
Why automated user provisioning still demands a human touch

IT teams can automate away many -- but not all -- of the tedious tasks associated with user provisioning. A human operator is still essential to ensure accurate account details.

"Automate everything" is a rallying cry for many IT professionals, with the goal of eliminating manual, repetitive tasks. Generally, IT automation is a good thing -- but not always.

The benefits of IT automation are fairly obvious: fewer human errors and a more productive staff. But a business also must weigh the limitations and drawbacks of automating a given task on a case-by-case basis. Does the automation require more effort to build and maintain than doing the work by hand? Do the components of the task change so often that the automation needs constant rework? Are there so many variables and exceptions to the rules that the task cannot be automated at all?

If so, the benefits of an automated IT workflow might not be worth the effort to design, implement and maintain it.

Best practices for automated user provisioning and management

User provisioning and management is often one of the first tasks an IT team looks to automate. It is a significant administrative burden: a new hire, a role change and a departure each follow a different process. The tasks touch a variety of systems, leave a lot of room for error -- misspelling somebody's name, for example -- and demand a thorough understanding of a user's job requirements and the systems they will need to access.

Automated user provisioning requires a system that can apply a defined set of rules to the data it is given. The garbage in, garbage out principle applies: if the user data entered at the start -- name, department, manager, job role -- is wrong or incomplete, there is no chance the automated result will meet requirements. Validate the input before any rule acts on it.

For example, when using Microsoft Active Directory or Azure Active Directory (now Microsoft Entra ID) -- two common directory services in the enterprise -- admins should give groups descriptive names wherever possible. A name that states the department, the resource and the permission level, such as "Finance Shared Reports Folder Read/Write," is far more specific and clear than "Finance Files," and it lets an approver understand what they are granting without looking anything up.

From the outset of group creation, understand exactly what the group entails and how access to the group will be controlled. If the CFO wants everyone in finance, including new hires, to have access to a group, then automate membership of that group based simply on a staff member's department attribute, rather than adding people one by one.

In general, strive to automate user account creation and group memberships, including the authorization workflow. The CFO might ask to approve any request for access to certain financial data. Automation, in this scenario, saves everyone involved time and effort: the CFO simply receives an alert of the user's request and then approves or denies it. This also gives business units ownership of the data related to their roles, as IT is no longer the sole decision-maker about who can access what.
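The rules above (descriptive group names, day-one membership derived from the department attribute, and owner approval for everything else) as an added example in Python; this is not code from the original article. The group catalog, the owner addresses, the username convention and the HR records are assumed. The rendered dynamic membership rule uses the real Azure AD rule syntax, but the group it would be attached to is hypothetical.

```python
"""Baseline access from the department attribute, extra access via owner approval.

Added example, not code from the original article. The group catalog, the
owner addresses, the username rule and the HR records are all assumed.
"""
from dataclasses import dataclass, field
import re

# Descriptive group names, as the article recommends: department, resource,
# permission. "auto" groups go to everyone in the department on day one;
# every other grant needs the named owner's approval.
GROUP_CATALOG = {
    "Finance Shared Reports Folder Read/Write": {
        "department": "Finance", "auto": True, "owner": "cfo@example.com"},
    "Finance Payroll Database Read": {
        "department": "Finance", "auto": False, "owner": "cfo@example.com"},
    "Engineering Source Repo Read/Write": {
        "department": "Engineering", "auto": True, "owner": "cto@example.com"},
}


@dataclass
class HRRecord:
    first: str
    last: str
    department: str
    manager: str
    phone: str = ""


@dataclass
class Plan:
    username: str = ""
    day_one_groups: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)   # group -> owner who must approve
    granted: list = field(default_factory=list)   # approval-gated groups, once approved
    errors: list = field(default_factory=list)


def validate(rec: HRRecord) -> list:
    """Garbage in, garbage out: refuse to act on records the rules cannot trust."""
    errors = [f"missing {f}" for f in ("first", "last", "department", "manager")
              if not getattr(rec, f).strip()]
    known = {g["department"] for g in GROUP_CATALOG.values()}
    if rec.department.strip() and rec.department not in known:
        errors.append(f"unknown department {rec.department!r}")
    if rec.phone and not re.fullmatch(r"\+?[0-9][0-9 ()-]{6,19}", rec.phone):
        errors.append(f"malformed phone {rec.phone!r}")
    return errors


def make_username(rec: HRRecord) -> str:
    """First initial plus surname, lowercase ASCII letters only (assumed convention)."""
    return re.sub(r"[^a-z]", "", (rec.first[:1] + rec.last).lower())


def dynamic_membership_rule(department: str) -> str:
    """Azure AD dynamic-group rule that keeps an 'auto' group in sync by department."""
    return f'(user.department -eq "{department}")'


def plan_new_hire(rec: HRRecord, requested=()) -> Plan:
    """Day-one access from the department; anything else becomes an approval request."""
    plan = Plan(errors=validate(rec))
    if plan.errors:
        return plan                      # bad input: automate nothing
    plan.username = make_username(rec)
    plan.day_one_groups = sorted(
        g for g, pol in GROUP_CATALOG.items()
        if pol["auto"] and pol["department"] == rec.department)
    for group in requested:
        pol = GROUP_CATALOG.get(group)
        if pol is None:
            plan.errors.append(f"unknown group {group!r}")
        elif group not in plan.day_one_groups:
            plan.pending[group] = pol["owner"]   # the owner gets the alert, not IT
    return plan


def record_decision(plan: Plan, group: str, approver: str, approved: bool) -> bool:
    """Apply an owner's decision. Only the group's designated owner may decide."""
    owner = plan.pending.get(group)
    if owner is None or approver != owner:
        return False                     # not pending, or the wrong person: ignore
    del plan.pending[group]
    if approved:
        plan.granted.append(group)
    return True


if __name__ == "__main__":
    hire = HRRecord("Dana", "O'Neil", "Finance", "cfo@example.com", "+1 555 0100")
    plan = plan_new_hire(hire, requested=("Finance Payroll Database Read",))
    print(plan.username, plan.day_one_groups, plan.pending)
    record_decision(plan, "Finance Payroll Database Read", "cfo@example.com", True)
    print(plan.granted, dynamic_membership_rule(hire.department))
```

The point of `record_decision` checking the approver against the catalog is that the approval step is itself an access decision: an alert that anyone can answer is no better than no approval at all. Keeping the day-one set separate from `requested` is the split the next section argues for.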

Where automation falls short

There will be some scenarios in user provisioning and management where IT admins cannot apply automated logic -- for example, where the decision to grant access is always situational. In these cases, IT teams can automate the approval process, but not the request itself. It is not feasible to build a process that covers every possible combination of access across the entire company: no single person would understand all of the access being granted or have the time to audit it. Instead, separate the requests into two kinds: the access rights users need on day one of their job, and the additional rights they might need later. This streamlines user creation, from the data being entered to the effort devoted to architecting the system and the number of approvals required.

Work around the automation skills gap

If you need to create users in a vendor's system but have nobody on staff who can code an integration, it might not make sense to outsource the task or to spend months learning programming basics. Instead, when a user starts, trigger a notification that tells the application owner to create the account manually, based on a defined set of criteria. This still uses automation to a degree, and delivers value to the company while sidestepping the need for someone on staff who can code.

Anything that happens as part of an automated user provisioning and management process should be auditable -- and that requires human oversight. When IT creates a new user, the system should notify all necessary parties of that user's username, department and phone number. Staff should then check this information as an extra failsafe, and resolve any inaccuracies before the person starts.
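The two preceding paragraphs, the owner task for a system with no connector and the auditable notification that a person then checks, as an added example in Python; this is not code from the original article. The target systems, the owner address, the notification recipients, the sample user and the "directory" (an in-memory dict standing in for the real targets) are all assumed, and the typo injected at the end is constructed to show what the human check is for.

```python
"""Fan a new user out to each target, keep an audit trail, reconcile before day one.

Added example, not code from the original article. The target systems, the
owner address, the notification recipients and the sample user are assumed.
"""
from dataclasses import dataclass, field, asdict

# Targets with a connector are written automatically; the vendor app without
# one turns into a task for its owner, as the article suggests.
TARGETS = {
    "ActiveDirectory": {"connector": True},
    "Mailbox": {"connector": True},
    "VendorExpenseApp": {"connector": False, "owner": "expense-admin@example.com"},
}
NOTIFY = ("helpdesk@example.com", "hr@example.com")   # assumed recipients


@dataclass
class NewUser:
    username: str
    display_name: str
    department: str
    phone: str
    start_date: str


@dataclass
class Outcome:
    audit: list = field(default_factory=list)          # one event per action taken
    manual_tasks: list = field(default_factory=list)   # for app owners without a connector
    notification: dict = field(default_factory=dict)   # the summary the article says to send


def fan_out(user: NewUser, directory: dict, targets=TARGETS, actor="provisioner") -> Outcome:
    """Create the user everywhere we can; hand the rest to a human; log all of it."""
    out = Outcome()
    for target, cfg in targets.items():
        if cfg["connector"]:
            # Simulated connector write; a real one would call the target's API.
            directory.setdefault(target, {})[user.username] = asdict(user)
            out.audit.append({"target": target, "action": "create",
                              "user": user.username, "by": actor})
        else:
            out.manual_tasks.append({"target": target, "owner": cfg["owner"],
                                     "create": user.username, "due": user.start_date})
            out.audit.append({"target": target, "action": "task-to-owner",
                              "user": user.username, "by": actor})
    out.notification = {"to": NOTIFY, "username": user.username,
                        "department": user.department, "phone": user.phone,
                        "review_before": user.start_date}
    return out


CHECKED_FIELDS = ("display_name", "department", "phone")


def reconcile(user: NewUser, directory: dict, targets=TARGETS) -> list:
    """Compare the HR record with what each connected target now holds.

    Returns findings for a human to resolve; an empty list means everything matches.
    """
    findings = []
    for target, cfg in targets.items():
        if not cfg["connector"]:
            continue                       # manual targets are checked by their owner
        entry = directory.get(target, {}).get(user.username)
        if entry is None:
            findings.append(f"{target}: account {user.username} missing")
            continue
        for f in CHECKED_FIELDS:
            if entry.get(f) != getattr(user, f):
                findings.append(f"{target}: {f} is {entry.get(f)!r}, HR has {getattr(user, f)!r}")
    return findings


if __name__ == "__main__":
    directory = {}
    user = NewUser("doneil", "Dana O'Neil", "Finance", "+1 555 0100", "2024-07-01")
    out = fan_out(user, directory)
    print(out.notification, out.manual_tasks, sep="\n")
    directory["ActiveDirectory"]["doneil"]["phone"] = "+1 555 0010"   # constructed typo
    print(reconcile(user, directory))
```

`reconcile` is the automated half of the failsafe: it cannot know which value is right, but it can put the mismatch in front of a person before the start date instead of leaving it to be discovered when the new hire cannot be reached.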

Certain parts of the user provisioning process simply can't be automated in a manageable way -- and that's OK. Understanding why something can't be automated is still important knowledge, and will help shape the company's future technology decisions.
