This article includes a list of references, related reading or external links, but its sources remain unclear because it lacks inline citations .(November 2019) |
User provisioning software is software intended to help organizations more quickly, cheaply, reliably and securely manage information about users on multiple systems and applications.
People are represented by user objects or login accounts on different systems and applications.
Examples of systems and applications include:
User objects generally consist of:
Note that users need not be able to log into a system or application. The user object may be a record in an HR application or an entry in a phone book system, which the user cannot log into but which nonetheless represents the user.
User objects are generally connected to other parts of a system or application through security entitlements. On most systems, this is done by placing a user into one or more security groups, where users of each group are granted some security rights.
Organizations implement business processes to create, manage and delete user objects on their systems and applications:
Incidentally, the term lifecycle does not imply that users who have been deactivated will necessarily not be onboarded again. However, this does happen. For example, employees may leave a company and be re-hired later, or contractors may end their contract only to be hired as employees.
User provisioning systems are intended to help organizations streamline user lifecycle processes so that updates to user objects on their systems and applications can be made:
A user provisioning system may implement one or more processes to achieve the aforementioned goals. These processes may include:
A user provisioning system must, in general, include some or all of the following components:
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. However, Active Directory became an umbrella title for a broad range of directory-based identity-related services.
A database is an organized collection of data, generally stored and accessed electronically from a computer system. Where databases are more complex they are often developed using formal design and modeling techniques.
The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.
In telecommunication, provisioning involves the process of preparing and equipping a network to allow it to provide new services to its users. In National Security/Emergency Preparedness telecommunications services, "provisioning" equates to "initiation" and includes altering the state of an existing priority service or capability.
An email client, email reader or, more formally, message user agent (MUA) or mail user agent is a computer program used to access and manage a user's email.
Identity management (IdM), also known as identity and access management, is a framework of policies and technologies for ensuring that the right users have the appropriate access to technology resources. IdM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and control access for individuals who will be utilizing IT resources, but also the hardware and applications employees need to access. Identity and access management solutions have become more prevalent and critical in recent years as regulatory compliance requirements have become increasingly more rigorous and complex.
A white pages schema is a data model, specifically a logical schema, for organizing the data contained in entries in a directory service, database, or application, such as an address book. In a white pages directory, each entry typically represents an individual person that makes use of network resources, such as by receiving email or having an account to log into a system. In some environments, the schema may also include the representation of organizational divisions, roles, groups, and devices. The term is derived from the white pages, the listing of individuals in a telephone directory, typically sorted by the individual's home location and then by their name.
Service Provisioning Markup Language (SPML) is an XML-based framework, being developed by OASIS, for exchanging user, resource and service provisioning information between cooperating organizations.
Enterprise content management (ECM) extends the concept of content management by adding a timeline for each content item and, possibly, enforcing processes for its creation, approval and distribution. Systems using ECM generally provide a secure repository for managed items, analog or digital. They also include one methods for importing content to bring manage new items, and several presentation methods to make items available for use. Although ECM content may be protected by digital rights management (DRM), it is not required. ECM is distinguished from general content management by its cognizance of the processes and procedures of the enterprise for which it is created.
An information security audit is an audit on the level of information security in an organization. Within the broad scope of auditing information security there are multiple types of audits, multiple objectives for different audits, etc. Most commonly the controls being audited can be categorized to technical, physical and administrative. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases and highlights key components to look for and different methods for auditing these areas.
Self-service password reset (SSPR) is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor, and repair their own problem, without calling the help desk. It is a common feature in identity management software and often bundled in the same software package as a password synchronization capability.
Microsoft Identity Integration Server (MIIS) is an identity management (IdM) product offered by Microsoft. It is a service that aggregates identity-related information from multiple data-sources. The goal of MIIS is to provide organizations with a unified view of a user's/resources identity across the heterogeneous enterprise and provide methods to automate routine tasks.
There are several forms of software used to help users or organizations better manage passwords:
In computing, delegated administration or delegation of control describes the decentralization of role-based-access-control systems. Many enterprises use a centralized model of access control. For large organizations, this model scales poorly and IT teams become burdened with menial role-change requests. These requests — often used when hire, fire, and role-change events occur in an organization — can incur high latency times or suffer from weak security practices.
IBM Tivoli Identity Manager, also known as TIM, ITIM, or ISIM, is an Identity Management System product from IBM.
In information systems, identity correlation is a process that reconciles and validates the proper ownership of disparate user account login IDs that reside on systems and applications throughout an organization and can permanently link ownership of those user account login IDs to particular individuals by assigning a unique identifier to all validated account login IDs.
An identity-management system refers to an information system, or to a set of technologies that can be used for enterprise or cross-network identity management.
A Microsoft account or MSA is a single sign-on Microsoft user account for Microsoft customers to log in to Microsoft services, devices running on one of Microsoft's current operating systems, and Microsoft application software.
A human resources management system (HRMS) or human resources information system (HRIS) or human capital management (HCM) is a form of human resources (HR) software that combines a number of systems and processes to ensure the easy management of human resources, business processes and data. Human resources software is used by businesses to combine a number of necessary HR functions, such as storing employee data, managing payroll, recruitment, benefits administration, time and attendance, employee performance management, and tracking competency and training records.
Unified access management (UAM) refers to an identity management solution. It is used by enterprises to manage digital identities and provide secure access to users across multiple devices and applications, both cloud and on-premise. Unified access management solutions provide a single platform from which IT can manage access across a diverse set of users, devices, and applications, whether on-premise or in the cloud.