Provisioning is the process of providing users with access to data and technology. This normally means enterprise-level resources such as Applications, Distribution Lists and Files or Folders. It can also include the purchase of Hardware and other external systems. Basically, anything that a user requires to perform their job needs to be 'provisioned'.
For example, this can include creating Active Directory Accounts, Updating HR Leave information or Deleting and Archiving User information. Therefore provisioning tasks range from the simple, such as 'Add a User to a Group' through to 'Move all User information between these Locations'.
Manual Provisioning
Manual provisioning processes are probably the most commonly used today. IT staff use the native tools of the application (e.g. Microsoft Management Console) and manually work through a series of steps to complete the provisioning task.
There are a number of issues associated with manual processes:
- Lack of Consistency
- Time consuming and expensive
- Error prone - high rework costs
- Slow user response times and high level of user frustration
- Poor security
- Lack of auditing and control
Scripts
Some organizations have implemented 'scripts' to try to enhance the provisioning process. This is an attempt to automate certain parts of the manual processes, for example creating the Active Directory User account.
While a step in the right direction, implementing scripts in this manner also tends to have a number of issues:
- Can only be run by experienced IT support staff
- Expensive to write the custom scripts
- Normally undocumented and difficult to support and change (e.g. when the programmer leaves, nobody can change it)
- Expensive to maintain and change when the organization changes (e.g. adding a new server)
- Limited or no error checking
Identity Management Systems and Provisioning
Identity Management Systems (like Microsoft MIIS) are not provisioning systems; they are primarily systems for connecting directories and mapping users and attributes between them. For example, Microsoft MIIS requires that organizations write .NET code for provisioning tasks (e.g. to create an Active Directory account). Provisioning rules tend to be hard-coded in the .NET code or require external text files or external SQL tables to control the provisioning process.
An Identity Management System will generally implement provisioning by detecting a change in a connected system (e.g. a new user in the HR system). A rule that has been set up to detect this change then starts a provisioning process (in the case of MIIS, some .NET code).
Activate and Provisioning
Activate Provisioning takes the best features of scripting (flexibility and customisation) and integrates them with a sophisticated Script Execution Environment including Parameter Management, comprehensive Error Reporting and a Job Engine.
Provisioning Example
When creating a new user account you often need to create a user's Home Directory and/or Profile Directory. To do this you need to 1) Determine the required server, 2) Create the Directory, 3) Share it, 4) Set the appropriate permissions.
You may decide that the user's 'location' field will determine the server. The issue becomes how do you provide this mapping between location and home server? Hard-coded? Text File? SQL Table? Each of these becomes difficult to maintain and may be implemented differently for different parameters and systems. This increases support issues and problems.
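The four steps above, written as an added PowerShell example (not Activate's own script or code from this page). The function name, the `$HomeServerByLocation` table, the server names and the drive paths are assumptions made for illustration; it assumes PowerShell remoting to the file server and an account with administrative rights there.

```powershell
# Added example: server names, drive paths and the table below are constructed placeholders.
# One central mapping of location -> home server, instead of copies scattered across scripts.
$HomeServerByLocation = @{
    'Sydney' = @{ Server = 'FS-SYD-01'; Root = 'D:\Home' }
    'London' = @{ Server = 'FS-LON-01'; Root = 'E:\Home' }
}

function New-UserHomeDirectory {
    [CmdletBinding(SupportsShouldProcess)]   # allows a dry run with -WhatIf
    param(
        # Letters/digits at both ends, so '..', slashes and trailing dots never reach the path
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9]([A-Za-z0-9._-]{0,18}[A-Za-z0-9])?$')]
        [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Location,
        [Parameter(Mandatory)] [string] $Domain
    )
    # 1) Determine the server; an unmapped location is an error, never a silent default
    $target = $HomeServerByLocation[$Location]
    if (-not $target) { throw "No home server is defined for location '$Location'" }

    $path    = [IO.Path]::Combine($target.Root, $SamAccountName)
    $account = "$Domain\$SamAccountName"
    if (-not $PSCmdlet.ShouldProcess("$($target.Server) $path", 'Create home directory')) { return }

    Invoke-Command -ComputerName $target.Server -ErrorAction Stop `
        -ArgumentList $path, $account, "$SamAccountName`$" -ScriptBlock {
        param($Path, $Account, $ShareName)
        $ErrorActionPreference = 'Stop'      # abort on the first failed step
        # 2) Create the directory; refuse to take over a folder that already exists
        if (Test-Path -LiteralPath $Path) { throw "Path already exists: $Path" }
        New-Item -ItemType Directory -Path $Path | Out-Null
        # 3) Share it as a hidden share reachable only by the owning user
        New-SmbShare -Name $ShareName -Path $Path -FullAccess $Account | Out-Null
        # 4) Set permissions: drop inherited entries, then grant only what is needed
        $acl = Get-Acl -LiteralPath $Path
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($id in $Account, 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
            $rights = if ($id -eq $Account) { 'Modify' } else { 'FullControl' }
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $id, $rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
            $acl.AddAccessRule($rule)
        }
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}
```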
Activate handles this entire process and manages the Provisioning Parameters in a secure and consistent manner. In Activate, the 'script' to create the home directory would reference a parameter 'UserHomeServer' on the 'Users Location Role'. The following is an example of defined parameters in the Activate Administrator Console.