May 17, 2023
Table of contents
User provisioning is a fundamental operation in companies of all shapes and sizes. Without user provisioning, it’s very difficult to provide your employees with access to the tools and services they need in order to carry out their day-to-day responsibilities.
However, there are multiple ways to implement user provisioning and automate it. This guide will explain user provisioning, how user provisioning evolves as a company grows, the importance of automation, and popular ways to automate user provisioning.
What is user provisioning?
User provisioning refers to creating and managing user accounts and permissions within a company’s IT resources, such as SaaS applications or databases. The main aims of user provisioning are to reduce security vulnerabilities caused by users having more permissions than they need and to provide a seamless experience for onboarding and offboarding employees.
Typical evolution of user provisioning in a tech startup
How a company manages user provisioning usually evolves over time:
Ad hoc requests: In their early days, most startups have a manual process for provisioning accounts on a per-case basis. Often, resource owners don’t keep track of the access granted to their team members, and this poses an increased risk of manual errors and security breaches. This process is also not scalable — it works only for small teams that don’t have too many members requesting and maintaining access at the same time. Moreover, if a company is looking into becoming ISO27001 or SOC 2 certified, it will need to track user access and permissions.
Manual documentation: When startups start to grow, a lack of documentation can make things chaotic, so some use a spreadsheet or a database to keep track of user access. While this solves the accountability issue, it’s neither scalable nor a pleasant way to work, as each tool can have its own unique access management interface and process, and this adds friction to the provisioning system.
Workflow-based access management: User provisioning reaches a maturity milestone when workflow-based processes are introduced. This means that instead of one person managing access to all resources via a spreadsheet, the system becomes self-service and scalable. Users can now request access by themselves, compliance processes and security checks can be implemented, and resource ownership can be shared among multiple people based on their roles in the organization.
Fully integrated access management: While workflow-based processes make for a fairly good user provisioning system, you can make it even better by attaching it to your human resources information system (HRIS). This allows you to automatically trigger access requests for your employees as their data is entered into your employee table. A further benefit is that this makes life easier for incoming employees.
But how do you account for employees leaving the organization? That’s handled by user deprovisioning.
What is user deprovisioning?
User deprovisioning is the process of revoking a user’s access once they leave the organization or change roles. And not having a reliable user deprovisioning system can damage your organization more than a poorly implemented one, because former employees (as well as current ones) having unauthorized or unnecessary access can easily lead to data breaches, compliance violations, and other security incidents. User provisioning and deprovisioning are often implemented together to provide a complete, unified user account management solution.
Why should you care about user provisioning?
By now, you probably already understand the importance of user provisioning. To sum up, here’s why you should care about user provisioning:
Reinforced security: User provisioning helps you control the access available to each employee in your organization and implement security best practices like PoLP, RBAC, SoD, and more. It also makes cleaning up offboarded accounts easier. And in case of security breaches, you can quickly disable access to reduce the extent of the damage.
Improved employee experience and productivity: User provisioning speeds up employee onboarding by streamlining the process of granting access to new employees. This also translates to reduced costs for your organization.
Adherence to compliance: With user provisioning, you get a consistent, descriptive audit trail of granted and revoked access. Implementing checks and validations in the process is also easier. This is crucial for industries such as fintech that rely heavily on compliance to function properly.
However, user provisioning is still quite cumbersome if you have to manually provision user accounts after receiving access requests in any manner. This is where automated user provisioning helps.
What is automated user provisioning?
Automated user provisioning refers to a system of creating and maintaining user accounts, using integrations and automations with IT resources to reduce manual intervention in the process. Automation helps improve the last step of traditional user provisioning — actually provisioning the accounts.
Automated provisioning processes bring many benefits to your organization’s provisioning workflow:
Fewer manual errors: Less manual intervention means fewer errors. It can also improve compliance and security.
Reduced costs: With automation taking care of provisioning processes, your managers can focus their time on other, more valuable tasks.
Scalability: As a company grows, manual provisioning can’t keep up with the growing number of requests. However, an automated system can scale just like any other piece of software.
Improved security: As mentioned previously, a lack of timely deprovisioning can lead to severe security incidents. Automation takes care of this, as it is triggered right after an employee or a team member loses their privileges. This further helps strengthen your security.
The best ways to automate user provisioning
Now that you understand the benefits of automated user provisioning, let’s look at ways you can implement it in your organization.
SCIM and SAML
SCIM (System for Cross-Domain Identity Management) and SAML (Security Assertion Markup Language) are popular methods of automated user provisioning. SCIM is an established open standard aimed at simplifying identity management across multiple domains. SCIM extends the idea behind SSO (single sign-on), a popular mechanism for authenticating across multiple systems with a common set of credentials, to enable permission management for user accounts in the same place.
SAML is a protocol meant to help share authentication and authorization data between identity providers (such as your IAM tool) and service providers (such as your IT resources). SAML is a mature technology and is also commonly used to implement automated provisioning.
The main benefit of these solutions is their widespread adoption. A large number of service providers support them and enable you to set up automated user provisioning for your organization. Since they’ve been around for a long time, they’re battle-tested, and security flaws have been resolved.
However, these techniques are complex to implement by yourself. Also, most vendors charge exorbitantly for you to manage user accounts via your own identity provider. In many cases, SSO is provided only in “Enterprise” plans, which often cost two, three or four times what the base plan costs. And the common implementations by most vendors restrict your ability to set up permissions on a granular level in your system. For all these reasons, SCIM, SAML, and related technologies are often not a very good fit for small and growing companies.
Public APIs for user management
Many vendors (service providers) offer public APIs for managing user accounts in their services. This includes vendors like Google Workspaces and Amazon Web Services. These APIs help you to easily create, delete, and update user accounts and manage access permissions via internal apps. In most cases, the vendors offer these APIs for free.
However, not all vendors do. Most vendors have their own unique implementations of this kind of API, which adds to the effort required to integrate them into your system. Also, such APIs offer a restricted set of functions, compared with other methods in this list. Often, they don’t give you granular control over access management.
Using public APIs from vendors is a good approach for organizations looking to make use of the complete ecosystem of tools offered by a single or a small number of service providers. If your organization relies on tools and services from a wide range of service providers, relying on their public APIs might not be an effective solution.
Integration accounts
Integration accounts are a new approach in the IAM space. Integration accounts function as a bridge between IAM provider and systems that don’t provide public APIs. Through a mix of RPA and private APIs the IAM provider can create a connection and automate otherwise manual tasks. As a result the integration can be used to read out user and permission lists as well as provision user accounts.
Needless to say, this method has endless automation possibilities. You can set up integrations with a wide range of SaaS apps, and extending support to new apps is quite simple. Most importantly, this means that you don’t need to submit to SaaS vendors that may try to upsell you to their costlier enterprise plans before you can access basic user provisioning functionality. Vendors like AccessOwl use integration accounts to help you manage user provisioning in more than100 SaaS apps.
The only downside to such a solution is that it can be costly for small organizations. Adding an integration account usually adds another paid seat to the SaaS vendor. However, one additional user account usually costs less than upgrading to an enterprise plan.
Conclusion
In this guide, you learned about user provisioning, its benefits, and why you should automate it, along with some popular ways of automating it. If you’re looking for a user provisioning solution for your organization, integration accounts might just be the perfect fit for you.