Getting a user provisioned and productive on your network is one thing; getting their cloud accounts sorted is a whole other ball of wax. In the old days, you had Active Directory, Exchange, some line-of-business applications and ERP this and that. Presto, boomo, you had a provisioned user.
Now if you want to automate the user account provisioning process, you need to account for any cloud applications the user has. These cloud applications have different UIs, are owned by different lines of business and generally add a wrinkle to your identity and access management that you just don't need.
But it's the world we live in, and we have to somehow manage cloud identities alongside our internal identities. The three main things to worry about are: 1) provisioning / deprovisioning, 2) role-based access control, and 3) federated single sign-on.
Automating provisioning and deprovisioning is the first and most important step. You pay for these accounts monthly per user, so if someone has left the company, you want that account gone immediately. An IAM platform like EmpowerID will have connectors to all of your major cloud applications like Salesforce, Google Apps or Hubspot. For those without an out-of-the-box connector, building one with the application's APIs is pretty easy.
Unless your IAM solution can do role-based provisioning, though, your user will always have this account. Remember that provisioning isn't a one-time affair; it is a lifecycle for the user. Make sure that your automated provisioning (and deprovisioning) workflow takes into account the user's role or attributes and deprovisions the account if their role is no longer eligible for the application.
But provisioning these accounts is pointless if you still have to go into the application and manage the user manually. Application-level role-based access control (RBAC) is built into most applications, and most IAM platforms have enterprise-level RBAC. Role mapping is essential for cloud applications: map the enterprise roles to the application role during provisioning and as your user moves around the organization. Take Salesforce as an example: if your user is promoted from sales executive to sales director, their enterprise role will change; a good IAM platform will then change their cloud application role along with it.
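The role-driven lifecycle from the two paragraphs above, as an added example that is not EmpowerID's code or API: the enterprise role names, application role names, the `Action` type and the `reconcile` function are hypothetical, and the mapping is constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample mapping: enterprise role -> {application: application role}.
ROLE_MAP = {
    "sales-executive": {"salesforce": "Standard User", "hubspot": "Sales Rep"},
    "sales-director": {"salesforce": "Sales Manager", "hubspot": "Sales Manager"},
    "engineer": {"google-apps": "User"},
}


@dataclass(frozen=True)
class Action:
    op: str                     # "provision", "update_role" or "deprovision"
    user: str
    app: str
    role: Optional[str] = None  # target application role, None for deprovision


def reconcile(user, enterprise_role, current_accounts):
    """Return the actions that align a user's cloud accounts with their role.

    enterprise_role is None for a user who has left the company.
    current_accounts maps application -> application role held today.
    """
    # Fail closed: a missing or unmapped enterprise role is entitled to nothing,
    # so every existing account is queued for deprovisioning.
    desired = ROLE_MAP.get(enterprise_role, {})
    actions = []
    for app, role in sorted(desired.items()):
        if app not in current_accounts:
            actions.append(Action("provision", user, app, role))
        elif current_accounts[app] != role:
            # Enterprise role changed: move the application role with it.
            actions.append(Action("update_role", user, app, role))
    for app in sorted(current_accounts):
        if app not in desired:
            # Role no longer eligible for this application: remove the account.
            actions.append(Action("deprovision", user, app))
    return actions
```

Running `reconcile` on every role change and on a schedule catches accounts that were created or altered directly in the application, outside the workflow.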
Last, but not least, is federated single sign-on. Your users have increased their number of application passwords exponentially (that is a bit of an exaggeration), so make sure that you are federating with your cloud applications. SAML and other standards have made this easy if your IAM platform supports it. We have a whitepaper on the Top 5 Federated single sign on scenarios; take a look and see what matches your needs.
IT departments spent the better part of the last decade figuring out corporate identities. Most IAM vendors built their "platforms" before the cloud became so prevalent. EmpowerID was conceived and built from 2008 onwards with the cloud in mind the entire time. It is a platform based on a single code base that allows you to manage the provisioning and deprovisioning of cloud accounts, their roles and access, and federation all within a single IAM platform. You do the work once for all identities, whether they're internal or cloudy.
A demo of this complete ecosystem for your users' identities will show you how simple this can be to manage.