As the term ‘provisioning’ tends to have different meanings depending on who you talk to, we wanted to follow up on our post last week on SAML / SPML-based ‘just-in-time’ user provisioning with some quick additional thoughts…
Effective user provisioning requires much more than just ensuring users have an active account and access to a given service or SaaS application. User authorizations and permissions within the service also need to be consistent with role-based access control (RBAC), least privilege and segregation-of-duties (SOD) concepts. This requires that organizations ensure that permissions and authorizations are consistent across services, not just within each individual SaaS silo. What makes provisioning challenging is that each SaaS service provider has its own unique role, profile and authorization model, optimized around the particular problem set it addresses. Virtually all SaaS user attribute and permission models are unique to the individual vendor, with some services providing the ability to configure over 50 different user attributes. In our mind, proper user provisioning ensures that user accounts and all associated authorizations are consistent with corporate policy, which is a much deeper, more challenging problem than it first appears…
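To make the cross-silo consistency problem concrete, here is an added example (not from the original post): corporate policy is stated once in RBAC terms, each SaaS vendor's own profile vocabulary is mapped onto those entitlements, and a user's actual grants are audited for least-privilege and SOD drift. All role names, vendor profiles and users below are constructed sample data.

```python
"""Audit SaaS grants against a single corporate RBAC/SOD policy.

Each vendor exposes its own profile names, so a per-vendor mapping translates
the vendor model into corporate entitlements before comparison. All data here
is constructed for illustration.
"""

# Corporate RBAC policy: role -> abstract entitlements (constructed).
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"invoice.create"},
    "ap_manager": {"invoice.approve", "vendor.read"},
    "sales_rep": {"crm.opportunity.edit"},
}

# Segregation of duties: entitlement sets one person must never hold together.
SOD_CONFLICTS = [frozenset({"invoice.create", "invoice.approve"})]

# Per-vendor mapping: the vendor's own profile name -> corporate entitlements.
# Note the coarse "AP_Admin" profile, a typical vendor catch-all (constructed).
VENDOR_MODELS = {
    "erp_saas": {
        "AP_Entry": {"invoice.create"},
        "AP_Approver": {"invoice.approve", "vendor.read"},
        "AP_Admin": {"invoice.create", "invoice.approve", "vendor.read", "gl.post"},
    },
    "crm_saas": {
        "Sales User": {"crm.opportunity.edit"},
        "System Administrator": {"crm.opportunity.edit", "crm.admin"},
    },
}


def effective_entitlements(assignments):
    """Translate {service: {vendor profile, ...}} into corporate entitlements.
    Profiles with no mapping are surfaced rather than silently dropped."""
    eff = set()
    for service, profiles in assignments.items():
        model = VENDOR_MODELS[service]
        for profile in profiles:
            eff |= model.get(profile, {f"{service}:unmapped:{profile}"})
    return eff


def audit_user(roles, assignments):
    """Return excess grants (least-privilege violations), missing grants
    (under-provisioning) and any SOD conflicts across all services."""
    allowed = set().union(*(ROLE_ENTITLEMENTS[r] for r in roles)) if roles else set()
    actual = effective_entitlements(assignments)
    return {
        "excess": sorted(actual - allowed),
        "missing": sorted(allowed - actual),
        "sod": [sorted(c) for c in SOD_CONFLICTS if c <= actual],
    }


if __name__ == "__main__":
    # Constructed case: an AP clerk handed the vendor's catch-all admin profile.
    print(audit_user({"ap_clerk"}, {"erp_saas": {"AP_Admin"}}))
```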
May 5, 2009 at 1:24 am
Be sure to check OAuth:
http://oauth.net/
Getting very popular with sites such as Twitter:
http://apiwiki.twitter.com/OAuth-FAQ
Way simple, and cool.
–alex