Active Directory provisioning is a vague abstract term. Is a user provisioned once they have an AD account? Once they have an Exchange mailbox? Once they are in a few security groups? Or once they can do their job?
I posit that it is once they can do their job. And that’s where the rub is, the National Institute of Standards & Technology concluded that a user is only 58% productive without his or her permissions. So, next time you “provision” a user, consider when/where you stop. Do you assign them to security groups or roles? Do these groups or roles encompass everything this user needs to do his or her job?
What about when the inevitable change occurs? When a user moves from operations to marketing? Do you get rid of old permissions (reducing the possibility of overentitlement) and add the new permissions (reducing the possibility of underentitlement). You have to be able to automate that, get the new identity information from HRIS or some other authoritative source and dynamically manage their group or role membership.
No business will survive with 58% productivity every time a user changes or starts a position. Think about internal and external turnover in your environment and think of how your business will prosper with that lost 42% productivity just by managing permissions and completing the user provisioning process.