Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

The pros and cons of automated user provisioning software

Automated user provisioning software can offer many benefits to enterprises, but its high cost and labor-intensive implementation may mean it's not right for yours. IAM expert Randall Gamby addresses the topic.

Our company is growing rapidly, and we're considering moving to an automated user provisioning product. What would you say are the pros and cons of these sorts of products?
The pros of automated user provisioning software are, of course, reduced administrative errors, improved Service Level Agreements (SLAs) for user access commissioning/decommissioning, automated account management, the ability to segregate populations of users (for mergers/acquisitions), automated reporting and audit of user accounts, automated workflow approvals, reduced risk of unauthorized access, consistent access policies, centralized control, and near real-time off-boarding of persons leaving the organization.

The list of cons is just as long as the list of advantages, however. There's no such thing as a best practice when it comes to implementing a provisioning system, but there are several essential steps necessary for making it work successfully:

  • You must define, and modify, if necessary, every process for account creation/modification/deletion.
  • You must meet with each business person who will be a source/recipient of account information and gain consensus on the business practices and data handling that will be used by the provisioning system.
  • You must configure and map the data to every system connected to the provisioning system.
  • You must define the workflow authorizations for each resource.
  • Existing accounts will not be in the system and must be imported through an alternative process in order for the automated provisioning product to recognize them.
  • You must define audit/reporting formats, as well as dates and times of audit execution.
  • You must build the front-end request forms and reports that will be generated.
  • You must change your business processes.
  • Finally, you must protect the provisioning system from unauthorized access due to the sensitive nature of the operations.

But perhaps the biggest con is the cost: Provisioning systems aren't cheap. And on top of that, in order to execute each of the statements above, I generally take the price of the provisioning system and multiply it by six -- since vendors don't typically consider the true cost associated with an implementation -- to get a more accurate estimated cost of deployment.

This was last published in June 2010

Dig Deeper on Privileged access management