13 for ’13 Jumpstart: User Provisioning

A few weeks ago we published an article called 13 IT Projects to Include in Your Plans for 2013. In that post, we recommended 13 great IT projects for you to consider, since many IT departments start lining up their wish lists for the new year. We got several requests either in comments or through email asking for tips to help “jumpstart” some of these projects, so we’re publishing a few follow-up articles to help do just that.

Our third project suggestion was for User Provisioning, here’s what we had to say:

When HR hires a new employee, how long does it take to get them fully provisioned into your systems? How much longer does it take to deprovision someone when you get that email from HR at 16:59 on a Friday afternoon? 2013 should be the year where you can quickly and easily provision a new employee across all of your systems, and should the need arise, disable their access in one click, rather than an hours long fire drill.

With that in mind, here are some tips to help you jump start this project:

Decide what will be the Source of Authority

The first and most important thing you need to do is decide what in your environment will be the source of authority (SoA). For most, this will be Active Directory (and the rest of this article will be written with that in mind). However, if you have SAP or other HR applications that can feed into AD, you may decide that this application is the SoA. The point of designating something as the SoA is to determine where all changes can be made, that push out to other applications or data sources. You need one place to make all changes and then you can flow those out to other systems as needed, or configure those systems to query your SoA as needed.

Establish standards

It’s critical to establish and enforce standards in your provisioning system. You need to determine naming conventions, patterns, how to address collisions, how to enter telephone numbers, titles, addresses and even whether to use abbreviations or spell things out. Successful queries will depend upon consistent data, so making sure everyone knows what and how to enter will help get the most out of your system.

Decide what is mandatory and what is optional

Active Directory requires very little to create a user account, but your dependent systems may need much more. You need consensus on what attributes must be populated and which can be left blank.

Establish request and approval requirements

Any new user should be created only after an appropriate request has been submitted and approved by an authorized person. Decide what the requirements and the approval process should be, standardize it and publish it. Whether you use a simple email, a help desk ticket, or a SharePoint workflow, you want some kind of audit trail to be a part of the process.

Consider user self-service

User self-service portals can make updating addresses and phone numbers a breeze, and can even address password resets. There are many third party solutions on the market that range from free to very expensive, depending on just what bells and whistles you want. Discuss the need for user self-service, and if it is desired, evaluate systems based on what they can offer and how much they will cost.

Build templates

In any user provisioning system, you want to do things as consistently as possible, and that can be greatly facilitated by using templates. You should have a template for regular users in each department, administrative users, special case users, or any other category you will use repeatedly, so that when you create a new user with a template, they are automatically placed in the right groups.

Use groups

And you want them in the right groups because this is where you should assign rights and permissions to network resources. When you assign to groups, it is easy to manage and it automatically conveys to each member of the group. If a user’s job role changes, removing them from the group removes the permissions – Easy!

Establish automation

The whole point of user provisioning is to do things consistently and efficiently. Automating processes is the next step. Use scripts to generate user accounts, and if you need to create other accounts in systems that cannot tie back to AD, use scripts to create those standalone accounts as well. A fully automated user provisioning system is possible with many different third party products, and can create consistent user accounts across diverse systems.

Leverage your SoA for everything

While you will probably have at least one legacy system that requires local accounts, try to leverage your source of authority for as much as possible. Each person is a single person – they should only need to have a single account. That makes it easy for the user and also for the administrator.

Document provisioning processes

Documentation is a key part of the provisioning process. Don’t just document the system technically, document the actual process needed to provision a new user, from the original request, through authorization, to securely distributing credentials to the new user.

Document deprovisioning processes

You also want to document your deprovisioning process, so that if an urgent need arises, you can go through it by the numbers and ensure nothing is left out. That way, you can quickly and efficiently remove access completely should the need arise.

Evaluate new applications and solutions

Once you have your SoA and a provisioning solution in place, you want to leverage it. Any new applications or solutions that you want to introduce to the environment should work with your provisioning system. Make that an evaluation criteria for all new products.

So now you have some tips to help you get started on user provisioning as a project, along with some of the key things to be sure you include to make this project a success. Management sponsorship, project management and consensus are all as important as the more technical parts, even if they aren’t quite as sexy. User provisioning can offer significant benefits to the business, and can make a big impact on the security of your network, so it’s in the best interests of the entire company to make sure this is a success. With the tips above, you are in a much better position to make sure it is a success.