A true access governance platform extends the reach of existing provisioning systems to provide an enterprise-wide view of entitlements in language business managers can understand. When integrated with a provisioning system, access governance solutions can dynamically and automatically change entitlements to avoid regulatory or security lapses, and ensure the organization can pass internal or external audits.
Where provisioning falls short
Provisioning systems automated what had become a cumbersome process: managing the lifecycle of user accounts that were shared or used by multiple applications. These provisioning systems connect to user directories or account repositories to establish, for each user, their login credentials, their profile attributes (such as name, title, department and office) and the group memberships that enable the user to access certain applications.
With this information, a provisioning system can tell who a user is, the accounts each user maintains and the associated account attributes and group memberships. However, it cannot determine the user’s entitlements – the critical details of exactly what each user can and cannot do with the enterprise’s applications and data. That is because applications, hosts and shared security solutions across the enterprise rely on their own policies and infrastructure to bind user accounts to application access entitlements.
It is these specific policy bindings that assure, for example, the proper separation of duties (such as those that keep the same employee from submitting and approving an expense report) or that block an unauthorized employee from seeing a customer’s credit card numbers.
Provisioning systems have no knowledge of these applications and systems or of the account-to-entitlement policy bindings. This infrastructure is usually visible to and accessible by only the IT staff, not business managers. As a result, IT security teams and application owners each use their own ad-hoc solutions such as spreadsheets to track entitlements, tag them with business descriptions and certify access.
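The gap described above can be shown in a few lines. The following Python sketch is an added example, not code from any product the article discusses: it joins the provisioning view (accounts and group memberships) with each application's own group-to-entitlement bindings, then checks the resolved entitlements against a separation-of-duties rule and a restricted-data rule. All user, group, entitlement and department names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (all names hypothetical).
# What a provisioning system sees: accounts, attributes, group memberships.
PROVISIONED = {
    "alice": {"department": "Finance", "groups": {"exp-users", "exp-managers"}},
    "bob": {"department": "Sales", "groups": {"exp-users", "crm-support"}},
    "carol": {"department": "Finance", "groups": {"exp-managers"}},
}

# What each application holds internally: group -> entitlement bindings.
APP_BINDINGS = {
    "expenses": {"exp-users": {"expense:submit"},
                 "exp-managers": {"expense:approve"}},
    "crm": {"crm-support": {"customer:view", "customer:view_card_number"}},
}

# Governance policy: toxic combinations and department-restricted entitlements.
SOD_RULES = [("expense:submit", "expense:approve")]
RESTRICTED = {"customer:view_card_number": {"Finance"}}


def effective_entitlements(user):
    """Resolve a user's groups through every application's bindings."""
    result = set()
    for bindings in APP_BINDINGS.values():
        for group in PROVISIONED[user]["groups"]:
            result |= bindings.get(group, set())
    return result


def review():
    """Return {user: [finding, ...]} for SoD conflicts and restricted access."""
    findings = defaultdict(list)
    for user, profile in PROVISIONED.items():
        ents = effective_entitlements(user)
        for a, b in SOD_RULES:
            if a in ents and b in ents:
                findings[user].append(f"SoD conflict: {a} + {b}")
        for ent, allowed in RESTRICTED.items():
            if ent in ents and profile["department"] not in allowed:
                findings[user].append(f"restricted entitlement: {ent}")
    return dict(findings)


if __name__ == "__main__":
    for user, issues in sorted(review().items()):
        print(user, issues)
```

Without `APP_BINDINGS`, the data in `PROVISIONED` alone gives no way to tell that alice can both submit and approve an expense report, which is the blind spot the article attributes to provisioning systems.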