Automated user provisioning is one of several scenarios covered by a more general automated administration system.

Automated user management works by monitoring one or more systems of record and waiting for changes to user profile data. Detected changes are then:

  1. Filtered, so that only changes within the scope of the system remain.
  2. Transformed, from the data format of the system of record to the data format of the identity and access management (IAM) system and of the target systems.
  3. Forwarded, from the IAM system to target systems.

Some examples of auto-provisioning/auto-deactivation are:

  1. Payroll staff create a record for a new hire in the HR application. The IAM system detects this change and submits a matching access request for a directory account, home directory, mail folder, application logins, etc.

  2. A termination date is set for an employee in an HR system. The IAM system detects this and sets the same date in the user's IAM profile. A batch process later detects that this date has lapsed and submits a deactivation request for the same user.

  3. A rogue administrator adds his accomplice's login account to the Domain Administrators security group. The IAM system detects this changed group membership, reverses it and sends an alert as a text message to a security officer.
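
The filter, transform and forward steps and the three scenarios above, as an added Python sketch. It is not code from this page or from any product; the record fields, the request format, the scope rule and the approved-administrator list are all assumptions.

```python
from datetime import date

# Constructed sample data. Field names, the scope rule and the approved-admin
# list are assumptions for illustration, not any product's schema.
IN_SCOPE_TYPES = {"employee", "contractor"}
APPROVED_ADMINS = {"alice"}
OLD_HR = {"E1": {"first": "Bob", "last": "Ng", "type": "employee"}}
NEW_HR = {
    "E1": {"first": "Bob", "last": "Ng", "type": "employee",
           "termination_date": date(2024, 1, 31)},   # termination date set
    "E2": {"first": "Carol", "last": "Diaz", "type": "employee"},  # new hire
    "E3": {"first": "Vic", "last": "Roe", "type": "vendor"},       # out of scope
}

def transform(emp_id, rec, known_ids):
    """Step 2: map an HR record to an IAM request (hypothetical format)."""
    login = (rec["first"][0] + rec["last"]).lower()
    if emp_id not in known_ids:
        return {"op": "provision", "login": login, "resources":
                ["directory_account", "home_directory", "mail_folder"]}
    return {"op": "update_profile", "login": login,
            "termination_date": rec.get("termination_date")}

def run_cycle(old_hr, new_hr, known_ids):
    """Detect changed records, filter to scope (step 1), transform (step 2),
    and return the requests to forward to target systems (step 3)."""
    return [transform(e, r, known_ids) for e, r in new_hr.items()
            if old_hr.get(e) != r and r.get("type") in IN_SCOPE_TYPES]

def lapsed_terminations(profiles, today):
    """Batch job: deactivation requests for active users whose date has passed."""
    return [{"op": "deactivate", "login": login}
            for login, p in sorted(profiles.items())
            if p.get("active", True) and p.get("termination_date")
            and p["termination_date"] < today]

def reconcile_admin_group(observed_members):
    """Reverse unapproved Domain Administrators additions and alert on each."""
    requests = []
    for login in sorted(set(observed_members) - APPROVED_ADMINS):
        requests.append({"op": "remove_from_group", "login": login,
                         "group": "Domain Administrators"})
        requests.append({"op": "alert", "channel": "sms",
                         "to": "security_officer", "subject": login})
    return requests

if __name__ == "__main__":
    requests = run_cycle(OLD_HR, NEW_HR, known_ids={"E1"})
    print(*requests, *reconcile_admin_group(["alice", "mallory"]), sep="\n")
```

The group check compares observed membership against an approved list rather than against the previous snapshot, so an unapproved member is reversed on every cycle until it is gone.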

Automatic Propagation of Changes in User Profile Data

Hitachi ID Identity Manager monitors one or more systems of record, such as HR or a corporate directory, for changes. Events such as hires, moves and terminations are transformed into administrative updates, such as creating new accounts and groups, changing identity attributes or disabling existing accounts, and are applied to target systems.

Automatic change propagation leverages existing business processes (in HR or payroll, for example) to automate predictable systems administration tasks. Automated administration eliminates unnecessary manual work, shortens the time before new users become productive and ensures that access deactivation is both timely and reliable.
