Of course the answer to this question is: It depends. The decision regarding who owns provisioning revolves around...
the enterprise's culture, organizational structure, deployed technologies, departmental responsibilities and capabilities, and political power. Keeping in mind that any one of these parameters can overwhelm the others, know that the user provisioning process -- Active Directory (AD) or otherwise -- is generally owned by the IT department or the information security team. While the help desk may be the initial point of entry into the process, its role in provisioning is generally facilitation and tracking of requests.
As far as the best way to manage user provisioning between groups goes, I'll assume you mean Active Directory groups. This managing is generally done one of two ways: by automation or through workflow. In automated provisioning, the provisioning system has logic programmed into it to automatically create entitlements in the proper Active Directory groups based on a set of parameters entered in the request. In a workflow environment, the decision concerning which group the user will be provisioned to is made by the resource owner -- typically through an email -- and the decision is then sent back to the provisioning system -- typically through an email -- where the system provisions the user based on the resource owner's instructions.
While automated provisioning is quicker, easier and less error-prone, it's also more expensive to deploy and manage. Workflow-based methods are relatively cheap, but they take time, require coordination among stakeholders, and even the best processes are prone to errors either in communication of privileges or in implementation of intended privileges. The right choice for an enterprise depends primarily on the resources it has to invest in user provisioning management and the number of users who need provisioning on a daily or weekly basis.
For more information:
- What are the pros and cons of using authentication that is not Active Directory-based? Read more.
- Learn more about the possible future of the user provisioning market.
Dig Deeper on Active Directory security
Related Q&A from Randall Gamby
Learn how to create account lockout policies that detail how many unsuccessful login attempts are allowed before a password lockout in order to ... Continue Reading
When it comes to minimum password length, 14-character passwords are generally considered secure, but they may not be enough to keep your enterprise ... Continue Reading
Enterprise SSO products have matured over the years, so what's the state of eSSO today? Expert Randall Gamby discusses. Continue Reading