User Provisioning and Deprovisioning in IT

Understanding provisioning IT and deprovisioning are crucial first steps.

by Erin Geiger, Director of Content at Lumos

Congrats, you’re a team admin for SaaS apps! But you’re not an IT person… what do you do now? Understanding provisioning IT and deprovisioning are crucial first steps. But are you wondering,” what is user provisioning?” Read this article to learn more about account provisioning and deprovisioning. We will discuss the user provisioning meaning, user provisioning best practices, and why it’s so important to correctly provision and deprovision your employees’ app accounts and access.

What Does User Provisioning Mean?

User account provisioning is an important part of identity management. User provisioning includes creating accounts and giving proper permissions to employees when they are hired, switch roles, are promoted, etc. Provisioning is also important when an outside individual or organization such as a contractor or partner needs access to an app account or confidential material.

Deprovisioning, on the other hand, is the identity management process of correctly disabling this access and deleting accounts when an employee leaves a company or changes roles. Again, deprovisioning also applies when another individual or organization no longer needs access to an app account or confidential material. In the simplest terms, the user provisioning definition is creating, modifying, disabling, and deleting accounts and access across the apps a business uses.

Through an employee’s lifecycle at a company, the user provisioning and deprovisioning sequence might look like this:

• An employee is hired, and they need access to a variety of apps and data sets.

• A set of new accounts are created to give the new employee access to the apps they need in order to successfully do their job.

• The permission levels in these accounts are set specifically for the individual who will be using them according to how much access they need in order to do their job.

• After some time working for the company and performing well, the employee is promoted which means they need increased access levels and a few new app accounts.

• New accounts are created for the employee in accordance with which new apps they need access to.

• The permission levels for all of their accounts are reevaluated and updated to correctly fit what information they need access to in order to do their job.

• Someday (hopefully a day very far away), the employee decides to move on to a new opportunity at a different company and leaves their position.

• The accounts are revoked, disabled, and deleted so they are no longer accessible by the previous employee.

Without a solid user provisioning and deprovisioning process, there are multiple steps in this sequence where sensitive information could slip through the cracks. And not only is security at risk, but so is the company’s app budget. When an account is forgotten about or access is overprovisioned (when an employee is given more access or accounts than needed), companies are typically paying for accounts they aren’t using. Errors typically pop up during the initial hiring phase, when re-provisioning throughout the employee’s lifecycle, and when they ultimately leave the company.

Without a solid user provisioning and deprovisioning process, there are multiple steps in this sequence where sensitive information could slip through the cracks. And not only is security at risk, but so is the company’s app budget.

SSO, SAML, and SCIM User Provisioning

Like many other areas of IT security, there are a variety of three and four letter initialisms and acronyms in the world of user provisioning. Here are some quick definitions for SSO user provisioning, SAML user provisioning, and SCIM:

SSO User Provisioning: Single Sign-on (SSO) is a provisioning practice that allows employees to sign into all of their accounts using a single username or email address and password. In today’s world, where most employees are accessing multiple apps per day, it’s extremely difficult for them to safely remember and manage multiple passwords. It’s particularly difficult for employees to remember and manage these passwords if they are unique and random enough to be safe to use in the first place. SSO makes it easier for employees to access the information and apps they need while simultaneously keeping the company safe from the security threats that may come from leaked, repetitive, or easy-to-remember passwords.

SAML User Provisioning: Security Assertion Markup Language (SAML) is a provisioning protocol that allows SSO to work correctly. SAML securely connects the identity provider (the single sign-on tool being used by the company) and the service provider (the application or website the employee is trying to sign in to) through the use of Extensible Markup Language (XML) certificates. SAML makes it easy for companies and IT team members to control exactly which apps and websites an employee has access to.

SCIM: System for Cross-domain Identity Management (SCIM) simplifies the provisioning and deprovisioning process by allowing companies and IT team members to provision and deprovision accounts and manage identities over the cloud. SCIM allows companies to save money by making it easy to close unused accounts, reduce risk thanks to stopping accounts from going unused, and streamline workflows for IT teams. Without SCIM, provisioning and deprovisioning requires a lot of time and effort to track down every account created for every app.

User Provisioning Best Practices

Having an intentional, well-managed user provisioning process is essential for avoiding these financial and safety risks. It will also allow your employees to get to work faster as they have the accounts and access they need in order to do their jobs well from the very beginning. Here are some user access provisioning best practices for you to keep in mind while developing your provisioning and deprovisioning process:

Onboarding: Simply deciding who should get access to which apps and information during the onboarding process is half the battle! Laying out exactly which job titles have access to which apps and data sets before the hire is even made will help you solve this problem before it starts. Once this decision is made and an employee is hired, submitting a user provisioning request should be much easier. Having another person, possibly a manager or IT team member, give approval to the access is a great way to make sure the process stays on track with your company’s user account provisioning procedures.

