Overview
Provisioning is the technical execution of identity management: creating accounts, assigning licenses, and granting permissions in target systems. Deprovisioning is the reverse—removing access when it is no longer needed.
While often viewed as an IT efficiency tool ("save helpdesk time"), automated provisioning is a critical security control. It ensures that users only get approved access (no "cloned" accounts with excessive privileges) and, more importantly, that access is revoked instantly upon termination. Manual deprovisioning is the leading cause of "zombie accounts" involved in data breaches.
Architecture
Reference Pattern: Hub-and-Spoke Connectors
The IGA platform acts as the central hub, pushing changes to spoke applications via connectors (Agents, API, or Standards like SCIM).
[Diagram: IGA hub at the centre, with one connector per spoke application; not reproduced here]
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Connectivity Strategy | Agent-based, API-based, Standards-based | Standards (SCIM) > API > Agent | Agents are fragile. Prefer SCIM where available. |
| Manual Provisioning | Email, ITSM Ticket, Portal Task | ITSM Integration | If you can't automate it, track it in the Service Desk (ServiceNow/Jira) for SLAs. |
| Retry Logic | Fail once, Linear retry, Exponential backoff | Exponential Backoff | API rate limits cause failures. Don't hammer the target system. |
| Deprovisioning Depth | Disable Account, Delete Account, Wipe Data | Disable then Delete | Immediate deletion destroys audit trails and user data. Disable first, keep the disabled account for 30-90 days, then delete. |
| Reconciliation | Daily, Weekly, Real-time | Daily | You must check if someone created an account directly in the app, bypassing IGA. |
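The Retry Logic and Deprovisioning Depth rows above, as a worked example. This is added code, not part of the page or of any IGA product: it models a SCIM 2.0 target (RFC 7644 PatchOp to set `active=false`), retries with exponential backoff and full jitter when the target rate-limits, and disables first, deleting only after a retention window. The `FakeScimTarget` class, the `u1`/`jdoe` user and the 30-day window are constructed assumptions (the page recommends 30-90 days).

```python
"""Added example, not from the page: a SCIM-style deprovisioning client that
retries with exponential backoff and applies the disable-then-delete pattern.
Assumptions: the target exposes a SCIM 2.0 /Users endpoint (modelled by the
constructed FakeScimTarget so this runs offline) and a 30-day retention window."""
import random
from dataclasses import dataclass, field
from datetime import date, timedelta

RETENTION_DAYS = 30      # disable first; delete only after this many days
MAX_ATTEMPTS = 5
BASE_DELAY_S = 1.0
MAX_DELAY_S = 30.0


class RateLimited(Exception):
    """Stands in for an HTTP 429 from the target (API rate limit hit)."""

    def __init__(self, retry_after=None):
        super().__init__("rate limited")
        self.retry_after = retry_after


@dataclass
class FakeScimTarget:
    """Constructed stand-in for a SaaS SCIM server that rate-limits the first calls."""
    users: dict = field(default_factory=dict)
    failures_before_success: int = 2
    calls: int = 0

    def patch(self, user_id, body):
        self.calls += 1
        if self.failures_before_success > 0:
            self.failures_before_success -= 1
            raise RateLimited()
        for op in body["Operations"]:
            if op["op"] == "replace" and op["path"] == "active":
                self.users[user_id]["active"] = op["value"]
        return self.users[user_id]

    def delete(self, user_id):
        self.calls += 1
        del self.users[user_id]


def backoff_delays(base=BASE_DELAY_S, cap=MAX_DELAY_S, attempts=MAX_ATTEMPTS, rng=random):
    """Exponential backoff with full jitter: a random wait in [0, min(cap, base*2**n)],
    so many connectors retrying at once do not hammer the target in lockstep."""
    return [rng.uniform(0, min(cap, base * 2 ** n)) for n in range(attempts)]


def with_backoff(fn, sleep, rng=random):
    """Call fn(); on RateLimited wait (Retry-After if sent, else the jittered delay)
    and retry. Returns (result, attempts). After MAX_ATTEMPTS the error propagates,
    so a workflow cannot mark the request Complete on a failed operation."""
    delays = backoff_delays(rng=rng)
    for attempt, delay in enumerate(delays, start=1):
        try:
            return fn(), attempt
        except RateLimited as exc:
            if attempt == MAX_ATTEMPTS:
                raise
            sleep(exc.retry_after if exc.retry_after is not None else delay)
    raise AssertionError("unreachable")


def scim_deactivate_body():
    """SCIM 2.0 PatchOp (RFC 7644) setting active=false: disables without deleting."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def deprovision(target, user_id, terminated_on, today, sleep):
    """Disable on the first pass; delete only once the retention window has elapsed.
    Returns 'disabled', 'retained' or 'deleted'."""
    user = target.users[user_id]
    if user["active"]:
        with_backoff(lambda: target.patch(user_id, scim_deactivate_body()), sleep)
        return "disabled"
    if today - terminated_on >= timedelta(days=RETENTION_DAYS):
        with_backoff(lambda: target.delete(user_id), sleep)
        return "deleted"
    return "retained"


def run_demo():
    """Walk one terminated user (constructed) through three successive daily runs."""
    target = FakeScimTarget(users={"u1": {"userName": "jdoe", "active": True}})
    no_sleep = lambda seconds: None          # skip real waiting in the demo
    term = date(2024, 1, 1)
    actions = tuple(deprovision(target, "u1", term, day, no_sleep)
                    for day in (date(2024, 1, 1), date(2024, 1, 15), date(2024, 2, 1)))
    return actions, target.calls


if __name__ == "__main__":
    print(run_demo())   # (('disabled', 'retained', 'deleted'), 4)
```

The first run needs three calls (two rate-limited, one successful) to disable the account; the second run, inside the retention window, touches nothing; the third run deletes. Passing `sleep` in as a parameter keeps the demo instant and lets a scheduler inject the real `time.sleep`.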
Implementation
Phase 1: Core Directory & Email
- Automate Active Directory / Entra ID provisioning.
- Automate Exchange / Google Workspace mailbox creation.
- Goal: New hires can log in and email on Day 1.
Phase 2: High-Volume / High-Risk Apps
- Connect HR system (Workday) to IGA.
- Connect Sales (Salesforce), ERP (SAP), and ITSM (ServiceNow).
- Goal: Automate access to the systems where business actually happens.
Phase 3: The "Long Tail"
- Implement "Generic" connectors for SQL/REST targets.
- Create a standardized "Manual Fulfillment" queue for apps without APIs.
- Goal: Bring disconnected apps under governance, even if fulfillment is human.
Risks
- Orphan Accounts: Accounts that exist in an app but have no owner in IGA.
- Attribute Drift: User is "Dept: Sales" in HR, but "Dept: Marketing" in AD because manual updates were missed.
- API Breaking Changes: SaaS vendor updates their API, breaking the provisioning connector.
- Silent Failures: The provisioning job fails, but the workflow marks the request as "Complete."
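A daily reconciliation pass that surfaces three of the risks above (orphan accounts, attribute drift and silent failures), as an added example that is not from the page or any IGA product. It compares the IGA's expected state and its "Complete" fulfilment log against a target application's account export; every identity, department value and account name below is constructed sample data, and the record layout is an assumption.

```python
"""Added example, not from the page: reconcile an IGA's expected state against a
target app's account export and flag orphans, attribute drift and silent failures.
All records are constructed sample data; the field names are assumptions."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str        # "orphan", "drift" or "silent_failure"
    account: str
    detail: str


# What the IGA believes: identities and the attributes it pushed to the target.
IGA_IDENTITIES = {
    "alice": {"department": "Sales", "status": "active"},
    "bob": {"department": "Finance", "status": "active"},
    "carol": {"department": "Engineering", "status": "terminated"},
}
# IGA fulfilment log: requests the workflow has already marked "Complete".
IGA_COMPLETED_REQUESTS = [
    {"account": "alice", "op": "create"},
    {"account": "bob", "op": "create"},
    {"account": "carol", "op": "disable"},
]
# The target app's own export (e.g. a nightly dump of its user list).
TARGET_EXPORT = [
    {"userName": "alice", "department": "Marketing", "active": True},   # drift vs IGA
    {"userName": "carol", "department": "Engineering", "active": True},  # disable never landed
    {"userName": "svc-backup", "department": None, "active": True},      # nobody owns this
]
# bob's create was marked Complete but never reached the target: a silent failure.


def reconcile(iga, completed, export):
    """Return Findings for accounts with no IGA owner, attribute mismatches, and
    completed requests whose effect is absent from the target."""
    target = {u["userName"]: u for u in export}
    findings = []
    for name in target:
        if name not in iga:
            findings.append(Finding("orphan", name, "account exists in target with no IGA owner"))
    for name, ident in iga.items():
        acct = target.get(name)
        if acct is not None and acct["department"] != ident["department"]:
            findings.append(Finding(
                "drift", name,
                f"department: target={acct['department']!r} iga={ident['department']!r}"))
    for req in completed:
        acct = target.get(req["account"])
        if req["op"] == "create" and acct is None:
            findings.append(Finding("silent_failure", req["account"],
                                    "create marked Complete but account missing in target"))
        elif req["op"] == "disable" and acct is not None and acct["active"]:
            findings.append(Finding("silent_failure", req["account"],
                                    "disable marked Complete but account still active"))
    return findings


def summarize(findings):
    """Count findings per kind; the 'orphan' count feeds the Orphan Account Count KPI."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in reconcile(IGA_IDENTITIES, IGA_COMPLETED_REQUESTS, TARGET_EXPORT):
        print(f"{f.kind:15} {f.account:12} {f.detail}")
    print(summarize(reconcile(IGA_IDENTITIES, IGA_COMPLETED_REQUESTS, TARGET_EXPORT)))
```

Reading the target's export back rather than trusting the connector's return code is what catches the silent failures: carol's disable and bob's create were both "Complete" in the workflow, yet the target shows otherwise.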
KPIs
- Provisioning Success Rate: Percentage of operations (Create/Update/Delete) that succeed without manual intervention (Target: > 95%).
- Time-to-Access: Average duration from Approval to Login Available.
- Orphan Account Count: Number of unmapped accounts detected during reconciliation.
- Deprovisioning SLA: Percentage of terminated users whose access was removed within the required window (e.g., 24 hours).
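The four KPIs above computed from a constructed event sample, as an added example (not from the page or any product). The record layouts, timestamps, the 95% success target and the 24-hour deprovisioning window follow the figures given in this section; everything else is an assumption made for the example.

```python
"""Added example, not from the page: compute the provisioning KPIs from IGA events.
Records and timestamps are constructed; field names are assumptions."""
from datetime import datetime, timedelta

SUCCESS_RATE_TARGET = 0.95           # page target: > 95%
DEPROV_WINDOW = timedelta(hours=24)  # page example window: 24 hours


def _t(s):
    return datetime.fromisoformat(s)


# Constructed provisioning operations and how each ended.
OPERATIONS = [
    {"op": "create", "status": "success", "manual_fix": False},
    {"op": "update", "status": "success", "manual_fix": False},
    {"op": "delete", "status": "success", "manual_fix": False},
    {"op": "delete", "status": "failed", "manual_fix": True},    # connector failed, helpdesk did it
    {"op": "create", "status": "success", "manual_fix": True},   # only after a human re-ran it
]
# Constructed access requests: approval time vs. when the user could actually log in.
ACCESS_REQUESTS = [
    {"approved": "2024-03-01T09:00:00", "login_available": "2024-03-01T11:00:00"},
    {"approved": "2024-03-01T10:00:00", "login_available": "2024-03-01T14:00:00"},
    {"approved": "2024-03-02T08:00:00", "login_available": "2024-03-02T14:00:00"},
]
# Constructed terminations: HR termination time vs. when access was removed.
TERMINATIONS = [
    {"user": "alice", "terminated": "2024-03-01T17:00:00", "access_removed": "2024-03-01T19:00:00"},
    {"user": "bob",   "terminated": "2024-03-01T17:00:00", "access_removed": "2024-03-02T23:00:00"},
    {"user": "carol", "terminated": "2024-03-02T17:00:00", "access_removed": "2024-03-03T05:00:00"},
    {"user": "dave",  "terminated": "2024-03-02T17:00:00", "access_removed": None},  # still open
]
# Unmapped accounts the last reconciliation run reported (constructed names).
ORPHANS_FOUND = ["svc-backup@crm", "jsmith-old@erp"]


def provisioning_success_rate(ops):
    """Share of operations that succeeded with no human intervention."""
    ok = sum(1 for o in ops if o["status"] == "success" and not o["manual_fix"])
    return ok / len(ops) if ops else 0.0


def time_to_access_hours(requests):
    """Mean hours from approval to login available."""
    hours = [(_t(r["login_available"]) - _t(r["approved"])).total_seconds() / 3600
             for r in requests]
    return sum(hours) / len(hours) if hours else 0.0


def deprovisioning_sla(terminations, now, window=DEPROV_WINDOW):
    """Share of terminations whose access was removed inside the window. Open
    removals count as missed once their deadline has passed, and are not yet
    counted at all while it has not."""
    met = total = 0
    for t in terminations:
        deadline = _t(t["terminated"]) + window
        removed = _t(t["access_removed"]) if t["access_removed"] else None
        if removed is None and now < deadline:
            continue                          # still inside the window, not decided yet
        total += 1
        if removed is not None and removed <= deadline:
            met += 1
    return met / total if total else 0.0


def compute_kpis(now):
    kpis = {
        "provisioning_success_rate": provisioning_success_rate(OPERATIONS),
        "time_to_access_hours": time_to_access_hours(ACCESS_REQUESTS),
        "orphan_account_count": len(ORPHANS_FOUND),
        "deprovisioning_sla": deprovisioning_sla(TERMINATIONS, now),
    }
    kpis["breaches"] = [k for k, v in (
        ("provisioning_success_rate", kpis["provisioning_success_rate"] < SUCCESS_RATE_TARGET),
        ("orphan_account_count", kpis["orphan_account_count"] > 0),
        ("deprovisioning_sla", kpis["deprovisioning_sla"] < 1.0),
    ) if v]
    return kpis


if __name__ == "__main__":
    print(compute_kpis(_t("2024-03-10T00:00:00")))
```

Note the two ways an operation fails the success-rate KPI: an outright failure, and a "success" that only happened because a person re-ran it. Counting the second kind as a success would hide exactly the manual effort the KPI is meant to expose.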
