Automated user provisioning: the first step

Posted by Edward Killeen on Wed, Nov 28, 2012

automated user provisioningTo paraphrase Gartner, Identity and Access Management is the act of getting the right people the right access to the right resources at the right time.  Central to that concept is the right people.

Think of the people that you have: employees, contractors, customers, and prospects.  Each of those users needs access to certain resources on your network and you certainly don't want to treat them all the same.  You need role based provisioning to ensure that each user gets provisioned to the appropriate applications.

As an example, your employees will need user accounts in Exchange, SharePoint, CRM, ERP, Google Apps, etc.  Contractors will need a subset of that with more limited roles.  Customers will need accounts in the supply chain software, ticket management, and maybe SharePoint.  Prospect you just want to make sure that they are in CRM and have access to general sites within SharePoint.

So how do you automate this?

For each type of user you will need an authoritative source, the Identity Store of Truth.  For employees and contractors, it most likely will be your HRIS.  For customers, it can be the billing system or CRM.  For prospects, you might want to have a self-registration page.  Each of these Identity Stores of Truth will connect to the empowerID metadirectory, creating a person object that defines roles based on what data store they come from and attributes that we know about them (department, total annual billing, location, etc).  These roles are handled dynamically and change as a user's status changes.

Based on these roles, empowerID will provision user accounts into each of the connected systems listed above.  The metadirectory will then have a joined record of each user's accounts and can synchronize any changes from authoritative sources over to the connected system.

This pertains to the ongoing lifecycle of each of these users.  As you know, users are not static, they change jobs, they move from contractor to employee, prospect to customer and their needs change.  So, provisioning has to keep going to keep up with these users' lifecycles.  This is a key part of the concept of the right person having the right access at the right time.

EmpowerID's metadirectory is constantly inventorying each of these connected systems, if it sees a change to a contractor in the HRIS, it flows that to each application, possibly provisioning or deprovisioning accounts, and most likely changing their roles in all of these systems.

And it is all handled by a visual IAM workflow.  You have probably designed this process on a whiteboard or in Visio.  EmpowerID's workflow emulates this look and feel, allowing you to map the process to your IAM process.  And, the beauty of it?  It is true automated provisioning.  Not just once but every time a change happens.

Once you have your user provisioning automated, empowerID opens up the world of RBAC and federation and password management and governance and auditing.  But start with the "right people" through automated user provisioning and you've won the first and most important battle. 

Schedule a demo now and see how it works!

Click here to schedule a demo of Automated User Provisioning!

Tags: User provisioning, Identity and Access Management (IAM)