Automated User Provisioning
Automated user provisioning is one of multiple scenarios included in a more general automated administration system.
Automated user management works by monitoring one or more systems of record and waiting for changes to user profile data. Detected changes are then:
- Filtered, so that only changes within the scope of the system remain.
- Transformed, from the data format of the system of record, to the data format of the identity management and access governance system and of the target systems.
- Forwarded, from the identity management and access governance system to target systems.
Some examples of auto-provisioning/auto-deactivation are:
- Payroll staff create a record for a new hire in the HR application. The user provisioning system detects this event, notes that it is in scope and reformats the event into workflow requests to create a Windows/AD account, an Exchange mailbox and a mainframe login ID.
- HR staff set a termination date for an employee in the HR application. The user provisioning system detects this and sets the same date in the user's IAM profile. A batch process runs nightly and automatically submits "deactivate all accounts" workflow requests for every user whose termination date has passed.
- A rogue administrator adds his accomplice's login account to the Domain Admins AD group. The user provisioning system detects this new group membership, removes the user from the group and sends an SMS message describing what it detected to a security officer.
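The three scenarios above can be traced through a small filter/transform/forward pipeline. This is an added example, not code from Hitachi ID Identity Manager; the event fields, policy sets, request names and sample users are all hypothetical and constructed for illustration, and "has passed" is assumed to mean strictly before today.

```python
from datetime import date

# Hypothetical policy values, constructed for this example.
IN_SCOPE_TYPES = {"employee", "contractor"}
PROTECTED_GROUPS = {"Domain Admins"}
APPROVED_MEMBERS = {("Domain Admins", "alice")}
TARGETS = ("AD", "Exchange", "mainframe")

def process_event(event, profiles):
    """Filter, transform and forward one change; returns workflow requests."""
    kind, user = event["kind"], event["user"]
    if kind == "hire":
        if event["type"] not in IN_SCOPE_TYPES:      # filter: out of scope
            return []
        profiles[user] = {"active": True, "termination_date": None}
        return [{"op": "create", "target": t, "user": user} for t in TARGETS]
    if kind == "termination_date":
        if user not in profiles:                      # filter: unmanaged user
            return []
        profiles[user]["termination_date"] = event["date"]
        return []                                     # nightly batch acts later
    if kind == "group_add" and event["group"] in PROTECTED_GROUPS:
        if (event["group"], user) not in APPROVED_MEMBERS:
            text = f"{event['actor']} added {user} to {event['group']}"
            return [{"op": "remove_member", "target": "AD", "user": user,
                     "group": event["group"]},
                    {"op": "sms", "to": "security_officer", "text": text}]
    return []

def nightly_batch(profiles, today):
    """Deactivate every active user whose termination date has passed."""
    requests = []
    for user, p in sorted(profiles.items()):
        end = p["termination_date"]
        if p["active"] and end is not None and end < today:
            p["active"] = False                       # do not resubmit tomorrow
            requests.append({"op": "deactivate_all", "user": user})
    return requests

# Constructed sample events, as a system-of-record monitor might emit them.
SAMPLE_EVENTS = [
    {"kind": "hire", "user": "bob", "type": "employee"},
    {"kind": "hire", "user": "vendor7", "type": "vendor"},
    {"kind": "termination_date", "user": "bob", "date": date(2024, 3, 1)},
    {"kind": "group_add", "user": "mallory", "group": "Domain Admins", "actor": "eve"},
]

def run_sample(today=date(2024, 3, 2)):
    profiles = {}
    requests = [r for e in SAMPLE_EVENTS for r in process_event(e, profiles)]
    return requests + nightly_batch(profiles, today)
```

The out-of-scope vendor hire produces no requests, and the termination date only triggers deactivation once the nightly batch runs on a later day.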
Automatic Propagation of Changes in User Profile Data
Hitachi ID Identity Manager monitors one or more systems of record, such as HR or a corporate directory, for changes. Events such as hires, moves and terminations are transformed into administrative updates, such as creating new accounts, changing identity attributes or disabling existing accounts, and applied to target systems.
Automatic change propagation leverages existing business processes (in HR or payroll, for example) to automate predictable systems administration tasks. Automated administration eliminates unnecessary manual work, makes new users productive sooner and ensures that access deactivation is both timely and reliable.