The provisioning of user accounts and information system rights is a crucial component of your IAM strategy. It allows you to allocate exactly the right resources to the right people as changes occur during the user lifecycle.
There is a twin aim: to increase productivity by automating the creation, modification and deletion of accounts and users’ rights in IS applications, based on their movements within the organisation (entry, exit, transfers, changes, etc.), and to enhance security by keeping tight control of the authorisations granted to users and thus being able to answer the question: who has access to what?
This means meeting highly operational challenges that are central to your IAM platform. As well as technically applying your authorisations management strategy to your IS, user provisioning allows you, for example, to carry out remediation operations resulting from access rights review campaigns, to populate user credentials in Enterprise SSO or Web SSO solutions, and to control the dependencies between the IT resources granted to users so as to avoid generating incompatibilities and/or “toxic rights”, which are forbidden under regulatory compliance rules.
User provisioning, the technical framework linking your identity and access management (IAM) solution to your information system
The provisioning of user accounts and their rights is an essential functionality of identity and access management software, and can take several forms: automated provisioning, which seeks to automatically create the necessary accounts and rights in applications by means of technical connectors; manual or guided provisioning, in which technical actions are steered by workflow processes but undertaken manually by administrators; and mixed or semi-automated provisioning, which combines automated tasks and manual actions. “On-the-fly” provisioning is more closely linked to identity federation and entails using the exchanged identity token to send the information necessary for creating and updating user accounts to the target application.
In order to develop a quality user provisioning offering, several features are essential:
- A catalogue of standard and more advanced connectors: while it is quite conventional to offer a range of connectors for the most common applications (e.g. Active Directory, ERP), Cloud applications (e.g. O365, Gapps), or applications that rely on a standard interface or an API (SCIM, REST), special attention needs to be paid to the richness and agility of the IAM platform development framework in order to integrate non-standard, legacy or internally developed applications, for example.
- Management of software and hardware resources: a premises access badge, a strong authentication medium such as a chip card or a FIDO2 key, or a mobile phone are just some of the hardware resources that might need to be included in the general management of user authorisations, alongside software resources.
- Downstream and upstream provisioning: the latter is just as important as the former, in order to trigger user lifecycle management processes based on the detection of events in reference sources such as the HR IS, or to reconcile the rights defined in the authorisation policy with those in the applications connected to the IAM solution, for the purposes of ongoing monitoring in particular.
Discover the richness of the provisioning engine used by our Meibo People Pack solution
Main challenges and benefits of user account provisioning processes
Your capacity to define and then automate the processing operations associated with accounts and rights provisioning is therefore highly dependent on the capabilities of your identity and access management platform.
1. Productivity and ROI
- Automate the provisioning of accounts and rights in IS applications
- Cut down on administrative tasks and eliminate processes using “paper” forms
- Improve the effectiveness and reliability of entry, mobility, exit and rights allocation processes
- Simplify the integration of new applications and make the IS flexible and agile
2. Security
- Control and track the allocation, modification and removal of user rights in the IS
- Delete orphan accounts and ensure that no individual holds a toxic combination of rights
- Check that accounts are actually closed for people who have left the company
- Simplify the rights allocation and removal process
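The upstream reconciliation described earlier (comparing the rights defined in the authorisation policy with those actually present in a connected application) and the security checks listed above can be illustrated with a small reconciliation routine. This is an added example, not code from the Meibo People Pack solution; the data model (identity status plus expected rights per person, the application's account list, and a segregation-of-duties matrix of toxic right pairs) and the sample data are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed sample: the IAM authorisation policy (status and expected rights per identity).
POLICY = {
    "alice": {"status": "active", "rights": {"ap_create_invoice"}},
    "bob":   {"status": "active", "rights": {"ap_create_invoice", "ap_approve_payment"}},
    "carol": {"status": "left",   "rights": set()},
}
# Constructed sample: accounts and rights actually found in the connected application.
APP_ACCOUNTS = {
    "alice":   {"ap_create_invoice", "ap_view_reports"},  # holds a right the policy never granted
    "carol":   {"ap_create_invoice"},                     # leaver whose account was never closed
    "svc_old": {"ap_approve_payment"},                    # no matching identity: orphan account
}
# Assumed segregation-of-duties matrix: pairs of rights that must never be held together.
TOXIC_PAIRS = [("ap_create_invoice", "ap_approve_payment")]

@dataclass
class Findings:
    orphan_accounts: set = field(default_factory=set)
    leavers_still_open: set = field(default_factory=set)
    missing_accounts: set = field(default_factory=set)
    drifted_rights: dict = field(default_factory=dict)      # user -> (extra, missing)
    toxic_combinations: dict = field(default_factory=dict)  # user -> set of toxic pairs

def reconcile(policy, app_accounts, toxic_pairs):
    f = Findings()
    # Application side: accounts that should not exist at all.
    for account in app_accounts:
        if account not in policy:
            f.orphan_accounts.add(account)
        elif policy[account]["status"] == "left":
            f.leavers_still_open.add(account)
    # Policy side: active identities whose account is absent or whose rights have drifted.
    for user, rec in policy.items():
        if rec["status"] != "active":
            continue
        if user not in app_accounts:
            f.missing_accounts.add(user)
            continue
        extra, missing = app_accounts[user] - rec["rights"], rec["rights"] - app_accounts[user]
        if extra or missing:
            f.drifted_rights[user] = (extra, missing)
    # Toxic combinations are checked both as granted in the policy and as held in the application.
    sides = [(u, r["rights"]) for u, r in policy.items()] + list(app_accounts.items())
    for user, held in sides:
        bad = {(a, b) for a, b in toxic_pairs if a in held and b in held}
        if bad:
            f.toxic_combinations.setdefault(user, set()).update(bad)
    return f
```

Each non-empty field of the returned `Findings` is a remediation item: close the orphan and leaver accounts, create the missing one, and revoke the extra or toxic rights.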