User Provisioning Workflow Tips

Written by Cassa Niedringhaus on February 17, 2020


User provisioning has historically been a tedious manual task. However, automation of user provisioning is on the rise thanks to the benefits of modern technology. What you want to avoid — for the sake of sanity and efficiency — is manually provisioning a user, whether in the directory, email system, SaaS apps, human capital management system, etc.

Here, we’ve outlined a legacy user provisioning workflow, how to improve it, and how to implement an entirely cloud-based user provisioning workflow that syncs HR and IT processes.

Active Directory User Provisioning Workflow

For decades, Active Directory® has been the go-to directory service for most organizations. In the traditional AD approach, the admin created a new user in AD and provisioned them to their Windows® and on-prem resources via group- and role-based permissions.

However, modern innovations like SaaS apps and cloud servers — not to mention human capital management (HCM) systems — have challenged this model because AD does not extend to them natively. In the case of SaaS apps, cloud servers, and other non-Windows resources, IT admins might end up managing identity stores separate from AD in those resources. This approach requires more manual management and impairs organizational security postures because it contributes to identity sprawl.

HCM systems might be operated entirely by the HR department and contain identities separate from AD identities and out of IT’s purview because the two systems have not been integrated. In practical terms, this means two departments are replicating one another’s work, which is an inefficient use of company resources that introduces greater opportunities for error. One way to remedy both of these problems is to seek a universal AD identity bridge.

Supplemented AD Workflow

IT admins managing users in AD might seek various third-party resources to federate those identities to resources that don’t natively integrate with AD, like Mac® and Linux® systems, SaaS apps, and HCM systems.

A universal identity bridge can extend AD identities outside the domain, and it’s a powerful improvement over the traditional AD-only approach.

However, this still means that admins are managing add-ons in addition to their directory, while dealing with on-premises infrastructure. In the modern cloud era, there’s another way: automated user provisioning from the cloud.

User Provisioning Workflow from the Cloud

User provisioning from a cloud directory service is the ideal workflow for modern organizations. This workflow is designed to be as light-touch as possible, with zero-touch employee onboarding as the gold standard — and it integrates HR and IT processes.

With a cloud directory service as the link between the HR system and all other IT resources, the identity of a user provisioned in the HR system can automatically propagate to the directory and then to all the user’s IT resources, without repetitive manual data entry. It looks like this:

HR System → Central Directory → Systems, Applications, Networks, & Files

A central cloud directory can translate the HR user identity into a directory object and then map that directory object to all the user’s permitted resources via protocols such as SAML, LDAP, and RADIUS. Different resources require different attributes and refer to the same attribute by different names (e.g. “username” in one resource is “uid” in LDAP). Ideally, the directory translates the core identity into each resource’s attribute vocabulary through automated attribute mapping.

Just-in-Time provisioning is an example of this in action for SaaS apps. A user is provisioned once in the directory, and their digital identity flows to all apps (like Salesforce, for example) they are permitted to access via pre-configured SAML connectors. Users trigger the creation of their accounts the first time they try to log in to those apps — rather than the admin provisioning them manually in each.
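The two preceding paragraphs (attribute mapping per resource, and just-in-time account creation on first SSO login) in working form. This is an added example, not JumpCloud code or a real HCM or SAML implementation: the HR record, the attribute maps, the `RESOURCE_GROUPS` permission table and the `JitApp` class are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed HR record, loosely shaped like an HCM export; not a real Workday schema.
HR_RECORD = {"employee_id": "E1001", "first_name": "Ada", "last_name": "Lovelace",
             "work_email": "ada.lovelace@example.com", "department": "Engineering"}

# Per-resource attribute maps: one core attribute, a different name in each resource
# (the page's "username" vs. LDAP "uid" case, plus a SAML attribute set for an app).
ATTRIBUTE_MAPS = {
    "ldap": {"uid": "username", "mail": "email", "givenName": "given_name", "sn": "surname"},
    "salesforce": {"NameID": "email", "User.FirstName": "given_name", "User.LastName": "surname"},
}
# Hypothetical group-based permissions: which directory groups may reach which resource.
RESOURCE_GROUPS = {"ldap": {"engineering", "sales"}, "salesforce": {"sales"}}

@dataclass
class DirectoryObject:
    """Core identity held once in the central directory."""
    username: str
    email: str
    given_name: str
    surname: str
    groups: set = field(default_factory=set)

def hr_to_directory(rec):
    """Translate an HR record into the core identity; username is the email local part."""
    return DirectoryObject(rec["work_email"].split("@")[0], rec["work_email"],
                           rec["first_name"], rec["last_name"], {rec["department"].lower()})

def map_attributes(obj, resource):
    """Render the core identity in one resource's vocabulary, or None if the user is not permitted."""
    if not (obj.groups & RESOURCE_GROUPS[resource]):
        return None
    return {target: getattr(obj, source) for target, source in ATTRIBUTE_MAPS[resource].items()}

class JitApp:
    """SaaS app that creates its local account the first time a user arrives via SSO."""
    def __init__(self):
        self.accounts = {}
        self.creations = 0
    def login(self, assertion):
        key = assertion["NameID"]          # stable identifier carried in the SAML assertion
        if key not in self.accounts:       # first login provisions; later logins reuse
            self.accounts[key] = dict(assertion)
            self.creations += 1
        return self.accounts[key]

def onboard_and_login(rec, app, resource):
    """HR record -> directory object -> mapped attributes -> JIT login (None if not permitted)."""
    attrs = map_attributes(hr_to_directory(rec), resource)
    return app.login(attrs) if attrs else None
```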

This same process can be put in place for other resources so that a user is provisioned and automatically has access to productivity suites like G Suite™ or Office 365™, cloud servers in AWS® or GCP®, networks like VPNs or organizational WiFi, and more.

Example Workflow: JumpCloud & Workday

An example of this workflow in action is JumpCloud®’s Workday integration. Via JumpCloud’s Directory-as-a-Service®, admins can automatically import Workday users into their cloud directory. They can also review and modify users during the import stage. They can then use JumpCloud to automatically provision users to their systems (Mac, Linux, Windows), apps, networks, and files via group-based permissions. They can also automatically sync core identities with G Suite and Office 365.

This integration establishes an end-to-end workflow from initial hiring to provisioning because, once a user is imported from Workday, the admin doesn’t need to re-create the identity in the directory or the permitted resources. Learn more about HR and IT integration in the cloud and how it can get your users onboarded more efficiently.

Cassa Niedringhaus

Cassa is a product marketing specialist at JumpCloud with a degree in Magazine Writing from the University of Missouri. When she’s not at work, she likes to hike, ski and read.
