From the Windows administrator’s viewpoint, the ideal user provisioning system takes the administrative staff out of the loop entirely. The Windows administrator’s only job in provisioning is the purely mechanical process of granting whatever privileges the decision makers—such as the user’s boss or the Human Resources department—want the user to have. Theoretically, the administrator’s role could be automated right out of the process.
Ideally, a user provisioning system should automate the entire lifecycle. It should add new users, change users’ permissions, and "deprovision" (as they call it in the business) users who leave, all with an absolute minimum of effort from system administrators.
This leads naturally to the concept of self-service provisioning, in which the user requests and is granted access without administrator intervention. The problem with this approach is that a lot of the time the user doesn’t realize he or she needs additional access until it’s denied. At that point, work comes to a screeching halt until the additional permission is granted. This is just about guaranteed to produce an irate call to the help desk.
As a result, provisioning vendors have put a lot of effort into speeding up the "workflow"—which is what they call the process of granting or modifying permissions.
"You don’t have to have humans in the [provisioning] chain," Aisien points out. "That’s a business decision and it’s really up to the enterprise." In many cases, the provisioning can be automatic. The user goes to a web page, confirms identity, asks for permission, and it’s granted automatically.
Obviously, a lot of permissions can’t be granted like this, however, and some kinds of permissions need to be very tightly controlled indeed. One of the major jobs in establishing a provisioning system is deciding who has to grant permission for which kinds of access and how to do it as expeditiously as possible.
A provisioning request usually needs at least two approvals: the user’s manager and the manager responsible for the application both need to okay the request. Some systems allow the requests to be submitted in parallel to speed up the process. Where several people need to give approval, the systems often also have the notion of "voting with veto," so that one or two non-critical people can’t stall the request.
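The approval workflow described above (two required approvers, votes collected in parallel, and "voting with veto" so that optional reviewers cannot stall a request), modelled as an added Python example that is not from the article or any vendor's product. The approver names and the exact rule (a required approver's silence keeps the request pending, an optional approver's silence does not, and any veto denies) are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Vote(Enum):
    PENDING = "pending"
    APPROVE = "approve"
    VETO = "veto"


@dataclass
class Approver:
    name: str
    # True: must explicitly approve (e.g. the user's manager, the application owner).
    # False: consulted and may veto, but silence does not block the request.
    required: bool
    vote: Vote = Vote.PENDING


@dataclass
class ProvisioningRequest:
    user: str
    resource: str
    approvers: list = field(default_factory=list)

    def record_vote(self, approver_name: str, vote: Vote) -> None:
        # Requests go to all approvers in parallel, so votes are accepted in any order.
        for a in self.approvers:
            if a.name == approver_name:
                a.vote = vote
                return
        raise KeyError(f"{approver_name} is not an approver on this request")

    def decision(self) -> str:
        # Any veto, even from a non-critical approver, denies the request outright.
        if any(a.vote is Vote.VETO for a in self.approvers):
            return "denied"
        # Only the required approvers must have said yes; a pending vote from an
        # optional approver cannot stall the request.
        if all(a.vote is Vote.APPROVE for a in self.approvers if a.required):
            return "approved"
        return "pending"


def new_request(user: str, resource: str) -> ProvisioningRequest:
    # Constructed sample: two required approvers plus one optional reviewer (assumed roles).
    return ProvisioningRequest(user, resource, [
        Approver("manager", required=True),
        Approver("app_owner", required=True),
        Approver("security_reviewer", required=False),
    ])
```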