website header 2_edited_edited.png

User & Identity Provisioning

Less humans entering data equals less human error
unsplash-ciN8mnrlvFY_edited.jpg

Provisioning implements an identity lifecycle for users and entities (i.e. human and non-human accounts), and with more and more users and entities granted access to both online and on-premises systems and applications (including workers, contractors, consultants, customers, partners, temps, guest accounts, students, faculty, staff, healthcare practitioners, bots, system accounts, service accounts, application accounts, privileged accounts, etc.) it is crucial for an organization to have a process in place to manage those identities.

Identity Administration & Provisioning Service Capabilities

 

Identity administration and user/entity provisioning provides a set of processes and an infrastructure to support the creation and maintenance of identities across all entity types. This includes attributes, credentials, and entitlements and the secure facilitation of access to Information Technology assets for various entity populations from disparate channels, including Intranet, Extranet, Internet, Mobile Devices, and more.

It is critical to the health of the overall IAM infrastructure that the identity and entitlement information held in authoritative identity repositories be accurate and of high quality.

Identity and policy administration services include centralized, delegated, and self-service administration, as well as workflow approval. These services also include the ability to programmatically update identity information from existing authoritative sources of data or to make arrangements to obtain just-in-time identity assertions from third parties.

DELEGATED ADMINISTRATION

Provides a mechanism for administrators to push privileged activities to managers and end users securely through tailored interfaces and work-flows.

IDENTITY ATTRIBUTE MAPPING

Provides meta-directory capability of mapping account attribute names to the same identity attribute, e.g. such as last name to “sn” and “surname.”

SELF-REGISTRATION AND SELF-SERVICE

Provides an interface for users to manage credentials and profile information and to request access to IT assets. Anonymous users may also be allowed to register through this interface.

USER/ENTITY & GROUP MANAGEMENT

Provides administrative tools and services that information security professionals utilize to administer user/entity identity and group entries throughout the enterprise, including privileged and application or service accounts.

IDENTITY REGISTRATION &

IDENTITY ASSURANCE (aka IDENTITY PROOFING) 

Provides on-boarding and verification of new users and/or entities. Identity Assurance, aka Identity Proofing, may require call-outs to external services such as credit agencies, utilities, and government agencies to provide a level of identity assurance that the subject matches a valid person.

APPROVAL WORKFLOWS

Provides multi-step approval flows to automate request processes that require review and sign-off from authorized parties, such as managers, data owners, system owners, information security, etc., facilitating delegation to end users while still enforcing security policy controls.

PROVISIONING WORKFLOWS

Provides multi-step account provisioning to accommodate dependencies between accounts and to increase reliability, e.g. supporting creation of accounts in a specific order, performing retries or rollback in case of failure, sending notification of down systems, and more.

DE-PROVISIONING

De-provisioning a user’s access rights is required every time an employee leaves a company. But without the proper process in place, many companies do not follow through with de-provisioning.

IDENTITY STORAGE & GOVERNANCE

Provides repositories for identity and/or account data. This typically includes services to routinely scan IT systems for discrepancies in expected and discovered accounts, and fires configurable processes which can notify application and business owners, disable or delete unknown accounts, create missing accounts, and revert or reapply authorizations.

IDENTITY DRIVEN ADAPTERS/CONNECTORS

Adapters that leverage standard and/or proprietary APIs to manage various account repositories and provide a generic interface to a provisioning system for managing account identifiers, profile attributes, credentials, and authorization information, such as group memberships. Some connectors provide the capability to directly manage generic data objects such as physical assets in LDAP stores.

RULES & ACCESS POLICIES

Provides for the application of business logic and policy in how and which assets are provisioned and how data is processed and transformed as it flows through the identity system.

JUST-IN-TIME (JiT) PROVISIONING

For when a new user tries to log in to an authorized application for the first time, they trigger the flow of information from the identity provider to the app that’s needed to create their account.