
What does Deprovisioning Mean?

Learn about deprovisioning user access with SCIM and the differences in deprovisioning strategies amongst major IdPs.


Every employee account left active post-employment or role change is a potential backdoor for unauthorized access, data leaks, or security breaches.

That’s why deprovisioning is extremely important: this process revokes a user’s access when they no longer need it.

In this article, we'll discuss what deprovisioning is and its benefits. We’ll delve into how automated provisioning systems streamline the deprovisioning process, see how various identity providers approach it, and share some deprovisioning best practices.

What is deprovisioning?

Deprovisioning means removing access from users when they no longer need it. It involves disabling user accounts and access to applications and data.

It’s the exact opposite of another component of user lifecycle management, provisioning, which means granting users access to apps or services.

Why bother with deprovisioning accounts?

Deprovisioning benefits both you, the SaaS provider, and your end customers.

For your customer, deprovisioning accounts means:

Increased security

By immediately cutting off access for former employees, they reduce the risk of data breaches or account takeovers. Whether it's an email account that could receive confidential information, a system login that offers a gateway to critical infrastructure, or application permissions that allow data manipulation, deprovisioning ensures that access is as temporary as the user's need for it.

Cost savings

When organizations correctly deprovision users, they stop paying for things like user licenses and storage that nobody is using – they save money by only paying for what they actually use.

Compliance

For regulated companies, deprovisioning is a must. Many regulations like GDPR require that organizations only keep personal data for as long as necessary. Deprovisioning users and wiping their accounts helps meet compliance mandates.

For you (the service provider), deprovisioning means:

Improved security

Deprovisioning ensures that users who shouldn't have access to your system anymore are removed, significantly lowering the risk of security breaches. If a user account that no longer needs access is compromised, it can't be used to gain unauthorized entry into your system.

Plus, fewer accounts mean a smaller attack surface for hackers and less chance of unused accounts with old passwords being exploited.

Easier to close deals

Supporting deprovisioning, especially if automated, in your app addresses critical operational, security, and compliance needs for potential clients. It’s much easier to close deals if your app doesn’t add significant admin overhead for your customers’ teams and demonstrates a commitment to security.

Reduced support costs

Effective deprovisioning can also reduce the volume of support requests related to access management and security issues. Fewer support incidents mean lower support costs and a better overall customer experience, as customers encounter fewer problems related to unauthorized access or compromised accounts.

What are automated provisioning systems?

Deprovisioning can be handled manually or automatically using automated provisioning systems.

Manual deprovisioning requires admins to manually disable logins, revoke permissions and access for each system and application one by one. Unsurprisingly, this is extremely time-consuming and notoriously error-prone. Automated provisioning systems connect directly to each system and app in a company’s IT estate to make all these changes automatically via API integrations.

Different Identity Providers (IdPs) like Okta, Ping Identity, and Microsoft Entra (formerly Azure AD) can automatically deprovision users from applications.

Here’s a brief overview of how they typically function to deprovision users:

Disabling Access

When an admin disables the account in the IdP, automated systems immediately disable their access to all systems and applications. Their login credentials are revoked so they can no longer sign in. Any access to sensitive data or administrative functions is cut off. This ensures the user can no longer access anything or make any changes the moment they are deprovisioned.

Revoking permissions

Automated deprovisioning systems also automatically revoke all the permissions and privileges assigned to a user. If the user was a system admin, their admin rights are removed. If they have access to certain applications or databases, that access is revoked. Any keys, tokens, or other credentials the account held are invalidated. All of this happens instantly behind the scenes the moment an admin disables the user account from the IdP.

Some of the main benefits of automated provisioning include:

  • Increased accuracy: By eliminating the need for manual intervention, automated systems decrease the likelihood of errors, such as forgotten account deactivations.
  • Scalability: For small businesses using a limited number of apps, manually removing user access is manageable. However, as a company grows, so does the number of its employees and the apps they use. Tracking and managing access becomes a complex task. Automated provisioning systems can effortlessly handle growing numbers of users, without adding extra workload for admins.
  • Security: Automated provisioning systems respond quickly to changes in access rights — you don’t have to worry about employees having access to critical resources long after they’ve left the company or switched roles.

Best practices for deprovisioning

To effectively deprovision users, follow these best practices:

  • Have clearly defined deprovisioning policies and procedures that cover various scenarios like employee termination, role changes, or extended leave.
  • Use automated IAM solutions to enforce deprovisioning policies. Automation reduces errors and ensures rapid account revocation.
  • Regularly audit deprovisioned accounts to ensure their access remains revoked. These reviews should be conducted at regular intervals and whenever significant changes occur within the organization, such as restructurings or mergers.
  • To properly deprovision users, be sure to cut off access at the system level, delete or disable all accounts, and review and revoke any leftover permissions.
  • Keep records of all deprovisioning events for auditing purposes. Records should include who performed the deprovisioning, when, and which access was revoked.

How do different IdPs handle deprovisioning?

Many IdPs use the System for Cross-domain Identity Management (SCIM) protocol to enable deprovisioning. SCIM defines a common user schema for user attributes (like names, email addresses, roles, etc.) and specifies HTTP methods for exchanging user profile data between IdPs and SPs.

It allows the IdP to communicate with many SaaS apps and push or pull user profile changes. When an admin disables an account in the IdP, the IdP makes a deprovisioning request to your app, which responds by deactivating the user’s account.

While the SCIM API is standardized, it still leaves room for interpretation, meaning different IdPs may approach user deprovisioning differently.

Below are some common approaches:

Changing user attributes from active to inactive

Some identity providers, like Okta, deprovision users by setting their active attribute from true to false. In this case, the user account is disabled, effectively preventing the user from logging in while retaining the account data for audit or reactivation purposes.

Removing users from groups

Groups are collections of users who share the same rights. Users assigned to a group automatically inherit the permissions associated with that group. During deprovisioning, IdPs remove the user from their groups to ensure they no longer have the access or permissions associated with those groups.

Deleting user account data

Some IdPs, like JumpCloud, allow permanent deletion of user accounts during deprovisioning. This process removes all traces of the user's account and data.
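As an added example (not WorkOS code, nor code from any IdP named above), the following Python sketches how a SCIM 2.0 endpoint in your app could apply the three deprovisioning styles just described, and also illustrates the IdP-to-app exchange from the SCIM section: a PATCH that sets active to false, a PATCH that removes a member from a group, and a DELETE of the user. The PatchOp URN and the members[value eq "..."] filter path come from the SCIM 2.0 protocol (RFC 7644); the ScimStore class, the user and group ids, and the audit list are constructed stand-ins for your own database and event logging.

```python
import re

# SCIM 2.0 message schema for PATCH bodies (RFC 7644 section 3.5.2).
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Filter path used to remove one member from a Group, e.g. members[value eq "u1"].
MEMBER_FILTER = re.compile(r'members\[value eq "([^"]+)"\]')

class ScimStore:
    """Constructed in-memory stand-in for the app's user and group tables."""
    def __init__(self):
        self.users = {}    # user id -> {"userName": str, "active": bool}
        self.groups = {}   # group id -> {"displayName": str, "members": set of user ids}
        self.audit = []    # deprovisioning events kept for later review

    def _check_patch(self, body):
        if PATCH_OP not in body.get("schemas", []):
            raise ValueError("expected a SCIM 2.0 PatchOp message")

    def patch_user(self, user_id, body):
        """PATCH /Users/{id}: a replace op that flips active to false disables the login."""
        self._check_patch(body)
        user = self.users[user_id]
        for op in body["Operations"]:
            if op["op"].lower() != "replace":
                continue
            # Accept both {"path": "active", "value": false} and {"value": {"active": false}}.
            value = {op["path"]: op["value"]} if "path" in op else op["value"]
            if isinstance(value, dict) and value.get("active") is False:
                user["active"] = False
                self.audit.append(("deactivate_user", user_id))
        return user

    def patch_group(self, group_id, body):
        """PATCH /Groups/{id}: a remove op with a members[...] filter drops that user."""
        self._check_patch(body)
        group = self.groups[group_id]
        for op in body["Operations"]:
            match = MEMBER_FILTER.search(op.get("path", ""))
            if op["op"].lower() == "remove" and match:
                group["members"].discard(match.group(1))
                self.audit.append(("remove_member", group_id, match.group(1)))
        return group

    def delete_user(self, user_id):
        """DELETE /Users/{id}: permanent removal, also scrubbing group memberships."""
        self.users.pop(user_id)
        for group in self.groups.values():
            group["members"].discard(user_id)
        self.audit.append(("delete_user", user_id))
        return 204  # a successful SCIM DELETE is answered with 204 No Content
```

Whichever style the IdP uses, the app should treat each request as a revocation event and record it, which is what the audit list stands in for here.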

Conclusion

Deprovisioning is a key part of managing user identities and access in your customer’s organization. By automating the process, they save tons of admin time and minimize security risk compared to manual approaches.

To connect to your customers’ identity providers and allow them to automatically deprovision users from your app, use Directory Sync by WorkOS.

  • Get started fast: With SDKs for every popular platform, and Slack-based support, you can implement Directory Sync in minutes rather than weeks.
  • Events-based processing: WorkOS’s Events API means every SCIM request is processed in order, and in real-time. You’ll never miss a provisioning request again.
  • Pricing that makes sense: Unlike competitors who price by monthly active users, WorkOS charges a flat rate for each company you onboard - whether they’re syncing 10 or 10,000 users with your app.

https://workos.com/directory-sync
