Ask the Expert

What guidelines do you recommend regarding best practices for user provisioning?

What guidelines do you recommend regarding best practices for user provisioning? We want to be as efficient as possible in enabling people to do their jobs, but we want the right people to get the right access to the right systems.


The key to user provisioning is having a single system that provisions all users, no matter which systems they need to access. The worst-case scenario is a hodgepodge of tools, one for each system, that makes user provisioning not only chaotic but inconsistent.

When provisioning users, keep compliance in mind. Most regulations like SOX, GLBA and HIPAA, and industry standards like the PCI Data Security Standard, require strict auditing of who has access to which systems. A single tool is the best way to audit user access for compliance.

Now, this might sound a bit like single sign-on (SSO), but it's different. SSO is a single password for accessing multiple systems. A single user-provisioning tool is a single place for doling out different passwords to different systems. Having only one provisioning tool also means a system administrator can provision access to multiple systems, whether they're mainframes, servers or desktop PCs.

Along with compliance, the two other drivers for user provisioning are saving money and fighting security threats. Ideally, a user provisioning system should save money by administering user IDs and passwords, which is often one of the biggest drains on a help desk staff's time. It can also shorten the time it takes for users to get access to the systems they need, and fewer delays in getting access translate into less downtime and more productivity.

Make sure the user-provisioning system can review user accounts, privileges and authorizations on a periodic basis. This increases security by pruning stale and dormant accounts and by dropping excess privileges, including those left behind when a user's role changes.
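As an added illustration of the two points above (the compliance question "who has access to which systems" and the periodic review that prunes dormant accounts and excess privileges), here is a small Python access-review script. It is example code written for this page, not part of any product the article discusses. The role baseline, the `system:privilege` entitlement naming, the 90-day dormancy threshold and the sample account export are all constructed assumptions; in practice the records would come from the single provisioning system's own export.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Hypothetical role baseline: the entitlements each job role is supposed to hold.
# Entitlements use a constructed "system:privilege" naming convention.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "accounts-payable": {"erp:ap-clerk", "mail:user"},
    "helpdesk": {"ad:password-reset", "ticketing:agent", "mail:user"},
    "dba": {"db:admin", "mail:user"},
}

DORMANT_AFTER = timedelta(days=90)  # assumed review threshold; set per your policy


@dataclass
class Account:
    user: str
    role: str
    entitlements: Set[str]
    last_login: Optional[date]  # None means the account has never been used


def review(accounts: List[Account], today: date) -> List[dict]:
    """Periodic access review: flag dormant accounts and entitlements that
    exceed what the account's *current* role is entitled to (role drift)."""
    findings = []
    for acct in accounts:
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            findings.append({
                "user": acct.user,
                "issue": "dormant",
                "detail": "never logged in" if acct.last_login is None
                          else f"last login {acct.last_login.isoformat()}",
            })
        excess = acct.entitlements - ROLE_BASELINE.get(acct.role, set())
        if excess:
            findings.append({
                "user": acct.user,
                "issue": "excess-privilege",
                "detail": sorted(excess),
            })
    return findings


def who_has_access(accounts: List[Account]) -> Dict[str, List[str]]:
    """Compliance view: for each target system, the users holding any entitlement on it."""
    report: Dict[str, Set[str]] = {}
    for acct in accounts:
        for ent in acct.entitlements:
            system = ent.split(":", 1)[0]
            report.setdefault(system, set()).add(acct.user)
    return {system: sorted(users) for system, users in sorted(report.items())}


# Constructed sample export from a provisioning system (not real data).
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    # alice moved from DBA to accounts payable but kept db:admin -> excess privilege
    Account("alice", "accounts-payable", {"erp:ap-clerk", "mail:user", "db:admin"}, date(2024, 5, 30)),
    # bob has not logged in for well over 90 days -> dormant
    Account("bob", "helpdesk", {"ad:password-reset", "ticketing:agent", "mail:user"}, date(2024, 1, 15)),
    Account("carol", "dba", {"db:admin", "mail:user"}, date(2024, 5, 31)),
    # dave was provisioned but never used the account -> dormant
    Account("dave", "helpdesk", {"ticketing:agent", "mail:user"}, None),
]

if __name__ == "__main__":
    for f in review(SAMPLE_ACCOUNTS, TODAY):
        print(f"{f['user']:6} {f['issue']:17} {f['detail']}")
    for system, users in who_has_access(SAMPLE_ACCOUNTS).items():
        print(f"{system:10} {', '.join(users)}")
```

Because every account comes from one export, the same data answers both the auditor's question (`who_has_access`) and the reviewer's (`review`); with a separate tool per system you would have to reconcile several exports before either question could be answered consistently.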

Some other must-have qualities to look for in a user-provisioning system are its ability to mesh with the directory architecture, such as Active Directory or LDAP, and its ability to enforce password policy and resets (another big cost to help desks). The system should have workflow capabilities to provide management approval of access, but include a self-service feature to allow resets and delegation without having to call the help desk.
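The approval workflow and self-service features described above can be sketched as a small state machine. The following Python is an added example for this page, not code from any IAM product; the org chart (`MANAGER_OF`), the password-policy rules and the rule that only the requester's manager may approve are constructed assumptions standing in for whatever your provisioning system is configured to enforce.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical org chart used for approval routing: user -> manager.
MANAGER_OF = {"alice": "mona", "bob": "mona", "mona": "ceo"}


def password_meets_policy(user: str, password: str) -> bool:
    """Assumed policy: 12+ chars, mixed case, a digit, and not containing the user name."""
    return (len(password) >= 12
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and user.lower() not in password.lower())


@dataclass
class AccessRequest:
    requester: str
    entitlement: str
    status: str = "pending"  # pending -> approved -> provisioned, or denied
    approved_by: Optional[str] = None


@dataclass
class ProvisioningSystem:
    granted: Dict[str, Set[str]] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)  # the compliance trail

    def request_access(self, requester: str, entitlement: str) -> AccessRequest:
        req = AccessRequest(requester, entitlement)
        self.audit_log.append(f"REQUEST {requester} {entitlement}")
        return req

    def approve(self, req: AccessRequest, approver: str) -> bool:
        """Management approval step. Only the requester's manager may approve,
        which also rules out self-approval; anything else denies the request."""
        if req.status != "pending" or MANAGER_OF.get(req.requester) != approver:
            req.status = "denied"
            self.audit_log.append(f"DENY {req.requester} {req.entitlement} by {approver}")
            return False
        req.status, req.approved_by = "approved", approver
        self.audit_log.append(f"APPROVE {req.requester} {req.entitlement} by {approver}")
        return True

    def provision(self, req: AccessRequest) -> None:
        """Grant access only for a request that has passed approval."""
        if req.status != "approved":
            raise PermissionError("access is granted only after management approval")
        self.granted.setdefault(req.requester, set()).add(req.entitlement)
        req.status = "provisioned"
        self.audit_log.append(f"GRANT {req.requester} {req.entitlement}")

    def self_service_reset(self, user: str, new_password: str) -> bool:
        """Self-service path: no manager in the loop, but policy is still enforced
        and the event is still logged, so the help desk never has to be called."""
        ok = password_meets_policy(user, new_password)
        self.audit_log.append(f"RESET {user} {'ok' if ok else 'rejected-by-policy'}")
        return ok


if __name__ == "__main__":
    ps = ProvisioningSystem()
    req = ps.request_access("alice", "erp:ap-clerk")
    ps.approve(req, "mona")
    ps.provision(req)
    ps.self_service_reset("alice", "Correct-Horse-Battery-9")
    print("\n".join(ps.audit_log))
```

The point of routing everything, including denials and rejected resets, through `audit_log` is that a single provisioning tool yields a single trail; the approval and reset paths differ in who has to act, not in whether the action is recorded.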

User provisioning is the largest component of today's identity and access management (IAM) suites. But when considering an IAM suite, make sure it has all these features before investing.


This was first published in May 2008
