Identity Provisioning
Overview
Identity provisioning, de-provisioning, and synchronization all describe the processes that ensure consistency of identity data across multiple, connected systems. These terms are commonly used when discussing identity governance and administration (IGA) or identity lifecycle management.
You may hear the terms “provisioning” and “synchronization” used interchangeably, to generally describe all the processes of creating, updating, and deleting objects across systems. You may also hear the terms used in very specific and distinct ways to mean different things. In some cases, context clues can be used to determine in which manner the terms are being used; however, it may be necessary to verify the intended meaning of the words with your collaborator.
When used distinctly, the following definitions are typically used:
- Provisioning is the process of creating an identity in a target system based on certain conditions.
- De-provisioning is the process of removing the identity from the target system, when conditions are no longer met.
- Synchronization is the process of keeping the provisioned object up to date, so that the source object and target object are similar.
Many customers start out manually provisioning identities to each application or system in their ecosystem. This approach is easy and quick to get started with; however, it poses several long-term risks:
- Costly to manage as the company grows
- High likelihood of data entry errors and data staleness
- Lingering objects that may lead to unauthorized access
To mitigate some of the risks of manual provisioning, customers then begin to deploy a mesh of point-to-point basic provisioning solutions, oftentimes relying on scheduled tasks and one-off scripts. Although this tends to be an improvement over manual provisioning, customers will still find it:
- Difficult to maintain data consistency across applications
- Lack of advanced functionality, such as reconciliation
- Hard to monitor
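To make the three processes defined above concrete, and to show what the reconciliation that basic point-to-point scripts lack looks like, here is an added example (not code from the original page or from any product): a single reconciliation pass that compares a source-of-truth record set against a target application's accounts and derives provision, de-provision, and synchronization actions. The records, the attribute names, and the provisioning condition (active employee in an in-scope department) are constructed assumptions for illustration.

```python
"""Minimal identity reconciliation: derive provision / de-provision / sync
actions from a source system and a target application's current state."""

# Constructed source-of-truth records (think: an HR system), keyed by user id.
SOURCE = {
    "u1": {"name": "Ada Example", "dept": "Sales", "active": True},
    "u2": {"name": "Alan Example", "dept": "Support", "active": True},
    "u3": {"name": "Grace Example", "dept": "Sales", "active": False},
    "u4": {"name": "Pat Example", "dept": "Finance", "active": True},
}

# Constructed current state of the target application's account store.
TARGET = {
    "u2": {"name": "A. Example", "dept": "Support"},  # stale attribute
    "u3": {"name": "Grace Example", "dept": "Sales"},  # condition no longer met
    "u9": {"name": "Unknown User", "dept": "Sales"},   # lingering object
}

IN_SCOPE_DEPTS = {"Sales", "Support"}   # assumed provisioning scope
SYNCED_ATTRS = ("name", "dept")         # attributes kept in sync


def meets_condition(record):
    """Provisioning condition: the identity is active and in scope."""
    return record["active"] and record["dept"] in IN_SCOPE_DEPTS


def reconcile(source, target):
    """Return the actions needed to make `target` consistent with `source`."""
    actions = {"provision": [], "deprovision": [], "sync": []}
    wanted = {uid for uid, rec in source.items() if meets_condition(rec)}
    # Provision: meets the condition but has no account in the target yet.
    actions["provision"] = sorted(wanted - target.keys())
    # De-provision: has an account but no longer (or never) met the condition.
    # This catches both deactivated users and orphans with no source record,
    # i.e. the lingering objects that manual provisioning leaves behind.
    actions["deprovision"] = sorted(target.keys() - wanted)
    # Sync: account exists and should exist, but attributes drifted.
    for uid in sorted(wanted & target.keys()):
        drift = {a: source[uid][a] for a in SYNCED_ATTRS
                 if source[uid][a] != target[uid].get(a)}
        if drift:
            actions["sync"].append((uid, drift))
    return actions


if __name__ == "__main__":
    for kind, items in reconcile(SOURCE, TARGET).items():
        print(f"{kind}: {items}")
```

A real connector would execute these actions against the target's API and record them for monitoring, which is exactly the visibility the page notes is hard to get from ad hoc scripts.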