The present invention, in some embodiments thereof, relates to user provisioning, and, more specifically, but not exclusively, to provisioning access to a target service.
User provisioning is the process of creating and managing user accounts throughout the join, move and leave phases of the user identity life cycle. Once the user accounts are established, appropriate entitlements and access rights to critical business applications and resources are assigned, maintained and withdrawn. Provisioning tools allow businesses to automate on-boarding and off-boarding of administration workforce processes.
The concept of user provisioning is not new. Information Technology (IT) organizations have provisioned access to IT resources through labor-intensive, error-prone manual processes throughout the history of computing resources. Many organizations still rely on manual processes to set up their user accounts and entitlements. However, more automated user provisioning solutions are available today.
User identities of all types—employees, customers, contractors—require accounts and access rights to support the organization's work. Users may also include applications that require access to other resources in the network. In addition to managing computer system accounts, user provisioning services automate many aspects of resource provisioning, such as equipping users with cellular phones, computer equipment, office space, or nearly any other process that has a programmatic interface. User provisioning can automate these processes, enabling users to access the resources they need on arrival on their first day, as well as providing enterprises with the ability to revoke any access a user may have at the moment his or her relationship with the organization is terminated.
User provisioning workflows automate user provisioning processes and range in complexity. A user provisioning workflow might orchestrate the entire user provisioning process from end to end.
In typical user provisioning systems, a user request must be sent to the system by the user or someone on the user's behalf before he or she attempts to connect to the target service. The user provisioning system then activates a user provisioning process in a separate thread that usually runs at pre-defined intervals, but can be configured to run instantaneously.
The user is notified that an account has been created on the target service, and the credentials are sent to the user by email or other method.
Multiple implementations for provisioning users with credentials to access target services and other network resources are known in the art. For example, FIGS. 1A and 1B illustrate an administrator 110 manually provisioning user 100 on the target service. The administrator connects to the target service (with credential set A) and creates provisioned credentials (set B) on target service 120 (140 and 150 on FIG. 1B). Credential set B is provided to user 100 (160 on FIG. 1B). The user then connects to the target service with set B (170 on FIG. 1B).
For RDP sessions (Windows OS), an Active Directory/Domain account is automatically provisioned on target services.
FIGS. 2A and 2B illustrate using a provisioning server 220 (e.g. Oracle Identity Manager) to provision a user on a target service 210 according to a policy (230-280 of FIG. 2B). The user then connects to the target service separately.
FIGS. 3A and 3B illustrate using a provisioning server 310 (e.g. Oracle Identity Manager) to provision a user 330 on a target service 320 upon user request (340 of FIG. 3B). After verifying that the user is to be provisioned on the target (350 of FIG. 3B) the credentials are generated (360-390 of FIG. 3B). The provisioning server creates a user account on the target service with credentials that are known to the user (e.g. directory credentials). The user then connects to the target service separately.
FIGS. 4A and 4B illustrate implementing a provisioning agent 420 (such as an Active Directory Bridge, e.g. Centrify, BeyondTrust) on the target service 410. An administrator 400 installs provisioning agent 420 on the target service 410 (450-460 of FIG. 4B). Provisioning agent 420 allows the user to connect by taking control of the target service login module (such as the Unix/Linux Pluggable Authentication Module (PAM) and/or Name Service Switch (NSS)) and uses an open protocol to an external system (e.g. Active Directory) for authentication (470-490 of FIG. 4B).
User provisioning should also ensure that only users with the proper level of authorization are able to access and operate target services, such as servers residing in organizational networks. Often, shared accounts are used for this type of access, either because no account has been provisioned for the specific user requiring access, or because the user's provisioned account lacks the level of authorization required for the desired operation. There are multiple problems with using shared accounts, among them the lack of accountability that arises from the difficulty of attribution: an access or operation performed with a shared account cannot readily be attributed to a specific user or user client.
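As an added illustration (not code from any of the products or figures above), the following Python model shows the on-request flow of FIGS. 3A and 3B, in which a provisioning server verifies an entitlement policy before creating a per-user account on a target service, together with the attribution problem of shared accounts described above. The class names, the `policy` mapping, the `svc_admin` shared account, and the audit record layout are all constructed for this example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class TargetService:
    """A target service with its own account store and an access log (constructed model)."""
    accounts: dict = field(default_factory=dict)   # account name -> password
    audit: list = field(default_factory=list)      # (account, operation) per session

    def login(self, account, password, operation):
        # the target only ever sees the account name, never the person behind it
        if self.accounts.get(account) != password:
            return False
        self.audit.append((account, operation))
        return True


class ProvisioningServer:
    """Provisions per-user accounts on request, after an entitlement check (constructed model)."""
    def __init__(self, policy):
        self.policy = policy                        # user -> set of permitted target names

    def request_access(self, user, target_name, target):
        if target_name not in self.policy.get(user, set()):
            return None                             # request refused, nothing is created
        password = secrets.token_urlsafe(16)        # credential set B, generated on the fly
        target.accounts[user] = password            # account is named after the user
        return password

    def revoke(self, user, target):
        target.accounts.pop(user, None)             # 'leave' phase: access withdrawn


def who_did(target, operation):
    """Accounts found in the audit trail for an operation; with per-user accounts this names the user."""
    return sorted({acct for acct, op in target.audit if op == operation})


def demo():
    db01 = TargetService()
    srv = ProvisioningServer({"alice": {"db01"}, "bob": {"db01"}, "carol": set()})
    refused = srv.request_access("carol", "db01", db01)           # no entitlement -> None
    db01.login("alice", srv.request_access("alice", "db01", db01), "restart")
    db01.login("bob", srv.request_access("bob", "db01", db01), "backup")
    # contrast: a pre-existing shared account used by two people leaves no trace of who acted
    db01.accounts["svc_admin"] = "shared-secret"
    db01.login("svc_admin", "shared-secret", "drop_table")
    db01.login("svc_admin", "shared-secret", "drop_table")
    return refused, who_did(db01, "restart"), who_did(db01, "drop_table")
```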