The identity lifecycle extends from the creation of users, to the provisioning of access, to the management of users, to the deprovisioning of access or users. While there are several methods to manage this lifecycle, the following ordered steps provide an overview of the typical implementation process:
- A new user is hired at a company.
- The HR department creates a new employee record in the human capital management (HCM) system which is the authoritative source for identity information such as legal name, address, title and manager.
- The HCM syncs with the directory service. As part of the sync, any new users in HCM are provisioned in the directory service.
- The IT department populates additional attributes for the user in the directory service. For example, the user’s email address and role might be added.
- The IT department performs maintenance tasks such as resetting the user’s password and changing the user’s roles when they move to a new department.
- The employee leaves the company. The HR department flags the user as terminated in the HCM, and the HCM performs an immediate sync with the directory service. The directory service disables the user account to temporarily remove access.
- The IT department, after a specific period (such as 7 days), permanently deletes the user account and all associated access.

Beyond these steps, there are additional processes involved in managing identity and access:
- User access review. You should perform periodic access reviews in which appropriate personnel attest that each user has the appropriate rights and permissions. Does the user have only the access they need to perform their job? Were all permissions granted through the company’s access request process? Is the granting of access documented and available for review? You should also review the configuration of your identity service to ensure it adheres to known good practices. You should review the directory service for stale objects (for example, user accounts for employees who have left the company). The primary goal is to ensure that users have the access permissions they need and nothing more. If a terminated user still has a valid user account, then you are in violation of your primary goal.
- System account access review. System accounts are accounts that are not tied one-to-one to humans. They are often used to run automated processes, jobs, and tasks. System accounts sometimes have elevated access. In fact, it isn’t uncommon to find system accounts with the highest level of access (root or administrative access). System accounts require review similar to user accounts. You need to find out if system accounts have the minimum level of permissions required for what they are used for. And you need to be able to show the details — who provided the access, the date it was granted, and what the permissions provide access to.
- Provisioning and deprovisioning. Account creation and account deletion — provisioning and deprovisioning — are key tasks in the account lifecycle. Create accounts too early and you have dormant accounts that can be targeted. Wait too long to disable and delete accounts and you also have dormant accounts that can be targeted. When feasible, it is a good practice to automate provisioning and deprovisioning. Automation helps reduce the time to create and delete accounts. It also reduces human error (although the automation code could have human error). Your company should establish guidelines for account provisioning and deprovisioning. For example, your company might have a policy that an account must be disabled while the employee is in the meeting being notified of their termination.
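The lifecycle steps and the review processes above, worked through in code as an added example (this is not code from the study guide or from any particular HCM or directory product). The HCM feed is the authoritative source: a sync provisions new users and disables anyone HR has flagged as terminated, a purge deletes accounts disabled for the retention window, and a periodic access review flags terminated users who still hold an enabled account, stale accounts, and privileged system accounts with no record of who granted the access, when, and why. The employee IDs, dates, the 7-day and 90-day windows, and the entitlement names are all constructed assumptions.

```python
# Added example (not from the study guide): a simulation of the identity
# lifecycle and access-review processes. All records, dates and
# thresholds below are constructed assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

PURGE_AFTER_DAYS = 7                    # assumed: delete 7 days after disable
STALE_AFTER_DAYS = 90                   # assumed: no sign-in for 90 days is stale
PRIVILEGED = {"root", "domain-admin"}   # assumed names of highest-level access


@dataclass
class HcmRecord:                        # one row of the authoritative HR feed
    employee_id: str
    legal_name: str
    terminated: bool = False


@dataclass
class Account:                          # one directory object
    account_id: str
    kind: str = "user"                  # "user" (tied to a person) or "system"
    enabled: bool = True
    disabled_on: Optional[date] = None
    last_login: Optional[date] = None
    entitlements: Set[str] = field(default_factory=set)
    grant: Optional[dict] = None        # who approved the access, when, and why


class Directory:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def sync_from_hcm(self, feed: List[HcmRecord], today: date) -> List[str]:
        """Provision new HCM users; disable anyone HR flagged as terminated."""
        log = []
        for rec in feed:
            acct = self.accounts.get(rec.employee_id)
            if acct is None:
                self.accounts[rec.employee_id] = Account(rec.employee_id)
                log.append(f"provisioned {rec.employee_id}")
            elif rec.terminated and acct.enabled:
                acct.enabled, acct.disabled_on = False, today
                log.append(f"disabled {rec.employee_id}")
        return log

    def purge_disabled(self, today: date) -> List[str]:
        """Permanently delete accounts disabled for PURGE_AFTER_DAYS or more."""
        cutoff = today - timedelta(days=PURGE_AFTER_DAYS)
        gone = [i for i, a in self.accounts.items()
                if not a.enabled and a.disabled_on and a.disabled_on <= cutoff]
        for i in gone:
            del self.accounts[i]
        return gone

    def access_review(self, hr_terminated: Set[str], today: date) -> List[Tuple[str, str]]:
        """Return (account, finding) pairs for the periodic access review."""
        findings = []
        stale_cutoff = today - timedelta(days=STALE_AFTER_DAYS)
        for a in self.accounts.values():
            if a.kind == "user":
                # A terminated employee with an enabled account violates the primary goal.
                if a.enabled and a.account_id in hr_terminated:
                    findings.append((a.account_id, "terminated_but_enabled"))
                # Stale object: enabled but unused for longer than the policy window.
                if a.enabled and a.last_login and a.last_login < stale_cutoff:
                    findings.append((a.account_id, "stale_account"))
            elif a.entitlements & PRIVILEGED:
                # Privileged system accounts must show who granted access, when, and why.
                g = a.grant or {}
                if not all(g.get(k) for k in ("approved_by", "granted_on", "purpose")):
                    findings.append((a.account_id, "privileged_undocumented"))
        return findings


def run_demo() -> dict:
    """Hire, terminate, purge and review, with constructed dates."""
    d, day0 = Directory(), date(2024, 3, 1)
    feed = [HcmRecord("E1001", "Ada Example"), HcmRecord("E1002", "Bo Example")]
    hire_log = d.sync_from_hcm(feed, day0)
    d.accounts["E1001"].last_login = day0 + timedelta(days=29)
    d.accounts["E1002"].last_login = day0          # never signs in again
    # An account created by hand, outside the HCM sync, for a now-terminated worker.
    d.accounts["E1003"] = Account("E1003")
    # Two privileged system accounts: one with a documented grant, one without.
    d.accounts["svc-backup"] = Account("svc-backup", kind="system", entitlements={"root"},
        grant={"approved_by": "E0003", "granted_on": date(2023, 9, 14), "purpose": "nightly backup"})
    d.accounts["svc-etl"] = Account("svc-etl", kind="system", entitlements={"domain-admin"})
    # HR flags E1001 terminated on day 30; the immediate sync disables the account.
    feed[0].terminated = True
    term_log = d.sync_from_hcm(feed, day0 + timedelta(days=30))
    early = d.purge_disabled(day0 + timedelta(days=36))   # still inside the 7-day window
    purged = d.purge_disabled(day0 + timedelta(days=37))  # exactly 7 days after disable
    review = d.access_review({"E1001", "E1003"}, day0 + timedelta(days=150))
    return {"hire_log": hire_log, "term_log": term_log, "purged_early": early,
            "purged": purged, "review": review, "remaining": sorted(d.accounts)}
```

Running `run_demo()` shows the automated path working for E1001 (disabled on sync, deleted a week later) and the review catching what automation alone does not: a hand-created account for a terminated worker, a user who never signed in again, and a system account holding domain-admin with no documented approver, date, or purpose.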