User provisioning software

Last updated June 07, 2021

User provisioning software is software intended to help organizations more quickly, cheaply, reliably and securely manage information about users on multiple systems and applications.

Background: systems, applications and users

People are represented by user objects or login accounts on different systems and applications.

Examples of systems and applications include:

LDAP directories.
Microsoft Active Directory and Novell eDirectory.
Operating systems such as Linux, Unix, Solaris, AIX, HP-UX and Windows Server.
Mainframe security products such as RAC/F, CA ACF/2 and CA TopSecret.
ERP applications such as SAP R/3, PeopleSoft, JD Edwards, Lawson Financials and Oracle eBusiness Suite.
E-mail systems such as Microsoft Exchange and Lotus Notes.
Databases such as Oracle, Microsoft SQL Server, IBM DB2 and MySQL.
A variety of other, custom or vertical-market systems and applications..

User objects generally consist of:

A unique identifier.
A description of the person who has been assigned the user object—principally their name.
Contact information for that person, such as their e-mail address, phone numbers, mailing address, etc.
Organizational information about that person, such as the ID of their manager, their department or their location.
A password and/or other authentication factors.

Note that users need not be able to log into a system or application. The user object may be a record in an HR application or an entry in a phone book system, which the user cannot log into but which nonetheless represents the user.

User objects are generally connected to other parts of a system or application through security entitlements. On most systems, this is done by placing a user into one or more security groups, where users of each group are granted some security rights.

User lifecycle processes

Organizations implement business processes to create, manage and delete user objects on their systems and applications:

Onboarding:
- Represents the steps taken when a new employee is hired, a contractor starts work, or a customer or partner is granted access to systems.
- This term alludes to the process of loading passengers onto a commercial airliner.
Management:
- Users are dynamic—they change names, addresses, responsibilities and more.
- Changes experienced by users in the physical world must be reflected by user objects on systems and applications.
Support:
- Users sometimes experience problems with systems and applications. They may forget their password or require new security entitlements, for example.
- User support means changing data about users on systems and applications, resetting user passwords and so on, to resolve user problems.
Deactivation:
- Users have a finite lifespan and normally an even shorter relationship with an organization where a system or application is managed.
- When users leave—termination, resignation, retirement, end of contract, end of customer relationship, etc. -- their access to systems and applications should likewise be deactivated.

Incidentally, the term lifecycle does not imply that users who have been deactivated will necessarily not be onboarded again. However, this does happen. For example, employees may leave a company and be re-hired later, or contractors may end their contract only to be hired as employees.

User provisioning systems

User provisioning systems are intended to help organizations streamline user lifecycle processes so that updates to user objects on their systems and applications can be made:

More quickly—so users don't have to wait for changes.
More efficiently—to reduce the cost of managing systems and applications in response to user lifecycle events.
More securely—to reduce the risk of system compromise due to user objects that have outlived their usefulness, due to inappropriate security entitlements and due to easily guessed or otherwise compromised passwords.

User provisioning processes

A user provisioning system may implement one or more processes to achieve the aforementioned goals. These processes may include:

Auto-provisioning. For example:
- Monitor an HR application and automatically create new users on other systems and applications when new employee records appear in the HR database.
Auto-deactivation. For example:
- Monitor an HR application and automatically deactivate users objects on other systems and applications when an employee records either disappears or is marked as inactive in the HR database.
- Automatically deactivate user objects for users, such as contractors, whose scheduled termination date has passed.
Identity synchronization. For example:
- When changes in a user's e-mail address are detected on a mail system, automatically update the same user's e-mail address on other systems.
- When changes in a user's name, phone number or mailing address are detected on an HR system, automatically update the same user's e-mail address on other systems.
Self-service profile changes. For example:
- Allow users to update their own contact information.
Self-service access requests. For example:
- Allow users to request access to systems and applications.
Delegated access requests. For example:
- Allow managers to request access to systems and applications on behalf of their direct subordinates.
Authorization workflow. For example:
- Ask business stake-holders to review and either approve or reject proposed changes to user profiles or access rights.
Access certification. For example:
- Periodically ask managers to verify that the list of their direct subordinates (a) are still employed with the organization and (b) still report to them.
- Periodically data or application owners to verify a list of users with access to their data or application.

User provisioning system components

A user provisioning system must, in general, include some or all of the following components:

Connectors, to read information about users from integrated systems and applications and to send updates (e.g., create new user, delete user, modify user information) back to those systems and applications.
An internal database, that tracks user objects and other data from integrated systems and applications.
An auto-discovery system, which populates the internal database using the connectors.
A user interface where users can review the contents of the internal database, make change requests, approve or reject proposed changes, etc.
A workflow engine, used primarily to invite users to review and either approve or reject changes.
A policy engine, which evaluates both current user information and proposed changes to see if they meet corporate rules and regulations.
A reporting engine, which helps organizations extract information from the internal database.

Related Research Articles

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. However, Active Directory became an umbrella title for a broad range of directory-based identity-related services.

