The Complete Guide to User Provisioning with Ping Identity: Streamlining Secure Access to Enterprise Resources

User provisioning may not be the most glamorous piece of identity and access management, but any IAM manager who has ever struggled to grant users access to resources knows a tool doesn’t need to be flashy to be valuable. User provisioning is a critical component in ensuring that your workforce can access the applications, files and other information they need to be productive. With it, you can smooth the connection between HR and IT while protecting your resources from unauthorized access.

We’ve recently expanded our application provisioning catalog and added HR to directory provisioning, so now is a good time for a refresher on what user provisioning is and to look at how Ping can help you achieve automated, safe user access to resources.

User provisioning, also known as user account provisioning, is an automated process for creating user accounts and managing access to IT resources. It goes beyond simply identifying whether an individual is who they say they are and extends into that person’s rights and permissions to specific enterprise applications and other resources. To use a simple banking analogy, identity management identifies the thieves from the customers and employees, allowing the latter groups to enter the bank, while user provisioning keeps the customers from dipping into other customers’ bank accounts.

Furthermore, user provisioning allocates user privileges and permissions automatically, based on criteria such as user role. This differs from identity governance and administration, which handles user identity lifecycle administration and does more than simple user provisioning. With user provisioning, you’re not relying on access requests. There’s no certification, no attestation, no audit trail—just the exact user information needed for access management.

User provisioning becomes increasingly critical the larger an enterprise grows. The more employees and positions within an organization, the more difficult it can be to determine access rights. User provisioning can help boost productivity by relieving the burden from IT having to manually create user accounts and arrange access for each new employee and application. For instance, as titles and departments change, IT can perform group updates. They can also easily provision new applications and deprovision old ones, further reducing the risk of unauthorized information falling into the wrong hands.

Ping solutions include numerous out-of-the-box integrations that allow you to automatically provision, update and deprovision users to a wide range of applications. Provisioning from cloud and on-premises HR application sources helps you maintain accurate, up-to-date user profile information, with full CRUD (create, read, update and delete) capabilities for user or group provisioning, so you can eliminate manual processes and profile synchronization challenges.

In keeping with Ping’s standards-based approach to IAM, our user provisioning is based on the System for Cross-domain Identity Management (SCIM) standard. SCIM was developed nearly a decade ago using protocols like REST and JSON in order to reduce complexity and provide a more straightforward approach to user management, and it enables easier, more powerful and standardized communication between identity data stores. 

Ping’s provisioning capabilities fall into two main categories: inbound HR provisioning and outbound application provisioning. 

Inbound HR Provisioning

Inbound HR provisioners automatically provision, update and deprovision users from your HR system into your identity solution, making for more efficient communication between HR and IT about employee onboarding and offboarding. It takes user information from HR datastores to create users, place them in groups and then determine the HR hierarchy. It can also write back to the HR source (for example, creating an email address and sending it back to the HR information system). By having your HR system as the source of truth, your IAM platform will always have accurate user accounts and updated group memberships. A new employee is created automatically, a promotion is reflected in group memberships, and ex-employees are automatically deprovisioned.

Our partnership with Aquera has enabled us to greatly expand our inbound provisioning capabilities. Ping now offers inbound provisioning from 27 different HR systems, including Workday, Ultimate Software’s UltiPro, Oracle HCM, ADP Workforce Now, ADP Vantage HCM and Ceridian Dayforce HCM.

Let’s take a look at the Workday integration. Workday acts as the user system of record and The Workday Onboarding Bridge provides the integration required to import users and their attributes on an ongoing basis. Aquera built and maintained this bridge, and the Aquera platform is a SOC 2 Type II audited service running in Amazon Web Services:

Outbound Provisioning

If HR inbound provisioning is the first step in user provisioning, outbound provisioning covers the last mile: creating user accounts in cloud or on-premises apps. It features “just in time” access so that you aren’t creating an account until a user tries to access a specific app, saving your company time and lessening security risks. Easy to administer and configure, it offers real-time updates and is integrated with PingFederate and PingOne.

Ping offers outbound provisioning to 308 SaaS applications, including Snowflake, Kronos, Salesforce, HubSpot and Concur. For example, Snowflake user provisioning lets you automatically provision, update and deprovision users to Snowflake Business:

We also have native connectors, such as our out-of-the-box integration to Box from PingFederate and PingOne for Enterprise, that enable an enterprise to provision users and groups:

The Ping Integration Directory

We are hard at work continuing to expand our user provisioning capabilities to convey enterprise benefits including increased workforce efficiency, decreased security risks and better end user experiences. To view our complete provisioning catalog, head on over to the Ping Integration Directory.