Everyone in the IT department has done some provisioning, a bit like Monsieur Jourdain in Le Bourgeois Gentilhomme.
Oops, am I talking about distant memories? Prose, everyone does it, it's just an ordinary form of speech.
Provisioning is the same thing! It's every action taken on an application account. It involves creating, suspending, modifying and deleting an account.
Full stop.
Why a full stop? Because many sites assume that provisioning is the action of facilitating user lifecycle management, in particular by automating provisioning processes. But provisioning isn't necessarily automated, and yet it's still provisioning.
Let's start from a clear, sound basis: provisioning is simply the process of creating, deleting, modifying or suspending an application account.
⚠️ Please note that creating a user, i.e. adding an employee to the IS or HR source, is not provisioning.
Why are IT provisioning processes carried out?
Provisioning always originates in a user's life cycle, let me explain.
An account can only be created if an employee has just joined a company, or if he or she needs new access, specifically as part of a change in position or mission.
An account is suspended if the employee temporarily leaves the company.
A modification is made if the employee moves within the company, and a deletion if the employee leaves the company for good. This is known as deprovisioning or unprovisioning.
Provisioning and lifecycle are very closely linked, and are all part of an IAM (identity and access management) logic. Indeed, when you create a provisioning, you inevitably think: I'm assigning this user account to this person with these types of rights, because he or she has this position and these responsibilities. This is what Identity and Access Management is all about.
How can I keep my provisioning up to date?
Now that we know what a provisioning process is, we can see that setting one up is easy. The difficulty lies in the overall management of all the company's provisioning.
To create an application account, a system and network administrator or a technician will need certain prerequisite information, which varies according to the type of account to be created, such as e-mail address or security group.
There are three sources of information for creating an application account:
- the user file,
- creation of a field using a company-specific nomenclature (e.g. e-mail),
- another application.
But if any of this information changes, the provisioning is no longer up to date.
That's why we need to introduce another factor: synchronization.
Synchronization in this context is the action of updating the application account while maintaining it. The aim is to propagate administrative information to the technical accounts.
In action:
An employee arrives in your company, and is entered into the HR source, for example an HRIS.
Whether manual or automated, you need to collect the surname, first name, date of arrival and possibly departure to create an Active Directory, Microsoft 365 or Google Workspace account.
To answer the initial question of how to keep provisioning up to date, you need to constantly scan the initial source to synchronize it with the application and keep your accounts up to date. However, this action cannot be performed manually.
There are two solutions:
- HR notifies the IT department of any changes
- automatic synchronization is set up
As you can imagine, one method is less reliable than the other.
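The synchronization described above, as an added example (not code from the original article or from any IAM product): the HR source is compared with the application accounts and the create, modify, suspend and delete actions are derived from the differences. The field names, the e-mail nomenclature and all sample records are constructed assumptions.

```python
from datetime import date

# Constructed sample data; field names and the e-mail nomenclature are assumptions.
HR = {
    "E001": {"first": "Alice", "last": "Martin", "on_leave": False, "departure": None},
    "E002": {"first": "Bruno", "last": "Petit", "on_leave": False, "departure": None},
    "E003": {"first": "Chloe", "last": "Durand", "on_leave": False, "departure": None},
    "E004": {"first": "David", "last": "Roux", "on_leave": True, "departure": None},
    "E005": {"first": "Emma", "last": "Blanc", "on_leave": False, "departure": date(2024, 5, 31)},
}
ACCOUNTS = {
    "E001": {"email": "alice.martin@example.com", "name": "Alice Martin", "status": "active"},
    "E003": {"email": "chloe.leroy@example.com", "name": "Chloe Leroy", "status": "active"},
    "E004": {"email": "david.roux@example.com", "name": "David Roux", "status": "active"},
    "E005": {"email": "emma.blanc@example.com", "name": "Emma Blanc", "status": "active"},
    "E999": {"email": "old.contractor@example.com", "name": "Old Contractor", "status": "active"},
}

def expected_attrs(rec):
    """Account attributes derived from the HR record."""
    name = f"{rec['first']} {rec['last']}"
    return {"name": name, "email": name.lower().replace(" ", ".") + "@example.com"}

def plan_sync(hr, accounts, today):
    """Compare the HR source with the application accounts; return the actions needed."""
    actions = []
    for emp_id in sorted(hr):
        rec, acct = hr[emp_id], accounts.get(emp_id)
        if rec["departure"] is not None and rec["departure"] <= today:
            if acct is not None:
                actions.append(("delete", emp_id, {}))
            continue
        if acct is None:
            actions.append(("create", emp_id, expected_attrs(rec)))
            continue
        want = "suspended" if rec["on_leave"] else "active"
        if acct["status"] != want:
            actions.append(("suspend" if rec["on_leave"] else "reactivate", emp_id, {}))
        changed = {k: v for k, v in expected_attrs(rec).items() if acct.get(k) != v}
        if changed:
            actions.append(("modify", emp_id, changed))
    # Accounts with no HR record are orphans: flag them for review, do not act blindly.
    for emp_id in sorted(set(accounts) - set(hr)):
        actions.append(("review_orphan", emp_id, {}))
    return actions

if __name__ == "__main__":
    for action in plan_sync(HR, ACCOUNTS, date(2024, 6, 3)):
        print(action)
```

Running the same comparison on a schedule is what keeps a name change or a departure from leaving a stale or orphaned account behind.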
Why automate user provisioning?
Without automation, each new hire requires more and more copy/paste, with its share of errors, to create the 10 or 15 application accounts the future employee will need.
This requires the time of one person, who will spend around 30 minutes to 1 hour, depending on the number of accesses to be created.
If all the information is readily available, all is well, but if it's missing, the situation gets worse.
If provisioning is not carried out on time, it's the employee who suffers, as he or she arrives in a company where he or she cannot be operational, not to mention the image this gives of the company.
At this stage, there is a human cost on the IT and employee side, as well as an image cost.
With automation, we want to:
- reduce the HR workload for double entry of employee information on the HR file + the common file with IT
- reduce the IT workload associated with copying and pasting, fishing for information and processing the many tickets inherent in the user lifecycle
- reduce the risk of data entry errors, but also of undeleted duplicates, unsynchronized accounts and, consequently, disagreements
This solves the following problems:
- a simplified welcome for new employees: successful onboarding, available access and rapid provisioning.
- cost savings: productivity and efficiency
- accuracy in the IS and simpler audits to carry out with traceability of actions
Manual provisioning VS automated provisioning
Can you manage your provisioning manually?
It all depends on the size of your company and the turnover you have.
If you don't have a big company and you have 10 entries/exits per year, the question of automation doesn't arise: you'd be wasting time setting up an identity and access management tool for a few provisionings.
Ask yourself these questions:
- how much time do I (or my teams) spend provisioning application accounts?
- Can I keep the IS up to date between HR information and all the accounts in the IS?
- Do I have control over the user profiles of all my accounts?
- Can I easily carry out audits to reconcile my accounts, for example?
If you're starting to struggle with every question, it's time to think automation. Don't panic, an IAM solution doesn't always mean 6-month project management, a horrible interface and a €1,500-a-day integrator! Fortunately, there's at least one solution that can really help you out without weighing down your morale or your budget - see our rates.
How can I automate account provisioning?
Automation is part of a wider context - yes, I'm digressing, but it's important! Looking only at the automation of provisioning doesn't allow us to understand what needs to be taken into account to achieve it.
Provisioning is integrated into IAM (Identity and Access Management) and is decided through the management of authorizations.
Provisioning actions are carried out according to rules that the IT department defines in a user profile management system.
This sets profiles with rights that correspond to the security policy of least privilege. These rights will be monitored for auditing purposes, and are designed to reduce cyber-risk.
We assign a profile to a user, with rights and accesses that we monitor throughout the user's time with the company, adjusting them according to needs and changes, and then withdraw the rights and accesses when the user leaves.
It's not enough to simply automate an HR source to an application account, you also need to think about a rights and access strategy.
If you automate your provisioning but assign administrator access to anyone, you could be in big trouble...
IAM solutions such as Youzer enable you to create rights profiles in which all applications are configured for a certain type of user. In this way, automation really comes into its own.
Automation is carried out while respecting the company's security.
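A rights audit against profiles, as an added example (not code from the original article or from Youzer): each user's granted rights are compared with the profile assigned to them, and any admin right outside the profile is flagged as high severity. The profile names, applications, rights and users are constructed assumptions.

```python
# Constructed rights profiles: application -> rights each type of user should hold.
PROFILES = {
    "sales": {"crm": {"read", "write"}, "mail": {"user"}},
    "it_admin": {"crm": {"read"}, "mail": {"user", "admin"}, "directory": {"admin"}},
}
# Constructed snapshot: user -> (assigned profile, rights actually held per application).
GRANTED = {
    "alice": ("sales", {"crm": {"read", "write"}, "mail": {"user"}}),
    "bruno": ("sales", {"crm": {"read", "write", "admin"}, "mail": {"user"}}),
    "chloe": ("sales", {"crm": {"read"}, "mail": {"user"}, "directory": {"read"}}),
    "david": ("it_admin", {"crm": {"read"}, "mail": {"user", "admin"}, "directory": {"admin"}}),
}

def audit_rights(profiles, granted):
    """Return one finding per (user, application) whose rights differ from the profile."""
    findings = []
    for user in sorted(granted):
        profile_name, apps = granted[user]
        profile = profiles[profile_name]
        # Check applications in the profile and applications held outside it.
        for app in sorted(set(apps) | set(profile)):
            have, want = apps.get(app, set()), profile.get(app, set())
            excess, missing = have - want, want - have
            if excess or missing:
                findings.append({
                    "user": user, "app": app,
                    "excess": sorted(excess), "missing": sorted(missing),
                    # Admin rights outside the profile break least privilege outright.
                    "severity": "high" if "admin" in excess else "low",
                })
    return findings

if __name__ == "__main__":
    for finding in audit_rights(PROFILES, GRANTED):
        print(finding)
```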
What are the different types of provisioning?
Provisioning is carried out from two angles: HR and IT.
HR provisions:
- hiring: a new user arrives, and an account needs to be created,
- update: a user's personal information has just changed, so the application account needs to be updated,
- end of contract: a user leaves, his accounts must be suspended and then deleted,
- suspension - reactivation: a user returns, his accounts must be reactivated.
IT provisions:
- change of rights: rights can be temporarily or permanently modified on an application
- new requirement: a user needs a new application, so an account must be created and rights assigned,
- evolution: a user moves to a new position, receives new accesses and has different rights
- change of nomenclature: the company has just changed its name, or has been bought out, and wants to unify its e-mails, for example, so the nomenclature of e-mail settings needs to be reviewed.
In conclusion
IT provisioning plays an essential role in the management of application accounts and the user lifecycle. It enables accounts to be created, modified, suspended and deleted, guaranteeing appropriate access to IT resources.
Automated provisioning offers numerous benefits, such as reduced errors, faster execution and compliance with security policies. By integrating IAM solutions and adopting automated processes, companies can simplify provisioning management, improve operational efficiency and enhance the security of their IT environment.
Automated provisioning is therefore the preferred approach for ensuring smooth, up-to-date management of application accounts, while optimizing resources and preserving regulatory compliance.