9.3 Provisioning, Deprovisioning, and Access Reviews
Key Takeaways
- Provisioning creates or updates access based on approved business need.
- Deprovisioning removes or disables access when it is no longer needed, especially during termination or role change.
- Joiner, mover, and leaver processes help keep access aligned with employment status and job duties.
- Access reviews ask managers or system owners to confirm that current access is still appropriate.
- Delayed offboarding and accumulated permissions are common identity lifecycle risks.
Key Concepts
Provisioning is the process of creating, enabling, or changing access for a subject. Deprovisioning is the process of disabling, removing, or reducing access when it is no longer needed. Together, they make up a large part of identity lifecycle management. The goal is simple: the right people and systems should have the right access at the right time, and stale access should be removed.
Many organizations describe identity lifecycle events as joiner, mover, and leaver. A joiner is a new employee, contractor, partner, service account, or system identity that needs access. A mover changes role, department, project, location, or responsibility. A leaver exits the organization or no longer needs access. Movers are often the hardest because access from the old role may remain while access for the new role is added. Over time, that creates privilege accumulation.
Good provisioning starts with a request and approval. A manager or application owner should confirm the business need. The access should map to a role or policy when possible, and exceptions should be documented. For example, a new accounts payable clerk may receive the standard accounts payable role, email group membership, and access to the invoice system. If the clerk also needs temporary access to a project folder, the request should include an end date.
Deprovisioning must be timely. When an employee is terminated, access to SSO, email, VPN, cloud applications, privileged accounts, building systems, and company devices may need to be disabled quickly. For a normal resignation, the organization may schedule removal for the employee's final day. For an involuntary termination or insider risk situation, removal may need to happen before the employee is notified. The exact process depends on policy, law, HR coordination, and risk.
Access reviews, also called access recertifications, are periodic checks that ask managers, data owners, or application owners to verify that current access is still appropriate. A review might ask: Does this user still work here? Does this user still perform this job? Does this user still need this application? Does this privileged role still have a valid owner? Reviews are especially important for privileged access, financial systems, sensitive data, and contractors.
Exam Application
Access reviews should produce action, not just a spreadsheet. If a manager marks access as no longer needed, the identity team or automated workflow should remove it. If an owner cannot identify why a service account exists, the organization should investigate before disabling it, then document the owner and purpose or retire it safely. A review that only collects approvals without checking risk can become a paper exercise.
Imagine a developer moves from the billing team to the mobile app team. The developer needs new repository access, new issue tracker permissions, and new cloud development resources. The developer probably no longer needs direct access to billing test data or deployment privileges for billing services. A mature mover process removes old access as part of granting the new access. Without that process, the developer may quietly keep both sets of permissions for years.
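The joiner, mover, and leaver handling described above can be expressed as a reconciliation: HR is the source of truth for status and role, a role map says what each role is entitled to, and the identity store holds what the account actually has. The following Python example is added for this section and is not code from the guide or from any identity product; the role map, HR records, and entitlement names are constructed sample data, and it assumes an entitlement is a flat "system:permission" string. It models the accounts payable clerk with a time-bound folder grant and the billing-to-mobile developer move, and it revokes old-role access in the same pass that grants the new role, which is what prevents mover privilege accumulation.

```python
"""Joiner / mover / leaver reconciliation against a role-to-entitlement map.

Added illustration, not code from the guide or from any identity product.
The role map, HR records and entitlement names are constructed sample data
(assumption: an entitlement is a flat "system:permission" string).
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Constructed role model: what each business role is entitled to.
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "ap_clerk": {"sso:basic", "email:ap-team", "invoice:user"},
    "billing_dev": {"sso:basic", "git:billing", "tracker:billing",
                    "cloud:billing-deploy", "billing-testdata:read"},
    "mobile_dev": {"sso:basic", "git:mobile", "tracker:mobile", "cloud:mobile-dev"},
}


@dataclass
class HrRecord:
    """Authoritative employment data from HR (the trigger for lifecycle events)."""
    user_id: str
    status: str   # "active" or "terminated"
    role: str


@dataclass
class AccountState:
    """What the identity store currently holds for the user."""
    user_id: str
    role: str | None                      # None: no account yet (joiner)
    entitlements: set[str] = field(default_factory=set)
    temp_grants: dict[str, date] = field(default_factory=dict)  # exception -> end date


def lifecycle_event(hr: HrRecord, account: AccountState) -> str:
    """Classify the event implied by comparing HR truth with the account."""
    if hr.status != "active":
        return "leaver"
    if account.role is None:
        return "joiner"
    if account.role != hr.role:
        return "mover"
    return "steady"


def desired_entitlements(hr: HrRecord, account: AccountState, today: date) -> set[str]:
    """Entitlements of the *current* HR role plus unexpired documented exceptions.
    A leaver is entitled to nothing, regardless of what the account holds."""
    if hr.status != "active":
        return set()
    desired = set(ROLE_ENTITLEMENTS[hr.role])
    desired |= {ent for ent, end in account.temp_grants.items() if today <= end}
    return desired


def reconcile(hr: HrRecord, account: AccountState, today: date) -> dict:
    """Grant/revoke actions that bring the account in line with HR. Old-role
    access is revoked in the same pass that grants new-role access."""
    desired = desired_entitlements(hr, account, today)
    return {
        "event": lifecycle_event(hr, account),
        "grant": sorted(desired - account.entitlements),
        "revoke": sorted(account.entitlements - desired),
    }


# Constructed scenarios (date fixed so results are reproducible).
TODAY = date(2024, 7, 15)

# Mover: developer moves from billing to mobile and still holds an expired project exception.
MOVER = reconcile(
    HrRecord("dev1", "active", "mobile_dev"),
    AccountState("dev1", "billing_dev",
                 ROLE_ENTITLEMENTS["billing_dev"] | {"project-x:folder"},
                 {"project-x:folder": date(2024, 6, 30)}),
    TODAY,
)
# Joiner: new AP clerk with a time-bound project folder grant that is still valid.
JOINER = reconcile(
    HrRecord("clerk1", "active", "ap_clerk"),
    AccountState("clerk1", None, set(), {"project-y:folder": date(2024, 12, 31)}),
    TODAY,
)
# Leaver: HR marks the clerk terminated; everything is revoked.
LEAVER = reconcile(
    HrRecord("clerk2", "terminated", "ap_clerk"),
    AccountState("clerk2", "ap_clerk", set(ROLE_ENTITLEMENTS["ap_clerk"])),
    TODAY,
)

if __name__ == "__main__":
    for name, result in (("mover", MOVER), ("joiner", JOINER), ("leaver", LEAVER)):
        print(name, result)
```

The mover result lists the three mobile entitlements to grant and five to revoke: the four billing-specific ones plus the project folder whose end date has passed. The shared "sso:basic" entitlement is neither granted nor revoked, because it belongs to both roles.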
Automation helps, but it does not remove responsibility. HR systems can trigger joiner, mover, and leaver workflows. Identity governance tools can route approvals and reviews. SSO can centralize account disablement. Even so, business owners must define appropriate access, managers must approve accurately, and security teams must monitor for gaps. For CC exam scenarios, delayed deprovisioning, orphaned accounts, and excessive accumulated access are warning signs.
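The access review rules in this section (orphaned accounts, service accounts without a documented owner, reviewer decisions that must turn into removals, and approvals that are not a paper exercise) can be run as a small decision procedure over an entitlement inventory. The Python example below is added for this section and is not code from the guide or from any identity governance tool; the inventory, HR feed, and reviewer decisions are constructed sample data, and the action names and the 90-day "unused" threshold are assumptions chosen for illustration. Higher-risk findings are decided before the reviewer's answer is even consulted, and an ownerless service account is routed to investigation rather than disabled blindly.

```python
"""Turning an access review into actions, not just a spreadsheet.

Added illustration, not code from the guide or from any identity-governance
product. The entitlement inventory, HR feed and reviewer decisions are
constructed sample data; action names and the stale threshold are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass
class Entitlement:
    subject: str
    kind: str               # "human" or "service"
    entitlement: str
    privileged: bool
    owner: str | None       # manager (human) or documented owner (service account)
    last_used: date | None


@dataclass
class Decision:
    subject: str
    entitlement: str
    decision: str           # "keep" or "revoke"
    justification: str = ""


@dataclass
class Action:
    subject: str
    entitlement: str
    action: str
    reason: str


def classify(item: Entitlement, d: Decision | None, active_humans: set[str],
             today: date, stale_after_days: int) -> tuple[str, str]:
    """Risk-ordered rules: identity problems first, then the reviewer's answer."""
    if item.kind == "human" and item.subject not in active_humans:
        return "disable", "orphaned account: subject is not an active employee"
    if item.kind == "service" and item.owner is None:
        # Find the owner and purpose first, then either document it or retire it.
        return "investigate", "service account with no documented owner"
    if d is None:
        return "escalate", "no reviewer decision recorded by the deadline"
    if d.decision == "revoke":
        return "remove", "reviewer marked access as no longer needed"
    if item.privileged and not d.justification.strip():
        return "return-to-reviewer", "privileged access kept without a justification"
    if item.last_used is None or (today - item.last_used).days > stale_after_days:
        return "confirm-use", f"kept, but unused for more than {stale_after_days} days"
    return "none", "kept with a valid reviewer decision"


def run_review(items: list[Entitlement], decisions: list[Decision],
               active_humans: set[str], today: date, stale_after_days: int = 90) -> list[Action]:
    decided = {(d.subject, d.entitlement): d for d in decisions}
    return [Action(i.subject, i.entitlement,
                   *classify(i, decided.get((i.subject, i.entitlement)),
                             active_humans, today, stale_after_days))
            for i in items]


def action_map(actions: list[Action]) -> dict[tuple[str, str], str]:
    """Lookup of (subject, entitlement) -> action, convenient for follow-up workflows."""
    return {(a.subject, a.entitlement): a.action for a in actions}


# Constructed review cycle (date fixed so results are reproducible).
TODAY = date(2024, 7, 15)
ACTIVE_HUMANS = {"alice", "carol", "erin", "frank", "gina"}   # constructed HR feed
INVENTORY = [
    Entitlement("alice", "human", "finance:approver", True, "bob", date(2024, 7, 5)),
    Entitlement("carol", "human", "billing:deploy", True, "bob", date(2024, 1, 10)),
    Entitlement("dave", "human", "vpn:user", False, "bob", date(2024, 3, 1)),       # left the company
    Entitlement("svc-report", "service", "db:read", False, None, date(2024, 7, 14)),
    Entitlement("erin", "human", "crm:user", False, "hank", date(2024, 7, 1)),
    Entitlement("frank", "human", "wiki:editor", False, "hank", date(2024, 6, 20)),
    Entitlement("gina", "human", "crm:user", False, "hank", date(2024, 3, 1)),
]
DECISIONS = [
    Decision("alice", "finance:approver", "keep", "approves supplier invoices"),
    Decision("carol", "billing:deploy", "keep"),          # privileged, no justification
    Decision("frank", "wiki:editor", "revoke"),
    Decision("gina", "crm:user", "keep", "account manager"),
]
RESULT = run_review(INVENTORY, DECISIONS, ACTIVE_HUMANS, TODAY)

if __name__ == "__main__":
    for a in RESULT:
        print(f"{a.subject:<11} {a.entitlement:<17} {a.action:<19} {a.reason}")
```

Every row ends with an action and a reason, so the output can feed a ticket or workflow rather than sit in a spreadsheet. The "escalate" and "return-to-reviewer" outcomes are the ones that keep a review from becoming a paper exercise: a missing answer is not treated as approval, and keeping privileged access requires a stated reason.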
High-Yield Checkpoints
- Provisioning creates or updates access based on approved business need.
- Deprovisioning removes or disables access when it is no longer needed, especially during termination or role change.
- Joiner, mover, and leaver processes help keep access aligned with employment status and job duties.
- Access reviews ask managers or system owners to confirm that current access is still appropriate.
- Delayed offboarding and accumulated permissions are common identity lifecycle risks.
An employee transfers from accounting to sales but keeps all accounting system permissions. What lifecycle risk is shown?
What is deprovisioning?
What is the main purpose of an access review?