What is User Account Provisioning?

28.4k views

What is User Provisioning?

User Account Provisioning or user provisioning is to identity access management(IAM) process of creating and proper permissions, changing, disabling, and deleting user accounts on a computer system.  UAP can be done manually by using user provisioning tools such as Active Directory Users & Computers (ADUC), or it can be automated with scripts.

How does User Provisioning Work?

The first step in user access provisioning  is to create a user account. The next step is to assign the user account to a group. A group is simply a container for a set of users that share common characteristics. For example, you could have a group called “Accountants”, which contains all of your accounting employees. Another example would be a group called “Marketing Employees”, which contains all marketing employees. Groups are used to help organize users into logical categories.

Why do we Need User Provisioning?

The purpose of UAP is to provide access control for computers and resources. Access control means that only authorized users may use certain applications, files, folders, printers, etc. In other words, if someone wants to use your computer, they must have permission from you.

If you want to give them this permission, then you will need to add their username to one or more groups. When a user logs into the computer, Windows checks the list of groups assigned to that user. If the user belongs to any of those groups, he/she is allowed to log into the computer. Otherwise, the user will not be able to login.

Types of user account provisioning include

  • Self-service account provisioning- enables user participation in some aspects of the management process so that administrators don’t need to be involved in every aspect of the provisioning process.
  • Discretionary account provisioning – enables an IT admin to decide which apps and data his employees should be allowed to use. Smaller or medium-sized companies often use discretionary approaches.
  • Workflow-based account provisioning – allows users to gain approval for accessing a particular application or data. For example, the financial rules in an accounting system might require that the CFO approve every new customer account.
  • Automated account provisioning – involves managing users’ access rights using a centralised system. It allows administrators to monitor users’ access rights closely without spending too much of their valuable resources. However, there might be times when admins may need to engage in manual processes.

Manual User Provisioning

With the advent of cloud computing, users no longer require an IT department to manage them. They can simply log onto any device and start working immediately. Users can also easily share documents and collaborate with others without ever leaving the office. In addition, users can work from anywhere, so they can get things done faster and more efficiently.

Automated User Provisioning

Automated provisioning removes the problems associated with manual management of user accounts. Organizations can now manage users without any human intervention, which allows IT administrators to focus on other business processes. Users are given access to resources based on their roles and responsibilities.

When an account is created or modified, the software will automatically create or modify a corresponding record in the database. This includes creating or modifying a user account, group membership, computer account, directory service account, application server account, and other similar records. In addition, when a new domain controller is added to the forest, the software will automatically add a new domain controller account.

Business rules translate an employee’s attributes (such as age, gender, location) and role (such as manager or secretary) into the correct accounts, permission sets and scopes of permissions their job requires (e.g., read-only vs editable). Rules are checked against the user’s attributes and roles before granting them any permissions.

What is Automated Permission Assignment

User account provisioning and access management are done using an ABAC(Attribute-Based Access Control) approach. A business role model determines the rights of each user, and when a user changes roles, the software automatically removes the corresponding rights.

An attribute is something about a person or thing that identifies who they are. Attributes include things like name, address, phone number, email address, social security number, driver license number, passport number, credit card number, bank account number, birth date, etc.

Attributes can also describe how people act or what they do. These actions are known as behaviors. Behaviors include things like reading emails, writing emails, sending faxes, printing documents, accessing shared drives, changing passwords, etc.

An ABAC policy defines the relationship between attributes and behaviors. It specifies which attributes determine whether a particular behavior is permitted or denied.

User Account Provisioning

For example:

  • If you are a manager, then you should be able to change all employees’ passwords.
  • If you are an administrator, then you should be allowed to change everyone’s password.
  • If you have been granted the ability to administer computers, then you should be permitted to reset passwords for every user.

In addition to specifying what a user can do, an ABAC policy also describes the conditions under which a user can perform a specific action. For example:

  • You should be able to change your own password only if it hasn’t expired yet.
  • You shouldn’t be able to delete files from the C drive unless you’re logged in as an Administrator.
  • You shouldn’t be able to log off the system unless you’ve been idle for at least five minutes.

