User provisioning software
User provisioning software is software intended to help organizations more quickly, cheaply, reliably and securely manage information about users on multiple systems and applications. It is a type of identity management system.
Background: Systems, Applications and Users
People are represented by user objects or login accounts on different systems and applications.
Examples of systems and applications include:
- LDAP directories.
- Microsoft Active Directory and Novell eDirectory.
- Operating systems such as Linux, Unix, Solaris, AIX, HP-UX and Windows Server.
- Mainframe security products such as RACF, CA ACF/2 and CA TopSecret.
- ERP applications such as SAP R/3, PeopleSoft, JD Edwards, Lawson Financials and Oracle eBusiness Suite.
- E-mail systems such as Microsoft Exchange and Lotus Notes.
- Databases such as Oracle, Microsoft SQL Server, IBM DB2 and MySQL.
- A variety of other, custom or vertical-market systems and applications.
User objects generally consist of:
- A unique identifier.
- A description of the person who has been assigned the user object -- principally their name.
- Contact information for that person, such as their e-mail address, phone numbers, mailing address, etc.
- Organizational information about that person, such as the ID of their manager, their department or their location.
- A password and/or other authentication factors.
Note that users need not be able to log in to a system or application. The user object may be a record in an HR application or an entry in a phone book system, which the user cannot log into but which nonetheless represents the user.
User objects are generally connected to other parts of a system or
application through security entitlements. On most systems, this is
done by placing a user into one or more security groups, where users of
each group are granted some security rights.
User Lifecycle Processes
Organizations implement business processes to create, manage and delete user objects on their systems and applications:
- Onboarding:
- Represents the steps taken when a new employee is hired, a contractor starts work, or a customer or partner is granted access to systems.
- This term alludes to the process of loading passengers onto a commercial airliner.
- Management:
- Users are dynamic -- they change names, addresses, responsibilities and more.
- Changes experienced by users in the physical world must be reflected by user objects on systems and applications.
- Support:
- Users sometimes experience problems with systems and applications. They may forget their password or require new security entitlements, for example.
- User support means changing data about users on systems and applications, resetting user passwords and so on, to resolve user problems.
- Deactivation:
- Users have a finite lifespan and normally an even shorter relationship with an organization where a system or application is managed.
- When users leave -- termination, resignation, retirement, end of contract, end of customer relationship, etc. -- their access to systems and applications should likewise be deactivated.
Incidentally, the term lifecycle does not imply that users who have been deactivated will necessarily be onboarded again. However, this does happen. For example, employees may leave a company and be re-hired later, or contractors may end their contract only to be hired as employees.
User Provisioning Systems
User provisioning systems are intended to help organizations streamline user lifecycle processes so that updates to user objects on their systems and applications can be made:
- More quickly -- so users don't have to wait for changes.
- More efficiently -- to reduce the cost of managing systems and applications in response to user lifecycle events.
- More securely -- to reduce the risk of system compromise due to user objects that have outlived their usefulness, due to inappropriate security entitlements and due to easily guessed or otherwise compromised passwords.
User Provisioning Processes
A user provisioning system may implement one or more processes to achieve the aforementioned goals. These processes may include:
- Auto-provisioning. For example:
- Monitor an HR application and automatically create new users on other systems and applications when new employee records appear in the HR database.
- Auto-deactivation. For example:
- Monitor an HR application and automatically deactivate user objects on other systems and applications when an employee record either disappears or is marked as inactive in the HR database.
- Automatically deactivate user objects for users, such as contractors, whose scheduled termination date has passed.
- Identity synchronization. For example:
- When changes in a user's e-mail address are detected on a mail system, automatically update the same user's e-mail address on other systems.
- When changes in a user's name, phone number or mailing address are detected on an HR system, automatically update the same attributes for that user on other systems.
- Self-service profile changes. For example:
- Allow users to update their own contact information.
- Self-service access requests. For example:
- Allow users to request access to systems and applications.
- Delegated access requests. For example:
- Allow managers to request access to systems and applications on behalf of their direct subordinates.
- Authorization workflow. For example:
- Ask business stake-holders to review and either approve or reject proposed changes to user profiles or access rights.
- Access certification. For example:
- Periodically ask managers to verify that the people on their list of direct subordinates (a) are still employed by the organization and (b) still report to them.
- Periodically ask data or application owners to verify the list of users with access to their data or application.
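The auto-provisioning, auto-deactivation and identity synchronization processes above all reduce to one reconciliation step: compare an authoritative source (the HR feed) against the accounts discovered on a target system and emit the create, update or deactivate actions that close the gap. The following is an added illustration, not code from the original article or from any product; the HR records, target accounts and the `reconcile` function are constructed for the example.

```python
from datetime import date

# Constructed sample data: an HR feed (the authoritative source) and the accounts
# currently found on one target system, as an auto-discovery pass would load them.
HR_RECORDS = [
    {"id": "e1001", "name": "Ada Example", "email": "ada@example.test", "status": "active", "term_date": None},
    {"id": "e1002", "name": "Bo Sample", "email": "bo@example.test", "status": "inactive", "term_date": None},
    {"id": "c2001", "name": "Cy Contractor", "email": "cy@example.test", "status": "active", "term_date": date(2024, 1, 31)},
    {"id": "e1003", "name": "Di Newhire", "email": "di@example.test", "status": "active", "term_date": None},
]
TARGET_ACCOUNTS = {
    "e1001": {"name": "Ada Example", "email": "ada.old@example.test", "enabled": True},
    "e1002": {"name": "Bo Sample", "email": "bo@example.test", "enabled": True},
    "c2001": {"name": "Cy Contractor", "email": "cy@example.test", "enabled": True},
    "e9999": {"name": "Orphan Account", "email": "orphan@example.test", "enabled": True},
}
SYNCED_ATTRS = ("name", "email")  # attributes pushed from HR to the target


def reconcile(hr_records, target_accounts, today):
    """Return the ordered provisioning actions that bring the target in line with HR."""
    actions = []
    seen = set()
    for rec in hr_records:
        uid = rec["id"]
        seen.add(uid)
        acct = target_accounts.get(uid)
        expired = rec["term_date"] is not None and rec["term_date"] < today
        should_be_active = rec["status"] == "active" and not expired
        if acct is None:
            if should_be_active:
                actions.append(("create", uid))  # auto-provisioning of a new hire
            continue
        if not should_be_active:
            if acct["enabled"]:
                actions.append(("deactivate", uid))  # auto-deactivation (inactive or past term date)
            continue
        # identity synchronization: push only the attributes that differ from HR
        changes = {k: rec[k] for k in SYNCED_ATTRS if acct.get(k) != rec[k]}
        if changes:
            actions.append(("update", uid, changes))
    # enabled accounts with no HR record are flagged for certification, not silently deleted
    for uid, acct in target_accounts.items():
        if uid not in seen and acct["enabled"]:
            actions.append(("review_orphan", uid))
    return actions


def run_sample():
    """Reconcile the constructed data as of a fixed date (after the contractor's term date)."""
    return reconcile(HR_RECORDS, TARGET_ACCOUNTS, date(2024, 6, 1))
```

The orphan account is routed to review rather than removed, which is the access certification step described above applied to accounts the authoritative source does not know about.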
User Provisioning System Components
A user provisioning system must, in general, include some or all of the following components:
- Connectors, to read information about users from integrated systems and applications and to send updates (e.g., create new user, delete user, modify user information) back to those systems and applications.
- An internal database, that tracks user objects and other data from integrated systems and applications.
- An auto-discovery system, which populates the internal database using the connectors.
- A user interface where users can review the contents of the internal database, make change requests, approve or reject proposed changes, etc.
- A workflow engine, used primarily to invite users to review and either approve or reject changes.
- A policy engine, which evaluates both current user information and proposed changes to see if they meet corporate rules and regulations.
- A reporting engine, which helps organizations extract information from the internal database.
External links
- User provisioning best practices: http://identity-manager.hitachi-id.com/docs/user-provisioning-best-practices.html (free white paper published by Hitachi ID Systems, Inc.; no registration required.)
- User Provisioning and downstream provisioning from any application or system in your network
- User provisioning software - Identity Management Frequently asked questions