A database is an organized collection of data, generally stored and accessed electronically from a computer system. Where databases are more complex they are often developed using formal design and modeling techniques.

The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.

In telecommunication, provisioning involves the process of preparing and equipping a network to allow it to provide new services to its users. In National Security/Emergency Preparedness telecommunications services, "provisioning" equates to "initiation" and includes altering the state of an existing priority service or capability.

An email client, email reader or, more formally, message user agent (MUA) or mail user agent is a computer program used to access and manage a user's email.

Identity management (IdM), also known as identity and access management, is a framework of policies and technologies for ensuring that the right users have the appropriate access to technology resources. IdM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and control access for individuals who will be utilizing IT resources, but also the hardware and applications employees need to access. Identity and access management solutions have become more prevalent and critical in recent years as regulatory compliance requirements have become increasingly more rigorous and complex.

A white pages schema is a data model, specifically a logical schema, for organizing the data contained in entries in a directory service, database, or application, such as an address book. In a white pages directory, each entry typically represents an individual person that makes use of network resources, such as by receiving email or having an account to log into a system. In some environments, the schema may also include the representation of organizational divisions, roles, groups, and devices. The term is derived from the white pages, the listing of individuals in a telephone directory, typically sorted by the individual's home location and then by their name.

Service Provisioning Markup Language (SPML) is an XML-based framework, being developed by OASIS, for exchanging user, resource and service provisioning information between cooperating organizations.

Enterprise content management (ECM) extends the concept of content management by adding a timeline for each content item and, possibly, enforcing processes for its creation, approval and distribution. Systems using ECM generally provide a secure repository for managed items, analog or digital. They also include one methods for importing content to bring manage new items, and several presentation methods to make items available for use. Although ECM content may be protected by digital rights management (DRM), it is not required. ECM is distinguished from general content management by its cognizance of the processes and procedures of the enterprise for which it is created.

An information security audit is an audit on the level of information security in an organization. Within the broad scope of auditing information security there are multiple types of audits, multiple objectives for different audits, etc. Most commonly the controls being audited can be categorized to technical, physical and administrative. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases and highlights key components to look for and different methods for auditing these areas.

Self-service password reset (SSPR) is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor, and repair their own problem, without calling the help desk. It is a common feature in identity management software and often bundled in the same software package as a password synchronization capability.

Microsoft Identity Integration Server (MIIS) is an identity management (IdM) product offered by Microsoft. It is a service that aggregates identity-related information from multiple data-sources. The goal of MIIS is to provide organizations with a unified view of a user's/resources identity across the heterogeneous enterprise and provide methods to automate routine tasks.

There are several forms of software used to help users or organizations better manage passwords:

In computing, delegated administration or delegation of control describes the decentralization of role-based-access-control systems. Many enterprises use a centralized model of access control. For large organizations, this model scales poorly and IT teams become burdened with menial role-change requests. These requests — often used when hire, fire, and role-change events occur in an organization — can incur high latency times or suffer from weak security practices.

IBM Tivoli Identity Manager, also known as TIM, ITIM, or ISIM, is an Identity Management System product from IBM.

In information systems, identity correlation is a process that reconciles and validates the proper ownership of disparate user account login IDs that reside on systems and applications throughout an organization and can permanently link ownership of those user account login IDs to particular individuals by assigning a unique identifier to all validated account login IDs.

An identity-management system refers to an information system, or to a set of technologies that can be used for enterprise or cross-network identity management.

A Microsoft account or MSA is a single sign-on Microsoft user account for Microsoft customers to log in to Microsoft services, devices running on one of Microsoft's current operating systems, and Microsoft application software.

A human resources management system (HRMS) or human resources information system (HRIS) or human capital management (HCM) is a form of human resources (HR) software that combines a number of systems and processes to ensure the easy management of human resources, business processes and data. Human resources software is used by businesses to combine a number of necessary HR functions, such as storing employee data, managing payroll, recruitment, benefits administration, time and attendance, employee performance management, and tracking competency and training records.

Unified access management (UAM) refers to an identity management solution. It is used by enterprises to manage digital identities and provide secure access to users across multiple devices and applications, both cloud and on-premise. Unified access management solutions provide a single platform from which IT can manage access across a diverse set of users, devices, and applications, whether on-premise or in the cloud.

References

Casassa Mont, Marco; Baldwin, Adrian; Shiu, Simon (2009), Identity Analytics - "User Provisioning" Case Study: Using Modelling and Simulation for Policy Decision Support, p. 49
Hommel, Wolfgang; Schiffers, Michael (2005), Supporting Virtual Organization Lifecycle Management by Dynamic Federated User Provisioning, p. 12, CiteSeerX 10.1.1.84.6068
Becker, M; Drew, M (2005), "Overcoming the challenges in deploying user provisioning/identity access management backbone", BT Technology Journal, BT Technology Journal (published 2006), 23 (4): 71–79, doi:10.1007/s10550-006-0009-x
Witty, Roberta J (2003), The Identity and Access Management Market Landscape (PDF), p. 11

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.