Of course the answer to this question is: It depends. The decision regarding who owns provisioning revolves around
the enterprise's culture, organizational structure, deployed technologies, departmental responsibilities and capabilities, and political power. Keeping in mind that any one of these parameters can overwhelm the others, know that the user provisioning process -- Active Directory (AD) or otherwise -- is generally owned by the IT department or the information security team. While the help desk may be the initial point of entry into the process, its role in provisioning is generally facilitation and tracking of requests.
As far as the best way to manage user provisioning between groups goes, I'll assume you mean Active Directory groups. This managing is generally done one of two ways: by automation or through workflow. In automated provisioning, the provisioning system has logic programmed into it to automatically create entitlements in the proper Active Directory groups based on a set of parameters entered in the request. In a workflow environment, the decision concerning which group the user will be provisioned to is made by the resource owner -- typically through an email -- and the decision is then sent back to the provisioning system -- typically through an email -- where the system provisions the user based on the resource owner's instructions.
While automated provisioning is quicker, easier and less error-prone, it's also more expensive to deploy and manage. Workflow-based methods are relatively cheap, but they take time, require coordination among stakeholders, and even the best processes are prone to errors either in communication of privileges or in implementation of intended privileges. The right choice for an enterprise depends primarily on the resources it has to invest in user provisioning management and the number of users who need provisioning on a daily or weekly basis.
For more information:
- What are the pros and cons of using authentication that is not Active Directory-based? Read more.
- Learn more about the possible future of the user provisioning market.
Dig deeper on Active Directory and LDAP Security
Related Q&A from Randall Gamby, Contributor
Is your remote desktop access software really secure? Randall Gamby offers advice for conducting a remote access audit to validate security.continue reading
Expert Randall Gamby discusses risk-based authentication, and whether that type of user identification system is right for the enterprise.continue reading
Expert Randall Gamby discusses various types of single sign-on, specifically the approaches of Ping Identity's SSO and Symplified SSO.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.