Manual user account management consumes significant administrator time and is prone to oversights, slow execution, and data entry errors. It also typically means granting Tier 1 staff administrator-level permissions they do not otherwise need, simply so they can perform routine account tasks, which widens the blast radius of any compromised help-desk credential. Automating user account management lets your organization improve both efficiency and security, drive errors and delays toward zero, and reclaim significant IT bandwidth. By connecting your HR system to Active Directory (or another directory service), you can create, provision, and manage users and groups; implement role-based access governance; and apply consistent, rapidly executed processes across every user's complete lifecycle, from onboarding to offboarding.
User Account Provisioning is the process that ensures user accounts are created with the correct permissions, modified as needs change, disabled, and eventually deleted. When automated, these identity management actions are triggered by records being added or changed in the personnel system: new hires, promotions, transfers, and departures are typical events that start an identity management process.
Permission bloat (also called “privilege creep” or “access creep”) is the gradual accumulation of access rights over the course of a user’s employment, most often in under-managed IT environments. It arises when promotions, role changes, reassignments, or reorganizations add new access without revoking the access the previous role required. The leftover rights are both an information security vulnerability and a compliance risk: no current role justifies them, so nobody reviews them, yet an attacker who compromises that account inherits every one of them.
By contrast, automated identity management and provisioning keep each user’s access aligned with a role-based model. When a change alters what a user needs, an automated solution computes the access the new role requires, grants what is missing, and removes what is no longer justified, so bloat is prevented rather than cleaned up after the fact.
Adhering to the precise access rights a user needs to meet their job responsibilities—no more, no less—is referred to as the “Principle of Least Privilege”.
CRUD is an acronym for “Create, Read, Update, Delete” and refers to the overarching identity management operations that occur over the course of a user’s account lifecycle. “Create” begins the lifecycle; “Read” and “Update” recur as needed to adjust account information and access rights throughout employment; and “Delete” ends the lifecycle with the employee’s departure from the organization (typically after a period in which the account is disabled but retained).
Role-based access control (RBAC) is the identity management method of preconfiguring structured user access according to each position’s job function and responsibilities (e.g., department, position, location, and other factors). The complete set of an organization’s role-to-access mappings, one entry per position, is referred to as an “authorization matrix”. RBAC is one of the major methods for implementing and enforcing Access Governance.
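The pieces above (HR-event-driven provisioning, removal of no-longer-justified rights, and the authorization matrix) fit together as a desired-state reconciliation loop. The following is an added example written for this page, not code from any product the page describes: an in-memory stand-in for a directory, a constructed authorization matrix with hypothetical department/title roles and group names, and a `reconcile` function that drives an account to the access its current role defines on each HR event. The group names, role keys, and event format are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed authorization matrix (hypothetical roles and group names):
# (department, title) -> the exact set of groups that role needs. Anything not
# listed here is, by definition, not needed for the job.
AUTH_MATRIX = {
    ("Finance", "Analyst"): {"GG-Finance-Staff", "GG-ERP-Read"},
    ("Finance", "Manager"): {"GG-Finance-Staff", "GG-ERP-Read", "GG-ERP-Approve"},
    ("Engineering", "Developer"): {"GG-Eng-Staff", "GG-SourceControl-Write"},
}
# Groups every active employee holds regardless of role.
BASELINE_GROUPS = {"GG-All-Employees"}


@dataclass
class Account:
    """In-memory stand-in for a directory user object."""
    username: str
    enabled: bool = True
    groups: set = field(default_factory=set)


class Directory:
    """In-memory stand-in for Active Directory or another directory service."""
    def __init__(self):
        self.accounts = {}


def desired_groups(department, title):
    """Look up the role in the authorization matrix. An unknown role fails
    closed: no entry means no access, rather than a guessed default."""
    try:
        return AUTH_MATRIX[(department, title)] | BASELINE_GROUPS
    except KeyError:
        raise LookupError(f"no role in authorization matrix for {department}/{title}") from None


def reconcile(directory, event):
    """Apply one HR event (type 'hire', 'change' or 'leave') and return what changed.

    The account is driven to the desired state computed from its role: rights
    that are missing are added and rights no longer justified by the current
    role are removed, regardless of how they were originally granted.
    """
    username = event["username"]
    result = {"created": False, "disabled": False, "added": set(), "removed": set()}

    if event["type"] == "leave":
        acct = directory.accounts[username]
        acct.enabled = False
        result["disabled"] = True
        result["removed"] = set(acct.groups)
        acct.groups.clear()  # a disabled account keeps no entitlements
        return result

    desired = desired_groups(event["department"], event["title"])
    acct = directory.accounts.get(username)
    if acct is None:
        if event["type"] != "hire":
            raise LookupError(f"change event for unknown account {username}")
        acct = Account(username)
        directory.accounts[username] = acct
        result["created"] = True

    result["added"] = desired - acct.groups
    result["removed"] = acct.groups - desired  # this is where permission bloat goes away
    acct.groups = set(desired)
    return result


def lifecycle_demo():
    """Run a constructed hire -> transfer -> departure sequence and return the
    three reconcile results plus the directory, with an out-of-band manual
    grant injected between events to show bloat being removed."""
    d = Directory()
    hire = reconcile(d, {"type": "hire", "username": "jdoe",
                         "department": "Finance", "title": "Analyst"})
    # Manual grant outside the process: the classic source of permission bloat.
    d.accounts["jdoe"].groups.add("GG-ERP-Approve")
    transfer = reconcile(d, {"type": "change", "username": "jdoe",
                             "department": "Engineering", "title": "Developer"})
    leave = reconcile(d, {"type": "leave", "username": "jdoe"})
    return hire, transfer, leave, d


if __name__ == "__main__":
    for label, r in zip(("hire", "transfer", "leave"), lifecycle_demo()[:3]):
        print(label, r)
```

Two design choices matter here. First, the matrix is the only source of truth: on the transfer, the manually added `GG-ERP-Approve` is removed along with the old Finance groups even though no HR event ever mentioned it, which is exactly the behaviour that prevents privilege creep. Second, an unknown role raises instead of granting a default, so a bad HR record cannot silently produce an account with guessed access. A real deployment would additionally model approved exceptions explicitly (with an owner and expiry) rather than letting them live as unexplained group memberships.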