Here is a sample user provisioning request form to send to your manager or IT team when a new employee is hired or a current employee moves positions and needs new access:

REQUESTING FOR:
JOB TITLE:
EMAIL:
MANAGER:
REQUESTED APP:
REQUESTED PERMISSION LEVEL:
BUSINESS JUSTIFICATION:
DATE:

In reality, overprovisioning is an excellent way to overpay on app accounts, leave unused accounts ripe for security threats, and give classified information to employees who are not classified to see it.

One important thing to keep in mind during the onboarding stage of the provisioning process is the danger of over provisioning. Overprovisioning is when an employee receives access to more apps or greater permissions than they actually need to successfully do their job. Oftentimes, a company might do this because it feels easier, or because they want everyone to have access to everything “just in case.” In reality, overprovisioning is an excellent way to overpay on app accounts, leave unused accounts ripe for security threats, and give classified information to employees who are not classified to see it. Overprovisioning should be warned against in your company’s user provisioning policy.

Automation and Communication

Automating the provisioning and deprovisioning process takes the weight off of your shoulders, giving you more time to do your work, and lowers the possibility for human error. In this same vein, communicating clearly with the individual or team who grants account access is an important part of eliminating human error and confusion while provisioning and deprovisioning accounts. Try creating a user provisioning Slack channel that is used only for communication regarding the provisioning and deprovisioning process.

Invite your IT team and anyone else involved in provisioning and deprovisioning to this channel. Then, you can use this Slack user provisioning channel to directly communicate about what access you’re requesting and even automate some of the process.

Document Everything

As companies grow and account provisioning and deprovisioning is happening nearly every day for many organizations, it can be difficult to keep track of who has access to what apps and what levels of permissions they have. Tracking approvals for SOX or SOC2 relevant apps is also crucial. Not only does your IT team need detailed documentation for security compliance audits, poorly documented user management can lead to company-wide headaches when it comes time to change a user’s access level or dissolve accounts.

Including documentation instructions in your company’s user access provisioning policy is a great way to be sure this information is correctly and thoroughly tracked.

Position Changes

As mentioned throughout this article, internal job changes impact account provisioning and user permissions grately. When an employee moves roles horizontally or is promoted to a new position, there is a very high chance that their app account and permission needs will change. In order to stay on top of these minute, yet frequent changes, create a schedule for reviewing who has access to the apps you are the admin of and stick to it. While you’re creating this schedule, check in with your IT team, because they are likely to have policies you can follow and adopt regarding account provisioning.

Offboarding

When it comes time for an employee to leave your company for a new opportunity, it’s easy to forget that you need to do more than just get their company computer back and post their now-open position. This is when the deprovisioning part of your process begins. Having a strict offboarding procedure that includes deprovisioning will help you make sure that all accounts are being closed and all access is revoked before anything bad can happen.

Along with understanding these user provisioning and deprovisioning best practices, it might be helpful to look into tools that can help you safely accomplish each step of the user provisioning process. The user provisioning Salesforce use case is an example of potential high risk. IT typically needs help with Salesforce user provisioning as sales teams tend to have higher turnover…which causes high volume in provisioning work through an increased number of ITSM tickets.

Asking IT for Help

Ultimately, a poorly managed (or non-existent) provisioning and deprovisioning process can cost companies money and time and open up holes that allow major IT security threats to quietly sneak in. Because of this, we recommend that your company follows a specific user provisioning plan that is managed by a centralized team, likely the IT team, who is trained to successfully complete the process every time an employee is hired, changes positions, or leaves the company.

Asking your IT team for their provisioning process, tips, and tricks is a great way to make sure you’re doing everything you can to keep your company safe. Trust us, your IT team will thank you when you call them for help before you run into provisioning issues, instead of when you realize your team’s account provisioning and deprovisioning has gotten out of hand.

In fact, like we briefly mentioned above, your IT team is required to report user access and identity management statistics as part of your company’s SOC2 compliance. Help your IT buddies and fellow colleagues out by following user account provisioning guidelines and staying on top of provisioning and deprovisioning documentation. Better yet, check into tools that can help you manage and automate this process. Chances are, your IT team might have a tool like this they can share with you, and, bonus, it will help get you out of the admin game and back to doing what you do best!