User provisioning and deprovisioning involves the process of creating, updating and deleting user accounts in multiple applications and systems. This access management practice can sometimes include associated information, such as user entitlements, group memberships and even the groups themselves. Many organizations have moved to automated user provisioning, which is the systematic creation and management of user data relative to users’ ability to access resources, such as applications, that are available in one or more systems. Accessible systems can be on-premises, cloud-based, or a hybrid of the two.
Automated user provisioning is one of the main features of many identity and access management (IAM) solutions. Provisioning comes into play when an employee joins an organization, moves to a different department or division, or exits the company. This is known as the joiner/mover/leaver (JML) process. By integrating an IAM solution directly with HR and personnel systems, you connect the process of creating, updating and deleting user accounts with HR actions. Actions that change HR data, such as those related to employee onboarding and offboarding, can automatically change the permissions for accessing systems and applications tied to the corresponding employee accounts.
User provisioning and deprovisioning provide the following key benefits:
In a basic automated provisioning workflow, you add users to apps based on specific user roles. Whenever a user is assigned a role, that user is automatically created in the associated apps and granted access permissions. In the diagram below, once a new user is provisioned, that user is added to the Sales role and is therefore granted access to the apps associated with that role. In this example, the provisioned user can access Salesforce, Office 365, and G Suite.
When it's time to deprovision former employees from apps, you want a solution that lets you simply change the user’s status, so that the user's accounts in all apps will be deleted or suspended, depending on the configuration preferences that you set. Expanding on our example in the diagram, after deprovisioning the user, the apps associated with the employee’s role would no longer be accessible by the user.
The risk of costly security breaches for companies that fail to provision and deprovision properly or quickly is huge: the average cost of a data breach is $148 per record and $7.91 million per breach in the U.S. Breached companies often underperform the market for years following a major breach, and 60% of small businesses fold within six months of a successful attack.
Automated user provisioning helps keep your company secure by ensuring employees have access only to the apps they need. Automated user deprovisioning helps keep your company secure by ensuring that whenever an employee leaves, their access is automatically removed for all connected applications. In addition, all existing user sessions are removed to reduce security risk.
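As an added example (not code from the original page or any particular IAM product), the following Python model implements the role-based workflow described above: a user's desired app access is the union of the apps granted by their roles, and a reconciler diffs that against the accounts they currently hold to produce create, delete, suspend and session-revocation actions for the joiner, mover and leaver cases. The Sales role and its three apps follow the page's example; the Engineering role, the per-app delete/suspend preference and the session counter are assumptions.

```python
from dataclasses import dataclass, field

# Role -> apps mapping. Sales follows the page's example; Engineering is constructed.
ROLE_APPS = {
    "Sales": {"Salesforce", "Office 365", "G Suite"},
    "Engineering": {"Office 365", "G Suite"},
}
# Assumed per-app configuration preference for leavers: delete or suspend the account.
LEAVER_ACTION = {"Salesforce": "suspend", "Office 365": "delete", "G Suite": "suspend"}


@dataclass
class User:
    uid: str
    status: str = "active"                        # "active" or "deprovisioned"
    roles: set = field(default_factory=set)
    accounts: dict = field(default_factory=dict)  # app -> "active" | "suspended"
    sessions: int = 0                             # live SSO sessions (constructed)


def desired_apps(user: User) -> set:
    """Apps the user should hold: union of their roles' apps, none once deprovisioned."""
    if user.status != "active":
        return set()
    return set().union(*(ROLE_APPS.get(r, set()) for r in user.roles))


def reconcile(user: User) -> list:
    """Diff desired access against current accounts and apply the resulting actions.

    Returns the ordered list of (action, target) pairs so an audit log can record them.
    """
    actions = []
    want = desired_apps(user)
    have = {app for app, state in user.accounts.items() if state == "active"}
    for app in sorted(want - have):                 # joiner, or mover gaining a role
        action = "reactivate" if user.accounts.get(app) == "suspended" else "create"
        user.accounts[app] = "active"
        actions.append((action, app))
    for app in sorted(have - want):                 # mover losing a role, or leaver
        if user.status == "active":
            action = "delete"                       # no remaining role grants the app
        else:
            action = LEAVER_ACTION.get(app, "suspend")  # default to the reversible option
        if action == "delete":
            del user.accounts[app]
        else:
            user.accounts[app] = "suspended"
        actions.append((action, app))
    if user.status != "active" and user.sessions:   # leavers also lose live sessions
        actions.append(("revoke_sessions", f"{user.sessions} sessions"))
        user.sessions = 0
    return actions
```

Running `reconcile` after every HR event (role change or status change) keeps app accounts in step with the JML process without manual ticketing.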