What is Automated Provisioning?
Everything you need to know about the automated provisioning of account access.
Handling access for thousands of employee user accounts manually is a headache waiting to happen. Every new hire, role change, or termination requires individual attention from your customer’s IT team. It's slow and messy, and a single slip-up — from incorrect access to overlooked account deactivations — can pose significant security risks. And, as the number of employees and apps they use grows, so does the chaos.
Thankfully, that's where automated provisioning comes to the rescue. It lets your customers hook their user directories directly to your app and automatically provision (add), update, or deprovision (remove) users.
In this article, you’ll learn what exactly automated provisioning is, why you and your customers need it, and how you can implement it in your app using Directory Sync.
What is automated provisioning?
Automated provisioning is the process of automatically giving users access to various apps, services, or resources. It involves creating, updating, and deactivating user accounts and permissions without manual intervention from IT admins.
Why do you need automated provisioning?
Automated provisioning is beneficial to both your startup and your customers.
For your customers, automated provisioning means:
- Reduced admin burden: Automated systems, like an IT service desk or HR system, can provision accounts and access rights in seconds or minutes — a task that might otherwise take hours or days manually. This drastically reduces the time IT staff spend on repetitive tasks like setting up new user profiles, adjusting permissions as roles change, and deactivating accounts when employees leave.
- Reduced security risks: Manual provisioning is susceptible to errors, such as granting incorrect access rights or failing to revoke them when necessary (e.g. when an employee leaves or changes roles). Automation minimizes these risks by consistently applying access rules across the board, ensuring that users have the correct permissions according to their current roles and status.
- Compliance: Automated provisioning systems manage the entire lifecycle of user access rights, from the initial account setup to the termination of access. Because only authorized users retain access to data, this helps your customers comply with data and privacy regulations like GDPR, HIPAA, and SOC 2 — each of which has strict rules on handling sensitive data.
- Detailed logging and audit trails: Most automated provisioning systems will log every change made to user accounts, access policies, and access rights with details on who made the change and at what time. These detailed logs and reports not only support audit processes but also help your customers detect and respond to non-compliant actions or potential security breaches as they happen.
- Scalability: As the number of employees skyrockets and their roles or access needs become more complicated, automated provisioning scales to accommodate this increasing demand without a corresponding increase in admin workload.
- Easier employee onboarding: As soon as a new hire is entered into the HR system or the onboarding platform that your customer uses, automated provisioning can trigger the creation of user accounts across various systems and applications. Access rights are also assigned based on the new employee's role, so they have all the tools and information they need from day one.
For you, as a service provider, automated provisioning means:
- Likely to see more paid seats: When you eliminate the burden of adding new users to your app, your customers are likely to add more users to their subscription plan.
- Easier to close deals: By addressing the pains of manually provisioning users, your app becomes more attractive to IT teams, who often weigh in on technical decisions. They are more likely to advocate for your app if you support automated provisioning, which in turn expedites the sales cycle.
- Less friction in gaining adoption with an enterprise: When a company starts using a new service, there might be some hesitation at first. This often happens because adding the service into their current tech setup seems complicated. Automated provisioning makes this process faster and easier.
Here's how it helps: When it's easy to add users to a service, people can start using it right away. This immediate access to the tools and resources you offer leads to a quicker realization of your app’s value.
- Reduces the security risks: Your customer manages the access rights of their users, and the responsibility of determining who should have access to what information rests with them. This reduces the security risks you take on, provided you accurately process provisioning requests and grant access exactly as specified by your customer.
What are some examples of automated provisioning?
Below are some examples of automated provisioning:
- Automatically granting extra HRIS system access when an employee is promoted to Manager.
- Creating a new email account and Slack channel access for a new hire.
- Provisioning additional cloud storage and specific software licenses when an employee joins the design team.
- Disabling all access rights and company accounts immediately after an employee is terminated.
- Granting temporary access to financial systems during end-of-month reporting for specific roles.
- Enabling access to a project management tool for a contractor with a defined start and end date.
- Dynamically adjusting access to customer data in CRM systems based on sales territory realignments.
- Revoking access to all company assets for interns or temporary workers at the end of their contract period.
How can you enable automated provisioning?
Most Identity Providers (IdPs) use the System for Cross-domain Identity Management (SCIM) protocol to enable automated provisioning.
SCIM is an open standard designed to manage user identities in cloud-based applications and services. It simplifies user management by providing a common user schema and defines standard HTTP requests with JSON payloads for automatically exchanging user profile data between systems (specifically your customer's IdP and your app).
SCIM allows an IdP to communicate with many SaaS apps and push or pull user profile changes. So when an account is created, updated, or deactivated in the IdP, the change triggers a SCIM request to your app and other connected apps to make the corresponding updates (like deactivating a user or creating a new user account in your system).
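To make the "standard HTTP requests with JSON payloads" concrete, here is a minimal in-memory SCIM 2.0 /Users resource that accepts the create, read, patch and delete requests an IdP sends. This is an added illustration, not WorkOS code or a complete SCIM implementation: the schema URNs and payload shapes follow RFC 7643/7644, the store and sample values are constructed, and authentication of the IdP's bearer token, filtering, and the /Groups resource are left out. Two details a practitioner should note: userName uniqueness is enforced (a second create returns 409), and PATCH is restricted to an allowlist of attributes so an IdP cannot rewrite id or meta.

```python
"""Minimal in-memory SCIM 2.0 /Users endpoint (constructed illustration)."""
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Attributes the IdP is allowed to change through PATCH; id and meta are server-owned.
MUTABLE_ATTRIBUTES = {"userName", "name", "emails", "active", "externalId", "displayName"}


def scim_error(status, detail):
    """SCIM error response body (RFC 7644 section 3.12)."""
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


class ScimUserStore:
    def __init__(self):
        self.users = {}          # id -> SCIM User resource
        self.by_username = {}    # userName -> id; userName must be unique

    def handle(self, method, path, body=None):
        """Route one HTTP request; returns (status_code, response_body_or_None)."""
        parts = [p for p in path.split("/") if p]
        if not parts or parts[0] != "Users":
            return scim_error(404, "resource not found")
        user_id = parts[1] if len(parts) > 1 else None

        if method == "POST" and user_id is None:
            return self._create(body or {})
        if user_id is None or user_id not in self.users:
            return scim_error(404, "user not found")
        if method == "GET":
            return 200, self.users[user_id]
        if method == "PATCH":
            return self._patch(user_id, body or {})
        if method == "DELETE":
            user = self.users.pop(user_id)
            self.by_username.pop(user["userName"], None)
            return 204, None
        return scim_error(405, "method not allowed")

    def _create(self, body):
        if USER_SCHEMA not in body.get("schemas", []):
            return scim_error(400, "missing User schema")
        username = body.get("userName")
        if not username:
            return scim_error(400, "userName is required")
        if username in self.by_username:
            return scim_error(409, "userName already exists")   # uniqueness conflict
        user_id = str(uuid.uuid4())
        user = {
            "schemas": [USER_SCHEMA],
            "id": user_id,
            "externalId": body.get("externalId"),
            "userName": username,
            "name": body.get("name", {}),
            "emails": body.get("emails", []),
            "active": bool(body.get("active", True)),
            "meta": {"resourceType": "User", "location": f"/Users/{user_id}"},
        }
        self.users[user_id] = user
        self.by_username[username] = user_id
        return 201, user

    def _patch(self, user_id, body):
        if PATCH_SCHEMA not in body.get("schemas", []):
            return scim_error(400, "missing PatchOp schema")
        updates = []   # validate every operation before applying any of them
        for op in body.get("Operations", []):
            kind = op.get("op", "").lower()
            if kind not in ("replace", "add"):
                return scim_error(400, f"unsupported op: {kind}")
            path_attr, value = op.get("path"), op.get("value")
            if path_attr is None:
                if not isinstance(value, dict):
                    return scim_error(400, "operation without path needs an object value")
                items = value.items()
            else:
                items = [(path_attr, value)]   # only top-level attribute paths handled here
            for attr, val in items:
                if attr not in MUTABLE_ATTRIBUTES:
                    return scim_error(400, f"attribute not patchable: {attr}")
                if attr == "active":
                    val = val in (True, "True", "true")   # some IdPs send booleans as strings
                updates.append((attr, val))
        user = self.users[user_id]
        for attr, val in updates:
            user[attr] = val
        return 200, user
```

A deprovisioning request from an IdP typically arrives as a PATCH that sets active to false (or as a DELETE); the store above treats both as valid, and your app decides what "inactive" means locally (revoke sessions, hide data) rather than relying on the flag alone.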
Other options for enabling automated provisioning include:
- Custom integration and APIs: This approach requires you to expose an API for your app that your customers can integrate with using their own custom scripts.
- Configuration management tools: Tools like Ansible, Chef, and Puppet, traditionally used for infrastructure automation, can also automate the provisioning of user accounts and configurations on servers and workstations. They are especially useful in environments with significant on-premises infrastructure.
- Workflow automation platforms: Platforms like Zapier, Microsoft Power Automate, or Workato can be used to create custom workflows that trigger provisioning actions across various applications and services.
How can you implement automated provisioning?
One of the easiest ways you can implement automated provisioning is by using Directory Sync by WorkOS.
Directory Sync provides simple APIs and SDKs for connecting your app to your customer’s directory providers, like Microsoft Entra (formerly Azure AD), Okta, OneLogin, and even HRIS platforms like Workday, and Google Workspace. Through these integrations, your customers are able to automatically provision or de-provision users in your app.
Here’s how you can enable automatic provisioning using WorkOS Directory Sync:
Sign up for a WorkOS account
You’ll get access to the WorkOS dashboard and API keys. Copy the API key somewhere safe. The API key is crucial as it authenticates your app’s requests to WorkOS.
Install the WorkOS SDK
WorkOS provides dozens of SDKs for most of the popular programming languages including Node, Python, and Java. Install the one that matches the platform you use.
Create a directory connection
There are two ways to go about this:
- Manually configure it from the WorkOS dashboard. You’ll need to ask the customer you’re onboarding for their directory authentication details like API keys, or secret keys (the actual details will depend on their provider) and also map any custom attributes they use to your user model.
- Send the admin portal to your customer’s admin team — this approach is much easier and faster than configuring the connection yourself. Your customer’s admin can connect to their directory and map the necessary attributes. You don’t have to have endless meetings to exchange connection details.
Handle events
Events are the requests your customer’s IdP sends to your app like creating a user, updating a user role, adding a user to an access group, deactivating a user, and so on. There are two ways to handle events: You can configure your app to listen for incoming HTTP POST requests from WorkOS using Webhooks or use the Events API to periodically request new events.
By configuring Webhooks, your app will receive real-time notifications when an admin updates a user or group details in the IdP. You can then process these notifications and update user access rights and roles in your system accordingly.
The issue with Webhooks is they don’t guarantee ordered events. You may receive directory updates in the incorrect order and end up processing a stale event after a more recent one, which is terrible for security. Additionally, WorkOS does not rate limit webhooks, so you must design your system to scale as more events come in, otherwise it’ll crash or slow down.
The Events API is a more robust solution compared to Webhooks. Instead of being bombarded with events all at once (like with Webhooks), you can retrieve events when you're ready and process them at your own pace. Plus, it sends events in the exact order they happened, so you never have to worry about processing out-of-sync events.
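The stale-event problem described above is worth seeing in code. The processor below (an added illustration, not WorkOS SDK code) keeps, per directory user, the timestamp of the newest event already applied and ignores anything older, and it remembers event ids so a retried delivery is idempotent. The event shape ({"id", "event", "created_at", "data": {"id", "email", "state"}}) and the sample events are constructed assumptions. The same processor is then fed an ordered feed with a cursor, which is the Events API consumption pattern.

```python
"""Stale-event guard for directory webhooks (constructed illustration)."""
from datetime import datetime


def _parse_ts(value):
    # RFC 3339 timestamps with a trailing Z; fromisoformat wants +00:00
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class DirectoryUserSync:
    """Applies dsync.user.* events so that the newest event for a user always wins."""

    def __init__(self):
        self.users = {}          # directory user id -> {"email", "state"}
        self.last_applied = {}   # directory user id -> timestamp of newest applied event
        self.seen_ids = set()    # event ids already processed (idempotent retries)
        self.audit = []          # decision log, one line per delivery

    def process(self, event):
        eid, kind = event["id"], event["event"]
        if eid in self.seen_ids:
            self.audit.append(f"{eid} {kind}: duplicate delivery ignored")
            return "duplicate"
        self.seen_ids.add(eid)

        user_id = event["data"]["id"]
        ts = _parse_ts(event["created_at"])
        newest = self.last_applied.get(user_id)
        if newest is not None and ts < newest:
            # A more recent event for this user is already applied; applying this one
            # would roll the account back (for example re-enabling a deleted user).
            self.audit.append(f"{eid} {kind}: stale, ignored")
            return "stale"
        self.last_applied[user_id] = ts

        if kind == "dsync.user.deleted":
            self.users[user_id] = {"email": event["data"].get("email"), "state": "deleted"}
        elif kind in ("dsync.user.created", "dsync.user.updated"):
            self.users[user_id] = {
                "email": event["data"]["email"],
                "state": event["data"].get("state", "active"),
            }
        else:
            self.audit.append(f"{eid} {kind}: unhandled type")
            return "unhandled"
        self.audit.append(f"{eid} {kind}: applied")
        return "applied"


def drain_ordered(sync, feed, cursor=None):
    """Events API style: process the ordered feed after `cursor`, return the new cursor."""
    start = 0
    if cursor is not None:
        start = next(i for i, e in enumerate(feed) if e["id"] == cursor) + 1
    for event in feed[start:]:
        sync.process(event)
    return feed[-1]["id"] if feed else cursor


# Constructed sample: create, update, then delete one user, five minutes apart.
EVENTS = [
    {"id": "event_01", "event": "dsync.user.created", "created_at": "2024-05-01T09:00:00Z",
     "data": {"id": "directory_user_01", "email": "ada@example.com", "state": "active"}},
    {"id": "event_02", "event": "dsync.user.updated", "created_at": "2024-05-01T09:05:00Z",
     "data": {"id": "directory_user_01", "email": "ada@example.com", "state": "active"}},
    {"id": "event_03", "event": "dsync.user.deleted", "created_at": "2024-05-01T09:10:00Z",
     "data": {"id": "directory_user_01", "email": "ada@example.com"}},
]


def webhook_delivery_out_of_order():
    """Simulate webhooks arriving as created, deleted, updated; the update must not win."""
    sync = DirectoryUserSync()
    results = [sync.process(EVENTS[i]) for i in (0, 2, 1)]
    return sync, results


if __name__ == "__main__":
    sync, results = webhook_delivery_out_of_order()
    print(results, sync.users)
    for line in sync.audit:
        print(line)
```

Without the timestamp guard, the late-arriving dsync.user.updated would overwrite the deletion and leave the account active; with it, the user ends in state "deleted" regardless of delivery order.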
Process events
Processing an event starts with verifying its authenticity — did it actually come from WorkOS and is it from a directory you’re connected to?
The next step is to parse the event data, to understand what action your app needs to take in response to the event. WorkOS has different event types, including:
- dsync.user.created, dsync.user.updated, and dsync.user.deleted for user-related events.
- dsync.group.created, dsync.group.updated, and dsync.group.deleted for group-related events.
The type of event will determine how you process it. If you receive a dsync.user.created event, for instance, you’ll respond by creating the user’s account.
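The two processing steps just described, checking that a delivery is authentic and from a directory you are connected to, then dispatching on the event type, look like this in a plain Python webhook receiver. This is an added example, not the WorkOS SDK's verifier (use the SDK's built-in one in production). Assumptions: a WorkOS-Signature header of the form "t=<unix timestamp>, v1=<hex HMAC-SHA256 over '<timestamp>.<raw body>'>", as I understand the WorkOS signing scheme, and a data.directory_id field on dsync events; confirm both against the current docs. The secret, directory id and event bodies are constructed.

```python
"""Webhook authenticity check plus dispatch by event type (constructed illustration)."""
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 180                                # reject replays of old deliveries
WEBHOOK_SECRET = "whsec_constructed_example"           # constructed; real value from the dashboard
CONNECTED_DIRECTORIES = {"directory_constructed_01"}   # directories this app actually onboarded


def sign(raw_body, secret, ts):
    """Build the header value a sender would attach (used here only to construct test input)."""
    mac = hmac.new(secret.encode(), f"{ts}.{raw_body}".encode(), hashlib.sha256).hexdigest()
    return f"t={ts}, v1={mac}"


def verify_signature(raw_body, header, secret, now=None):
    """True only if the HMAC matches and the timestamp is within tolerance."""
    now = time.time() if now is None else now
    try:
        fields = dict(part.strip().split("=", 1) for part in header.split(","))
        ts, provided = int(fields["t"]), fields["v1"]
    except (KeyError, ValueError, AttributeError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    expected = hmac.new(secret.encode(), f"{ts}.{raw_body}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, provided)   # constant-time comparison


class AppUsers:
    """The app's own account table, updated from directory events."""

    def __init__(self):
        self.accounts = {}   # directory user id -> {"email", "active"}

    def on_user_created(self, data):
        self.accounts[data["id"]] = {"email": data["email"], "active": True}

    def on_user_updated(self, data):
        acct = self.accounts.setdefault(data["id"], {"email": data["email"], "active": True})
        acct["email"] = data["email"]
        acct["active"] = data.get("state", "active") == "active"

    def on_user_deleted(self, data):
        acct = self.accounts.get(data["id"])
        if acct:
            acct["active"] = False   # disable rather than drop, so audit history survives


HANDLERS = {
    "dsync.user.created": AppUsers.on_user_created,
    "dsync.user.updated": AppUsers.on_user_updated,
    "dsync.user.deleted": AppUsers.on_user_deleted,
}


def handle_webhook(raw_body, header, app, secret=WEBHOOK_SECRET, now=None):
    """Process one delivery; returns (http_status, message) for the HTTP response."""
    if not verify_signature(raw_body, header, secret, now):
        return 401, "invalid signature"
    event = json.loads(raw_body)
    if event.get("data", {}).get("directory_id") not in CONNECTED_DIRECTORIES:
        # Authentic but not for a directory we provisioned: acknowledge and take no action.
        return 200, "ignored: unknown directory"
    handler = HANDLERS.get(event.get("event"))
    if handler is None:
        return 200, f"ignored: {event.get('event')}"   # e.g. dsync.group.* not handled here
    handler(app, event["data"])
    return 200, f"processed {event['event']}"


if __name__ == "__main__":
    app = AppUsers()
    now = 1_700_000_000
    body = json.dumps({"id": "event_c1", "event": "dsync.user.created",
                       "data": {"id": "du_1", "directory_id": "directory_constructed_01",
                                "email": "ada@example.com", "state": "active"}})
    print(handle_webhook(body, sign(body, WEBHOOK_SECRET, now), app, now=now), app.accounts)
```

Note that verification runs over the raw request body exactly as received; parsing the JSON first and re-serializing it would change whitespace or key order and break the HMAC.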
Error handling and logging
Finally, add logic to handle and log any errors that happen when you’re processing the events. It’ll make diagnosing and debugging issues way easier if anything goes wrong.
For more in-depth implementation guides with code examples, visit the WorkOS Directory Sync documentation.
Conclusion
By automating user provisioning, your customers save tons of admin time and minimize security risks compared to manually setting up and maintaining each of their employee's accounts in your app. While you could invest engineering calories into building and hosting your own SCIM endpoint for automated provisioning, WorkOS Directory Sync saves you the time and effort with just a single API-based integration.