User Provisioning Tool
A user provisioning system is shared IT infrastructure which is used
to pull the management of users, identity attributes and
security entitlements out of individual systems and applications,
into a shared infrastructure.
User provisioning is intended to make the creation, management and
deactivation of login IDs, home directories, mail folders, security
entitlements and related items faster, cheaper and more reliable.
This is done by automating and codifying business processes such
as onboarding and termination and connecting these processes to
User provisioning systems work by automating one or more processes:
Detect new user records on a system of record (such as HR) and
automatically provision those users with appropriate access on
other systems and applications.
Detect deleted or deactivated users on an authoritative system and
automatically deactivate those users on all other systems
- Identity synchronization:
Detect changes to personal data, such as phone numbers or department
codes, on one system and automatically make matching changes on other
systems for the same user.
- Self-service requests:
Enable users to update their own profiles (e.g., new home phone
number) and to request new entitlements (e.g., access to an
application or share).
- Delegated administration:
Enable managers, application owners and other stake-holders to
modify users and entitlements within their scope of authority.
- Access certification:
Periodically invite managers and application owners to review
lists of users and security entitlements within their scope of
authority, flagging inappropriate entries for further review
- Authorization workflow:
Validate all proposed changes, regardless of their origin and
invite business stake-holders to approve them before they are applied
to integrated systems and applications.
- Consolidated reporting:
Provide data about what users have what entitlements, what accounts
are dormant or orphaned, change history, etc. across multiple
systems and applications.
As well, a user provisioning system must be able to connect
these processes to systems and applications, using connectors
- List existing accounts and groups.
- Create new and delete existing accounts.
- Read and write identity attributes associated with a user object.
- Read and set flags, such as "account enabled/disabled,"
"account locked," and "intruder lockout."
- Change the login ID of an existing account
- Read a user's group memberships.
- Read a list of a group's member users.
- Add an account to or remove an account from a group.
- Create, delete and set the attributes of a group.
- Move a user between directory organizational units (OUs).
Return to Identity Management Concepts