator)

Originally launched in 2004, UMRA served as Tools4ever’s flagship user account management software and provisioning solution for Active Directory environments. System administrators across all industries and sectors still rely on UMRA for their user account lifecycle needs over a decade and a half later.

Tools4ever’s Identity and Access Management solution suite also includes IDaaS, single sign-on, self-service password resets, file system auditing, and more functionality.