Manage the Identity and Access Provisioning Lifecycle
The life cycle consists of the assignment of privileges through roles and designation. The following design, a typical identity and provisioning life cycle consists of these steps:
- Enrolment of user or create user
- Determining roles, privileges, and access requirements to systems and applications
- Provisioning user accounts to systems
- Periodic updates based on changes in roles, changes in authentication methods, privileges, and access requirements
- Access termination
Provisioning and Deprovisioning
Provisioning manages the creation, modification, and revocation of user accounts. In fact, the Provisioning component is also a means of spreading security policy. For example, by setting user access rights on managed systems.
Deprovisioning is the act of removal or disabling the user account after the end of the user’s work in the organization (due to retirement, or due to resignation, or because he/ she was fired).
The act of deprovisioning should always be audited, and the audit information should include the identity of the person who authorized the act and any technical actions the system took to deprovision the user.
The act of deprovisioning is often overlooked in many organizations, and it has been widely observed that a person has not worked in that organization for many years (such as months or years) or has died at all, but his or her account is still active. This is actually a very dangerous security hole.