Provisioning, Privilege, and Identity
Effective user provisioning and identity management are somewhat at cross-purposes. From a user provisioning standpoint, the simplest solution would be to give every user access to everything, with no passwords at all. From a security standpoint, that would be a disaster.
More practically, you need to design your provisioning structure to balance the principle of least privilege with the conservation of administrative effort. The principle of least privilege states that every user should have just the specific access he or she needs to do the job, and no more. This principle is elementary to information security and it’s being taken increasingly seriously in the wake of recent well-publicized security breaches at major companies. Microsoft has jumped on the least-privilege concept and intends to implement it in its new Vista operating system.
Provisioning is where the principle meets reality. The principle of least privilege implies that every single job, and almost every single user, should be provisioned with a different bundle of accesses. That would be secure, but it would be a major headache for provisioning.
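The tension described above can be made concrete with a small audit model. The following is an added example, not code from the original article: it takes constructed sample data (made-up job names, user names and access identifiers) describing what each job legitimately needs and what each user currently holds, flags grants that exceed the job's needs, collapses per-user grants into one shared bundle per job, and counts how many individual grant decisions an administrator has to maintain under each scheme.

```python
"""Least-privilege provisioning audit (added example, not from the article).

Models the trade-off in the text: per-user access bundles are secure but
costly to administer, while blanket access is cheap but insecure. The
functions below flag anything granted beyond a job's needs, derive one
shared bundle per job from what users in that job actually hold, and
compare the administrative effort of the two provisioning schemes.
All data is constructed for illustration; the access names are made up.
"""
from collections import defaultdict

# Constructed: what each job function legitimately needs (the "job spec").
JOB_NEEDS = {
    "accounts-payable": {"erp:invoices:write", "erp:vendors:read"},
    "helpdesk": {"ad:password-reset", "ticketing:write"},
}

# Constructed: what each user currently holds, as (job, set of accesses).
USER_GRANTS = {
    "alice": ("accounts-payable", {"erp:invoices:write", "erp:vendors:read"}),
    "bob": ("accounts-payable", {"erp:invoices:write", "erp:vendors:read",
                                 "ad:password-reset"}),
    "carol": ("helpdesk", {"ad:password-reset", "ticketing:write"}),
    "dave": ("helpdesk", {"ad:password-reset", "ticketing:write",
                          "erp:invoices:write"}),
}


def excess_grants(user_grants, job_needs):
    """Per-user accesses beyond what the user's job requires.

    Each entry is a least-privilege violation that should be revoked or
    explicitly justified.
    """
    report = {}
    for user, (job, grants) in user_grants.items():
        extra = grants - job_needs.get(job, set())
        if extra:
            report[user] = extra
    return report


def derive_job_bundles(user_grants):
    """Collapse per-user grants into one shared bundle per job.

    The bundle is the intersection of what every user in the job holds,
    so the administrator maintains one access set per job instead of one
    per user. Anything outside the bundle is returned as a per-user
    exception that needs individual review.
    """
    by_job = defaultdict(list)
    for user, (job, grants) in user_grants.items():
        by_job[job].append((user, grants))
    bundles, exceptions = {}, {}
    for job, members in by_job.items():
        shared = set.intersection(*(g for _, g in members))
        bundles[job] = shared
        for user, grants in members:
            if grants - shared:
                exceptions[user] = grants - shared
    return bundles, exceptions


def admin_decisions(user_grants, bundles, exceptions):
    """Count the discrete grant decisions an administrator must maintain.

    Per-user provisioning: every (user, access) pair is a decision.
    Job-bundle provisioning: one decision per access in each bundle,
    plus one per per-user exception. Returns (per_user, per_job).
    """
    per_user = sum(len(g) for _, g in user_grants.values())
    per_job = (sum(len(b) for b in bundles.values())
               + sum(len(e) for e in exceptions.values()))
    return per_user, per_job


if __name__ == "__main__":
    print("Excess vs job spec:", excess_grants(USER_GRANTS, JOB_NEEDS))
    bundles, exceptions = derive_job_bundles(USER_GRANTS)
    print("Derived bundles:", bundles)
    print("Per-user exceptions:", exceptions)
    print("Decisions, per-user vs per-job:",
          admin_decisions(USER_GRANTS, bundles, exceptions))
```

The two checks are complementary: deriving bundles by intersection only shows what users in a job have in common, so an access that everyone in the job was wrongly given would end up inside the bundle. Comparing against an authoritative job spec, as `excess_grants` does, is what actually enforces least privilege; the bundle step addresses the administrative-effort side of the trade-off.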