The Administrator Shortcut Guide to User Management and Provisioning

by Dave Kearns


The Administrator Shortcut Guide to User Management and Provisioning is authored by Dave Kearns, one of the industry's most respected experts. The book provides critical information and real-world examples to administrators, managers, directors, and CTOs at any stage in planning or deploying a user management and provisioning solution.


Chapter 1: Provisioning and the Management of Users

User management is the process of adding, maintaining, changing, and removing user accounts, passwords, authorizations, and attributes from a (usually networked) resource - files, printers, applications, databases, Web sites, and other hardware or software. In today's network, these tasks typically involve using a directory service. However, user management, as you will see, has a longer history than does the enterprise directory system.

Provisioning is the process of ensuring that managed users have the requisite information and privileges to enable access to various services, systems, and resources within the enterprise when and where they need it. Further, provisioning allows this access to be modified or removed quickly, efficiently, and automatically whenever the situation changes. Provisioning also usually includes components that are normally considered outside the scope of the Information Technology (IT) organization, such as phones, premises access devices, and even company cars.

User management can be thought of as a function of IT; in contrast, provisioning is generally an enterprise function that is facilitated by IT. The difference will become clearer as we delve further into these two topics. Both subjects, by the way, are aspects of the larger arena of Identity Management.

In this chapter, we'll explore the history of user management and provisioning and take a look at the current impediments blocking implementation in many enterprises. We’ll also delve into the realm of directory services, the "plumbing" on which both user management and provisioning are built. A number of choices must be made in the area of directory services for a successful user management and provisioning implementation, and this chapter will present the pros and cons of each. Finally, I'll present a few ideas gleaned from forward-looking enterprises (or, at least, those on the bleeding edge) about ways to improve the process and streamline decision making. Chapter 2 will explore user management in depth and Chapter 3 will discuss electronic provisioning in detail.

Chapter 2: User Management

Many of you might secretly hope that a chapter about user management will include subheadings such as "Cattle Prods" and "Holding Pens." In fact, user management really isn't about users very much at all. Rather, it's about the accounts of users on enterprise networks. For example, a discussion about a user's authorizations - the rights and privileges that the user has - is actually an exploration of the rights controlled by a particular account. Should the physical user log on to a different account, it's likely that the authorizations - the access privileges - would be different. Thus, although user management isn't a completely accurate term, it is embedded in the Identity Management discussion, so we will use it throughout this guide. Simply remember that it isn't the physical users we’re talking about, but their digital presence on the network.

Chapter 3: Applying the Technology: The Details

When you stop to consider the scope of what provisioning applications are designed to do, you can fully appreciate why deploying one is neither simple nor easy. By implementing provisioning, you are trying to automate IT processes via corporate policy that will ensure that the people who are using your enterprise resources have all the necessary access to systems and information - and, yet, have only the type of access that they are supposed to have.

In addition, this capability must work both ways - automatically providing the user accounts and access rights where appropriate and automatically disabling the same user accounts and access rights once they are no longer needed. Yet, the provisioning process, while rooted in IT operations, extends into enterprise operations beyond managing users and the information they access.