November 4, 2021

We tried to create a world protected by unique passwords, but the world had other ideas. As the complexities of digital security evolve, so do how we defend ourselves against its threats. Limiting our digital profiles to a single password doesn’t match the layers of security we need in a cloud-based world. Expanding those profiles to reflect the intricacies of our access? An inevitable and powerful system we should all be leveraging. User account provisioning is your path toward a better protected, less tedious future.

An Identity Management Tool

When you funnel a new user into your system, you’re also creating their account provisions. User account provisioning refers to the management and maintenance of any given user’s access to one or more systems. This is done through objects and attributes being added to an end-user’s profile, and that profile dictating what rights and privileges the user has in the system. For example, an IT manager might need an attribute in their profile that gives them access to confidential code in the system, and another attribute to see the payroll of their team—rather than all IT employees having the same digital identity. This philosophy defines the ways we manage an end-user profile and its authorization rights.

Account Provisioning Triggers

Outside of adding new hires to the system, the account provisioning process includes any scenario where a user needs new, changed, disabled, or deleted permissions. New hires are often the simplest provisioning cases, created during onboarding and just one part of the account management process. It’s the smaller stops along an employee’s lifecycle that benefit from a more iterative form of access management. Here are the top 4 account provisioning triggers that will come up in an organization:

  • New Hire – The most obvious of the four, a new employee has a laundry list of credentials and access they’ll need to effectively start their job. Email addresses, employee resources, and server access are just a few stops in the account provision onboarding journey.
  • Employee Promotion – As one of the more involved scenarios, an employee promotion can set off a long list of attribute shuffling. The user profile will need to be updated with relevant attributes so that the employee has the right access to new systems—while also making sure there isn’t spillover access to resources they no longer need.
  • Employee Departures – “Deprovisioning” refers to when an employee’s access and their user account are removed for security purposes. This normally happens when an employee is let go, fired, or decides to leave the company. In some cases, you might want to idle the account for a brief period before deleting it from the system—just to be sure before deleting the profile permanently.
  • Everything Else – There very well could be a time that a data engineer needs access to CRM data to better understand a feature they’re building—but how do you explain that access? These are the ad hoc requests that can’t be defined by a traditional HR system. These work best in self-service solutions, where the request can be routed directly to the party with control, who then approves or denies access.

Manual User Provisioning

As with all manual exercises, this approach sacrifices time and resources for control. The management of user permissions, accounts, and the thought put into how they’ll gain access to the materials they need can become a time-consuming endeavor. IT departments can quickly become bogged down with tasks such as new hires, promotions, and other access-shifting events—which can take up to 30 minutes each to handle. This isn’t considering the price paid when these tasks pile up, resulting in compounded lost productivity for both the administrator and the employee gaining access. And if the administrator doesn’t create the user account correctly the first time, you’ll lose time having to go through the process a second time.

Automated User Provisioning

With an automated user provisioning system, you won’t have to deal with the manual time and effort spent managing your task list—which never really goes away. With a healthy, growing organization, account provisioning triggers are compounded over time, creating an endless barrage of tasks that a single person could never get in front of. With an automated system, the technology detects that an employee’s role has changed and makes the appropriate updates to that employee’s digital profile. As long as the system rules are established and scalable, you won’t have to worry about day-to-day user provisioning tasks falling through the cracks. And in the long run, this will help your organization grow faster.

Final Thoughts

Handling your account provisioning system manually gives you an extra level of control, but will catch up with you as your business grows. An automated solution takes the tedious maintenance off your plate so you can focus on thinking strategically about your business. How do you know which solution is right for you? SailPoint’s Identity Security platform can help you achieve better security while reducing human error—boosting your efficiency in the process.

Take control of your cloud platform.

Learn more about SailPoint Provisioning.

Get Started Today