Provision Access For Identity And Access Management

User Access Provisioning Steps, Policies, and Procedures for Identity and Access Management Systems.

What does Access Provisioning mean?

Provisioning access in the simplest terms, is the process for providing access to something or someone, within an Identity Management system. 

If you’ve loaned your house or car keys to a friend, congratulations, you’ve provisioned the access rights to your car or house, to your friend.

In today's modern technical terms, there are many more elements involved.

However, the general principle of providing access to resources remains the same.

provision access
Provisioning access to business applications or digital resources may be a slightly different process for different companies.

*Quick Tip

User information for 3rd party applications can be updated automatically or by an individual who manually adds, updates, or deletes the User's information.  We refer to these different ways of connecting to applications as connected or disconnected applications.

  • Connected Application - Automated Provisioning
  • Disconnected Application - Manual Provisioning

Businesses will typically document their specific rules and protocols inside a proprietary access control policy which outlines the creation of user accounts, facilitating access to existing accounts, and managing them with various other organizational resources.

The primary benefit of having a centralized provisioning process and policy in place, is to prevent inappropriate access, excess permissions to a user, and to avoid unnecessary security risks.

Other aspects of the provisioning process can include the application on-boarding process, approval request process, email authorizations and notifications, and any other triggered tasks that collaborate with the user account.

Provisioning can also include preparing an application or role, so that it is capable of granting immediate access to specific users, who meet specific criteria, configured within the provisioning policy.

Planning Your Access Control Policy? Download our Free Template
Access Control Policy template Get started with our free 11-page customizable template. Add, remove, or edit any sections.

Identity And Access Provisioning Lifecycle

For most businesses and scenarios, the process of maintaining appropriate user access rights, to the resources each individual user requires, is a never-ending process.

Provisioning begins when a user account is created.

Provisioning will continue on, any time a change happens to a user account, during the entire user lifecycle.

The provisioning lifecycle includes creation of a user account, modifications to a user account, and termination of the user account, from the network.

Identity and Access Provisioning Lifecycle Steps

The full lifecycle includes the control of a user account, from creation to deletion.

For example, new access permissions, account modifications, and changes to an employee role, department, or location, are all part of the user's provisioned lifecycle.

Finally, organizations also utilize user account provisioning processes, to address certifying, revoking, and de-provisioning user accounts.

Example Provisioning lifecycle process

1. A new user is onboarded into the organization.

2. The user is assigned birthright roles and access, per the policies and access requirements related to their specific position in the company.


As the user's day-to-day responsibilities change, he/she may require a role change, need access to additional applications, or have certain access revoked.

3. Request for access modification is submitted.

4. Internal provisioning policies and workflows, will determine the appropriate approval process.

5. Upon approval, the user's account will be provisioned or deprovisioned with appropriate access to applications, entitlements, and roles.

User Certification

Depending on the provisioning policies, or any software compliance requirements, administrators may be required to audit the user's access.

6. Request is created for a certification.

7. The user access certification process is completed, and resources are either approved or the user to keep, or revoked.

User Exit from organization or termination

8. When a user is no longer with a company, a request is submitted to remove the user's access to all organizational resources, and disable or remove the user from the organization's databases.

9. The request to remove the user's access and account is approved, depending on business policies and legal requirements.

10. The final stage of the user provisioning lifecycle is typically completely removing the user's records from all applications, services, and digital resources.

However, occasionally businesses are required to retain this information for a predetermined period of time.

User Provisioning Process

User accounts are commonly provisioned with directory entries.

Directories provision applications that need substantial access controls, often done directly through APIs or database entries.

Provisioning Software

There are many types of software that control user access to applications and internal resources.

One of the most common pieces of software is Microsoft's Active Directory, which specializes in controlling internal access.

Additionally, several different Identity and Access Management systems work with systems like Active Directory, or by themselves to control both internal access and external access, to third-party SaaS products and Cloud Applications.

