Automated user provisioning: when and how

Posted by Edward Killeen on Tue, Sep 18, 2012

Users have a lot of accounts; it keeps both IT and users busy.  The trick is to give them the accounts that they need and only the accounts that they need.  Automated user provisioning is essential.

The "person" directory is the foundation of how automated provisioning should work.  A person account should be created for each user (full-time employee, contractor, partner, customer, etc.).  This person account should carry enough information to start a chain of provisioning workflows that create a joined account for each application the user needs.  We call this role-based provisioning.

Let's start with how to populate the "person" directory, or metadirectory.  The metadirectory will inventory an authoritative source (HRIS for employees, a spreadsheet for contractors {just kidding}, CRM for customers and partners) to check for new users and provision a person account for each one, with attributes flowing from that or any other system.

Dynamic roles are provisioned (assigned) based on those attributes.  Based on those roles, the user gets an AD account, a salesforce.com account, an SAP account, line of business app accounts, a Jive account, and whatever else their role and your imaginative workflow decides.  Role mapping determines the user's role in each of these systems.

This provisioning workflow is designed around your business rules and processes.  EmpowerID offers a visual workflow designer that has almost 400 out of the box templates and the power to customize each workflow with 400 different actions or shapes.

The provisioning workflow is kicked off as soon as the metadirectory inventories the authoritative source and determines this is a new user.  The workflow will create the person and automate the user provisioning for the appropriate applications based on roles, creating mailboxes, updating appropriate group memberships and basically doing the work to make a user a productive employee.  This is automated user provisioning in a way that matches your business process.
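The inventory-to-provisioning chain described above, as an added sketch that is not EmpowerID code: it detects new records, assigns dynamic roles from attributes, applies a role mapping per application, and records the origin of every planned account. All rule names, role names, in-application roles and sample records are constructed for illustration.

```python
# Constructed rules: dynamic role <- predicate over person attributes.
ROLE_RULES = {
    "employee":   lambda a: a.get("type") == "employee",
    "contractor": lambda a: a.get("type") == "contractor",
    "sales-rep":  lambda a: a.get("type") == "employee" and a.get("department") == "Sales",
}
# Constructed role mapping: dynamic role -> {application: role inside that application}.
ROLE_MAP = {
    "employee":   {"AD": "staff", "Jive": "member"},
    "contractor": {"AD": "contractors"},
    "sales-rep":  {"AD": "sales-team", "salesforce.com": "standard-user"},
}

def dynamic_roles(attributes):
    """Assign roles purely from attributes; no matching rule means no role."""
    return {role for role, rule in ROLE_RULES.items() if rule(attributes)}

def plan_accounts(roles):
    """Role mapping: only the applications (and in-app roles) the roles justify."""
    plan = {}
    for role in roles:
        for app, app_role in ROLE_MAP.get(role, {}).items():
            plan.setdefault(app, set()).add(app_role)
    return {app: sorted(app_roles) for app, app_roles in plan.items()}

def inventory(source, records, directory, audit_log):
    """One inventory pass: new records become persons plus audited provisioning steps."""
    for rec in records:
        pid = rec["id"]
        if pid in directory:
            continue                 # already known: a re-run must not re-provision
        roles = dynamic_roles(rec)
        directory[pid] = {"source": source, "attributes": rec, "roles": roles}
        for app, app_roles in sorted(plan_accounts(roles).items()):
            audit_log.append({"person": pid, "app": app, "app_roles": app_roles,
                              "origin": f"inventory:{source}"})

def demo():
    directory, audit_log = {}, []
    hris = [{"id": "e100", "type": "employee", "department": "Sales"},  # constructed
            {"id": "e101", "department": "Finance"}]                    # no "type" attribute
    contractors = [{"id": "c200", "type": "contractor", "department": "Sales"}]
    for _ in range(2):               # second pass shows the inventory is idempotent
        inventory("HRIS", hris, directory, audit_log)
        inventory("contractor-list", contractors, directory, audit_log)
    return directory, audit_log
```

The record with no `type` attribute becomes a person with no roles and therefore no accounts, which is the default you want when the authoritative source is incomplete.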

Speaking of business processes, ever notice how there are some one-off situations?  A user account needs to be provisioned through an alternate channel?  Opening up the applications (or ADUC) themselves is a security risk if you just have admins go in there with no means to audit access.  Using these same provisioning workflows, you can design a form, assign role-based permissions and have an admin kick off the process through delegation.  It is auditable, access can be made temporary, and when the metadirectory inventories the systems it will know where this account originated.

In our years of experience with EmpowerID and automated user provisioning, we have seen that no two use cases are the same.  But the process almost always is.  With configuration (not customization), you can have your user provisioning process automated.

If you want to see how it's done, let's take an hour and demonstrate these use cases for you.  Schedule a demo now!


Tags: User provisioning