How to Scale User Provisioning

Written by Cassa Niedringhaus on April 7, 2020


Whether an organization focuses on strategic acquisitions or quickly launches new offices in key markets, the IT department will play a critical role in responding with a scalable user provisioning process. Regardless of the reason an organization scales, sysadmins will be expected to keep pace, and there are various strategies and tools they can use to do so. In this post, we’ll describe a useful provisioning workflow and specific tools that complement it.

Automated User Provisioning Workflow

Organizations can scale most efficiently with centralized control over all IT resources and coordination between their IT and HR departments. Ideally, a new user should be provisioned manually just once, which can be achieved through automation strategies.

If an automation framework is in place, when a new user joins an organization, an HR admin can add that user to the human capital management system, where the user accesses payroll and benefits information. An IT admin can then oversee the import of that record from the HR system into the central directory service, rather than re-creating the user by hand. From there, they can federate the same digital identity to IT resources. The workflow looks like this:

HR System → Central Directory → Systems, Applications, Networks, & Files

This process is more scalable than manual user provisioning because it reduces data entry, increases accuracy, and accommodates creation of new users en masse. 

Tools for User Provisioning & Management

These tools can help implement an automated user provisioning workflow, and modern directory services should offer these tools as core functions. 

1. Group Membership

From a central directory service, you can use tiered user groups to administer access:

  • Organization-wide
  • System-wide
  • Office-wide
  • Department-wide

For example, an organization-wide group might include access to G Suite™, while an office-wide group might include access to the WiFi network specific to that office. Another example of tiered access is within an individual department, such as granting the group of engineering managers access to production servers, while placing junior engineers in a group with more limited permissions.

With groups in place, you can add a new user to their applicable groups and provision them automatically to their resources, including the email system, their workstations, servers and infrastructure, SaaS and other apps, WiFi, and printers. You can also group systems (Mac®, Windows®, Linux®) to apply security configurations and other requirements to them in bulk, such as managing BitLocker for Windows systems and FileVault2 for Mac systems.

If you’re opening a new office or quickly adding users across offices, using groups is an efficient way to provision users and configure their systems.
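The tiered-group model above can be made concrete with a small rule engine: HR attributes (office, department, role, workstation OS) decide which groups a new hire lands in, and the union of the groups' resources is what gets provisioned. This is an added example written for this article, not code from any directory product; the group names, resources and membership rules are constructed for illustration. It also adds an access-review check the article only implies: a pair of groups that should never be held together (here, the junior-engineer group and the production-access group) is flagged when a manual grant bypasses the rules.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed example directory: each group has a tier and the resources it grants.
# Names are illustrative and not from any real directory product.
@dataclass(frozen=True)
class Group:
    name: str
    tier: str                     # organization | office | department | system
    resources: frozenset[str]

GROUPS = {g.name: g for g in [
    Group("all-staff", "organization", frozenset({"gsuite", "email"})),
    Group("office-denver", "office", frozenset({"wifi-denver", "printer-denver"})),
    Group("office-boulder", "office", frozenset({"wifi-boulder"})),
    Group("dept-engineering", "department", frozenset({"vpn", "ci-server"})),
    Group("eng-managers", "department", frozenset({"prod-servers"})),
    Group("eng-junior", "department", frozenset({"staging-servers"})),
    Group("sys-windows", "system", frozenset({"bitlocker-policy"})),
    Group("sys-mac", "system", frozenset({"filevault2-policy"})),
]}

@dataclass
class User:
    username: str
    office: str
    department: str
    role: str                     # e.g. "manager" or "junior"
    os: str                       # workstation OS: "windows", "mac", "linux"
    groups: set[str] = field(default_factory=set)

# Membership rules: (predicate over the user, group to add). The attributes come from
# HR, so a new hire lands in the right groups without a per-user decision.
RULES = [
    (lambda u: True, "all-staff"),
    (lambda u: u.office == "denver", "office-denver"),
    (lambda u: u.office == "boulder", "office-boulder"),
    (lambda u: u.department == "engineering", "dept-engineering"),
    (lambda u: u.department == "engineering" and u.role == "manager", "eng-managers"),
    (lambda u: u.department == "engineering" and u.role == "junior", "eng-junior"),
    (lambda u: u.os == "windows", "sys-windows"),
    (lambda u: u.os == "mac", "sys-mac"),
]

def assign_groups(user: User, rules=RULES) -> set[str]:
    """Compute rule-derived membership and record it on the user."""
    user.groups = {group for pred, group in rules if pred(user)}
    return user.groups

def effective_resources(user: User, groups=GROUPS) -> dict[str, set[str]]:
    """Map each resource the user can reach to the groups granting it (handy for access reviews)."""
    result: dict[str, set[str]] = {}
    for name in sorted(user.groups):
        for res in groups[name].resources:
            result.setdefault(res, set()).add(name)
    return result

# Constructed policy mirroring the article's "junior engineers get more limited
# permissions" example: these two groups must never be held by the same user.
EXCLUSIVE_PAIRS = [("eng-junior", "eng-managers")]

def audit_exclusive(users: list[User], pairs=EXCLUSIVE_PAIRS) -> list[tuple[str, str, str]]:
    """Return (username, group_a, group_b) for every user holding both groups of an exclusive pair."""
    findings = []
    for u in users:
        for a, b in pairs:
            if a in u.groups and b in u.groups:
                findings.append((u.username, a, b))
    return findings

if __name__ == "__main__":
    alice = User("alice", "denver", "engineering", "manager", "mac")
    bob = User("bob", "denver", "engineering", "junior", "windows")
    for u in (alice, bob):
        assign_groups(u)
        print(u.username, sorted(u.groups))
        print("   resources:", sorted(effective_resources(u)))
    # A manual grant that bypasses the rules shows up in the audit.
    bob.groups.add("eng-managers")
    print("audit findings:", audit_exclusive([alice, bob]))
```

Because membership is derived from attributes rather than assigned by hand, re-running `assign_groups` after an HR change (a transfer to another office, a promotion) moves the user to the correct tiers in one step, and `effective_resources` answers the access-review question "why does this person have production access?" by naming the granting group.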

2. JIT & SCIM Provisioning

One analysis of the SaaS market found that the average company with 0-10 employees had to configure 47 connections between those employees and their SaaS apps, while the average company with 201-500 employees had to configure 2,478. As the number of employees grows, so does the task of connecting them to SaaS apps — the task becomes impossible to do manually.

Just-in-Time (JIT) and SCIM provisioning are two methods of automating account creation for users in SaaS apps. Although the approaches to each are different, either method eliminates the need to go into a SaaS app and create accounts for users by hand.

JIT provisioning extends the SAML protocol to pass user attributes from the identity provider to SaaS providers, rather than credentials, and users trigger creation of their app accounts the first time they try to log in to those apps through their single sign-on (SSO) portal. SCIM is a protocol that standardizes identities among identity and service providers, and it automates not only the creation but also the modification and deletion of accounts in apps. 
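The practical difference between the two methods is easiest to see with both paths side by side. The following is an added example, not code from the article or from any identity provider: a stand-in SaaS tenant accepts a JIT-style first login (the SAML attributes are represented as a plain dictionary rather than an XML assertion) and SCIM 2.0 create and PATCH requests. The SCIM schema URIs are the ones defined in RFC 7643 and RFC 7644; the directory records, usernames and `SaasApp` class are constructed. The example also shows the failure mode that follows from the article's description: JIT creates accounts on login but has no deprovisioning step, so when HR offboards a JIT-provisioned user the app account stays active until someone reconciles it, whereas the SCIM-provisioned account is deactivated by a single PATCH.

```python
from __future__ import annotations
import json

# Schema URIs from the SCIM 2.0 specifications (RFC 7643 / RFC 7644).
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed central-directory records: the identity provider's view of each user.
DIRECTORY = {
    "alice": {"givenName": "Alice", "familyName": "Ng", "email": "alice@example.com", "active": True},
    "bob":   {"givenName": "Bob", "familyName": "Osei", "email": "bob@example.com", "active": True},
}

def scim_user_payload(username: str, rec: dict) -> dict:
    """Build the SCIM 2.0 User resource an IdP would POST to the app's /Users endpoint."""
    return {
        "schemas": [SCIM_USER],
        "userName": username,
        "name": {"givenName": rec["givenName"], "familyName": rec["familyName"]},
        "emails": [{"value": rec["email"], "primary": True}],
        "active": rec["active"],
    }

def scim_deactivate_patch() -> dict:
    """PATCH body that sets 'active' to false, the usual offboarding operation."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}

class SaasApp:
    """Minimal stand-in for a SaaS tenant supporting both provisioning paths (constructed)."""
    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}

    # JIT path: the attributes carried in the SAML assertion create the account on first login.
    def jit_login(self, assertion: dict) -> str:
        username = assertion["NameID"]
        if username not in self.accounts:
            attrs = assertion["attributes"]
            self.accounts[username] = {"email": attrs["email"], "active": True, "source": "jit"}
            return "created"
        return "login"

    # SCIM path: the IdP pushes create / modify / delete with no user action involved.
    def scim_post(self, payload: dict) -> str:
        if SCIM_USER not in payload.get("schemas", []):
            raise ValueError("not a SCIM User resource")
        username = payload["userName"]
        self.accounts[username] = {"email": payload["emails"][0]["value"],
                                   "active": payload["active"], "source": "scim"}
        return username

    def scim_patch(self, username: str, patch: dict) -> dict:
        if SCIM_PATCH not in patch.get("schemas", []):
            raise ValueError("not a SCIM PatchOp")
        account = self.accounts[username]
        for op in patch["Operations"]:
            if op["op"] != "replace":
                raise NotImplementedError(op["op"])   # add/remove omitted in this example
            account[op["path"]] = op["value"]
        return account

    def orphaned_jit_accounts(self, directory: dict) -> list[str]:
        """JIT never deletes: list still-active JIT accounts whose directory identity is gone or disabled."""
        return sorted(u for u, a in self.accounts.items()
                      if a["source"] == "jit" and a["active"]
                      and not directory.get(u, {}).get("active", False))

def demo() -> tuple[dict, list[str]]:
    app = SaasApp()
    directory = {k: dict(v) for k, v in DIRECTORY.items()}
    # alice's app account appears only when she first signs in through SSO
    app.jit_login({"NameID": "alice", "attributes": {"email": directory["alice"]["email"]}})
    # bob's account is pushed by the IdP over SCIM before he ever logs in
    app.scim_post(scim_user_payload("bob", directory["bob"]))
    # HR offboards both; the central directory disables them
    for u in ("alice", "bob"):
        directory[u]["active"] = False
    app.scim_patch("bob", scim_deactivate_patch())   # SCIM propagates the change
    return app.accounts, app.orphaned_jit_accounts(directory)

if __name__ == "__main__":
    accounts, orphans = demo()
    print(json.dumps(accounts, indent=2))
    print("JIT accounts still active after offboarding:", orphans)
```

The `orphaned_jit_accounts` check is the reconciliation a team relying on JIT alone needs to run on a schedule; with SCIM in place the deactivation is part of the offboarding event itself.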

3. PowerShell Implementation

PowerShell, Microsoft’s open-source programming language for automation and management tasks, can be an important tool for various onboarding tasks — like adding and modifying users in bulk. Many user management systems have built PowerShell modules that can help automate the process. Of course, such modules sit on top of APIs that a user management system may have, so IT admins with strong API coding skills can easily and directly communicate with the APIs.

Admins can use a PowerShell module (or APIs) to import dozens or hundreds of new users and their attributes at once via CSV, provision all users to new apps and services, and take other actions to manage their directory at scale.
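The HR → central directory step of the workflow described earlier and the CSV bulk import described in this section are the same operation: take the HR export as the source of truth, validate it, and compute what the directory must create, update or disable. The following is an added example, not the article's code and not any vendor's PowerShell module; it is written in Python so it runs stand-alone, and the CSV columns, directory layout and records are constructed. Two properties matter at scale and are built in: a bad row (invalid email, duplicate username) is reported and skipped rather than aborting the batch, and the reconciliation is idempotent, so re-running it after applying the plan produces no further actions.

```python
from __future__ import annotations
import csv
import io
import re

REQUIRED = ("employee_id", "username", "email", "department", "office", "status")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SYNCED = ("username", "email", "department", "office")   # attributes the directory mirrors from HR

# Constructed HR export. Line 5 has a malformed email, line 6 reuses a username.
HR_CSV = """employee_id,username,email,department,office,status
1001,alice,Alice@Example.com,engineering,denver,active
1002,bob,bob@example.com,engineering,denver,active
1003,carol,carol@example.com,sales,boulder,active
1004,dave,dave-at-example.com,sales,boulder,active
1005,alice,alice2@example.com,marketing,denver,active
"""

def parse_hr_csv(text: str) -> tuple[dict[str, dict], list[str]]:
    """Validate an HR export. Returns clean rows keyed by employee_id and a list of
    per-row errors; bad rows are skipped so one typo does not block the whole batch."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"HR export missing columns: {missing}")
    rows: dict[str, dict] = {}
    errors: list[str] = []
    seen_usernames: set[str] = set()
    for n, row in enumerate(reader, start=2):          # line 1 is the header
        row = {k: v.strip() for k, v in row.items()}
        row["email"] = row["email"].lower()             # normalise so case changes are not "updates"
        if not EMAIL_RE.match(row["email"]):
            errors.append(f"line {n}: invalid email {row['email']!r}")
            continue
        if row["username"] in seen_usernames:
            errors.append(f"line {n}: duplicate username {row['username']!r}")
            continue
        seen_usernames.add(row["username"])
        rows[row["employee_id"]] = row
    return rows, errors

def reconcile(hr: dict[str, dict], directory: dict[str, dict]) -> dict[str, list[str]]:
    """Diff HR (source of truth, keyed by employee_id) against the directory and return
    the actions to apply. Applying the plan and reconciling again yields an empty plan."""
    plan: dict[str, list[str]] = {"create": [], "update": [], "disable": []}
    for emp_id, row in hr.items():
        existing = directory.get(emp_id)
        if row["status"] != "active":
            if existing and existing.get("active", True):
                plan["disable"].append(emp_id)
            continue
        if existing is None:
            plan["create"].append(emp_id)
        elif any(existing.get(k) != row[k] for k in SYNCED) or not existing.get("active", True):
            plan["update"].append(emp_id)
    # Present in the directory but absent from HR: disable rather than delete so the
    # account's history survives for audit.
    for emp_id, existing in directory.items():
        if emp_id not in hr and existing.get("active", True):
            plan["disable"].append(emp_id)
    return plan

def apply_plan(plan: dict[str, list[str]], hr: dict[str, dict], directory: dict[str, dict]) -> dict[str, dict]:
    """Apply a reconcile() plan to the in-memory directory (a real run would call the directory API here)."""
    for emp_id in plan["create"]:
        directory[emp_id] = {**{k: hr[emp_id][k] for k in SYNCED}, "active": True}
    for emp_id in plan["update"]:
        directory[emp_id].update({k: hr[emp_id][k] for k in SYNCED}, active=True)
    for emp_id in plan["disable"]:
        directory[emp_id]["active"] = False
    return directory

# Constructed directory state before the import: bob exists in an old department,
# and 1999 no longer appears in the HR export.
EXISTING_DIRECTORY = {
    "1002": {"username": "bob", "email": "bob@example.com", "department": "support", "office": "denver", "active": True},
    "1999": {"username": "zed", "email": "zed@example.com", "department": "sales", "office": "boulder", "active": True},
}

if __name__ == "__main__":
    rows, errors = parse_hr_csv(HR_CSV)
    for e in errors:
        print("skipped:", e)
    directory = {k: dict(v) for k, v in EXISTING_DIRECTORY.items()}
    plan = reconcile(rows, directory)
    print("plan:", plan)
    apply_plan(plan, rows, directory)
    print("second run:", reconcile(rows, directory))   # nothing left to do
```

Keying on a stable `employee_id` rather than on username or email is what makes renames and address changes show up as updates instead of as a delete-plus-create, and returning a plan before applying it lets an admin review a large batch (or have a pipeline refuse it when the disable count is unexpectedly high) before anything changes in the directory.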

Depending on the directory service you use, these tools and others are core offerings of the platform and help you scale with ease.