Access Provisioning Analyst Job Description

The Access Provisioning Analyst is responsible for the provisioning of new access to the company's systems.

The most common tasks are granting or denying access requests.

Additionally, Provisioning Analysts manage existing access, ensuring that individuals are only given the level of access they need to complete their job duties.

The provisioning analyst is responsible for providing access to various systems and applications for new employees, contractors, vendors, or other temporary workers.

Typical Job Responsibilities:

  1. Responsible for granting or denying access requests
  2. Proactively identify and analyze customer needs
  3. Install and configure hardware, software, and services as needed
  4. Assist customers with installation and configuration
  5. Reviews and approves requests for information on all new hires, contractors, and consultants
  6. Maintains records of all granted or denied requests for information
  7. Ensures individuals are only given access to the level of information needed to complete their job duties
  8. Ensures compliance with company policy and regulatory requirements
  9. Ensure proper licensing for all hardware, software, and services purchased by the company
  10. Maintain inventory of all equipment and software purchased by the company
  11. Must be familiar with the company's security policies and procedures
  12. Must be able to work independently with minimal supervision
  13. Troubleshoot issues as needed
  14. Record any changes made to the environment in a change request system
  15. Must have excellent customer service skills

With the advancement of Identity Access Management systems, many of the responsibilities of the Access Provisioning Analyst have been reduced, or delegated to other positions.

Want to know how we launch IAM systems in days instead of months?

Schedule a demo with us and see IDHub for yourself!


Auto Provisioning

Business roles can be configured with a predetermined collection of applications for access to the user.

Role-based provisioning allows automatic and workflow-based account provisioning to occur.

Administrators assign roles to new users during creation, or to existing users who have changed their responsibilities or positions.

Automatic user provisioning and deprovisioning, grants or revokes access to users, based on the configured automatic triggers, within the assigned roles.

Below are some common changes that may take place during the user lifecycle, which would trigger the automatic provisioning and deprovisioning of assets to a user account:

  • New Employee
  • Location Change
  • Promotion
  • New Applications are added or removed
  • Role Changes
  • Department Changes
  • Terminations

Remote User Recognition And Access Provisioning

The beauty of using a full-featured Identity Management System, is that access can be granted to anyone within, or outside an organization.

Remote users, partners, or third-party services can be on-boarded and provisioned with the appropriate access, per the internal policies, while mitigating compliance risks.

Similarly, deprovisioning external accounts and users, is the same simple process.

Cloud Provisioning

With Identity Management Systems, network administrators can connect to external applications, and define independent user types, roles, and permissions.

This type of configuration allows a local administrator to process all access, through an internal SSO login interface.

A Single Sign-on screen allows users to securely access a number of resources from within the building, on the other side of the world, or as a third-party partner.


Try IDHub for FREE for 30 Days, no payment information necessary.

Try out our full working version of IDHub Cloud or Teams and explore right now!

Provisioning with IDHub

IDHub makes automated user provisioning a breeze, as it utilizes an automated provisioning workflow engine, as well as role-based provisioning, to fully govern user management access control.


Distributed Connectors

IDHub connectors are standalone, platform-agnostic applications that encapsulate all interactions within a target system.

IDHub core connects to the target system via connectors, used to provision user accounts, entitlements, and other organizational resources.

man pointing

Standard Based

IDHub connectors consist of SCIM and other REST endpoints, used to perform operations on a target system.

The connectors are developed and maintained independently by the mainline, IDHub.

They are self-contained processes running, on a server/platform, directly connected to target systems.

In some cases, connectors can also run on the Target System Servers.

Connector Architecture

Built to Scale

IDHub's provisioning engine integrates with connectors using a standard-based protocol, and offloads the tedious work outside the core stack.

IDHub's provisioning engine increases the stability of systems, while also insulating the core stack from an outage, and prevents any problems from occurring on isolated systems.

access control template download

Download The Editable 11 Page Access Control Policy Template

Skip to content