The combination of attributes and behaviors define a rule. The software checks each rule against the current state of the user’s account. If the rule matches, the user is granted the appropriate privileges. Otherwise, the user is denied access.

Why Automated User Provisioning Still Demands a Human Touch

Users must be assigned correctly for many reasons. First, users may need to be assigned to different groups based on their needs. Second, users may need to have different levels of access depending on their job responsibilities. Third, users may need to use different types of devices such as laptops, tablets, smartphones, and desktop PCs. Finally, users may need to access sensitive data stored on servers.

When assigning users to different groups, we often assign the same group to multiple users. This creates problems when one user leaves the company or changes jobs, and we need to remove them from the wrong groups.

When assigning users with varying levels of access, we often grant more permissions than necessary. This causes unnecessary overhead because users will not always need those extra permissions.

When assigning users to different devices, we often assign the device to the user instead of the other way around. This leads to problems when users move to new devices. They need to re-provision themselves.

When assigning users access to sensitive data, we often grant too much access. This allows users to see confidential information without proper authorization.

Provisioning users manually is time-consuming and error-prone. In order to reduce errors, we usually require manual review by IT administrators. However, this process is tedious and slow.

What’s the Purpose of User Provisioning and User Deprovisioning?

User provisioning and deprovisioning are two important concepts that help us manage user accounts. We use these concepts to ensure that users have the correct level of access to resources. It does so by checking whether the user has the required permission to perform an action. If they don’t, then the user cannot complete the task.

User provisioning: Adding users to the system

User provisioning involves creating accounts for new users. It also includes granting the users permission to perform certain tasks. For example, if you’re using Microsoft Active Directory (AD), you would create a user object in AD. You could then give the user rights to read, write, execute, modify, delete, and share files.

User deprovisioning: Removing users from the system

User deprovisioning removes users from the system. It does not involve deleting the account itself. Instead, it only deletes the user’s profile from the server. If the user logs back into the system, he/she will still retain his/her previous privileges.

Why is User Provisioning Important?

User provisioning is extremely important. The reason why is simple. When you add a user to your system, you need to make sure that they don’t do anything malicious. Otherwise, you’ll end up having to deal with a security breach.

If you’re using a web application, you might want to restrict their access to specific pages. Or maybe you just want to limit their ability to view sensitive information. Whatever the case may be, you need to ensure that the user cannot access these sensitive areas.

If you’re using a database, you might want to prevent them from accessing tables containing private information. Or perhaps you want to prevent them from modifying records that contain critical data. Whatever the case may happen, you must take precautions so that no one else can access these sensitive areas. Only authorized users should be able to access these areas.

How Can We Automate User Provisioning?

There are many ways that we can automate user provisioning. One way is to use LDAP. Another way is to use Kerberos. Both methods allow us to easily manage user identities. They both provide us with a secure method of storing user credentials.

LDAP

LDAP stands for Lightweight Directory Access Protocol. It allows us to store user details in a central location. In other words, we can store all of our users in a single directory. Once we’ve stored all of our users in this directory, we can easily search for any particular user by entering their username.

Kerberos

Kerberos is a protocol used to authenticate users on a computer network. It works by allowing us to verify the identity of a remote user before giving him/her access to resources.

In order to use Kerberos, we first have to install a Kerberos client. Then, we configure the client to connect to a Kerberized server. Finally, we set up the server to accept incoming connections from clients.

Once we’ve done all of this, we can start issuing Kerberos tickets to users who wish to log in to our system. These tickets will grant them access to the system.

We can also issue Kerberos tickets to external services such as Google Drive. This means that we can securely transfer documents between different applications without worrying about exposing confidential information.

We Need a Better Solution

With the rise of cloud computing, we now have the opportunity to automate user provisioning. Cloud computing provides us with a centralized repository where we store all of our users’ credentials. Using this central repository, we can automatically assign users to different groups, assign users with varying levels of permissions, assign users to different devices, and assign users with access to sensitive data.

In conclusion, user account provisioning is one of those tasks that most companies should be doing already, but many aren’t. So, how can you start?

See how ExterNetworks can help you with Managed IT Services

Request a Quote Speak with an IT Expert

Latest Articles

Press C anytime
to Contact Us