Provisioning is a process for creating, updating, and deleting users and accounts across IT infrastructure.
In any enterprise, employees access multiple applications and resources daily. When you also have a large number of employees working in various departments, managing user accounts and permissions across multiple systems can be a daunting task.
Automated user and account provisioning ensures that your workforce can access the applications, files, and other resources they need while minimizing friction for system administrators.
What are automated provisioning and deprovisioning?
Provisioning governs rights and permissions to individual enterprise resources. Deprovisioning prevents people from accessing corporate resources after they are no longer affiliated with the company, helping to maintain a secure and confidential environment.
Automated provisioning is the process of creating or updating user accounts across multiple applications and systems at the same time. Automated deprovisioning disables, deletes, or otherwise changes accounts across servers, such as Active Directory, freeing up an organization’s disk space, licenses, and physical hardware for new employees.
Automated provisioning is useful when information is added or modified in the identity source of truth (such as an HR employee database) and that change needs to be reflected throughout several other applications. For example, employees being hired, promoted, or transferred are all user lifecycle events that involve automated account provisioning. Automated provisioning ensures that a user’s access rights are up-to-date across all systems with minimal human effort involved.
Automated deprovisioning refers to deleting an account and revoking access to multiple applications and networks simultaneously, removing specific permissions, or temporarily disabling an account. Automated deprovisioning is useful when an employee leaves, changes roles in a company, or in the case of a trial license.
What are the benefits of automated user and account provisioning?
User provisioning becomes increasingly important as an enterprise grows, providing the following benefits:
More efficient security administration that reduces work for administrators
Automated provisioning allows server changes to be automatically synchronized to applications within seconds, without any human involvement, streamlining the workflow between HR and IT departments.
Improved user experience
Users seamlessly gain access to everything they need without having to ask administrators or wait for approval.
Efficient utilization of resources
If just-in-time (JIT) provisioning is used, an account isn’t created until the first time the user accesses it.
Automated deprovisioning ensures that appropriate accounts are deleted, disabled or changed in multiple systems and applications immediately upon a change in a user’s status, such as termination or role change.
Improved security within an organization
Provisioning allows organizations to ensure that users can only access resources that they are authorized to use, protecting your systems and applications from unauthorized use and ensuring that accounts are deactivated immediately.
Automated lifecycle management prevents permissions creep by re-evaluating user permissions when their status changes, as well as ensuring that a new user isn't just copied from an existing user, which could result in over-granted permissions.
How do automated provisioning and deprovisioning work?
SCIM is a protocol for automating transactions of user identity data between IT systems. It is used to communicate a user change from an identity source of truth to downstream applications and systems, which triggers account create, read, update, and delete (CRUD) actions to occur in those networks.
SCIM 2.0 is the current version and leverages standards, such as REST and JSON, to provide a regulated approach to user management. It facilitates consistent and automated communication between identity sources of truth and end-user applications and systems. For more information, see SCIM: How It Works.
In a typical configuration, a SCIM client communicates with the identity source of truth and pushes updates to downstream systems and applications.
To apply provisioning to large numbers of employees at once, users are placed into broader groups based on factors such as employee role or location. These groups apply the same permissions for all members, rather than applying permissions to a single employee at a time, which is known as delegated provisioning.
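As an added example (not code from this page or from any product it describes), the following Python sketch shows the SCIM 2.0 exchange described above: an in-memory stand-in for a target application's /Users endpoint, and the create, update and deactivate requests an IdP-side SCIM client sends for a hire, a transfer and a leaver. The HR records and the role-to-entitlement mapping are constructed; entitlements are recomputed from the current roles rather than added to, which is what keeps permissions from creeping.

```python
import uuid
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Constructed role-based mapping: HR group -> entitlements in the target app.
ROLE_ENTITLEMENTS = {"Marketing": {"cms", "analytics"},
                     "DevOps": {"ci", "cloud-console"},
                     "Corporate": {"payroll"}}
class ScimServer:          # in-memory stand-in for a target app's /Users endpoint
    def __init__(self):
        self.users = {}
    def post_user(self, body):          # POST /Users (create)
        if SCIM_USER not in body["schemas"]:
            raise ValueError("not a SCIM User resource")
        uid = str(uuid.uuid4())
        self.users[uid] = {**body, "id": uid}
        return uid

    def patch_user(self, uid, patch):   # PATCH /Users/{id} (update)
        if SCIM_PATCH not in patch["schemas"]:
            raise ValueError("not a SCIM PatchOp message")
        user = self.users[uid]
        for op in patch["Operations"]:
            if op["op"].lower() != "replace":
                raise ValueError("this example handles 'replace' only")
            user[op["path"]] = op["value"]
        return user

    def delete_user(self, uid):         # DELETE /Users/{id} (delete)
        del self.users[uid]

def entitlements(roles):
    """Recompute from the current roles only, so old rights never accumulate."""
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in roles))

def scim_patch(path, value):
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": path, "value": value}]}

def hire(server, hr_record):                # HR event: new employee
    body = {"schemas": [SCIM_USER], "userName": hr_record["email"], "active": True,
            "roles": [{"value": g} for g in hr_record["groups"]]}
    return server.post_user(body)

def change_role(server, uid, new_groups):   # HR event: transfer or promotion
    user = server.patch_user(uid, scim_patch("roles", [{"value": g} for g in new_groups]))
    return entitlements(r["value"] for r in user["roles"])

def terminate(server, uid):                 # HR event: leaver -> deactivate, keep record
    return server.patch_user(uid, scim_patch("active", False))["active"]
```

Deactivating with `active: false` preserves the record for audit; a DELETE is the irreversible step that frees the licence.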
What is the difference between provisioning and authentication?
Authentication refers to a user proving that they are who they claim to be, and provisioning refers to the rights and permissions that the user possesses.
For example, in a hospital, each employee must authenticate to the systems and applications they use. Before that employee can access a particular system or application, they must have an account for that system or application, and this is where provisioning comes into play. For example, someone with the role of “nurse” in the HR database could access a patient management system, but they couldn't access a payroll application.
What is JIT user provisioning?
Provisioning using SAML assertions is commonly referred to as JIT provisioning. Systems supporting JIT provisioning can use attributes provided in SAML assertions to create accounts.
With JIT provisioning, user accounts are created the first time users sign on to an application if they have the necessary permissions.
To configure JIT provisioning, administrators configure single sign-on (SSO) between the identity provider (IdP), such as the user directory, and the service provider (SP), the target application, and include any applicable attributes required by the SP. These SAML attributes contain information about the user, such as their email address, role, or department.
JIT provisioning allows only for the creation of users. To automate account modification and deletion, see SCIM provisioning in the following section.
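As an added example (not from this page), the following Python sketch shows JIT provisioning on the SP side: the account is created from the SAML assertion's attributes on the first sign-on and simply looked up afterwards. The assertion, the attribute names and the allowed-role policy are constructed, and the assertion is unsigned; a real SP validates signature, issuer and audience before trusting any attribute.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned assertion as the SP's SAML library would hand it over
# after validation; only the subject and the attribute statement matter here.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>nurse1@hospital.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>nurse</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>ER</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed SP policy: which IdP-asserted roles may have an account created.
ALLOWED_ROLES = {"nurse", "physician"}

def parse_assertion(xml_text):
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.findall(".//saml:Attribute", namespaces=NS)}
    return name_id, attrs

def jit_sign_on(accounts, xml_text):
    """Create the account on first sign-on; later sign-ons just return it.
    Returns (account, created)."""
    name_id, attrs = parse_assertion(xml_text)
    if attrs.get("role") not in ALLOWED_ROLES:
        raise PermissionError(f"role {attrs.get('role')!r} not permitted")
    if name_id in accounts:
        return accounts[name_id], False   # JIT never updates or removes an account
    accounts[name_id] = {"username": name_id, **attrs}
    return accounts[name_id], True
```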
What are the different types of user provisioning?
Role-based lifecycle management
Role-based lifecycle management is one of the most common forms of lifecycle management, and translates a user's group memberships from an identity source of truth into roles and permissions across multiple applications.
For example, your organization stores users in a database with groups, such as Corporate, Marketing, and DevOps. Members of the Marketing group can access applications intended for them but are barred from applications designated for the Corporate and DevOps groups.
Inbound provisioning for SPs
Inbound provisioning refers to when the source directory (or identity source of truth) is external to the SCIM client, such as when user accounts exist in partner systems. The source directory sends SCIM commands to the SCIM client, which in turn pushes CRUD operations to downstream systems and applications.
The IdP functions as a SCIM client to receive requests for user management and then updates the target directory appropriately using CRUD operations.
Outbound provisioning for IdPs
Outbound provisioning refers to when the identity source of truth is directly linked to the SCIM server. In the following diagram, a SCIM client connects to the user directory and monitors it for changes. As users are added, modified, or deleted, the changes are then pushed to the target directories or applications through their proprietary provisioning APIs.
What does a user provisioning process look like?
Provisioning can have many different processes, depending on the organization’s system architecture and the provisioning solution in place.
The user store synchronizes identities from the root user directory to external user stores, such as Salesforce Communities and SCIM-based user stores.
The provisioning service continually keeps the target identity stores synchronized with the user store. Any addition, change, or deletion of users or user information in the user store triggers an update to the target user stores.