The Leading Educational Resource for IT Professionals

Identity Management Provisioning and Workflow – A core competence

by Graham Williamson April 13, 2017 0 Comments

It all starts with provisioning. Unfortunately many CIOs struggle with a confusing array of tasks that form the provisioning process within their organisations. There’s usually some automation that creates an AD record but much of the access control to applications is done manually. A new staff member must fill in application forms or call system administrators to get provisioned into the systems they need to do their jobs; this is not only very costly, it’s wide open to abuse.

There are several issues to be addressed while deploying a provisioning facility:

  • An approval workflow to control the account creation process is essential. No one should get access to a protected resource (computer system, computer application or sensitive document) without a time-stamped, auditable approval being granted. The workflow should also record the expiry of such access, if applicable.
  • A self-service function should be available. This means that staff members should not have to fill-out forms that are then retyped by someone else into the target systems being provisioned. The initial request, and subsequent changes, should be initiated and approved via the workflow process. No manual intervention should be required other than a manager clicking on approve or deny when they receive a machine-generated approval/notification message.
  • The workflow should interface to the authoritative source for identity data. This will typically be the HR system for staff biographical and positional data, and the contract management system for contractors. Details such as telephone numbers should come from the PABx if appropriate, but should populate the ‘contact directory’ once collected (many organisations simply let staff maintain their own contact details because mobile phone numbers are usually the most important).
  • A record of approvers is required. In some cases this will be a person’s supervisor, in some cases it will be the resource owner. In some cases multiple people with need to approve a person’s access; modern provisioning system accommodate this requirement.
  • Attestation reporting is an important component of a provisioning system. Reports of staff member’s access rights should be periodically sent to managers within the organisation, to be checked. It can be combined with a re-certification process that will automatically time stamp the verification of a staff member’s access rights or disable access that has not be re-approved.

Entitlement management is important in some environments. Applications often maintain their own repository of user IDs for those staff with access rights. In this case automatically setting those access rights should be considered. If the application is AD-aware i.e. uses AD groups, this is quite simple. If an access control list is maintained within an application it is more difficult; in this instance the provisioning workflow must maintain a decision-tree for entitlements and have an interface to the application in question to be able to write-back to the access control list database.

Provisioning remains the most important aspect of an identity management system, the effort required to get it right probably represents an excellent return on investment for most organisations. Eliminating manual effort will not only save organizations money it will significantly improve security and reduce the risk associated with access to protected resources.

This series of blogs looks at the major components of identity and access management to encourage discussion and raise awareness.

Graham Williamson is the author of “Identity Management: A Business Perspective”.




Graham Williamson
Graham Williamson

Author

Graham Williamson is an identity management consultant in Brisbane, Australia. He has 27 years of experience in the IT industry, with expertise in identity management, electronic directories, public key infrastructure, smart card technology, and enterprise architecture. He is a coauthor of Identity Management: A Primer (MC Press, 2009).



Also in MC Press Articles

Customer (Citizen) Identity and Access Management

by Graham Williamson June 13, 2017 0 Comments

As a major trend in the IDM sector, consumerization has become easier and exponentially more important. Digital transformation will literally put a significant segment of the SME market out of business and propel a significant number of SMEs to new levels of prosperity.

Continue Reading →

Federated Authentication – there is no Plan B

by Graham Williamson June 05, 2017 0 Comments

Federated authentication is essential for businesses. It's the only way to effectively manage external access to business systems and it's absolutely necessary in order to manage authentication to SaaS apps. if you don't want to expose your identity records to potential compromise.

Continue Reading →

Access Control – RBAC & ABAC

by Graham Williamson May 04, 2017 0 Comments

Access Control is the core of the identity and access management task. Once we have correctly provisioned user data into the enterprise’s identity service we need to leverage it for access control. The vast majority of organizations use role-based access control, but increasingly, access control based on attributes is gaining traction.

Continue Reading →