Provisioning, Deprovisioning, and Access Reviews
Key Takeaways
- Provisioning creates or changes identities and access based on an approved business need.
- Deprovisioning must remove access quickly when a person leaves, changes roles, or no longer needs a system.
- Access reviews compare current permissions against job duties, risk, and separation-of-duties requirements.
- Joiner, mover, and leaver workflows reduce orphaned accounts, privilege creep, and missed approvals.
- Good IAM evidence includes ticket approvals, role mappings, review decisions, and timestamps.
Provisioning, Deprovisioning, and Access Reviews
Identity and access management is an operational process, not just a login screen. Security+ scenarios often ask whether a control prevents unauthorized access, proves accountability, or supports least privilege. In IAM operations, the answer usually depends on the identity lifecycle: joiner, mover, and leaver.
Joiner, Mover, Leaver Workflow
| Event | Common trigger | Security goal | Example action |
|---|---|---|---|
| Joiner | New employee or contractor starts | Grant only approved baseline access | Create account from HR record and assign role-based groups |
| Mover | User changes department or responsibility | Remove old access before adding risky new access | Replace finance analyst groups with procurement groups |
| Leaver | User exits organization or contract ends | Disable access quickly and preserve evidence | Disable SSO, revoke tokens, rotate shared secrets if exposed |
Provisioning should start from a trusted source such as an HR system, student information system, or contractor management system. That source does not automatically make access safe. It only tells the IAM workflow who the person is and what business relationship exists. The security decision still needs role mapping, approval, and logging.
Scenario Walkthrough
A regional hospital hires a billing analyst. HR marks the worker as active on Monday. The IAM platform creates a directory account, assigns the "billing-analyst" group, and requires MFA enrollment before the first application launch. The user can access claims software and the document portal, but not clinical administration tools.
Two months later, the analyst transfers to patient scheduling. The mover workflow removes the billing group and adds the scheduling group. This is where many environments fail. If the old billing access remains, the user accumulates permissions that no longer match the job. That is privilege creep.
Six months later, the worker leaves. The leaver workflow disables the directory account, revokes cloud sessions, removes VPN access, and exports mailbox ownership to a supervisor. A ticket records the termination time, workflow completion time, systems affected, and any exceptions.
Access Review Table
| User | Current access | Business owner decision | Security note |
|---|---|---|---|
| arivera | Billing analyst, scheduling lead | Remove billing analyst | Mover access was not fully cleaned up |
| mpatel | Read-only claims archive | Keep | Needed for audit support through quarter end |
| svc-claims-export | Claims export writer | Keep with owner attestation | Service account; review owner and secret rotation |
| jnguyen | Domain admin | Remove | No approved privileged role in HR record |
Access reviews should be understandable by a business owner. A reviewer cannot make a good decision from a raw group name such as "APP-QA-RW-7." The review should explain what the permission allows, who owns the application, when it was last used, and whether the access creates a separation-of-duties issue.
Common Traps
- Disabling only the application account while leaving SSO, VPN, API keys, and refresh tokens active.
- Adding new role access during a transfer without removing old role access.
- Treating a manager approval as a substitute for least privilege.
- Reviewing only human accounts while ignoring service accounts and shared mailboxes.
- Keeping emergency access permanently assigned because it is "just in case."
Exam Focus
For SY0-701, expect scenario wording such as "least privilege," "orphaned account," "access recertification," "privilege creep," "separation of duties," or "termination." The strongest answer usually closes the lifecycle gap with a repeatable process and auditable evidence.
A user moved from payroll to procurement three months ago but still has payroll approval rights. What is the primary issue?
Which evidence best supports a completed deprovisioning process?
Which items should usually be included in an access review? Select two.
Select all that apply