Everyone in the IT department has already performed provisioning, much like Monsieur Jourdain in The Bourgeois Gentleman, who spoke prose without knowing it.
Oops, am I talking about distant memories? Everyone writes prose; it's just an ordinary form of discourse 🤭.
Provisioning is the same! These are all the actions on an application account. This includes creating, suspending, modifying, and deleting an account.
Period.
Why so emphatic? Because many sites imply that provisioning means facilitating user lifecycle management by automating provisioning processes. However, provisioning is not necessarily automated, and it is still provisioning.
Let's start with sound and clear foundations: provisioning is simply the process of creating, deleting, modifying, or suspending an application account.
⚠️ Please note that creating a user, i.e. adding an employee to the IS or HR source, is not provisioning.
Why do we carry out IT provisioning processes?
Provisioning always originates from a point in a user's lifecycle. Let me explain.
An account is only created when an employee joins a company or needs new access, specifically in the context of a change in their position or responsibilities.
An account is suspended if the employee temporarily leaves the company.
A modification is made if the user evolves within the company, and a deletion if they permanently leave the company. At this point, we speak of deprovisioning or unprovisioning.
Provisioning and the lifecycle are closely linked, and everything fits into IAM (Identity and Access Management) logic. Indeed, when you carry out a provisioning action, you inevitably have the following thought: I am assigning this user account to this person with these types of rights because they have this position and these responsibilities. That is the principle of Identity and Access Management.
How to keep provisioning up to date?
Now that we know what a provisioning process is, we understand that carrying one out is easy. The difficulty lies in the overall management of all the company's provisioning.
To create an application account, a system and network administrator or a technician will need certain prerequisite information that varies depending on the type of account to be created. This often includes the email or security group, etc.
There are three sources of information for creating an application account:
- the user profile,
- a field generated from a naming convention specific to the company (for example, the email address),
- another application.
However, if any of this information changes, provisioning is no longer up to date.
That's why another factor must be introduced: synchronization.
Synchronization in this context is the action of updating the application account while keeping it. The goal is for administrative information to be propagated to the technical accounts.
In action:
When an employee joins your company, they are entered into the HR source, for example, in an HRIS.
Whether manually or automatically, it is necessary to collect the first name, last name, arrival date, and possibly departure date to create an Active Directory, Microsoft 365, or Google Workspace account.
To answer the initial question, how to have up-to-date provisioning, it is therefore necessary to constantly scan the initial source to synchronize it with the application and have up-to-date accounts. However, this action cannot be carried out manually.
There are then two solutions:
- HR notifies the IT department of each modification
- automatic synchronization is set up
You suspect that one of the methods is less reliable than the other 😅
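The synchronization described above, as an added example that is not part of the original article or of any IAM product: the planner below compares an HR source with the existing application accounts and returns the create, update, suspend, reactivate and delete actions needed, plus any account that has no HR record. The record fields, the `first.last@example.com` naming convention and the sample data are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class HRRecord:                       # one row of the HR source
    emp_id: str
    first: str
    last: str
    arrival: date
    departure: date = date.max        # date.max = no departure date recorded
    on_leave: bool = False            # temporary absence

@dataclass(frozen=True)
class Account:                        # one application account as it exists today
    emp_id: str
    email: str
    enabled: bool = True

def email_for(rec, domain="example.com"):  # assumed convention: first.last@domain
    return f"{rec.first}.{rec.last}@{domain}".lower()

def plan_sync(hr, accounts, today):
    """Diff the HR source against the accounts; return (action, emp_id, email) tuples."""
    existing = {a.emp_id: a for a in accounts}
    plan = []
    for rec in hr:
        acct = existing.pop(rec.emp_id, None)
        left = rec.departure <= today
        active = rec.arrival <= today and not left and not rec.on_leave
        if acct is None:
            if active:
                plan.append(("create", rec.emp_id, email_for(rec)))
        elif left:  # end of contract: suspend first, delete on a later pass
            plan.append(("suspend" if acct.enabled else "delete", rec.emp_id, acct.email))
        else:
            if acct.enabled != active:
                plan.append(("reactivate" if active else "suspend", rec.emp_id, acct.email))
            if acct.email != email_for(rec):
                plan.append(("update", rec.emp_id, email_for(rec)))
    # Accounts with no HR record are reported for review, never deleted automatically.
    return plan + [("orphan", a.emp_id, a.email) for a in existing.values()]

TODAY = date(2024, 6, 3)  # constructed sample data below, not from a real directory
HR = [HRRecord("e1", "Ana", "Diaz", date(2024, 6, 3)),                       # new hire
      HRRecord("e2", "Leo", "Martin", date(2020, 1, 6), date(2024, 5, 31)),  # left
      HRRecord("e3", "Mia", "Roy", date(2021, 3, 1), on_leave=True),         # on leave
      HRRecord("e4", "Zoe", "Petit", date(2019, 9, 2))]                      # renamed
ACCOUNTS = [Account("e2", "leo.martin@example.com"), Account("e3", "mia.roy@example.com"),
            Account("e4", "zoe.durand@example.com"), Account("x9", "temp@example.com")]
```

Calling `plan_sync(HR, ACCOUNTS, TODAY)` on each scheduled scan yields the action list; the `orphan` entries are the accounts an audit would need to reconcile by hand.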
Why automate user provisioning?
Without automation, each new hire requires a growing number of copy/paste operations, with their share of errors, to create the 10/15 application accounts that the future employee will need.
This requires the working time of a person who will spend approximately 30 minutes to 1 hour depending on the number of accesses to be created.
If all the information is quick to find, everything is fine; if some is missing, it makes the situation worse.
If provisioning is not completed on time, the employee will suffer because they arrive at a company where they cannot be operational, not to mention the image it gives of the company.
At this stage, we accumulate a human cost on the IT and employee side, as well as a cost to our image.
With automation, we aim to:
- Reduce the HR workload related to double entry of employee information on the HR file + the file shared with IT.
- Reduce the IT workload related to numerous copy/paste operations, information gathering, and processing the many tickets inherent in the user lifecycle.
- Reduce the risk of data entry errors, as well as the risk of unremoved duplicates, unsynchronized accounts, and therefore discrepancies.
This solves the following problems:
- simplified welcome for the new employee: successful onboarding, available access, and rapid provisioning
- Cost savings: productivity and efficiency
- accuracy in the IS and simpler audits to carry out with traceability of actions
Manual provisioning VS automated provisioning
Can provisioning be managed manually?
This completely depends on the size of your company and the turnover you have.
If you don't have a large company and you have 10 arrivals/departures per year, the question of automation does not arise: you would waste time setting up an Identity and Access Management tool for a handful of provisioning actions.
Ask yourselves these questions:
- How much time do I (or my teams) spend provisioning application accounts?
- Am I able to keep an up-to-date IS between HR information and all the accounts present in the IS?
- Do I have control over the user profiles of all existing accounts?
- Am I able to easily perform audits for reconciling my accounts, in particular?
If you are starting to have major difficulties with each question, it is high time to consider automation. Don't panic: an IAM solution does not always mean a 6-month project, a horrible interface and an integrator at 1500€ per day! Fortunately, there is at least one solution that really helps you without weighing down your morale or your budget → see our pricing.
How to automate account provisioning?
Automation fits into a fairly broad context, and while I may be digressing, it's important! Focusing solely on provisioning automation doesn't allow us to understand what needs to be considered to implement it.
Provisioning is integrated into IAM (Identity and Access Management) and decisions are made through entitlement management.
These decisions follow rules defined by the IT department as part of user profile management.
This defines profiles whose rights follow the security principle of least privilege. These rights will be monitored, particularly during audits, and are there to reduce cyber risk.
A user is assigned a profile with rights and access that are tracked throughout their evolution within the company and readjusted according to needs and changes. These rights and access are then revoked when the user leaves.
Simply automating an HR source to an application account is not enough; a rights and access strategy must also be considered.
If you automate your provisioning but give administrator access to just anyone, you risk getting into big trouble...
IAM solutions like Youzer enable the creation of entitlement profiles in which all applications are configured for a specific type of user. This is where automation becomes truly valuable.
Automation is carried out while respecting the company's security.
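One way to express entitlement profiles and least privilege in code, as an added example (not Youzer's or any other product's implementation): it checks that admin roles appear only in approved profiles, and computes which rights to grant and revoke when a user changes position or leaves. The profile names, applications and roles are hypothetical.

```python
# Hypothetical entitlement profiles: position -> {application: role}.
PROFILES = {
    "sales":      {"mail": "user", "crm": "user"},
    "sales_lead": {"mail": "user", "crm": "manager", "bi": "viewer"},
    "sysadmin":   {"mail": "user", "directory": "admin"},
}
ADMIN_ROLES = {"admin", "owner"}
ADMIN_PROFILES = {"sysadmin"}  # the only profiles allowed to carry an admin role

def validate_profiles(profiles):
    """List (profile, app, role) for each admin role outside the approved profiles."""
    return [(name, app, role)
            for name, rights in profiles.items()
            for app, role in rights.items()
            if role in ADMIN_ROLES and name not in ADMIN_PROFILES]

def entitlement_delta(held, position, profiles=PROFILES):
    """Compare the rights a user holds with the profile for their position.

    position=None means the user has left, so every held right is revoked.
    Returns (grant, revoke) as {application: role} dicts.
    """
    if position is not None and position not in profiles:
        raise KeyError(f"no entitlement profile for position {position!r}")
    target = profiles[position] if position is not None else {}
    grant = {app: role for app, role in target.items() if held.get(app) != role}
    # Anything held that the profile does not grant is revoked, including
    # rights left over from a previous position or added by hand.
    revoke = {app: role for app, role in held.items() if target.get(app) != role}
    return grant, revoke
```

Running `validate_profiles` before any profile change is deployed keeps an automated pipeline from handing out administrator access through a misconfigured profile.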
What are the different types of provisioning?
Provisioning is carried out from two perspectives: HR and IT.
HR provisioning:
- Hiring: when a user arrives, an account must be created for them.
- Update: when a user's personal information changes, the application account must be updated,
- End of contract: when a user leaves, their accounts must be suspended and then deleted,
- Suspension → reactivation: When a user returns, their accounts need to be reactivated.
IT provisioning:
- rights change: rights can evolve temporarily or permanently on an application
- new requirement: a user needs a new application, so an account must be created for them and rights assigned.
- evolution: a user changes position, they receive new access rights, and their permissions change
- nomenclature change: the company has just changed its name or made an acquisition and wants, for example, to unify its email addresses, so the naming convention behind the email settings must be reviewed.
In conclusion
IT provisioning plays an essential role in managing application accounts and the user lifecycle. It enables the creation, modification, suspension, and deletion of accounts, ensuring appropriate access to IT resources.
Automated provisioning offers many advantages, such as error reduction, speed of execution, and compliance with security policies. By integrating IAM solutions and adopting automated processes, companies can simplify provisioning management, improve operational efficiency, and strengthen the security of their IT environment.
Automated provisioning is therefore an approach to be favored to ensure smooth and up-to-date management of application accounts, while optimizing resources and preserving regulatory compliance.





