Automated Onboarding And User Access Provisioning


Sath Inc

Product Team


What does automated onboarding and provisioning mean?

User provisioning, or user access provisioning, is in the simplest terms the process of giving someone access to something: an application, a resource, or a level of rights. Alongside the act of granting that access, it also covers the request for the access, the rules that govern it, and the approval of the request.

Provisioning could be granting a user an account inside of a Cloud SaaS service, access to a software application, a particular folder, or permission to take some action within your system, such as editing documents instead of just viewing them.

In today's technical environments there are many more elements involved, but until now one thing has been clear: the process is tedious.

Typical provisioning processes for user onboarding would often involve the HR department submitting information to the IT department, along with different managers submitting their information for what rights and access a new user should have when they start.

The process of getting a new user up and running with all of their correct access rights can typically take days or weeks, and months is not unheard of.

For existing users who need additional access, they or their managers must submit a request to the IT department. The IT department then has to track down the person whose approval is needed to grant the access, and finally has to make the necessary changes manually to give the user what was requested.

Automated Onboarding and Provisioning with Identity and Access Management (IAM) is a tool that, once a user has been added (provisioned) into it, automates the entire provisioning process from start to finish based on the rules you set forth. Needless to say, the time saved by IT, and the reduction in the time it takes to get a new user up and running, is significant.

Businesses will typically document their specific rules and protocols inside a proprietary access control policy which outlines the creation of user accounts, facilitating access to existing accounts, and managing them with various other organizational resources.

The primary benefit of having a centralized provisioning process and policy in place is to prevent inappropriate access and excess permissions for a user, and so to avoid unnecessary security risk.

Other aspects of the provisioning process can include the application onboarding process, approval request process, email authorizations and notifications, and any other triggered tasks that collaborate with the user account.

Provisioning can also include preparing an application or role to grant immediate access to specific users, who meet specific criteria, configured within the provisioning policy.

Quick Tip

We refer to the two ways an IAM system can connect to an application as connected or disconnected applications.

  • Connected Application - An application that communicates directly with the IAM system, so automated provisioning is possible.
  • Disconnected Application - An application that is tracked and auditable in the IAM system without a direct connection. Final provisioning is done manually by an individual after all automated requests and approvals have taken place.

Automated Provisioning

Business roles can be configured with a predetermined collection of applications to which the user is granted access.

Role-based provisioning allows automatic and workflow-based account provisioning to occur.

Administrators assign roles to new users during creation, or to existing users who have changed their responsibilities or positions.

Automatic user provisioning and de-provisioning grants or revokes access for users based on the configured automatic triggers and the roles they are assigned.

Below are some common changes that may take place during the user lifecycle, which would trigger the automatic provisioning and de-provisioning of assets to a user account:

  • New Employee
  • Location Change
  • Promotion
  • New Applications Added or Removed
  • Role Changes
  • Department Changes
  • Terminations

Identity And Access Provisioning Lifecycle


For most businesses and scenarios, the process of maintaining appropriate user access rights to the resources each individual user requires is a never-ending process.

Provisioning begins when a user account is created.

Provisioning will continue at any time a change happens to a user account during the entire user lifecycle.

The provisioning lifecycle includes the creation of a user account, modifications to a user account, and termination of the user account from the network.

Identity And Access Provisioning Lifecycle Steps

The full user lifecycle includes the control of a user account, from creation to deletion.

For example, new access permissions, account modifications, and changes to an employee role, department, or location, are all part of the user's provisioned lifecycle.

Finally, organizations also utilize user account provisioning processes, to address certifying, revoking, and de-provisioning user accounts.

Example Provisioning Lifecycle Process

1. A new user is onboarded into the organization.

2. The user is assigned birthright roles and access per the policies and access requirements related to their specific position in the company.

Modifications

As the user's day-to-day responsibilities change, he/she may require a role change, need access to additional applications, or have certain access revoked.

3. Request for access modification is submitted.

4. Internal provisioning policies and workflows will determine the appropriate approval process.

5. Upon approval, the user's account will be provisioned or de-provisioned with appropriate access to applications, entitlements, and roles.

User Certification

Depending on the provisioning policies, or any software compliance requirements, administrators may be required to audit the user's access.

6. Request is created for a certification.

7. The user access certification process is completed, and each resource is either approved for the user to keep, or revoked.

User Exits The Organization Or Termination

8. When a user is no longer with a company, a Service Request is submitted to remove the user's access to all organizational resources and disable or remove the user from the organization's databases.

9. The request to remove the user's access and account is approved, depending on business policies, legal requirements, and workflows.

10. The final stage of the user provisioning lifecycle typically removes the user's records from all applications, services, and digital resources.

However, occasionally businesses are required to retain this information for a predetermined period of time.
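The lifecycle triggers listed under Automated Provisioning and the numbered lifecycle steps above can be modelled as one small engine. The following Python is an added example, not Sath's code or product: it holds a constructed role-to-entitlement policy, handles lifecycle events (hire, role change, department change, termination) by diffing the user's expected access against their current access, fulfils changes to connected applications automatically while queuing changes to disconnected applications as manual tasks, and provides a certification check that flags access not justified by the user's roles. Every role, application and entitlement name here is a constructed assumption, and the terminated record is kept (flagged inactive) rather than deleted, reflecting the retention note above.

```python
"""Role-based provisioning engine (added example; all names are constructed).

Expected access is derived from roles; each lifecycle event reconciles the
user's current access against that expectation.  Connected applications are
changed immediately, disconnected ones become manual tasks for a person.
"""
from dataclasses import dataclass, field

# Constructed policy: role -> set of (application, entitlement) pairs.
ROLE_POLICY = {
    "employee":    {("email", "mailbox"), ("hr-portal", "self-service")},
    "engineer":    {("git", "developer"), ("ci", "build-trigger")},
    "eng-manager": {("git", "maintainer"), ("hr-portal", "approver")},
    "finance":     {("erp", "ledger-read")},
}
# Constructed birthright roles granted by department on hire/move.
DEPARTMENT_ROLES = {"engineering": {"engineer"}, "finance": {"finance"}}
# Constructed: applications with a direct IAM connector; "erp" is disconnected.
CONNECTED_APPS = {"email", "hr-portal", "git", "ci"}


@dataclass
class User:
    uid: str
    department: str
    roles: set = field(default_factory=set)    # explicitly assigned roles
    access: set = field(default_factory=set)   # current (app, entitlement) pairs
    active: bool = True                         # False after termination (record retained)


def effective_roles(user):
    """Birthright 'employee' role plus department roles plus assigned roles; none if inactive."""
    if not user.active:
        return set()
    return {"employee"} | DEPARTMENT_ROLES.get(user.department, set()) | user.roles


def expected_access(user):
    """Access the policy says the user should currently hold."""
    want = set()
    for role in effective_roles(user):
        want |= ROLE_POLICY.get(role, set())
    return want


def fulfilment(app):
    """Connected apps are changed by the IAM system; others need a manual task."""
    return "automatic" if app in CONNECTED_APPS else "manual-task"


def plan_changes(user):
    """Diff expected vs current access into (action, app, entitlement, fulfilment) tuples."""
    want = expected_access(user)
    grants = [("grant", app, ent, fulfilment(app)) for app, ent in sorted(want - user.access)]
    revokes = [("revoke", app, ent, fulfilment(app)) for app, ent in sorted(user.access - want)]
    return grants + revokes


def apply_changes(user, changes):
    """Apply automatic changes now; return manual ones as open tasks.
    The IAM record for a disconnected app is updated only when its task is closed."""
    open_tasks = []
    for action, app, ent, mode in changes:
        if mode == "manual-task":
            open_tasks.append((action, app, ent))
        elif action == "grant":
            user.access.add((app, ent))
        else:
            user.access.discard((app, ent))
    return open_tasks


def close_task(user, task):
    """An administrator confirms the manual change was made in the disconnected app."""
    action, app, ent = task
    (user.access.add if action == "grant" else user.access.discard)((app, ent))


def reconcile(user):
    return apply_changes(user, plan_changes(user))


# Lifecycle events: each one returns the manual tasks it left open.
def on_hire(uid, department, roles=()):
    user = User(uid, department, set(roles))
    return user, reconcile(user)


def on_role_change(user, add=(), remove=()):
    user.roles |= set(add)
    user.roles -= set(remove)
    return reconcile(user)


def on_department_change(user, department):
    user.department = department
    return reconcile(user)


def on_termination(user):
    user.active = False          # record retained, all access becomes revocable
    return reconcile(user)


def certify(user):
    """Access review: entitlements not justified by the user's effective roles
    (for example granted directly inside the target app) for the reviewer to decide on."""
    return sorted(user.access - expected_access(user))


if __name__ == "__main__":
    alice, tasks = on_hire("alice", "engineering")
    print("hire ->", sorted(alice.access), "open tasks:", tasks)
    tasks = on_department_change(alice, "finance")
    print("move to finance -> open tasks:", tasks)
    alice.access.add(("git", "admin"))            # simulated out-of-band grant
    print("certification flags:", certify(alice))
    print("termination -> open tasks:", on_termination(alice))
```

The termination output is the point a practitioner should notice: every connected application is revoked immediately, but the disconnected ERP entitlement stays on the record as an open revoke task until someone closes it, which is exactly the window a manual final step leaves open.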

Traditional User Provisioning Process

User accounts are commonly provisioned as directory entries.

Applications that require substantial access controls are then provisioned from the directory, often directly through APIs or database entries.

Provisioning Software

There are many types of software that control user access to applications and internal resources.

One of the most common pieces of software is Microsoft's Active Directory, which specializes in controlling internal access.

Additionally, several different Identity and Access Management systems work with systems like Active Directory or by themselves to control internal and external access to third-party SaaS products and Cloud Applications.

Remote User Recognition And Access Provisioning

The beauty of using a full-featured Identity Management System is that access can be granted to anyone within or outside an organization.

Remote users, partners, or third-party services can be on-boarded and provisioned with the appropriate access, per the internal policies, while mitigating compliance risks.

Similarly, de-provisioning external accounts and users is the same simple process.

Cloud Provisioning

With Identity Management Systems, network administrators can connect to external applications and define independent user types, roles, and permissions.

This configuration allows a local administrator to process all access through an internal SSO login interface.

A Single Sign-on screen allows users to securely access several resources from within the building, on the other side of the world, or as a third-party partner.
