Provisioning and Workflow

Chapter 1: Introduction to the Provisioning and Workflow Paper

Published: May 11, 2004 | Updated: June 26, 2006

Executive Summary

Today's large organizations often have complex and poorly designed processes for provisioning systems with information for computer network users. For example, in some organizations, it can take up to two weeks before new information workers can access e-mail and the applications that they need for their jobs. The manual, task-intensive processes that are typically involved in identity provisioning add overhead, delay employee productivity, and often lead to a network environment that is not secure.

This paper discusses how to provision identities automatically into multiple directories and identity stores in a heterogeneous environment. It also discusses managing security and e-mail group memberships, and describes a workflow process that can extend automated processes.

You can use the information in this paper to enable the automated administration of user identities and reduce costs while you increase the availability and security of information resources. This paper also provides detailed configuration tasks that you can use to achieve these results by using Microsoft® Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1).

This paper is part of the Microsoft Identity and Access Management Series.

The Business Challenge

Organizations store identity information in numerous repositories, or data stores. Using a product that includes metadirectory functionality allows you to synchronize existing data so that it is consistent across these stores. The Identity Aggregation and Synchronization paper, which is part of this series, describes this synchronization capability in detail. The provisioning challenge is to use technology to automate the addition of new identities to these stores. Deprovisioning, which refers to the processes that remove and disable accounts at the end of an identity object's life cycle, is closely related to this challenge. Your environment might also require workflow processes to provide discretionary input to provisioning tasks, for example in cases that involve security-oriented or special-purpose requirements.

The manual administration of provisioning tasks is slow and typically does not enforce policies for access and authorization in a consistent manner. Without reliable, automated processes, it is often not practical even to attempt to implement all desirable policies.

The business challenges that relate to provisioning include how to:

Reduce costs associated with the creation and removal of accounts.

Expand an organization’s people and IT resources without increasing its IT staff.

Meet legal compliance and regulatory requirements for data access and privacy.

Ensure that all key accounts are created, modified, and disabled or deleted in a timely and reliable manner, and in accordance with defined policies.

Maintain security identities in the correct organizational units (OUs) and groups in accordance with defined policies, and remove or disable them in a timely manner.

The Business Benefits

The business benefits that organizations can achieve through efficient, largely automated administrative processes for provisioning and deprovisioning based on reliable technologies include:

Lower total cost of ownership (TCO) for maintaining digital identity information in multiple data stores.

Higher IT administrator productivity through the automation of time-consuming activities.

Higher employee productivity through correct access granted in a timely manner.

Stronger security through accurate and reliable OU and group maintenance, and the timely removal or disabling of accounts.

Who Should Read This Paper

The intended audience for this paper includes system architects, IT professionals, managers, technical decision makers, and consultants involved in identity life cycle management efforts.

Reader Prerequisites

This paper assumes that readers have a moderate knowledge of the identity and access management concepts and technologies described in the Fundamental Concepts paper in this series.

To implement any of the solutions in this paper, readers should understand the infrastructure described and implemented in the Platform and Infrastructure paper in this series. In addition, implementing the solutions in this paper requires the following prerequisites:

A strong familiarity with the Identity Aggregation and Synchronization paper in this series.

A familiarity with managing groups by using the Microsoft Active Directory® directory service.

An appreciation for workflow principles and using Authorization Manager to control who may perform defined tasks.

To properly understand the solution, it is also helpful to know Microsoft Visual C#® and Visual Basic® .NET, as well as MIIS 2003 with SP1.

Feedback

Please direct questions and comments about this guide to secwish@microsoft.com.

Paper Overview

This paper explains how you can design, plan, build, and operate provisioning and workflow solutions by using the following technologies:

MIIS 2003 with SP1, an identity integration product that includes metadirectory and provisioning capabilities that will interoperate with many identity data sources by using protocols such as Lightweight Directory Access Protocol (LDAP).

Active Directory, which provides authentication and authorization for network operating systems and is a key provisioning target for MIIS 2003 with SP1.

A Group Management Web application and Group Populator program, which extend the capabilities of MIIS 2003 with SP1 to include security and distribution group membership.

A sample Self-Service Provisioning Web application.

Scenarios

In addition to a general discussion of provisioning and workflow approaches, this paper also provides detailed prescriptive guidance on implementing solutions based on three typical scenarios for Contoso Pharmaceuticals, a fictitious organization.

HR-Driven Provisioning

In this scenario, synchronizing identity information is only part of the required solution for Contoso. In addition to enabling a comprehensive view of its users, the company needs a provisioning solution. Data that resides in Contoso's mySAP ERP Human Capital Management system (SAP HR system) drives this solution to initiate automated provisioning operations.

This scenario describes how Contoso implements automated full-time employee account provisioning using MIIS 2003 with SP1.

Tools and Templates

You can use a set of configuration files, source code, scripts, and other data files to quickly and effectively implement the solution for this scenario.

Group Management

In this scenario, Contoso manages the following groups in its environment:

Security groups for setting entitlements through access control lists (ACLs).

Distribution groups for e-mail distribution lists to enable effective e-mail communication throughout the organization.

Historically, Contoso has found it difficult to both place users in the appropriate groups during the provisioning process, and manage groups as users change roles, positions, and locations during their careers. This situation has led to user frustration, increased help desk call volume, and inappropriate access granted to some users.

This scenario describes how Contoso implements automated group management in its environment by using a group management application.

Tools and Templates

A sample Group Management Web application is provided in this scenario. The application can provide a solution for simple cases, and you can extend it for more complex ones. Contoso developed this tool to provide the following additional functionality:

A user interface (UI) to manage rules on how groups should be populated, which includes:

Automatically created groups that are data-driven and can generate entire families of groups based on an attribute.

Manually created groups that are query-driven.

The ability to include or exclude individuals who do not meet group membership definitions.

A facility to import group modifications.

A configurable "grace period" before removing a group.
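The group population rules listed above, shown as an added Python example that is not code from the paper's Group Management Web application or Group Populator program. The user records, group naming scheme and function names are constructed for illustration; the point is that attribute-driven families, query-driven groups, and explicit include/exclude overrides are computed first, and that a group which no longer results from any rule is deleted only after a grace period, so a bad upstream feed cannot remove entitlements in a single synchronization run.

```python
from datetime import date, timedelta

# Constructed sample identity records for illustration (not Contoso data).
USERS = [
    {"uid": "alice", "department": "Research", "location": "Boston"},
    {"uid": "bob", "department": "Research", "location": "Denver"},
    {"uid": "carol", "department": "Legal", "location": "Boston"},
]

def attribute_family(users, attribute, prefix):
    """Data-driven rule: one group per distinct value of `attribute`,
    e.g. Dept-Research, Dept-Legal. Users lacking the attribute go nowhere."""
    groups = {}
    for u in users:
        value = u.get(attribute)
        if value:
            groups.setdefault(f"{prefix}-{value}", set()).add(u["uid"])
    return groups

def query_group(users, name, predicate):
    """Manually created, query-driven group: members are the users matching predicate."""
    return {name: {u["uid"] for u in users if predicate(u)}}

def apply_overrides(members, include=(), exclude=()):
    """Explicit include/exclude overrides take precedence over the rule result."""
    return (set(members) | set(include)) - set(exclude)

def reconcile(desired, existing, pending, today, grace_days):
    """Diff the computed groups against what the directory holds.
    A group no longer produced by any rule is not removed at once: the date it
    first went missing is recorded in `pending`, and it is deleted only once
    grace_days have elapsed. Returns (create, update, delete, still_pending)."""
    create = {g: m for g, m in desired.items() if g not in existing}
    update = {g: m for g, m in desired.items()
              if g in existing and existing[g] != m}
    delete, still_pending = [], {}
    for g in existing:
        if g in desired:
            continue                      # a rule produced it again: keep it
        first_seen = pending.get(g, today)
        if (today - first_seen).days >= grace_days:
            delete.append(g)
        else:
            still_pending[g] = first_seen
    return create, update, sorted(delete), still_pending
```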

Self-Service Provisioning

In this scenario, although the Contoso SAP HR system is considered the authoritative source for full-time employees, department managers hire contractors on a case-by-case basis. Because there is no authoritative data source to drive fully automated provisioning for contractors, Contoso requires managers to use a separate mechanism to request contractor accounts. To provide adequate security and safeguards for accounts, members of the IT administrators group must approve all such provisioning requests. This scenario describes how Contoso implements a Web application to provision contractor accounts. The application includes a simple workflow capability.

Tools and Templates

The sample workflow-driven provisioning application provides the following functionality:

Active Directory roles to secure the solution.

A one-step approval process.

Contoso's existing notification service.

Additional attributes that enhance functionality.

Useful configuration and other data files are also provided in this scenario.

Chapter Arrangement

Chapters 3 through 7 in this paper provide design and implementation details for the following three scenarios:

HR-Driven Provisioning

Group Management

Self-Service Provisioning

This paper includes the following seven chapters:

Chapter 1: Introduction

This chapter provides an executive summary, introduces the business challenges and benefits, suggests the recommended audience for the paper, lists reader prerequisites, and provides an overview of the chapters and scenarios in the paper.

Chapter 2: Approaches to Provisioning and Workflow

This chapter builds on the information provided in the Fundamental Concepts and Identity Aggregation and Synchronization papers in this series. It discusses approaches to provisioning, group management, and workflow.

Chapter 3: Issues and Requirements

This chapter defines the background, technology, security issues, and requirements for the HR-Driven Provisioning, Group Management, and Self-Service Provisioning scenarios. Contoso Pharmaceuticals, a fictitious organization, is used to illustrate the scenarios.

Chapter 4: Designing the Solution

This chapter highlights the key elements of the solution for each scenario; introduces the concepts, prerequisites, and architecture; and discusses how the proposed solution addresses the initial requirements.

Chapter 5: Implementing the Solution

This chapter builds on the infrastructure described in the Platform and Infrastructure and Identity Aggregation and Synchronization papers in this series to provide implementation details for the scenarios discussed in this paper. It also includes step-by-step configuration instructions.

Chapter 6: Testing the Solution

This chapter describes how to validate the implemented solution, including some troubleshooting steps to overcome common implementation challenges.

Chapter 7: Operational Considerations

This chapter discusses ongoing operational activities that must occur to ensure the continued success of the solution for each scenario.
