The first day at a new job is exciting for a new employee. They meet their new colleagues, start learning the culture, and begin a new chapter of their career. But sometimes, if HR and IT are swamped, it takes a few days to get a new employee access to the software they need, which leaves you with an employee twiddling their thumbs.
Fortunately, there’s a solution: user provisioning.
What is provisioning?
User provisioning and de-provisioning is the process of granting and restricting access to apps and systems. User provisioning can save HR and IT time by automating tedious processes, and it can increase efficiency by getting new employees access right away. User de-provisioning can increase security by revoking an employee’s access right when they leave the company.
In an ideal world, user provisioning is tied to HR actions. For instance, updating an employee’s record to indicate that they quit their job would automatically delete their access to databases, applications, etc. In the real world, these processes tend to be time-consuming, error-prone manual labor done by HR, IT, or a combination of the two. More on that later. Automating this work is key to worker efficiency and company security.
User provisioning, especially when automated, is a vital part of helping all employees focus on work that matters.
Speeds up employee onboarding
One of the biggest use cases for automated user provisioning is new employee onboarding. Without user provisioning, a new employee might have to wait days to be granted access to the data and applications they need. Without use of the tools they need to do their job, they will have to sit around and play solitaire (on the company dime) until they can work.
Creating accounts for new hires can feel like low-value work to the HR or IT team, who are busy with other work, like resolving personnel disputes or debugging network problems. Automating this process frees up those departments to focus on tasks that are harder to automate and help move the company forward.
Gets temp workers on the job faster
If a company uses contractors or temp workers, then new-user provisioning is even more critical because it’s a constant task. Repeatedly creating new accounts, passing them out to temporary employees, and then deactivating the accounts is not only time-consuming but also has a high margin for error. If the temp worker uses a lot of different applications, it’s easy to forget to add one they might need. Then, by the time the temp employee realizes they need it and pings HR or IT, days have passed, and ample time has been wasted.
Similarly, if an employee gets a promotion or moves to another department, odds are, their roles and permissions will change. If an engineer is too people-oriented to code all day, maybe they move into a technical sales role. They will need access to sales applications, like HubSpot or Salesforce. Waiting to grant them access will delay their work.
Smooths organization updates
User provisioning by configuring roles and groups makes it easy for IT to make updates across orgs as well. Say your company decides they don’t like their work management tools anymore. Instead of making recurring announcements to employees, asking them to sign up for the new tool and delete their old accounts (then having to track down who doesn’t have a new account yet and who left an old zombie account lying around in the old tool), IT can do it in one fell swoop. All users will get the new tool added to their role and the old one removed.
So user provisioning is all well and good, but what about when people leave? That’s where de-provisioning comes in.
User de-provisioning is essentially the exact opposite of user provisioning; it removes access to data and applications from a user. HR or IT should be able to deny access to data and apps in one action for a company’s data to be truly secure. Good HR management software, such as Rippling or BambooHR (both of which integrate with WorkOS), can make de-provisioning a simple click.
It’s critical that companies have control over their employees’ privileges, because sometimes when people leave a company (or are asked/told to leave a company), they might feel like they were wronged. If they still have access to data and applications, they can easily cause a security breach by stealing or altering data.
Alternatively, if a current employee’s account is compromised somehow—maybe a weak password or stolen device—IT can quickly de-provision that user’s account and mitigate further problems before too much damage is done.
Automated user provisioning and de-provisioning may sound like magic. How does it actually work? Let’s take a quick peek into some of the newest tools in the space.
WorkOS Directory Sync is an identity management tool that automatically provisions and de-provisions users based on changes to the user directory. It integrates with popular Directory Providers, including Google, Gusto, Workday, ADP, and more. This is useful because directory systems aren’t standardized; there are still tons of legacy implementations out there. SCIM, a relatively new protocol, isn’t widely adopted yet, so implementing a tool like WorkOS gets you directory sync features without the headache.
Webhooks and SDKs (in multiple languages) provide for easy integrations. Webhooks include custom fields where available and can be easily customized. Regardless of the provider, WorkOS systems will listen to User and Group changes and send normalized payloads to developers so they can handle changes as they see fit. Essentially, WorkOS Directory Sync acts as a go-between to connect your applications with the directories they need in order to stay up to date with information about users, groups, and access rules.
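An added example of the receiving side of the webhook flow described above (not code from WorkOS or its SDKs): it authenticates each delivery, rejects stale ones, and applies user and group changes idempotently, ending live sessions when a user is removed. The event names, payload fields, and the HMAC-over-timestamp signature scheme are assumptions for illustration; the real ones come from the provider's documentation.

```python
import hashlib
import hmac
import json

MAX_SKEW_SECONDS = 300  # replay window for signed deliveries

def verify_signature(secret, timestamp, body, signature, now):
    """Assumed scheme: hex HMAC-SHA256 over b"<timestamp>.<body>", plus a freshness check."""
    try:
        fresh = abs(now - int(timestamp)) <= MAX_SKEW_SECONDS
    except ValueError:
        return False
    expected = hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()
    return fresh and hmac.compare_digest(expected.encode(), signature.encode())


class AccessStore:
    """In-memory stand-in for the application's own account and session tables."""
    def __init__(self):
        self.active = {}          # directory user id -> set of group names
        self.sessions = {}        # directory user id -> list of session tokens
        self.seen_events = set()  # event ids already applied

    def apply(self, event):
        """Apply one normalized directory event; a repeated event id is a no-op."""
        if event["id"] in self.seen_events:
            return "duplicate"
        self.seen_events.add(event["id"])
        kind, uid = event["event"], event["data"]["user_id"]  # hypothetical field names
        if kind == "user.created":
            self.active.setdefault(uid, set())
        elif kind == "user.deleted":
            # De-provision: remove the account and end live sessions together.
            self.active.pop(uid, None)
            self.sessions.pop(uid, None)
        elif kind == "group.user_added" and uid in self.active:
            self.active[uid].add(event["data"]["group"])
        elif kind == "group.user_removed" and uid in self.active:
            self.active[uid].discard(event["data"]["group"])
        else:
            return "ignored"
        return "applied"


def handle_webhook(store, secret, timestamp, body, signature, now):
    """Verify before parsing, so unauthenticated bodies never reach json.loads."""
    if not verify_signature(secret, timestamp, body, signature, now):
        return "rejected"
    return store.apply(json.loads(body))
```

Verification runs on the raw request bytes, not on re-serialized JSON, because re-encoding can change the byte sequence the sender signed.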
Okta Lifecycle Management is a tool for automated user provisioning and de-provisioning that can integrate with over 120 applications, including Workday, UltiPro, BambooHR, SuccessFactors, G Suite, and NetSuite. It provides useful information and functions on one page, including custom attributes for rich profiles and role assignment through an integration with Active Directory or LDAP. Automation is done by configuring rules, policies, workflows, and APIs.
OneLogin Automated User Provisioning is a real-time user management automation tool that allows for quick and easy user provisioning and de-provisioning. Access control can be defined by role, department, location, title, or custom attributes. Each app in the tool can define entitlement by using customizable rules for user access. One of the best features is a kill switch that de-provisions user access within seconds.
Being able to quickly and accurately perform user provisioning and de-provisioning with an automated system is key to performance and security. Now that you understand what user provisioning and user de-provisioning are, and you know the tech behind automated user provisioning and de-provisioning, you can decide if it’s the right move for your company.