
User provisioning: right access to the right people

Provisioning's efficacy is not limited to employees; it can be used to manage access to business systems for contractors, partners and customers

Security Identity Management Alert Network World
February 02, 2010 11:18 AM ET

The foundation for security and enterprise management


Last issue we touched on a new definition for identity. Today I'd like to present the definitive view of the first, both historically and in the context of adding identity and access management (IAM) to your organization. User provisioning has been called the "killer app" for identity management. It started us down the road to IdM over a dozen years ago. In fact, we almost take it for granted today. But what does it involve, what does it imply, and why does it matter?

Ian Glazer and Kevin Kampman of the Burton Group (now part of Gartner) issued a paper just before Christmas called "Roles and User Provisioning", which unfortunately is behind a paywall. But if you're a Burton (or, presumably, a Gartner) client you should have access to it. I don't want to get into roles just now (we'll eventually get back to that subject, though, as we continue to review the fundamentals). But Glazer and Kampman present provisioning in a succinct, yet complete, definition that goes like this:

"Ensuring that the right people get access to the right business resources at the right time, provisioning is the enterprise plumbing that promotes productivity and reduces enterprise risk.

Provisioning primarily occurs at three critical points in an employee's relationship with the enterprise: when the employee joins, changes jobs within, and leaves the enterprise. In the first of these, known as onboarding, provisioning sets up employees with access to business systems that have capabilities appropriate to each employee's job function. It is imperative that an employee starts on Day One with all of the business resources needed to be productive. Delays in receiving access mean lost productivity. When an employee transfers from one role to another within the enterprise, provisioning removes access to business systems that is no longer needed -- thus reducing the risk that the employee will be able to use that access inappropriately -- while doling out new access the employee needs to be productive. Finally, when an employee leaves the enterprise, provisioning removes all access, thus reducing the risk that the employee can access business systems after separating from the enterprise.

Provisioning's efficacy is not limited to just employees; it can be used to provide and manage access to business systems for contractors, partners and even customers. A well-run provisioning process takes the manual effort and guesswork out of granting the right access to the right people."

And, really, that's it in a nutshell: granting the right access to the right people. Make sure your processes have all three parts: on-boarding, transforming (or moving) and de-provisioning. From a security standpoint, the latter two are more important than the first.
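
An added example, not from the original column or the Burton Group paper: a reconciliation check covering the three provisioning points, comparing the access each identity actually holds against what its HR status and role call for. The role names, entitlement strings and users are constructed, and the account with no HR record is a case added beyond the three the text names.

```python
# Constructed sample data: roles, entitlements and users are hypothetical.
ROLE_ENTITLEMENTS = {
    "accounts-payable": {"erp:invoice-entry", "erp:vendor-read"},
    "procurement": {"erp:po-create", "erp:vendor-read"},
}

# HR system of record: current status and role for each identity.
HR_RECORDS = {
    "alice": {"status": "active", "role": "procurement"},       # moved from accounts-payable
    "bob": {"status": "terminated", "role": None},              # left the enterprise
    "carol": {"status": "active", "role": "accounts-payable"},  # joined, not yet provisioned
}

# Entitlements actually present in the business systems.
ACTUAL_ACCESS = {
    "alice": {"erp:invoice-entry", "erp:vendor-read", "erp:po-create"},
    "bob": {"erp:vendor-read"},
    "carol": set(),
    "dave": {"erp:po-create"},  # account exists but has no HR record
}


def reconcile(hr, actual, role_map):
    """Return {user: {"grant", "revoke", "reason"}} for every access mismatch."""
    findings = {}
    for user in sorted(set(hr) | set(actual)):
        record = hr.get(user)
        held = actual.get(user, set())
        if record is None:
            expected, reason = set(), "orphan account: no HR record"
        elif record["status"] != "active":
            expected, reason = set(), "leaver: all access must be removed"
        else:
            expected = role_map.get(record["role"], set())
            reason = "joiner/mover: access differs from current role"
        grant, revoke = expected - held, held - expected
        if grant or revoke:
            findings[user] = {"grant": grant, "revoke": revoke, "reason": reason}
    return findings


if __name__ == "__main__":
    for user, f in reconcile(HR_RECORDS, ACTUAL_ACCESS, ROLE_ENTITLEMENTS).items():
        print(user, "|", f["reason"], "| grant:", sorted(f["grant"]),
              "| revoke:", sorted(f["revoke"]))
```

The `revoke` sets are the security-relevant output: access left behind after a move or a departure.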

Join me when I talk about provisioning in a Webinar next Tuesday.


Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
