User Provisioning and Deprovisioning
Create, manage, and delete your external and internal users' access to on-premises, cloud, and hybrid apps.
What is User Provisioning?
User provisioning is an Identity Access Management (IAM) process that creates, updates, and deletes a user's account and access in multiple applications and systems at once. Account and access management draws on user or employee information such as name, attributes, group name, and other related data to grant or deny access accordingly. The need to provision arises when information is added or changed in an "original system database" (e.g. an HR system or institute database). Hiring, promotions, and transfers are examples of events that can set off provisioning. Provisioning keeps users' access rights up to date without manual effort.
What is Deprovisioning?
Deprovisioning means deleting a user and removing their access from multiple applications and network systems at once. A deprovisioning action is triggered when an employee leaves a company or changes roles within the organization. Deprovisioning removes individual accounts on file servers and authentication servers such as Active Directory, which helps organizations free up disk space, ports, certificates, and company-issued computers for future use. Deprovisioning prevents former employees from accessing corporate resources after they leave the organization, improving the security and confidentiality of the organization. This keeps the organization's applications secure and reduces administrative costs and time.
- Improve security by assigning role-based permission levels with automatic provisioning within apps.
- Reduce the cost of identity access management (IAM) operations by automating onboarding and offboarding processes.
- Provide employees, contractors, and partners with access to the applications they need when they need it.
- Administrators can automatically provision and administer multiple application accounts from one centralized system.
What is Automated User Provisioning?
Automated user provisioning means automating the manual processes of onboarding and offboarding employees. It removes the difficulties and delays of manually managing profiles and account privileges, prevents gaps in security by minimizing the impact of human error, and makes operations easier. Manually creating employee accounts means that someone within an organization knows your password, which is likely a very insecure process. Similar human errors occur when, for example, an employee is accidentally provisioned to systems and data that they shouldn't have access to, or still has access after leaving your organization.
Automating user provisioning and deprovisioning removes these sorts of risks, providing individuals with permissions in a safe and private manner. The process ensures that an employee is provisioned for on-premises and external apps based on their role's attributes. These attributes and permissions are then stored in one central database, so they can be easily modified as an employee's role changes. When departments or teams adopt a new tool or modify an employee's position, access can also be rolled out based on group rules. Provisioning provides employees with access only when it is necessary, preventing any security gaps that hackers could exploit to gain unauthorized access to sensitive organization information.
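The check below is an added example, not SLX Connect code: it reconciles a source-system (HR) export against directory accounts to flag accounts that should have been deprovisioned, accounts with no source record, and group access that differs from what the role's group rules grant. The role names, group names, and all records are constructed for illustration.

```python
# Added example: the role-to-group rules and all records below are constructed.

# Hypothetical group rules: the groups each role is entitled to.
ROLE_GROUPS = {
    "finance-analyst": {"finance-share", "erp-users"},
    "hr-partner": {"hr-share", "hris-users"},
}

# Constructed export of the source system (HR): user id -> (status, role).
HR_RECORDS = {
    "asmith": ("active", "finance-analyst"),
    "bjones": ("terminated", "hr-partner"),
    "cnguyen": ("active", "hr-partner"),
}

# Constructed export of directory accounts: user id -> (enabled, groups).
DIRECTORY = {
    "asmith": (True, {"finance-share", "erp-users", "hr-share"}),
    "bjones": (True, {"hr-share", "hris-users"}),
    "cnguyen": (True, {"hr-share"}),
    "svc-old": (True, {"erp-users"}),
}

def reconcile(hr, directory, role_groups):
    """Return sorted (user, issue, detail) findings for enabled accounts."""
    findings = []
    for user, (enabled, groups) in directory.items():
        if not enabled:
            continue  # a disabled account grants no access
        record = hr.get(user)
        if record is None:
            findings.append((user, "orphan", "no source record"))
            continue
        status, role = record
        if status != "active":
            findings.append((user, "deprovision", f"source status is {status}"))
            continue
        entitled = role_groups.get(role, set())
        extra, missing = groups - entitled, entitled - groups
        if extra:
            findings.append((user, "excess-access", ",".join(sorted(extra))))
        if missing:
            findings.append((user, "missing-access", ",".join(sorted(missing))))
    return sorted(findings)

if __name__ == "__main__":
    for finding in reconcile(HR_RECORDS, DIRECTORY, ROLE_GROUPS):
        print(*finding, sep="\t")
```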
Pre-Integrated Apps for Provisioning and Deprovisioning
G Suite App
Active Directory (AD) Provisioning
Active Directory (AD) provisioning can help your organization manage resources between your cloud applications and on-premises systems (AD and applications). This gives enterprises simplified user and access management (IAM) and lets them permit access to applications and systems in a simple and intuitive manner. AD provisioning allows administrators to assign employees and users the appropriate IAM provisioning levels to company resources according to their department (HR, Finance, IT, Operation, Marketing, etc.).
Steps to set up User Provisioning
Given below are the steps to set up user provisioning in SLX Connect IDP. As an example, we will set up Active Directory (AD) for user provisioning. At the end of this setup, Active Directory (AD) user provisioning will be configured. Once provisioning is integrated, the admin will be able to perform operations such as import, create, delete, update, and change password from the SLX Connect console, and these changes will be automatically reflected in Active Directory.
To configure the user provisioning feature, follow the steps given below:
- Login to the SLX Connect Admin Console as a customer.
- Go to User Stores and click on Add Users Store.
- Configure LDAP as a User Store to set up user provisioning with AD/LDAP. You can choose either of the storage options offered there:
  - Store LDAP Configuration in SLX Connect: Keep the configuration in SLX Connect. Make sure to open the firewall to allow incoming requests to your LDAP.
  - Store LDAP Configuration On-Premise: Keep the configuration on your premises and only allow access to LDAP from inside the premises. You will have to download and install the SLX Connect gateway on your premises.
- Select the provisioning option.
- Select the Active Directory from the drop down menu in Select Application.
- Enable the provisioning features you want for users.
- Click on the Save button to save the configuration; you will see a success message at the top.
- To import the users from Active Directory, go to the Import Users tab.
- Select the Active Directory from the drop down menu and click on import.
- Now go to Users >> User List and you will find all the users imported from Active Directory.
- To create a user in SLX Connect, go to Users >> User List and click on the Add User button. Fill out the user's basic information and click on the Create User button.
- After the user is created in SLX Connect, the same user is automatically created in AD.
Steps to set up Group Provisioning (Sync) with Active Directory (AD)
You can also set up Group Provisioning (Sync) with SLX Connect to enable syncing of Active Directory (AD) groups in SLX Connect. This will also help you maintain the same user hierarchy and access control in SLX Connect as in your Active Directory. You can sync users with their corresponding group names between AD and SLX Connect. The user groups will be automatically provisioned and deprovisioned in SLX Connect when they are created or modified in AD and vice versa. The groups will be created on the fly if they are not present in SLX Connect. You can follow the instructions below to set up AD Group Sync:
- Go to SLX Connect Dashboard >> Userstore and edit the AD configuration which you have set up earlier.
- Enter the name of the AD group attribute in the Group Attribute textbox. If you are using the default settings in AD, leave it as memberof. Then save the settings.
- Go to provisioning. Select Active Directory from Dropdown menu.
- Enable Import Groups option.
- Enter the base DN for group sync. Note: to find the group base DN, enter the following command in the Windows command prompt:
  dsquery ou -name (known organisational unit)
- Save and go to Import groups.
- Select Active Directory and click on import. Your groups will be imported.
- If you also enable Assign Users to groups, imported users will be assigned to their respective groups in SLX Connect.