What Is Provisioning?

In an IT context, the term provisioning means to provide a resource. It is commonly used to refer to user provisioning, i.e. the process of creating accounts and equipping them with the correct access rights. By contrast, deprovisioning refers to the process of removing old accounts.

The term provisioning means to make a resource available, for example by provisioning a new server or provisioning a network. The most common form of provisioning is user provisioning, the creation of new accounts with all required IT privileges.

Accounts are necessary in order to provide new users with access to the IT services they need for their role in an organization. As employees join or leave the company, admins need to provision new accounts, update existing ones or delete orphaned accounts. As a result, user provisioning is one of the most common tasks in user management.

What Is Deprovisioning?

While provisioning describes adding or providing a new resource, deprovisioning is the opposite process. Deprovisioning refers to the removal of IT resources that are no longer needed. This is necessary in order to prevent old accounts and applications from blocking system resources and software licenses. They can also pose a security risk if they become the target of hackers or employee data theft.

What Makes Provisioning and Deprovisioning Important?

Simply put, users need accounts and permissions in order to do their jobs. Provisioning ensures that everyone in the organization receives the exact resources and privileges needed for their business role.

At the same time, organizations need to ensure that users can access only information they genuinely need. If a user receives too much access, it can violate privacy laws, increase the risk of data theft and expose your network to cyberattacks if the account is compromised.

To mitigate the risks associated with overprivileged users, organizations need to enforce strict access control and follow the principle of least privilege. Accurate user provisioning is essential to achieving least privilege access, because it ensures that two key criteria are met:

  • Provisioning makes sure that users receive only the permissions intended for their role.

  • Deprovisioning removes accounts and privileges that are no longer needed.

Automatic Provisioning: How It Works

Creating and updating accounts is one of the most common activities for a sysadmin. This means that organizations that find a way to automate user provisioning can save a lot of valuable time for their IT staff and free them up for other projects.

The easiest way to automate user lifecycles – i.e. the creation, ongoing adjustment and eventual deletion of user accounts – is through an identity and access management solution. However, admins still need to determine which users should receive which privileges.

Automated provisioning should follow the responsibilities of the user, which is why most companies base it on an employee’s role within the organization.

Role-Based Provisioning

Role-based provisioning or role-based access control is an approach to automated provisioning that groups users into roles based on factors such as location and department. Admins determine in advance which privileges different user groups should receive and create permission roles that bundle all required access rights. When a new user is added to a role, they are automatically given all permissions intended for that group.

In Active Directory, role-based provisioning can be implemented through the AGDLP principle. AGDLP represents Microsoft’s recommended group structure, with global user groups that correspond to business roles and are themselves members of different permission groups, each of which governs access to a specific resource. However, creating and managing the necessary group structure takes quite a bit of effort.
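The following added example (not tenfold's code and not taken from the original article) models the AGDLP chain and derives the provisioning and deprovisioning actions needed to bring a directory back to least privilege. All account, group and resource names are constructed, and treating an HR export as the source of truth for roles is an assumption.

```python
# Added illustration; every group, account and resource name is constructed.
# AGDLP chain: Account -> Global group (role) -> Domain Local group -> Permission
ROLE_TO_DL = {
    "G_Sales":   {"DL_CRM_Modify", "DL_SalesShare_Read"},
    "G_Finance": {"DL_Ledger_Modify", "DL_SalesShare_Read"},
}
DL_TO_PERMISSION = {
    "DL_CRM_Modify":      ("crm", "modify"),
    "DL_SalesShare_Read": ("sales_share", "read"),
    "DL_Ledger_Modify":   ("ledger", "modify"),
}
# Assumed source of truth: who should exist and in which role (e.g. an HR export).
HR_ROLES = {"alice": "G_Sales", "bob": "G_Finance", "dave": "G_Sales"}
# Current directory state: account -> groups it is a direct member of.
DIRECTORY = {
    "alice": {"G_Sales"},
    "bob":   {"G_Finance", "G_Sales", "DL_CRM_Modify"},  # leftovers from old role
    "carol": {"G_Sales"},                                 # has left the company
}

def effective_permissions(groups):
    """Resolve direct memberships to (resource, right) pairs via the AGDLP chain."""
    dl_groups = set()
    for g in groups:
        dl_groups |= ROLE_TO_DL.get(g, set())  # role group -> permission groups
        if g in DL_TO_PERMISSION:              # direct membership that bypasses roles
            dl_groups.add(g)
    return {DL_TO_PERMISSION[dl] for dl in dl_groups}

def plan_changes(hr_roles, directory):
    """Return the actions that make the directory match the role model."""
    actions = []
    for user, role in hr_roles.items():
        current = directory.get(user)
        if current is None:                    # new hire: provision with role group
            actions.append(("create", user, role))
            continue
        if role not in current:
            actions.append(("add", user, role))
        actions += [("remove", user, g) for g in current - {role}]
    # Accounts with no HR record are orphaned and get deprovisioned.
    actions += [("deprovision", u, None) for u in directory.keys() - hr_roles.keys()]
    return sorted(actions, key=lambda a: (a[1], a[0], a[2] or ""))

def excess_permissions(user):
    """Permissions the account holds now that its HR role does not grant."""
    intended = effective_permissions({HR_ROLES[user]}) if user in HR_ROLES else set()
    return effective_permissions(DIRECTORY.get(user, set())) - intended
```

Running `plan_changes(HR_ROLES, DIRECTORY)` shows the two failure modes the article describes: `bob` keeps access from a previous role, and `carol` is an orphaned account that still resolves to live permissions.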

IAM software allows you to implement automated provisioning without additional effort across all IT systems.

tenfold: The No-Code Approach to Automated Provisioning

While conventional IAM solutions require a ton of custom scripting to integrate with existing systems, tenfold offers the same powerful features in a fraction of the time thanks to our no-code approach and a wide range of out-of-the-box plugins.

From automated provisioning and deprovisioning through our user lifecycle management to self-service access requests, centralized permission reporting and the ability to automate access reviews, tenfold offers an efficient, powerful and easy-to-use IAM platform that helps you protect your data and reduce your IT workload. You can see tenfold in action by watching our demo video or signing up for a free trial today.

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.