Autoprovisioning
The goal of autoprovisioning is to create a target group of users defined in the enterprise context in advance and to provide them with basic rights (specialist application and business roles). Authorisations for one or more applications are thus assigned fully automatically, and the users can log in and work without further administrative effort. During autoprovisioning, the users' master attributes, including status (active/inactive/archived), in the access account are automatically synchronised with the root account, which considerably reduces the administration and management effort during operation.
The following user master attributes are automatically synchronised from the root account to the access account:
- Name (name)
- First name (firstName)
- E-mail (email)
- AddressLine1 (adressLine1)
- AddressLine2 (addressLine2)
- Status (status)
- Source system
Comment
Autoprovisioning is not applicable in the eGovernment context with citizens and business representatives.
[Figure: Autoprovisioning]
Effects of autoprovisioning on the Access Account
- With autoprovisioning, the users in the Access Account are pre-configured with a basic default profile containing the appropriate business and application roles and created in the appropriate unit.
- The user master data in the Access Account automatically synchronises with the Root Account.
- New user entries during operation are also automatically provisioned on the basis of the defined provisioning rule, so that the responsible delegated administrator does not have to take any further action if sufficient rights have been assigned. The automatic synchronisation of the master data from the root account to the access account is also ensured here.
- With a clearly defined unit concept (OU structure), several autoprovisioning instances can be configured in one access client, each containing different users who are then recorded in different units. This carries a risk of duplicate user registration, which can lead to problems. Therefore, if you intend to configure more than one autoprovisioning instance, please be sure to contact eIAM Consulting.
Important to note!
Users added via an API (RDM/SOAP) interface or via Delegated Management must not be created in the same unit as Autoprovisioning!
Application examples
- If you want to automatically pre-provision all employees of an office, as well as new entrants, with basic rights (roles).
- If you want to automatically pre-provision the assignment of rights for a specific user group.
Filter criteria for specific user groups
The system is very flexible regarding the possible filter criteria; please contact eIAM Consulting for this.
Filter options
The following filters can be used in the current version to define the target groups of automatically provisioned users.

| Attribute on federated identity | Description |
| --- | --- |
| AdminOrganizationalUnitName | Only for federated identities where the AdminOrganizationalUnitName attribute matches the defined regex, e.g. "External Auth and Identity" |
| AdminOUNamePath | Only for federated identities where the AdminOUNamePathAttribute matches the defined regex, e.g. "Federal Council/Federal Department of Finance/Federal Office of Information Technology and Telecommunications/Directorate/Platform Services/Chapter/Auth and Identity/External Auth and Identity" |
| AdminOrganizationNameAbbr | Only for federated identities where the AdminOUNamePathAttribute matches the defined regex, e.g. "BIT" |
| EmployeeType | Only for federated identities where the EmployeeType matches the defined regex, e.g. "External" |
The attributes listed above are available on the federated identity. If further special filters are necessary for integrations, these can be integrated in future versions if required and reasonable.
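The following added example (not eIAM code) lets you dry-run filter regexes against sample identities before requesting a configuration, and flags identities selected by more than one autoprovisioning instance, which is the duplicate-registration risk noted under the effects on the Access Account. The page does not state whether the regex is anchored or how several filters combine; full-match and AND semantics are assumptions here, and the instance names, unit names and identities are constructed.

```python
import re

# Constructed sample federated identities; attribute names come from the filter table.
IDENTITIES = [
    {"id": "u1", "AdminOrganizationNameAbbr": "BIT", "EmployeeType": "External",
     "AdminOrganizationalUnitName": "External Auth and Identity"},
    {"id": "u2", "AdminOrganizationNameAbbr": "BIT", "EmployeeType": "Internal",
     "AdminOrganizationalUnitName": "Auth and Identity"},
    {"id": "u3", "AdminOrganizationNameAbbr": "BITX", "EmployeeType": "External",
     "AdminOrganizationalUnitName": "Platform Services"},  # "BITX" is made up
]

# Hypothetical autoprovisioning instances: a target unit plus attribute -> regex filters.
INSTANCES = {
    "instance-a": {"unit": "unit-bit", "filters": {"AdminOrganizationNameAbbr": r"BIT"}},
    "instance-b": {"unit": "unit-external", "filters": {"EmployeeType": r"External"}},
}

def matches(identity, filters, anchored=True):
    """True if every filter regex matches its attribute (filters ANDed: an assumption)."""
    for attr, pattern in filters.items():
        value = identity.get(attr)
        if value is None:
            return False  # a missing attribute never satisfies a filter
        hit = re.fullmatch(pattern, value) if anchored else re.search(pattern, value)
        if hit is None:
            return False
    return True

def target_group(filters, identities=IDENTITIES, anchored=True):
    """IDs of the identities a filter set would select for provisioning."""
    return [i["id"] for i in identities if matches(i, filters, anchored)]

def overlaps(instances=INSTANCES, identities=IDENTITIES):
    """Identities selected by more than one instance: duplicate-registration candidates."""
    hits = {}
    for name, inst in instances.items():
        for uid in target_group(inst["filters"], identities):
            hits.setdefault(uid, []).append(name)
    return {uid: names for uid, names in hits.items() if len(names) > 1}

if __name__ == "__main__":
    abbr = {"AdminOrganizationNameAbbr": r"BIT"}
    print("anchored:  ", target_group(abbr))                  # exact abbreviation only
    print("unanchored:", target_group(abbr, anchored=False))  # also selects "BITX"
    print("overlap:   ", overlaps())                          # u1 is in both instances
```

An unanchored pattern silently widens the target group, and every identity in that group receives the default roles, so agree on the matching semantics with eIAM Consulting before relying on a filter.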
Overview of identities in eIAM, units, profiles and roles
[Figure: Identities in eIAM & Units, Profiles and Roles]
Added value of autoprovisioning
- Automatic mass onboarding with role assignment without user interaction (user does not need to redeem onboarding code).
- Synchronisation between the root account and the access account is ensured for the users pre-provisioned in this way, including new entrants.
- The user accounts in the Access Client are available to the administrators without additional onboarding activities.
- User exits/entries during operation are automatically archived or added and the status is updated.
- Optimised administration and operational effort.