ⓘ User provisioning software is software intended to help organizations more quickly, cheaply, reliably and securely manage information about users on multiple sy ..


ⓘ User provisioning software

User provisioning software is software intended to help organizations more quickly, cheaply, reliably and securely manage information about users on multiple systems and applications.


1. Background: systems, applications and users

People are represented by user objects or login accounts on different systems and applications.

Examples of systems and applications include:

  • LDAP directories.
  • Operating systems such as Linux, Unix, Solaris, AIX, HP-UX and Windows Server.
  • Databases such as Oracle, Microsoft SQL Server, IBM DB2 and MySQL.
  • A variety of other, custom or vertical-market systems and applications.
  • Microsoft Active Directory and Novell eDirectory.
  • E-mail systems such as Microsoft Exchange and Lotus Notes.
  • Mainframe security products such as RAC/F, CA ACF/2 and CA TopSecret.
  • ERP applications such as SAP R/3, PeopleSoft, JD Edwards, Lawson Financials and Oracle eBusiness Suite.

User objects generally consist of:

  • A unique identifier.
  • Organizational information about that person, such as the ID of their manager, their department or their location.
  • Contact information for that person, such as their e-mail address, phone numbers, mailing address, etc.
  • A description of the person who has been assigned the user object - principally their name.
  • A password and/or other authentication factors.

Note that users need not be able to log into a system or application. The user object may be a record in an HR application or an entry in a phone book system, which the user cannot log into but which nonetheless represents the user.

User objects are generally connected to other parts of a system or application through security entitlements. On most systems, this is done by placing a user into one or more security groups, where users of each group are granted some security rights.


2. User lifecycle processes

Organizations implement business processes to create, manage and delete user objects on their systems and applications:

  • Onboarding
  • This term alludes to the process of loading passengers onto a commercial airliner.
  • Represents the steps taken when a new employee is hired, a contractor starts work, or a customer or partner is granted access to systems.
  • Management
  • Changes experienced by users in the physical world must be reflected by user objects on systems and applications.
  • Users are dynamic - they change names, addresses, responsibilities and more.
  • Support
  • Users sometimes experience problems with systems and applications. They may forget their password or require new security entitlements, for example.
  • User support means changing data about users on systems and applications, resetting user passwords and so on, to resolve user problems.
  • Users have a finite lifespan and normally an even shorter relationship with an organization where a system or application is managed.
  • Deactivation
  • When users leave - termination, resignation, retirement, end of contract, end of customer relationship, etc. -- their access to systems and applications should likewise be deactivated.

Incidentally, the term lifecycle does not imply that users who have been deactivated will necessarily not be onboarded again. However, this does happen. For example, employees may leave a company and be re-hired later, or contractors may end their contract only to be hired as employees.


3. User provisioning systems

User provisioning systems are intended to help organizations streamline user lifecycle processes so that updates to user objects on their systems and applications can be made:

  • More quickly - so users dont have to wait for changes.
  • More efficiently - to reduce the cost of managing systems and applications in response to user lifecycle events.
  • More securely - to reduce the risk of system compromise due to user objects that have outlived their usefulness, due to inappropriate security entitlements and due to easily guessed or otherwise compromised passwords.

4. User provisioning processes

A user provisioning system may implement one or more processes to achieve the aforementioned goals. These processes may include:

  • Auto-provisioning. For example
  • Monitor an HR application and automatically create new users on other systems and applications when new employee records appear in the HR database.
  • Auto-deactivation. For example
  • Automatically deactivate user objects for users, such as contractors, whose scheduled termination date has passed.
  • Monitor an HR application and automatically deactivate users objects on other systems and applications when an employee records either disappears or is marked as inactive in the HR database.
  • When changes in a users name, phone number or mailing address are detected on an HR system, automatically update the same users e-mail address on other systems.
  • When changes in a users e-mail address are detected on a mail system, automatically update the same users e-mail address on other systems.
  • Identity synchronization. For example
  • Allow users to update their own contact information.
  • Self-service profile changes. For example
  • Self-service access requests. For example
  • Allow users to request access to systems and applications.
  • Allow managers to request access to systems and applications on behalf of their direct subordinates.
  • Delegated access requests. For example
  • Authorization workflow. For example
  • Ask business stake-holders to review and either approve or reject proposed changes to user profiles or access rights.
  • Periodically data or application owners to verify a list of users with access to their data or application.
  • Periodically ask managers to verify that the list of their direct subordinates a are still employed with the organization and b still report to them.
  • Access certification. For example


5. User provisioning system components

A user provisioning system must, in general, include some or all of the following components:

  • An auto-discovery system, which populates the internal database using the connectors.
  • A user interface where users can review the contents of the internal database, make change requests, approve or reject proposed changes, etc.
  • Connectors, to read information about users from integrated systems and applications and to send updates back to those systems and applications.
  • A policy engine, which evaluates both current user information and proposed changes to see if they meet corporate rules and regulations.
  • A reporting engine, which helps organizations extract information from the internal database.
  • An internal database, that tracks user objects and other data from integrated systems and applications.
  • A workflow engine, used primarily to invite users to review and either approve or reject changes.
  • Provisioning may refer to: Provisioning cruise ship supplying a vessel for an extended voyage Provisioning of USS Constitution Provisioning telecommunications
  • The concept of network provisioning or service mediation, mostly used in the telecommunication industry, refers to the provisioning of the customer s services
  • An end - user license agreement EULA is a legal contract entered into between a software developer or vendor and the user of the software often where
  • administrators, information technology experts, software professionals and computer technicians. End users typically do not possess the technical understanding
  • over - the - air service provisioning OTASP over - the - air provisioning OTAP or over - the - air parameter administration OTAPA or provisioning handsets with the
  • using Chef or Puppet, and the user does not have to directly use any other virtualization software Machine and software requirements are written in a
  • organizations. The Service Provisioning Markup language is the open standard for the integration and interoperation of service provisioning requests. SPML is an
  • making sure that user profiles are portable in one manner or another from one session to the next. User environment management is a software solution which
  • as the number of processors required. The relatively low cost for user provisioning i.e., setting up a new customer in a multitenant environment enables