HR Provisioning: Employee Lifecycle (Part 1)

Below is the first in a few posts looking at managing access and entitlements across an employee lifecycle (from hire to termination). This post covers some basic concepts and definition of terms.

The OASIS Provisioning Services Technical Committee describes provisioning as:

...the automation of all the steps required to manage (setup, amend and revoke) user or system access entitlements or data relative to electronically published services.

In the context of HR processes, the term "provisioning" is commonly used in a few different contexts, but it broadly describes a process of communicating to a target system the information that system needs to authenticate users and to determine their access privileges. Perhaps the most critical task within the provisioning process is "de-provisioning," which refers to the removal of access rights and entitlements.

Provisioning is a horizontal enterprise process that has special relevance for HR systems management because access and entitlements for individuals usually are derived from an individual's status as an employee or contractor and from the particular position they hold or role they play.

New hire and termination processes are of special concern in managing provisioning. The new hire process is of concern because new employees cannot become fully productive until they are granted the system and facility access they require to do their jobs. Termination is of concern because of the security risks posed if departing employees are not properly de-provisioned from systems. Provisioning and de-provisioning also may be triggered by many other intervening business and life events (for example, new projects, transfer, promotion, sabbatical, etc.).

Ideally, provisioning processes are "role driven" or "role aware," but are sufficiently flexible to handle a variety of possible intervening business and individual life events. Consider special cases such as system maintenance or responding to a security incident that may require an employee or class of employees to be temporarily "de-provisioned" from systems or their accounts "suspended." Consider also that it is sometimes desirable to de-provision an employee prior to the employee's actual termination of employment. Likewise, systems sometimes are "pre-provisioned" in advance of an employee's actual enter-on-duty date. Again, the point here is that there are benefits if provisioning processes are "role aware," but they also must be sufficiently flexible to handle a wide range of intervening events and contingencies that may not have a direct relationship to the individual's current status or role as an employee or contractor.

There isn't much uniformity in how provisioning is handled. However, Service Provisioning Markup Language (SPML), a standard for managing basic provisioning operations (add, delete, modify, search, suspend, password reset, etc.), is slowly gaining adoption. SPML is supported by major ID management solutions. It isn't widely supported by target systems, but where it is, enterprises can readily integrate the target system into their provisioning environment using a standards-based framework. Where target systems lack SPML support, provisioning gateways or ESB technologies can help implementers minimize the number of point-to-point provisioning connectors (see The Value of SPML Gateways, Burton Group).

SPML 2.0 allows profile extensions, which would be the place for business- or process-specific metadata. A given target system and the business processes it supports might need metadata relating to account configuration options or fine-grained entitlements. These profile extensions could be defined in a custom XML schema used within SPML messages.

While SPML 2.0 allows the definition of profile extensions, a provisioning service shouldn't be overloaded with HR-specific metadata. This is where some confusion can arise: the term "provisioning" is often used loosely in various HR contexts (sometimes in this blog) to refer to supplying some subset of employee data to relying systems. Despite such casual usage, the provisioning of "indicative data," or the employee data relevant to a specific HR process, would be handled by separate services (enrollment, payroll setup, etc.).
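To make the SPML operations and profile extensions discussed above concrete, here is an added example (not from this post or from any SPML product): a toy in-memory SPML 2.0 target in Python that processes add, suspend, resume and delete requests and reports which entitlements a relying system should honour at each lifecycle step. The core and suspend namespaces follow the SPML 2.0 specification; the `urn:example:hr-profile:1` extension namespace, the `jdoe` account and its position and entitlements are constructed for the example.

```python
import xml.etree.ElementTree as ET
SPML = "urn:oasis:names:tc:SPML:2:0"             # SPML 2.0 core namespace
SUSPEND = "urn:oasis:names:tc:SPML:2:0:suspend"  # SPML 2.0 suspend capability
HR = "urn:example:hr-profile:1"                  # hypothetical profile extension

def _local(tag):       # element tag without its "{namespace}" prefix
    return tag.rsplit("}", 1)[-1]
def _child(el, name):  # first child element with that local name, or None
    return next((c for c in el if _local(c.tag) == name), None)

class SpmlTarget:
    """In-memory provisioning service provider: one PSO per account ID."""
    def __init__(self):
        self.psos = {}  # id -> {"state": str, "entitlements": set, "meta": dict}
    def handle(self, xml_text):  # process one SPML request, return its status
        req = ET.fromstring(xml_text)
        op, pso_id = _local(req.tag), _child(req, "psoID").get("ID")
        if op == "addRequest":
            data = _child(req, "data")  # core element; its children are profile-specific
            ents = {e.text for e in data if _local(e.tag) == "entitlement"}
            meta = {_local(e.tag): e.text for e in data if _local(e.tag) != "entitlement"}
            self.psos[pso_id] = {"state": "active", "entitlements": ents, "meta": meta}
        elif pso_id not in self.psos:
            return "failure"  # suspend/resume/delete of an unknown PSO
        elif op == "suspendRequest":
            self.psos[pso_id]["state"] = "suspended"  # reversible de-provisioning
        elif op == "resumeRequest":
            self.psos[pso_id]["state"] = "active"
        elif op == "deleteRequest":
            del self.psos[pso_id]  # termination: the account ceases to exist
        else:
            return "failure"  # operation not supported by this target
        return "success"
    def effective_entitlements(self, pso_id):  # empty unless the PSO is active
        pso = self.psos.get(pso_id)
        return set(pso["entitlements"]) if pso and pso["state"] == "active" else set()

# Constructed sample messages for one lifecycle: hire, suspend, resume, terminate.
ADD = (f'<addRequest xmlns="{SPML}" xmlns:hr="{HR}"><psoID ID="jdoe"/><data>'
       '<hr:position>Payroll Analyst</hr:position><hr:entitlement>payroll-read'
       '</hr:entitlement><hr:entitlement>payroll-approve</hr:entitlement></data></addRequest>')
SUSPEND_REQ = f'<suspendRequest xmlns="{SUSPEND}"><psoID ID="jdoe"/></suspendRequest>'
RESUME_REQ = f'<resumeRequest xmlns="{SUSPEND}"><psoID ID="jdoe"/></resumeRequest>'
DELETE_REQ = f'<deleteRequest xmlns="{SPML}"><psoID ID="jdoe"/></deleteRequest>'

def run_lifecycle():  # (status, effective entitlements) after each step
    target, trace = SpmlTarget(), {}
    for step, msg in [("hire", ADD), ("suspend", SUSPEND_REQ), ("resume", RESUME_REQ), ("terminate", DELETE_REQ)]:
        trace[step] = (target.handle(msg), target.effective_entitlements("jdoe"))
    return trace
```

Note that the target reads only the fields it needs from the extension data; the position and other indicative data stay with the HR-side services rather than being pushed into the provisioning message wholesale.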