What is User Provisioning & Deprovisioning?

Written by Cassa Niedringhaus on May 11, 2020

Share This Article

Granting and revoking access to organizational resources is a core — and sometimes time consuming — task for any IT admin. It’s also become more complex as the market fractures and expands and as new products, services, and protocols come online.

However, through a cloud identity provider, admins find a more consistent and secure approach to provisioning and deprovisioning in this modern era.

User Provisioning Defined

User provisioning is the process of creating user accounts in the requisite IT resources, including the directory — as well as systems, networks, and applications — and is a component of onboarding. For example, let’s say an admin is alerted that a new employee will start the following Monday. The admin needs to provision that user first in the central directory and then to their authorized resources, including their computer, email account, WiFi network, and web and on-prem apps. This process will depend on the directory service and the resources in question, but admins can take steps to automate the process.

In an ideal IT environment, a user has one authoritative identity in the directory that is synced with their identities elsewhere. Admins want to avoid, for purposes of security and efficiency, maintaining disparate directory stores.

User Deprovisioning Defined

User deprovisioning, then, is the opposite process: Admins revoke access and delete accounts of users who have left the organization. This process refers not only to credentials and accounts but also to SSH keys, which need to be decommissioned.

This process can be automated as well. Ideally, as soon as an admin learns that someone has left the organization, they’re able to suspend or delete the user in the directory and immediately deprovision their accounts in all resources that the directory manages.

An admin shouldn’t be forced to track down all the resources the user had access to (like an array of SaaS apps) and manually delete individual accounts — or, worse, have no knowledge of those resources to begin with.

Even in areas where deprovisioning is not automated, admins need to be able to revoke access immediately through the central directory. They might still have to delete a few accounts manually, but the task is not as urgent because they’ve already ensured users don’t have access to company resources or data. 

Provisioning & Deprovisioning Best Practices

These are best practices to keep in mind as you decide how you will provision and deprovision user accounts in your organization.

Implement Central Identity and Access Management (IAM)

Implement a centralized cloud directory service that can sync identities among G Suite™, Office 365™, HR systems, and other major directories (for example, Active Directory® if you have it). 

Modern cloud directories can create, delete, and modify users and utilize all major protocols (i.e. LDAP, SAML, RADIUS, OAuth, etc.) to federate those changes to accounts elsewhere — including Mac®, Windows®, and Linux® machines; SaaS apps; and networks.

Adhere to Least Privilege Concept

The concept of least privilege stipulates that users should only have access rights to the IT resources they absolutely need, and only as long as they need them.

Admins can apply this concept to the practice of provisioning and deprovisioning through a cloud directory service. They determine what resources to grant new users, as well as monitor unused accounts and delete them accordingly.

This is applicable in provisioning as admins are determining what resources to grant new users, and applicable in deprovisioning as they monitor unused accounts and delete them accordingly. You can enforce this concept through a cloud directory service, too.

Automate Where Possible

Various tools are available to automate user provisioning and deprovisioning, which makes for an easier, more accurate process. Through a cloud directory service, you can create a user and map their attributes to systems, apps, files, and networks via automation tools like group settings, PowerShell modules, and APIs. Specifically for web apps, you can implement Just-in-Time and SCIM provisioning. JIT automates account creation, while SCIM automates account creation, modification, and deletion.

Regardless of what automation tools you decide to use, you should be able to suspend user access to all resources with one click from the directory for tighter organizational security. 

JumpCloud® Directory-as-a-Service® is one avenue to consider. From a central web console, admins can use JumpCloud to provision and manage users, introduce automation, and immediately suspend user access when needed. Learn more about achieving a unified point of user management and authentication with a cloud directory service.

Cassa Niedringhaus

Cassa is a product marketing specialist at JumpCloud with a degree in Magazine Writing from the University of Missouri. When she’s not at work, she likes to hike, ski and read.

Continue Learning with our Newsletter