Understanding the User Provisioning Process and Best Practices

February 24, 2015
Editorial Staff



Did you know that roughly one in five workers routinely shares passwords with members of their team? That makes the fact that 14% of employees use the same password for every application quite alarming!

Wall Street giant JP Morgan recently revealed that a compromised employee account was at the root of the recent security breach, which led to one of the largest cyber-attacks ever and the theft of data on 76 million households and 7 million small businesses.

What is user provisioning?

User provisioning is the identity management process of creating and managing user access to resources within an IT system. As more IT resources move outside the network and into the cloud, disciplined password management has become more important than ever for an enterprise that wants to avoid being the next JP Morgan. This is where federated provisioning of users comes in.

Provisioning and de-provisioning of users is core to enterprise identity and access management in the cloud. In order to leverage cloud applications such as Office 365, Box, Concur, Zendesk, etc., the user provisioning of these services has to match the scale and availability of the cloud.

Describing the problem as user provisioning and de-provisioning is really a misnomer; it has to be about full account lifecycle management for the user.

There are also varying types of user account provisioning to choose from based on your needs. The three main ones include:

  • Discretionary account provisioning – This allows a network administrator to decide which applications the end user will be able to access.
  • Self-service account provisioning – This process allows users to participate in the provisioning process so the administrator’s overhead is reduced.
  • Workflow-based account provisioning – This type of provisioning accumulates the required approvals before giving a user access to an application.

The User Provisioning Process & Importance of Full Lifecycle Management

Enterprise employees typically access dozens of apps on a regular basis. Trying to manually control all the user accounts across those apps is a daunting task for IT.

Users, who typically create their own passwords in each app, frequently forget them or resort to reusing them when possible. This results in security lapses, increased helpdesk calls, and lost productivity for both users and IT.

When a user leaves the company, IT usually only has a limited amount of time to get that user out of the system so that a disgruntled employee doesn’t continue to have access to secure company data within these cloud applications.

The picture becomes even more complicated when enterprises have to solve lifecycle management of not just the user and their apps, but also their mobile devices.

What Should User Provisioning Best Practices Include?

The best practices for a user provisioning process should include the following things:

  • Automatically create or update user accounts across apps
  • Deploy the right apps the first time with Single Sign-On
  • Automatically assign role-based permissions within apps
  • View who has access to which apps, how they received access, and when changes occurred
  • Prevent unauthorized access by automatically revoking access to all apps at once (de-provisioning)
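
As an added illustration (not from the original article and not any vendor's code), the example below reconciles a directory export against per-app account lists and returns the create and revoke actions these practices call for, each with the reason access is granted or removed. The role-to-app mapping, user names and account snapshots are constructed sample data.

```python
# Hypothetical role -> app entitlements (assumption, not from the article).
ROLE_APPS = {"sales": {"Office 365", "Box", "Concur"},
             "support": {"Office 365", "Zendesk"}}

# Constructed directory export: the single source of truth for identity state.
DIRECTORY = {
    "alice": {"active": True, "roles": ["sales"]},
    "bob": {"active": False, "roles": ["support"]},   # has left the company
    "carol": {"active": True, "roles": ["support"]},  # moved from sales
}

# Constructed snapshot of the accounts that currently exist in each app.
APP_ACCOUNTS = {
    "Office 365": {"alice", "bob", "carol"},
    "Box": {"alice", "carol"},
    "Concur": set(),
    "Zendesk": {"bob", "dave"},  # dave is not in the directory at all
}


def desired_access(directory, role_apps):
    """Map (user, app) -> granting role; inactive users are entitled to nothing."""
    grants = {}
    for user, entry in directory.items():
        for role in (entry["roles"] if entry["active"] else ()):
            for app in role_apps.get(role, ()):
                grants.setdefault((user, app), role)
    return grants


def reconcile(directory, role_apps, app_accounts):
    """Return sorted (action, user, app, reason) steps that reach the desired state."""
    grants = desired_access(directory, role_apps)
    actions = [("create", user, app, f"role:{role}")
               for (user, app), role in grants.items()
               if user not in app_accounts.get(app, set())]
    for app, accounts in app_accounts.items():
        for user in accounts:
            if (user, app) in grants:
                continue
            if user not in directory:
                reason = "not in directory"
            elif not directory[user]["active"]:
                reason = "user deactivated"
            else:
                reason = "no entitling role"
            actions.append(("revoke", user, app, reason))
    return sorted(actions)
```

Running `reconcile(DIRECTORY, ROLE_APPS, APP_ACCOUNTS)` on the sample data revokes the departed user from every app in one pass and flags both the account left behind by a role change and the account that has no directory identity.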

Most Identity as a Service (IDaaS) vendors resolve technical provisioning challenges but neglect underlying business problems that enterprises face regarding the process of managing employee identities. Even worse, some provisioning tools require additional hardware and software, which are complex and difficult to install, and do not handle business problems such as license management.

Characteristics of the Ideal User Provisioning Solution

The ideal IDaaS solution addresses the complete application end-user lifecycle. It should handle the process from on-boarding to application authorization for both mobile and web, and when the time comes to remove a departed employee from the corporate system, the tool should function from a single point of contact for de-provisioning.

Centrify’s account provisioning functionality enables IT to automatically create user accounts across 2500+ cloud applications and platforms, including Office 365, Box, Dropbox, Concur, and Zendesk. Centrify’s unique IDaaS solution provides cloud identity management combined with mobile device and app management.

IT can instantly deploy cloud applications to new users and assign their access to multiple platforms and devices, all from a single enterprise directory like AD. This capability to provision users also allows IT to assign the appropriate permissions and licensing to the user, restricting or allowing access to certain applications based on location, time, and endpoints.


User provisioning is an important aspect of managing security as well as maintaining access provisioning lifecycles. Having a process in place that creates standard company practices regarding the creation and management of user accounts can help ease IT burdens. SoftwareONE’s experts can assist organizations with their provisioning needs and create user provisioning processes that make sense.
