The vast majority of organizations experience at least one challenge when it comes to identity management, and user provisioning has historically been a laborious and seemingly never-ending task for IT departments. One way to address these challenges is by automating user provisioning — though it might seem daunting at the outset.
Here’s how to go about automating user provisioning and understanding the long-term benefits it could provide to your organization.
User Provisioning Defined
In this article, user provisioning refers to the set of processes by which an IT admin creates a new user not only in the central directory service but also in all their permitted resources. This includes their laptop/workstation, email account, web apps, servers, and networks.
Ideally, a new user will have a core identity that propagates everywhere, rather than having a different identity for each resource. If an admin is able to ensure each user has one core identity, that admin has more control, security, and visibility in their environment. To take it one step further, they can automate user provisioning so that this process happens without repeated manual input. Establishing automation processes takes initial investment but has the potential to reduce manual labor, improve accuracy, tighten security, and help achieve regulatory compliance.
Initial Investment in Automation
First, you have to identify which solution(s) you’ll invest in to automate user provisioning. There are a number of identity and access management (IAM) solutions that IT teams employ for user provisioning, chief among them being Microsoft® Active Directory® (AD). In the case of AD, the most straightforward way to automate provisioning beyond its natively supported resources is to seek a universal identity bridge that federates AD identities to Mac® and Linux® systems, web apps, and other resources that are not natively supported.
Alternatively, you can seek a comprehensive cloud identity provider that has these capabilities baked into it natively, which is a good route for organizations that are looking to reduce their on-premises infrastructure and move toward the cloud. Either way, you’ll want to keep in mind the suite of resources (systems, applications, networks, and files) in your organization as you select a solution.
By establishing a core identity for each user and using tools like group settings, APIs, and PowerShell, you can automate the provisioning process so that you only need to create a user identity once. SaaS app provisioning is one example of the initial investment required to establish automation. You can automate it using SAML Just-in-Time provisioning, but you have to map user attributes from the directory to the attributes required by each app, and those differ from app to app. This takes initial configuration work, but once the connections between the directory and the app are configured, you don’t have to do that work again.
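The attribute mapping described above can be kept as data and validated before any assertion is sent. The following is an added example, not code from the original article or from any vendor; the app names, the app-side attribute names, and the sample user are constructed for illustration, and only the directory-side names follow common LDAP attributes.

```python
# Per-app attribute mapping for SAML Just-in-Time provisioning (added example).
# App names and app-side attribute names are hypothetical.

# app -> {app-side attribute: (directory attribute, required?)}
APP_ATTRIBUTE_MAPS = {
    "crm_app": {
        "Email": ("mail", True),
        "FirstName": ("givenName", True),
        "LastName": ("sn", True),
        "Department": ("department", False),
    },
    "wiki_app": {
        "user.email": ("mail", True),
        "user.displayName": ("displayName", True),
    },
}


class MappingError(ValueError):
    """Raised when a user cannot be mapped completely for an app."""


def build_assertion_attributes(app, directory_user):
    """Return the attributes to send to `app` for this directory user.

    Fails closed: a missing required attribute raises instead of producing
    a partial attribute set that would create a half-formed account.
    """
    mapping = APP_ATTRIBUTE_MAPS.get(app)
    if mapping is None:
        raise MappingError(f"no attribute map configured for {app!r}")
    out, missing = {}, []
    for app_attr, (dir_attr, required) in mapping.items():
        value = (directory_user.get(dir_attr) or "").strip()
        if value:
            out[app_attr] = value
        elif required:
            missing.append(dir_attr)
    if missing:
        raise MappingError(f"{app}: missing directory attributes {sorted(missing)}")
    return out


# Constructed directory record; it has no displayName, so wiki_app is rejected.
SAMPLE_USER = {"mail": "s.okafor@example.com", "givenName": "Siobhan",
               "sn": "Okafor", "department": "Sales"}
```

Running the check against every configured app when a user is created surfaces attribute gaps at onboarding time rather than at the user's first login.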
To understand your initial investment, you’ll want to factor in the cost of the solution (i.e. an identity bridge or a cloud identity provider) and the cost of the labor to implement it and any automation configurations required.
Return on Investment: IT Automation
To understand the return on investment, you’ll want to take into account the ways automation will benefit your organization.
Reduce Manual Labor
If it typically takes your organization several hours to provision a new user to all their resources, automating those processes saves that time and reduces the manual labor required of IT admins. With a user provisioning workflow in place, a new user needs to be provisioned manually only once in the central directory, and the identity then flows onward to the user’s permitted resources.
If the IT and HR departments coordinate, that process can be automated even further by syncing the human capital management (HCM) system with the central directory and linking identities there, too.
Improve Accuracy
Automation improves accuracy because it reduces the manual data entry required to onboard a user. With automation, there’s less risk, for example, that a user with an uncommon name will have it misspelled in their email or user ID. It also improves the accuracy of the access permissions granted to users because they are assigned based on role and group/department. You’ll save in the long term if your users’ attributes are entered correctly and users are properly assigned to their resources.
Tighten Security
Automation also enables admins to tighten organizational security by implementing a least privilege framework and using group permissions to automatically provision employees to the resources they need and no others. For example, sales employees can be automatically provisioned to Salesforce but not cloud servers hosted in AWS®, and vice versa for engineering employees.
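The group-based model above can be expressed as a default-deny policy plus a diff against what a user currently holds, so that a role change revokes old access as well as granting new access. This is an added example, not code from the original article; the group names, resource labels, and the sales-to-engineering scenario are illustrative assumptions built on the article's Salesforce and AWS example.

```python
# Group-driven least-privilege provisioning (added example).
# Group names and resource labels are illustrative, not a real product's schema.

GROUP_ENTITLEMENTS = {
    "all-staff": {"email", "wifi"},
    "sales": {"salesforce"},
    "engineering": {"aws-servers"},
}


def entitled_resources(groups):
    """Union of resources granted by the user's groups.

    Default deny: a group with no policy entry grants nothing.
    """
    resources = set()
    for group in groups:
        resources |= GROUP_ENTITLEMENTS.get(group, set())
    return resources


def provisioning_plan(groups, current_access):
    """Compare entitlement with actual access and return what to change.

    'grant' lists resources the user should gain; 'revoke' lists access
    the user holds but is no longer entitled to.
    """
    wanted = entitled_resources(groups)
    current = set(current_access)
    return {
        "grant": sorted(wanted - current),
        "revoke": sorted(current - wanted),
    }


def demo():
    """New sales hire, then the same user moving to engineering."""
    hire = provisioning_plan(["all-staff", "sales"], [])
    move = provisioning_plan(["all-staff", "engineering"],
                             ["email", "wifi", "salesforce"])
    return hire, move


if __name__ == "__main__":
    for plan in demo():
        print(plan)
```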
Achieve Regulatory Compliance
Last but certainly not least, automation helps organizations achieve regulatory compliance by defining clear structures by which they will provision and deprovision user access.
Although some of the above benefits might be difficult to quantify, together they reduce the manual labor required of IT admins and improve security against a breach, which could cost organizations millions of dollars.