This document describes and justifies user provisioning best practices in medium to large organizations.
It is intended to offer reasoned guidance to IT decision makers when they set security policies and design processes to manage user identities and entitlements across multiple systems and applications.
Look for the marks throughout this document to find best practices.
Identity management and access governance refers to a set of technologies and processes used to coherently manage information about users in an organization, despite the fact that identity data may be scattered across organizational, geographical and application boundaries.
Identity management and access governance addresses a basic business problem: information about the identity of employees, contractors, customers, partners and vendors along with how those users authenticate and what they can access is distributed among too many systems and is consequently difficult to manage.
Enterprise Identity and Access Management (IAM) is defined as a set of processes and technologies to effectively and consistently manage modest numbers of users and entitlements across multiple systems. In this definition, there are typically significantly fewer than a million users, but users typically have access to multiple systems and applications.
Typical enterprise identity and access management scenarios include:
Enterprise IAM presents different challenges than identity and access management in Extranet (B2C or B2B) scenarios:
| Characteristic | Enterprise IAM (typical) | Extranet IAM (typical) |
|---|---|---|
| Number of users | under 1 million | over 1 million |
| Number of systems and directories | 2 -- 10,000 | 1 -- 2 |
| Users defined before IAM system is deployed | | Frequently only new users |
| Login ID reconciliation | Existing accounts may have different IDs on different systems. | Single, consistent ID per user. |
| | Orphan and dormant accounts are common. Data inconsistencies between systems. | Single or few objects per user. Consistent data. Dormant accounts often a problem. |
| | Many users have unique requirements. | Users fit into just a few categories. |
In short, Enterprise IAM has fewer but more complex users. Extranet IAM has more users and higher transaction rates, but less complexity.
Gartner defines an entitlement as:
"An entitlement is the object in a system's security model that can be granted or associated to a user account to enable that account to perform (or in some cases prevent the performance of) some set of actions in that system. It was commonly accepted that this definition of entitlement referred to the highest-order grantable object in a system's security model, such as an Active Directory group membership or SAP role and not lower-order objects such as single-file permission setting."
Definition by Ian Glazer, in Access Certification and Entitlement Management v1, September 9, 2009.
http://www.gartner.com/technology/research.jsp (login required)
Entitlement management refers to a set of technologies and processes used to coherently manage security rights across an organization. The objectives are to reduce the cost of administration, to improve service and to ensure that users get exactly the security rights they need.
These objectives are attained by creating a set of robust, consistent processes to grant and revoke entitlements across multiple systems and applications:
As organizations deploy an ever wider array of IT infrastructure, managing that infrastructure and in particular managing users, their identity profiles and their security privileges on those systems becomes increasingly challenging.
Figure [link] illustrates some of the challenges faced by organizations that must manage many users across many systems.
In the figure, there are business challenges at each phase of the user lifecycle:
Users often change roles and responsibilities within an organization. They may also change identity attributes (e.g., changes to a user's surname, contact information, department, manager, etc.). Such changes trigger IT work, to adjust user identity profiles and security rights.
Organizations face the same challenges in managing existing users that they face when creating new ones:
In the context of routine use of systems, users often encounter problems that require technical support:
Collectively, these problems typically represent a large part of an IT help desk's call volume. This means both direct cost (support staff) and indirect cost (lost user productivity).
All users leave eventually. When they do, reliable processes are needed to find and remove their security privileges. These processes must be:
Without an identity and access management system, users are managed by separate administrators, using separate software tools and often separate business processes, on each system and application. This is illustrated in Figure [link].
Identity and access management systems externalize the administration of user objects, replacing processes that are implemented within each system with new processes that apply uniformly to all users, across all applications. This simplified process is illustrated in Figure [link].
A user provisioning system is shared IT infrastructure which is used to pull the management of users, identity attributes and security entitlements out of individual systems and applications, into a shared infrastructure.
User provisioning is intended to make the creation, management and deactivation of login IDs, home directories, mail folders, security entitlements and related items faster, cheaper and more reliable. This is done by automating and codifying business processes such as onboarding and termination and connecting these processes to multiple systems.
User provisioning systems work by automating one or more processes:
As well, a user provisioning system must be able to connect these processes to systems and applications, using connectors that can:
Identity management is all about better administration of information about users: who they are and what they can access. Unsurprisingly, this often requires assistance from the users themselves to ensure their information is accurate and complete. Providing a user friendly system is essential to a successful deployment of the system.
Users need to be motivated to use the system, rather than reverting to older, manual processes. From a user's perspective, it must be easier, more obvious and more rewarding to use the automated provisioning system than to call the help desk.
Consider the impact of the system on users:
Where wide-spread user involvement is needed, special care must be taken to ensure success:
It is sometimes also helpful to implement disincentives for inappropriate behaviour. For example, paper forms for access changes may still be accepted, but may be processed significantly more slowly than on-line requests.
One of the weaknesses of manual user administration is that people are not consistent -- they make mistakes. As a result, security administrators cannot be expected to reliably enforce standards regarding what access rights users should have.
An identity management system can and should enforce standards over how changes are requested, what they contain, how they are authorized and how they are fulfilled. This includes:
Care must be taken to define standard policy for each of the above items before deploying a user provisioning system, as described in the following sections.
Clearly, the actual policy for each type of identifier will vary between organizations. That said, some best practices that many organizations have found to be effective include:
Many algorithms can be used to assign login IDs in compliance with the above guidelines. Examples include:
Ensuring global uniqueness and preventing reuse means that a table must be maintained on some system to track all IDs currently in use, plus IDs that have been reserved but not yet created and IDs that were used in the past but are no longer active. Without such a table, ID reuse cannot be prevented.
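The registry described above, as an added example that is not part of the original document: an in-memory allocator that keeps in-use, reserved and retired IDs in one place, so that a retired ID is never reissued. The naming rule (first initial plus surname, truncated to a maximum length, with a numeric suffix on collision) is an assumption chosen for illustration, not a recommendation from the text.

```python
"""Login ID allocator that enforces global uniqueness and prevents reuse.

Added illustration; the naming algorithm and the in-memory sets are
assumptions. A production registry would live in a database shared by
every system that creates accounts."""
import re
import unicodedata


class LoginIdRegistry:
    """Tracks every ID that is in use, reserved, or retired, so that an ID is
    never handed out twice, even after the original account is gone."""

    def __init__(self, max_len=8):
        self.max_len = max_len
        self.in_use = set()
        self.reserved = set()
        self.retired = set()

    def _taken(self, login_id):
        return login_id in self.in_use or login_id in self.reserved or login_id in self.retired

    @staticmethod
    def _normalize(text):
        # Strip accents and anything outside a-z so the ID is portable across systems
        ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
        return re.sub(r"[^a-z]", "", ascii_text.lower())

    def propose(self, given_name, surname):
        """Return the next free ID for this name without reserving it."""
        base = (self._normalize(given_name)[:1] + self._normalize(surname))[: self.max_len]
        if not base:
            raise ValueError("name yields no usable characters")
        candidate = base
        suffix = 1
        while self._taken(candidate):
            suffix += 1
            tail = str(suffix)
            # Keep the total length within max_len by shortening the base
            candidate = base[: self.max_len - len(tail)] + tail
        return candidate

    def reserve(self, given_name, surname):
        """Reserve an ID for an account that will be created later."""
        login_id = self.propose(given_name, surname)
        self.reserved.add(login_id)
        return login_id

    def activate(self, login_id):
        """Move a reserved ID into the in-use set once the account exists."""
        if login_id not in self.reserved:
            raise KeyError(f"{login_id} was never reserved")
        self.reserved.remove(login_id)
        self.in_use.add(login_id)

    def retire(self, login_id):
        """Deactivation keeps the ID on file so it can never be reissued."""
        self.in_use.discard(login_id)
        self.reserved.discard(login_id)
        self.retired.add(login_id)

    def load_existing(self, ids):
        """Seed the registry from accounts that exist before the IAM system is deployed."""
        self.in_use.update(ids)
```

Seeding the registry from every integrated system before the first ID is allocated is what makes the uniqueness guarantee global rather than local to the provisioning system.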
Placing new accounts in the correct directory container and creating their new mailboxes and home directory folders on appropriate servers and disk volumes is straightforward -- it should derive directly from the directory's structure, the structure of the mail server infrastructure, etc.
A more subtle and difficult consideration is to track changes to user identity attributes and to automatically move accounts to different directory contexts, move mailboxes to new servers and relocate their home directories to reflect changes in a user's identity attributes.
For example, if a directory structure reflects an organization's departments and a user moves to a new department, then his account in the directory should be moved to the new department's OU.
Similarly, if the selection of an appropriate mail server to host a user's mailbox depends on the user's physical location and the user moves to a different branch office, then the user's mailbox should likewise be automatically moved.
In much the same way, a new user's default security entitlements should be based on standards for the user's location and job code. The key, as above, is to detect important changes to identity attributes and automatically make appropriate adjustments.
For example, if a user's initial group memberships were derived from the user's location and department and the user subsequently moved to a new location or a different department, then some group memberships should be removed and others added, automatically.
In reality, this may be easier said than done, as it implies that roles have been defined for every valid combination of department and location and that a role change can be triggered. This may only be economical for combinations (roles) that are shared by many users.
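The attribute-driven adjustment described in this section, as an added example that is not part of the original document: a standards table keyed by department and location (with a wildcard so shared groups are not repeated per combination), a constructed OU naming convention, and a planner that computes the OU move and the group adds and removes implied by a change of department or location. The group names, OU layout and user record are all constructed for illustration.

```python
"""Compute the directory move and group membership changes implied by a change
to a user's department or location. Added example; the rule table, the OU
convention and the user record are constructed, not taken from a real directory."""

# Constructed standards: group memberships keyed by (department, location).
# "*" matches any value, so location-only and department-only groups are
# stated once rather than for every valid combination.
STANDARD_GROUPS = {
    ("*", "*"): {"all-staff"},
    ("finance", "*"): {"finance-staff", "erp-readonly"},
    ("finance", "london"): {"london-finance-printers"},
    ("sales", "*"): {"sales-staff", "crm-users"},
    ("*", "london"): {"london-office"},
    ("*", "toronto"): {"toronto-office"},
}


def standard_groups(department, location):
    """Union of every rule whose department and location patterns match."""
    groups = set()
    for (dept, loc), members in STANDARD_GROUPS.items():
        if dept in ("*", department) and loc in ("*", location):
            groups |= members
    return groups


def ou_for(department, location):
    # Constructed OU convention: one department OU under each location OU
    return f"OU={department},OU={location},DC=example,DC=com"


def plan_changes(user, new_department, new_location):
    """Return the OU move and the group adds/removes needed after an attribute change.

    Groups the user holds that belong to neither the old nor the new standard are
    left alone: they were granted for some other reason (a request, an exception)
    and belong to access certification, not to silent removal here."""
    old_std = standard_groups(user["department"], user["location"])
    new_std = standard_groups(new_department, new_location)
    current = set(user["groups"])
    add = new_std - current
    remove = (old_std - new_std) & current
    old_ou = ou_for(user["department"], user["location"])
    new_ou = ou_for(new_department, new_location)
    return {
        "add_groups": sorted(add),
        "remove_groups": sorted(remove),
        "move_ou": (old_ou, new_ou) if old_ou != new_ou else None,
    }
```

The planner deliberately removes only memberships that were part of the old standard; anything else the user holds is surfaced by certification rather than stripped on a transfer, which avoids breaking access that was granted by an approved request.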
First, it should be clarified what is meant by a "change request":
A change request is essentially a document, with several participants:
A request specifies one or more changes to the recipient's profile, which may include:
A request may be immediate -- i.e., implement as soon as possible -- or scheduled for some future date. It typically has a reason associated with it.
Validation is the automatic inspection of a request to check whether it violates any business rules. For example, requests should not trigger violations of SoD rules, should not specify invalid department or location codes, etc.
Trivial requests, such as self-service updates to a user's phone number, can be processed immediately.
Requests that originate from a trusted system or person may not require further authorization: for example, requests based on an authoritative data feed from a human resources system (the HR feed), or requests entered by a very trustworthy person such as the CFO.
All other requests should be reviewed by business stake-holders before they are fulfilled.
For requests that do require authorization, the logical question is: who should approve them? There are only a few possible choices:
It is advisable to invite multiple types of authorizers to approve any given request. Typically this means inviting the owners of every resource being added plus the manager of the request's recipient.
Some exceptions to this rule inevitably come up. In particular, executives above a certain level in the organization may not require managerial approval for their change requests and due to their position, it would be pointless to ask for resource owner approval either (it would be granted by default).
Also, a user should not be asked to approve his own change requests -- the answer will always be "yes." This means that the workflow engine should check the list of authorizers prior to sending out invitations and if the requester was identified as an authorizer, pre-approve that part of the request.
A chronological sequence for authorization must also be considered. In manual systems, authorizers are invited to review a request one after another -- authorization simulates the movement of a paper request form. In an automated workflow system, it is possible to invite all authorizers at the same time. This is attractive, as it minimizes the total time between request submission and fulfillment. So long as all the required approvals are provided, there is no security benefit to serializing reviews and approvals -- it doesn't matter if A approved a request before B, or B before A. In other words, parallel authorization is a best practice.
To ensure prompt response, it generally makes sense to ask several candidate authorizers for approval and treat a request as approved as soon as some minimum subset of them responds. This creates a race to approve, whereby the fastest approvers move a request to fulfillment at the earliest possible time. In other words, best practice is to ask a group of N resource owners to approve a request and treat it as approved once M respond positively, where M <= N.
Supporting multiple, concurrent authorizers leads to a possible situation where some authorizers approve a request, while others reject it. The simplest way to handle this possibility is to assume that any rejections that occur prior to the request being approved act as a veto and block the request entirely. Once a request has been approved, by the smallest number of authorizers that is considered acceptable, the request should be closed and all remaining authorizers notified of this fact. This best practice eliminates uncertainty as to the state of a request, while giving authorizers the right to object to one another's approvals, so long as they act in a timely manner. This approach also encourages prompt response by authorizers -- if you mean to block a request, then you must review it quickly.
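The authorization rules in this section, as an added example that is not part of the original document: requests are routed to the owners of every resource being added plus the recipient's manager, all authorizers are invited in parallel, a request is approved once M of N owners (and the manager) respond positively, any rejection before that point vetoes the request, the requester's own seat is pre-approved, and executives on an exemption list skip review entirely. The resource owner table, org chart, executive list and quorum value are constructed assumptions.

```python
"""Parallel M-of-N authorization with veto and self-approval handling.

Added example; the reference data below is constructed and the quorum is a
parameter, not a value recommended by the text."""
from dataclasses import dataclass, field

# Constructed reference data
RESOURCE_OWNERS = {"erp-gl": ["alice", "bob", "carol"], "crm": ["frank"]}
MANAGER_OF = {"dave": "erin", "erin": "grace"}
EXEC_USERS = {"grace"}   # executives exempt from managerial and owner approval


@dataclass
class Step:
    invited: set                       # authorizers still entitled to respond
    minimum: int                       # approvals needed for this step (M)
    approved: set = field(default_factory=set)

    def satisfied(self):
        return len(self.approved) >= self.minimum


@dataclass
class Request:
    requester: str
    recipient: str
    resources: list                    # resources being added
    status: str = "pending"
    steps: dict = field(default_factory=dict)
    late_responses: list = field(default_factory=list)


def route(req, owner_quorum=1):
    """Invite every resource owner group and the recipient's manager at once."""
    if req.recipient in EXEC_USERS:
        req.status = "approved"        # review would be granted by default anyway
        return req
    for res in req.resources:
        owners = set(RESOURCE_OWNERS[res])
        req.steps[f"owner:{res}"] = Step(owners, min(owner_quorum, len(owners)))
    manager = MANAGER_OF.get(req.recipient)
    if manager:
        req.steps["manager"] = Step({manager}, 1)
    # Nobody approves their own request: the requester's seat is pre-approved.
    for step in req.steps.values():
        if req.requester in step.invited:
            step.invited.discard(req.requester)
            step.approved.add(req.requester)
    _settle(req)
    return req


def _settle(req):
    if req.status == "pending" and all(s.satisfied() for s in req.steps.values()):
        req.status = "approved"


def respond(req, authorizer, decision):
    """Record one decision. A rejection before approval vetoes the request;
    once the request is closed, later responses are logged but change nothing."""
    if req.status != "pending":
        req.late_responses.append((authorizer, decision))
        return req.status
    targets = [s for s in req.steps.values() if authorizer in s.invited]
    if not targets:
        raise PermissionError(f"{authorizer} is not an authorizer for this request")
    if decision == "reject":
        req.status = "rejected"
        return req.status
    for step in targets:
        step.approved.add(authorizer)
    _settle(req)
    return req.status


def outstanding(req):
    """Invited authorizers who have not yet responded. Once the request closes,
    these are the people to notify that no further action is needed."""
    pending = set()
    for step in req.steps.values():
        pending |= step.invited - step.approved
    return sorted(pending)
```

The M-of-N quorum is also what makes the process tolerant of authorizers who never respond: as long as enough of the others act, the request does not stall. Timed reminders and escalation to an alternate approver, which the text calls for separately, would be layered on top of the `outstanding` list.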
A user provisioning system, such as that illustrated in Figure [link], is intended to reduce administration complexity. This is done through implementation of one or more of the business processes listed earlier, in the description of what user provisioning is.
The following sections describe each process, when and how to use it, and -- equally importantly -- when it will not work well.
Detect changes to identity attributes, such as phone numbers or department codes, on one system and automatically make matching changes on other systems for the same user.
Where multiple systems contain the same identity attributes and where that information is updated in a reliable and timely manner on at least one of them.
Impacts every user that has an account on at least two systems, and where at least one of those systems gets reliable and timely updates to identity attributes.
Periodically read identity attributes from all systems, find discrepancies, accept data from "more trustworthy" systems and push it out to systems that are "less trustworthy" for the same information.
Detect new users on an authoritative system (such as HR) and automatically provision those users with appropriate access on other systems and applications.
Detect deleted or deactivated users on an authoritative system and automatically deactivate those users on all other systems and applications.
Auto provisioning and automatic deactivation are effective if and only if:
If any one of these conditions cannot be met, this feature should not be used.
Where the system of record only relates to certain classes of users, automation will only be effective for those types of users. For example, where the only reliable and timely system of record is HR, auto-provisioning will work for employees but usually not for contractors, vendors, etc.
Finally, auto-provisioning can only be used at the level of granularity of the data available in the system(s) of record. Referring to the previous example, if the HR application only tracks user names, hire date and termination date, then it will not be possible to assign roles to users based on HR data.
In most organizations, the system of record is the human resources (HR) application. Also in most organizations, data in this system is applicable only to employees and is coarse-grained -- there is no information about contractors and employee data is very basic. Consequently, in such organizations, auto-provisioning should only be used to:
Setup and deactivation of contractors are usually handled separately, because contractors are not represented in the HR system.
Fine-grained entitlements are usually assigned using separate processes, because the HR feed cannot predict user needs with any accuracy.
Automation begins with a review of the data quality, timeliness, scope and granularity in each system of record.
Once the type and quality of reference data have been reviewed and accepted, the next step is to identify which data changes in the system of record are relevant and to map those changes to target systems.
Next, a data feed is configured to monitor each system of record and detect changes.
Finally, transformations are defined, mapping data from the format in which it appears (HR -- e.g., employee numbers) to the format needed on target systems (e.g., login IDs, e-mail addresses, etc.).
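The monitoring and transformation steps just described, as an added example that is not part of the original document: two constructed snapshots of an HR extract are compared to detect joiners, leavers and attribute changes, and each difference is turned into a create, deactivate or update action expressed in the target system's terms. The feed columns, the mapping from HR attributes to login ID and e-mail address, and the safety threshold on the number of leavers are all assumptions.

```python
"""Detect changes between two snapshots of an HR feed and translate them into
provisioning actions. Added example; feed layout and transformations are constructed."""
import csv
import io

# Constructed HR extracts: yesterday's and today's snapshot
YESTERDAY = """emp_no,given_name,surname,dept,status
1001,Ada,Lovelace,finance,active
1002,Alan,Turing,sales,active
1003,Grace,Hopper,it,active
1005,Linus,Torvalds,it,active
1006,Barbara,Liskov,hr,active
"""
TODAY = """emp_no,given_name,surname,dept,status
1001,Ada,Lovelace,finance,active
1002,Alan,Turing,sales,terminated
1003,Grace,Hopper,finance,active
1004,Edsger,Dijkstra,it,active
1005,Linus,Torvalds,it,active
1006,Barbara,Liskov,hr,active
"""


def parse_feed(text):
    """Key each HR row by employee number, the stable identifier on the HR side."""
    return {row["emp_no"]: row for row in csv.DictReader(io.StringIO(text))}


def login_for(row):
    # Constructed mapping from HR identity to login ID. A real deployment would
    # consult the ID registry so the result is globally unique.
    return (row["given_name"][0] + row["surname"]).lower()


def to_target(row):
    """Transform HR attributes into the record the target system expects (constructed)."""
    return {
        "login": login_for(row),
        "mail": f"{row['given_name']}.{row['surname']}@example.com".lower(),
        "department": row["dept"],
        "employee_number": row["emp_no"],
    }


def diff_feed(old, new, watched=("given_name", "surname", "dept"), max_leaver_fraction=0.25):
    """Produce create/deactivate/update actions from two snapshots.

    Refuses to act when the number of leavers is implausibly large: that usually
    means a truncated or broken extract rather than mass terminations."""
    actions = []
    for emp_no, row in new.items():
        active = row["status"] == "active"
        if emp_no not in old:
            if active:
                actions.append(("create", to_target(row)))
            continue
        # Login IDs do not change with names, so derive them from the earlier record
        login = login_for(old[emp_no])
        was_active = old[emp_no]["status"] == "active"
        if was_active and not active:
            actions.append(("deactivate", login))
        elif active:
            changed = {k: row[k] for k in watched if old[emp_no][k] != row[k]}
            if changed:
                actions.append(("update", login, changed))
    # Rows that vanished from the extract are treated as terminations too
    for emp_no in sorted(old.keys() - new.keys()):
        if old[emp_no]["status"] == "active":
            actions.append(("deactivate", login_for(old[emp_no])))
    leavers = sum(1 for a in actions if a[0] == "deactivate")
    if old and leavers / len(old) > max_leaver_fraction:
        raise RuntimeError(f"{leavers} of {len(old)} users would be deactivated; feed rejected")
    return actions
```

The leaver threshold is the kind of guard that belongs in any automatic deactivation: a partial extract looks exactly like a wave of terminations, and deactivating most of the workforce is far more expensive to undo than a delayed feed.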
HR systems sometimes include a job code or similar field to represent the user's role in an organization. This is suggestive of role-based access control (RBAC), where roles are mapped to sets of entitlements and users are provisioned with some or all of the entitlements they will need based on their role.
RBAC is an effective mechanism for large populations of users that perform the same job and consequently need consistent security entitlements. These are typically "front-line" users -- retail point of sale, bank tellers and loans officers, etc.
RBAC may not be cost effective where users have unique requirements. High-value, high-risk employees and contractors are often unique and are consequently not well served by RBAC. For example, the security needs of a company's chief financial officer (CFO) do not benefit from a role being designed for that employee, since only one user will get the role.
Enable users to update their identity attributes and to request new entitlements (e.g., access to an application or share).
Enable managers, application owners and other stake-holders to modify users and entitlements within their scope of authority.
Self-service requests and delegated administration are effective for knowledge workers, who are comfortable using a computer, and in particular a web browser, to review current information and request changes.
Self-service is not appropriate for populations of users who do not have easy access to a computer, who are not comfortable using one, or who require significant training prior to use of each new application.
Users, their peers and their managers are the most reliable sources of information about changing business needs. It makes sense to enable users to request specific entitlements, such as new roles, accounts and group memberships. It also makes sense to delegate the maintenance of identity attributes -- full name, phone number, etc. to users themselves.
While automation is frequently effective for coarse-grained management of employees, delegated administration is often the only option for other classes of users -- contractors, vendors, etc. -- for whom a system of record may not be available.
Delegated administration makes sense in organizations where managers or IT administrators working at different locations or business units have both the responsibility and expertise to manage users in their own areas.
To deploy a self-service request system and/or a delegated administration system, one must address the following design variables:
Organizations are often tempted to organize the set of requestable resources into a hierarchy. This is often undesirable because users don't know where in the hierarchy to find the resource they are interested in. It is better to offer a search mechanism rather than a "tree view."
Validate all proposed changes, regardless of their origin, and invite business stake-holders to approve them before they are applied to integrated systems and applications. Please refer to the earlier discussion of validation and authorization for more on this.
Whenever a user provisioning system may accept requests that are not automatically approved, authorization is required. This includes self-service requests for new entitlements and delegated administration requests, by managers or application/data owners.
Every change processed by a user provisioning system that neither comes from a fully trustworthy source nor is free of business risk should be authorized before it is fulfilled.
Authorization normally impacts managers, application or data owners and security officers, any or all of whom may have to review and approve or reject change requests.
To deploy an enterprise-scale authorization process, one must address the following design variables:
Each of these design considerations must be resolved before deploying the authorization system -- and in many cases before deploying the user provisioning system in general.
In a realistic, full-scale user provisioning deployment, there may be hundreds of different kinds of requests -- to create, modify or delete accounts on a variety of applications. Because of this scale, it is too expensive to define a separate authorization process for every kind of request. Who will draw hundreds of flowcharts? Who will maintain them?
Instead, it makes sense to define globally-applicable logic for routing requests to the appropriate authorizers, based on the contents of each request -- requester, recipient, resources, type of change, etc.
Authorizers are just human beings, so are unreliable actors in a process which must, in its totality, be reliable. It is essential to allow for the possibility that authorizers may not respond to invitations to approve a request -- on time or at all. In practical terms, this means:
Provide data about what users have what entitlements, what accounts are dormant or orphaned, about change history, etc. across multiple systems and applications.
Every organization that deploys a user provisioning system should take advantage of its ability to report on identity and entitlement data across systems.
Every user, identity attribute and entitlement managed by the system should be visible in reports.
There are two broad scenarios where IAM reports are helpful:
Data about users, identity attributes and entitlements should be stored in a normalized, relational database with a well documented schema. This makes it possible to develop custom reports that augment those built into the IAM system.
Both corporate governance and privacy protection depend on strong security over applications and IT infrastructure. Without such security, internal controls cannot be relied upon and regulatory compliance cannot be assured.
IT security depends heavily on an infrastructure of user authentication, access authorization and audit, commonly referred to as AAA. AAA, in turn, depends on accurate and appropriate information about users -- who are they, how are they authenticated and what can they access?
It is in managing these entitlements where organizations have problems. There are too many users, accessing too many systems and they keep moving as a result of hiring, transfer and termination business processes.
AAA infrastructure is nothing new and has been built into every multi-user application for decades. The problem is that a growing number of systems and applications, combined with high staff mobility, have made it much harder to manage the passwords and entitlements on which AAA rests.
With weak passwords, unreliable caller identification at the help desk, orphan accounts, inappropriate security entitlements and mismatched login IDs, AAA systems often wind up enforcing the wrong rules. The weakness is not in the authentication or authorization technology -- it's in the business process for managing security entitlements and credentials.
To address problems with AAA data, it is essential to implement robust processes to manage security, so that only the right users get access to the right data, at the right time.
This is accomplished with:
Role-based access control (RBAC) is an approach to managing entitlements, intended to reduce the cost of security administration, ensure that users have only appropriate entitlements and to terminate no-longer-needed entitlements reliably and promptly.
In the context of a single system or application, RBAC means granting privileges directly to roles and attaching users to roles. Users acquire privileges through role membership, rather than directly. Within a single system, roles are sometimes called security groups or user groups.
Single-system RBAC is a time tested and successful strategy, as it allows administrators to group users, group privileges and attach groups of privileges to groups of users, rather than attaching individual privileges to individual users.
Identity management and access governance systems extend RBAC beyond single applications. Roles in an IAM system are sets of entitlements that may span multiple systems and applications. The key element of roles is to replace many technical entitlements with fewer roles that business users can understand. Business users can then make a reasonable determination of which users should have which roles. This implicitly specifies which users should have which technical entitlements.
Roles consist of entitlements -- login accounts and security group memberships. Roles are often also nested -- i.e., one role can contain others. Nesting roles can reduce the cost of role administration.
Using roles, it is possible to:
A best practice is to leverage RBAC for:
RBAC can technically be used to manage the entitlements assigned to every user, but it is not normally cost effective to define a new role for every user with unique requirements.
Segregation of duties (SoD) policies allow organizations to define toxic combinations of entitlements, which no one user should possess. The most common business driver for these policies is fraud prevention -- i.e., ensuring that fraud cannot be committed without collusion by at least two users.
An effective SoD engine has several components:
There are inevitably situations where an SoD policy should, legitimately, be violated. It should be possible to define approved exceptions to SoD rules.
Change requests that pass through an IAM system should be subject to SoD policy checking. Changes that would trigger an SoD violation should be blocked at source.
Many users and entitlements will exist before the IAM system is deployed or before a given SoD policy is defined. Moreover, system administrators may assign entitlements to users outside the IAM system. These scenarios mean that not all SoD violations can be prevented -- some have to be detected after the fact and remediated manually.
An effective SoD engine should detect violations even if the policy is stated in terms of roles but the violation is in terms of lower-level entitlements -- or vice-versa.
Consider the following variations, where R1 is a role that consists of entitlements Ea and Eb and R2 is a role that consists of entitlements Ec and Ed:
| Policy | Why this is a violation |
|---|---|
| R1 and R2 are mutually exclusive. | User would effectively get R2. |
| Eb and Ec are mutually exclusive. | User has Eb from R1, would get Ec from R2. |
| Eb and Ec are mutually exclusive. | User has Eb directly, would get Ec from R2. |
| Eb and Ec are mutually exclusive. | User has Eb directly, would get Ec. |
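An SoD engine covering the variations in the table above, as an added example that is not part of the original document: roles are expanded (including nested roles) to their leaf entitlements before a policy is evaluated, so a policy stated in terms of roles catches a request for the underlying entitlements and vice versa. It supports both the preventive check on a change request and the detective scan over existing assignments, and honours approved exceptions. The roles R1 and R2 and entitlements Ea..Ed come from the text; the exception list and sample users are constructed.

```python
"""Segregation-of-duties check that works across role and entitlement levels.

Added example; R1, R2 and Ea..Ed follow the text, the exception list and
sample assignments are constructed."""

ROLES = {"R1": {"Ea", "Eb"}, "R2": {"Ec", "Ed"}}

# Each policy is a mutually exclusive pair; either side may be a role or an entitlement
POLICIES = [("R1", "R2"), ("Eb", "Ec")]

# Approved exceptions: (user, policy) pairs that may legitimately coexist
EXCEPTIONS = {("auditor1", ("Eb", "Ec"))}


def expand(items):
    """Flatten roles, including nested roles, into the set of leaf entitlements."""
    leaves, seen, stack = set(), set(), list(items)
    while stack:
        item = stack.pop()
        if item in ROLES:
            if item not in seen:          # guard against nested-role cycles
                seen.add(item)
                stack.extend(ROLES[item])
        else:
            leaves.add(item)
    return leaves


def violations(user, holdings, requested=()):
    """Policies the user would violate if `requested` were granted on top of `holdings`.

    A side of a policy counts as held when every leaf entitlement it expands to
    is effectively held, so "has Ec and Ed directly" matches a policy naming R2."""
    effective = expand(set(holdings) | set(requested))
    found = []
    for a, b in POLICIES:
        if (user, (a, b)) in EXCEPTIONS:
            continue
        if expand({a}) <= effective and expand({b}) <= effective:
            found.append((a, b))
    return found


def check_request(user, holdings, requested):
    """Preventive control: block a change request at source if it would violate SoD."""
    found = violations(user, holdings, requested)
    return ("blocked", found) if found else ("ok", [])


def scan(assignments):
    """Detective control over entitlements that already exist, including those
    granted outside the IAM system; returns only users with violations."""
    report = {}
    for user, holdings in assignments.items():
        found = violations(user, holdings)
        if found:
            report[user] = found
    return report
```

Expanding both the policy sides and the user's holdings to leaf entitlements is what lets one rule cover all four rows of the table; writing separate rules per level would leave gaps whenever a role definition changes.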
Some best practices for SoD enforcement are:
Regulatory compliance requirements and security policies increasingly demand that organizations maintain effective controls over who has access to sensitive corporate information and personal data about employees and customers:
Meeting these requirements can be challenging as users often have unique and changing business responsibilities, thus making their entitlements difficult to model using formal roles and rules.
The difficulty in modeling complex, heterogeneous entitlements is compounded by the fact that although users accumulate entitlements over time, they rarely ask IT to terminate old, unneeded rights. Moreover, it is difficult to predict when, after a change in responsibilities, a user will no longer function as a backup resource for his old job and so old entitlements can be safely deactivated.
These challenges together mean that it is difficult to model all of the entitlements that users need across multiple systems and applications at a single point in time and likely impossible to model those needs for thousands of users, over multiple systems, over an extended period of time.
Access certification is a process where business stake-holders are periodically invited to review entitlements, sign-off on entitlements that appear to be reasonable and flag questionable entitlements for possible removal.
There are several components to access certification:
Before entitlements can be reviewed, they have to be collected from systems and applications and mapped to users. Technical identifiers should be replaced by human-legible descriptions that reviewers will understand. Since entitlements change all the time, discovery should be a regularly scheduled, automated process, not a one-time data load.
Options include managers, who are asked to review their subordinates; application or data owners, who are asked to review the lists of users who can access their applications or data; and security officers, who are asked to review high-risk entitlements.
The frequency may vary with the business risk posed by the entitlements in question.
The highest level review is of employment status -- should the user in question still have access to any systems? Slightly more granular is a review of roles -- should the user in question still have these roles? At the lowest level of granularity are basic entitlements -- should the user in question have a login ID on this system or belong to this security group?
Not every entitlement poses a significant business risk. User membership in the social committee mailing list is not really worth reviewing, for example. Some determination must be made of the risk level posed by each entitlement, as this forms the basis for deciding whether to review it and how often.
Reviewers may flag entitlements as inappropriate, in which case something should be done. Does this raise a work order in an IT issue management system or trigger a connector to revoke the entitlement immediately? Should further reviews take place before the entitlement is removed?
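The discovery, reviewer selection, granularity and risk-classification components above, as an added example that is not part of the original document: entitlements discovered on target systems are mapped to human-legible descriptions through a catalogue, each catalogue entry carries a risk tier that sets its review interval (or marks it as not worth reviewing), and a campaign is built containing only the entitlements that are due, grouped by either the owning reviewer or the user's manager. Uncatalogued technical IDs are surfaced for classification rather than silently dropped. The catalogue, tiers, intervals, org chart and sample assignments are all constructed.

```python
"""Build a risk-driven access certification campaign. Added example; the
catalogue, review intervals, org chart and sample data are constructed."""
from datetime import date, timedelta

# Constructed entitlement catalogue: technical ID -> (description, owner, risk tier)
CATALOG = {
    "grp-erp-gl-post": ("Post journal entries in the ERP general ledger", "alice", "high"),
    "grp-crm-readonly": ("Read customer records in the CRM", "frank", "medium"),
    "list-social": ("Social committee mailing list", "hr-team", "none"),
    "grp-vpn": ("Remote access VPN", "netops", "medium"),
}
# Review interval per risk tier; tiers absent from this table are never reviewed
REVIEW_INTERVAL = {"high": timedelta(days=90), "medium": timedelta(days=365)}
MANAGER_OF = {"dave": "erin", "erin": "grace"}


def due_items(assignments, last_certified, today, reviewer_kind="owner"):
    """Select entitlements due for review and group them by reviewer.

    assignments: user -> set of technical entitlement IDs discovered on target systems
    last_certified: (user, entitlement) -> date of the last sign-off, absent if never
    reviewer_kind: "owner" routes to the data/application owner, "manager" to the
    user's manager."""
    campaign = {}
    for user, ents in assignments.items():
        for ent in sorted(ents):
            if ent not in CATALOG:
                # Unknown technical ID: surface it for classification rather than drop it
                campaign.setdefault("unclassified", []).append((user, ent, "UNCATALOGUED"))
                continue
            desc, owner, tier = CATALOG[ent]
            interval = REVIEW_INTERVAL.get(tier)
            if interval is None:
                continue                     # not worth reviewing at this tier
            last = last_certified.get((user, ent))
            if last is not None and today - last < interval:
                continue                     # certified recently enough
            if reviewer_kind == "owner":
                reviewer = owner
            else:
                reviewer = MANAGER_OF.get(user, "unassigned-manager")
            campaign.setdefault(reviewer, []).append((user, ent, desc))
    return campaign


def record_decisions(decisions, today):
    """Turn reviewer decisions into follow-up actions and fresh certification dates.

    decisions: list of (user, entitlement, "keep"|"remove"). Removals are emitted as
    revocation tasks; keeps update the certification date used by the next campaign."""
    revocations, certified = [], {}
    for user, ent, verdict in decisions:
        if verdict == "remove":
            revocations.append((user, ent))
        else:
            certified[(user, ent)] = today
    return revocations, certified
```

Keeping the risk tier on the catalogue entry rather than on each assignment means a single reclassification (say, moving a group to "high") tightens the review schedule for every user who holds it.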
Some best practices for access certification are:
Medium to large organizations typically have thousands of users who need access to hundreds of applications.
Even if integrating a user provisioning system with an application is very fast and inexpensive -- say 1 day of effort, including integration, testing, ID mapping, etc. -- it would still take hundreds of person-days of effort to integrate every application. Waiting for these integrations to be completed before rolling out the user provisioning system would unacceptably increase the cost of the system and the delay before it starts to produce value.
In most organizations, the mix of systems and applications includes a few widely-used systems and hundreds of smaller applications, which have relatively few users:
To maximize the value of a user provisioning system and to minimize delay between acquisition and production use of the system, it makes sense to:
This approach creates a "one stop shopping" experience for requesters and authorizers and supports uniform audit processes, SoD policy enforcement and access certification, regardless of the integration status of any given application.
Taking things one step further, it makes sense to implement limited integrations with as many applications as possible, as early as possible. In practical terms, this means that the user provisioning system should be configured to list accounts on each application automatically, so that it has up-to-date data about what users already have access to each application. This is essential if SoD and access certification processes are to have any meaning -- otherwise, what is being certified?
An open question is where should the workflow processes that invite system administrators to make changes reside? One option is to place these workflow processes on an existing IT infrastructure management platform, such as BMC Remedy or HP Service Manager. Another approach is to track requests for action, acknowledgement of tasks and indication of completion right in the user provisioning system.
Either approach can work, but in any case the process should support:
User provisioning systems create value by lowering IT support costs, improving user service and strengthening network security. They do this by:
By taking advantage of best practices presented in this document, organizations will be able to minimize the cost of deploying a user provisioning system while maximizing its value.