User Provisioning is an Identity Access Management (IAM) process that involves the process of creating, updating and deleting a user's account and access in multiple applications and systems at once. Account and access management avail user / employee’s information such as name, attributes, group name and other related data which helps to grant or deny access accordingly. Need to provision arise when information is added or changed in a “original system database” (e.g. HR system, Institute Database). Hiring, promotions, transfers, are examples of events that can set off provisioning. Provisioning ensures user’s access rights are up to date, without manual efforts.
Deprovisioning means deleting a user and removing their access from multiple applications and network systems at once. Deprovisioning action is triggered when an employee leaves a company or changes roles within the organization. Deprovisioning removes individual accounts on file servers, authentication servers, such as Active Directory, which helps organization’s to free up disk space, ports, certificates and company-issued computers for future use. Deprovisioning prevents former employees from accessing corporate resources after he leaves the organization, improving security and confidentiality of the organization.This keeps the organisation’s applications secure and reduces administrative costs and time.
Group Provisioning is required when you want to maintain the same user hierarchy and access control in multiple applications at once. You can sync users with their corresponding group names between different applications. Suppose in your organization all users are stored in AD with specific groups e.g Developer, Tester, and Marketer. If a Developer group user wants to access both Developers and Tester Tools application, then group provisioning comes in frameto help out in this use case.Group Provisioning syncs user groups with all related applications and provides equivalent access accordingly.
Improve security by assigning different permissions level on role based with automatic provisioning within apps.
Reduces the cost of identity access management (IAM) operations by automating onboarding and offboarding processes.
Provide employees, contractors and partners with access to the applications they need when they need it.
Administrators can automatically provision and administer multiple application accounts from one centralized system.
Automated User Provisioning means making manual processes of Onboarding and Offboarding
employee’s automatic. Automated User Provisioning removes the difficulties and delays
caused while manually managing profiles, account privileges thus preventing gaps in security
by minimizing the impact of human error, and provides better ease of operation. Manually creating
accounts means that someone within an organization knows your password — which is likely a very insecure
Similar sorts of situations of human error occur like, employee could accidentally be provisioned to
systems and data
that they shouldn’t have access to, or still have access once they leave your organization.
Automating user provisioning and deprovisioning removes these sorts of risks, providing individuals with permissions in a safe and private manner. The process ensures that a employee is provisioned for on-premises and external apps based on their role’s attributes. These attributes and permissions are then stored in one central database, ensuring they can be easily modified as employee role changes. When departments or teams execute a new tool or modify an employee's position, access can also be rolled out based on group rules. Provisioning provides employees with access only when it is necessary, preventing any security gaps that hackers could exploit to gain unauthorized access to sensitive organization information.
Active Directory (AD) provisioning can help your organization to manage resources between your cloud applications and on-premises systems (AD and applications). This helps enterprises to have a simplified user & access management (IAM) and permit access to the applications and systems in a simple and intuitive manner. AD provisioning allows administrators to assign employees and users the appropriate access management (IAM) provisioning levels to company resources as per their department (HR, Finance, IT, Operation, Marketing etc).
Given below are the steps to setup User provisioning in miniOrange IDP. As an example, we will be setting up Active Directory (AD) for user provisioning. At the end of this setup, we will have configured Active Directory (AD) User Provisioning. After integrating Provisioning admin will be able to perform operations like import, create, delete, update, change the password from the miniOrange console and these changes will be automatically reflected in the Active Directory.
To configure user provisioning feature refer to the steps given below:
You can also set up Group Provisioning (Sync) with miniOrange to enable syncing of Active Directory (AD) groups in miniOrange. This will also help you maintain the same user hierarchy and access control in miniOrange as in your Active Directory. You can sync users with their corresponding group names between AD and miniOrange. The user groups will be automatically provisioned and deprovisioned in miniOrange when they are created or modified in AD and vice versa. The groups will be created on the fly if they are not present in miniOrange. You can follow the below instructions to setup AD Group Sync:
dsquery ou -name (known organisational unit)