Provisioning, Deprovisioning, and Access Reviews
Key Takeaways
- Provisioning creates or changes identities and access based on an approved business need, driven by an authoritative source such as HR.
- Deprovisioning must remove every access path quickly when a person leaves or changes roles, not just the primary application login.
- Access reviews (recertification) compare current permissions against job duties, risk, and separation-of-duties requirements.
- Joiner, mover, and leaver workflows reduce orphaned accounts, privilege creep, and missed approvals.
- Strong IAM evidence includes ticket approvals, role mappings, review decisions, and timestamps that an auditor can trace end to end.
IAM as an Operational Process
Identity and access management (IAM) is an operational lifecycle, not just a login screen. On the CompTIA Security+ SY0-701 exam (up to 90 questions, 90 minutes, passing score 750 on a 100-900 scale), Domain 4 (Security Operations) and Domain 5 (Security Program Management and Oversight) repeatedly ask whether a control prevents unauthorized access, proves accountability, or supports least privilege (granting only the access a role needs). The right answer almost always traces back to where you are in the identity lifecycle: joiner, mover, or leaver (sometimes called JML).
Provisioning should originate from an authoritative source (system of record) such as an HR information system, student information system, or contractor management platform. That source establishes who the person is and what business relationship exists. It does not make access safe by itself. The security decision still requires role mapping, an approval, and an audit log entry. SY0-701 expects you to know that automated provisioning without governance simply makes mistakes faster.
Joiner, Mover, Leaver Workflow
| Event | Trigger | Security goal | Example action |
|---|---|---|---|
| Joiner | New hire or contractor starts | Grant only the approved baseline (least privilege) | Create account from HR record, assign role-based group, enforce MFA enrollment |
| Mover | Department or duty change | Remove old access before adding new access | Replace finance groups with procurement groups |
| Leaver | Exit or contract end | Disable all access fast, preserve evidence | Disable SSO, revoke tokens, rotate exposed shared secrets, reassign mailbox |
The mover stage is where most environments fail. If old access is never removed, the user accumulates permissions that no longer match the job. That is privilege creep (also called permission accumulation or access aggregation), and it is one of the highest-frequency vocabulary terms in IAM questions.
Scenario Walkthrough
A regional hospital hires a billing analyst. HR marks the worker active on Monday. The IAM platform creates a directory account, assigns the billing-analyst role group, and requires multi-factor authentication (MFA) enrollment before the first application launch. The user reaches claims software and the document portal, but not clinical administration tools.
Two months later the analyst transfers to patient scheduling. The mover workflow should remove the billing group and add the scheduling group. If billing access lingers, the analyst can now both submit and approve claims and edit schedules, which may break a separation of duties (SoD) rule and enable fraud.
Six months later the worker resigns. The leaver workflow disables the directory account, revokes cloud and SSO sessions, removes VPN access, rotates any shared credential the user knew, and transfers mailbox ownership to a supervisor. A ticket records termination time, workflow completion time, systems affected, and exceptions. An account left enabled after departure is an orphaned account, the classic wrong state the exam asks you to spot.
Access Review (Recertification) Table
| User | Current access | Owner decision | Security note |
|---|---|---|---|
| arivera | Billing analyst + scheduling lead | Remove billing | Mover access never cleaned up (privilege creep) |
| mpatel | Read-only claims archive | Keep | Needed for audit support through quarter end |
| svc-claims-export | Claims export writer | Keep w/ attestation | Service account; verify owner + secret rotation |
| jnguyen | Domain admin | Remove | No approved privileged role in HR record |
Reviews are usually run quarterly for privileged access and at least annually for standard access, plus an event-driven review after any role change. A reviewer cannot decide from a raw group name like APP-QA-RW-7; the review must state what the permission allows, who owns the application, when it was last used, and whether it creates an SoD conflict.
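The mover reconciliation from the scenario walkthrough and the recertification findings in the table above are the same computation: diff what an identity currently holds against what its authoritative record says it should hold. The script below is an added example written for this page (not code from the page, from CompTIA, or from any IAM product); every user, role, group, date and threshold in it is constructed for illustration. It builds a remove-before-add mover plan, then runs a review that flags privilege creep, orphaned accounts, separation-of-duties conflicts, privileged groups with no approved privileged role in the HR record, and service accounts with stale secrets, while leaving a ticketed time-bound grant alone until it expires.

```python
"""Added example: reconcile accounts against an HR system of record and emit
recertification findings. All data, roles and thresholds are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Role catalogue: HR job code -> approved baseline entitlements (assumed mapping).
ROLE_ENTITLEMENTS = {
    "billing_analyst": {"claims-submit", "doc-portal-read"},
    "scheduling_lead": {"schedule-edit", "claims-approve"},
    "auditor": set(),  # auditors only get ticketed, time-bound grants
}
# Separation-of-duties pairs one identity must never hold together.
SOD_PAIRS = [("claims-submit", "claims-approve")]
PRIVILEGED = {"domain-admin"}           # needs explicit approval, never role-derived
ROTATION_MAX_AGE = timedelta(days=90)   # assumed service-secret rotation policy

@dataclass
class HrRecord:
    user: str
    role: str
    status: str                          # "active" or "terminated"
    privileged_approved: bool = False

@dataclass
class Account:
    user: str
    enabled: bool
    entitlements: Set[str]
    kind: str = "human"                  # "human" or "service"
    owner: str = ""                      # required for service accounts
    secret_rotated: Optional[date] = None
    expires: Dict[str, date] = field(default_factory=dict)  # time-bound grants

def mover_plan(hr: HrRecord, acct: Account) -> Tuple[Set[str], Set[str]]:
    """Return (remove, add). Apply removals BEFORE additions so the old and new
    roles never coexist. Time-bound and privileged grants are handled separately."""
    desired = ROLE_ENTITLEMENTS.get(hr.role, set())
    timebound = {e for e in acct.entitlements if e in acct.expires}
    remove = acct.entitlements - desired - timebound - PRIVILEGED
    return remove, desired - acct.entitlements

def review(hr_records: Dict[str, HrRecord], accounts: List[Account],
           today: date) -> List[Tuple[str, str]]:
    """Produce (user, finding) pairs a reviewer can act on."""
    findings = []
    for a in accounts:
        if a.kind == "service":
            if not a.owner:
                findings.append((a.user, "SERVICE_NO_OWNER"))
            if a.secret_rotated is None or today - a.secret_rotated > ROTATION_MAX_AGE:
                findings.append((a.user, "SERVICE_SECRET_STALE"))
            continue
        hr = hr_records.get(a.user)
        if hr is None:                       # no system-of-record entry at all
            findings.append((a.user, "NO_SYSTEM_OF_RECORD"))
            continue
        if hr.status == "terminated" and a.enabled:
            findings.append((a.user, "ORPHANED_ACCOUNT"))
            continue                         # disable first; review the rest later
        for ent in sorted(a.entitlements & PRIVILEGED):
            if not hr.privileged_approved:
                findings.append((a.user, f"UNAPPROVED_PRIVILEGED:{ent}"))
        remove, _ = mover_plan(hr, a)
        for ent in sorted(remove):           # leftovers from a previous role
            findings.append((a.user, f"PRIVILEGE_CREEP:{ent}"))
        for ent, exp in a.expires.items():   # ticketed grants past their end date
            if ent in a.entitlements and exp < today:
                findings.append((a.user, f"EXPIRED_GRANT:{ent}"))
        for x, y in SOD_PAIRS:
            if {x, y} <= a.entitlements:
                findings.append((a.user, f"SOD_CONFLICT:{x}+{y}"))
    return findings

# Constructed sample data mirroring the review table above.
TODAY = date(2024, 7, 1)
HR = {r.user: r for r in [
    HrRecord("arivera", "scheduling_lead", "active"),   # moved from billing
    HrRecord("mpatel", "auditor", "active"),
    HrRecord("jnguyen", "billing_analyst", "active"),   # no privileged role approved
    HrRecord("tlee", "billing_analyst", "terminated"),  # left, account still on
]}
ACCOUNTS = [
    Account("arivera", True, {"claims-submit", "doc-portal-read",
                              "schedule-edit", "claims-approve"}),
    Account("mpatel", True, {"claims-archive-read"},
            expires={"claims-archive-read": date(2024, 9, 30)}),
    Account("svc-claims-export", True, {"claims-export-write"}, kind="service",
            owner="billing-it", secret_rotated=date(2024, 1, 15)),
    Account("jnguyen", True, {"claims-submit", "doc-portal-read", "domain-admin"}),
    Account("tlee", True, {"claims-submit", "doc-portal-read"}),
]

def run_review() -> List[Tuple[str, str]]:
    return review(HR, ACCOUNTS, TODAY)

if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user:18} {finding}")
```

Running it reproduces the owner decisions in the table: arivera shows two leftover billing entitlements plus a submit/approve SoD conflict, mpatel's time-bound archive grant generates nothing because it has not yet expired, the service account is flagged only for rotation age, jnguyen's domain-admin group is flagged because the HR record carries no privileged approval, and the terminated user's still-enabled account surfaces as orphaned before anything else about it is examined. The `mover_plan` return order is deliberate: the leftover set is what the transfer workflow removes before the new role's groups are added.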
Common Traps
- Disabling only the application account while leaving SSO, VPN, API keys, and refresh tokens active.
- Adding new role access during a transfer without removing the old role access.
- Treating a manager rubber-stamp approval as a substitute for least privilege.
- Reviewing only human accounts while ignoring service accounts and shared mailboxes.
- Keeping emergency "break-glass" access permanently assigned "just in case."
Time-Bound and Risk-Based Provisioning
Not every grant should be permanent. Time-based access automatically expires entitlements on a set date, which is ideal for contractors, interns, and project teams; the system deprovisions without anyone remembering to file a leaver ticket. Compare this with continuous (standing) access, which persists until manually removed and is the seedbed for orphaned accounts. SY0-701 rewards the answer that makes access expire by default.
Provisioning models also differ by trust requirement. A medical clinic might require a manager approval plus a security review before granting access to a system holding electronic protected health information, while a low-risk wiki is auto-granted from the role group. Matching approval rigor to data sensitivity is a direct application of risk-based access control.
Mapping Reviews to Compliance
Access recertification is frequently mandated by frameworks the exam references. Sarbanes-Oxley (SOX) drives financial-system reviews, PCI DSS v4.0 (Requirement 7.2.4) requires reviewing user accounts and access privileges at least once every six months, and frameworks such as ISO 27001 and the NIST Cybersecurity Framework expect documented periodic review. When a question pairs an audit finding with a remediation, the recertification-with-evidence answer satisfies both the control and the auditor.
Exam Focus
Expect wording such as least privilege, orphaned account, access recertification, attestation, privilege creep, separation of duties, or termination. The strongest answer closes the lifecycle gap with a repeatable, automated process backed by auditable evidence rather than a one-time manual fix. Watch for distractors that solve only the joiner step (account creation) while ignoring the leaver and mover steps, where most real-world risk accumulates.
A user moved from payroll to procurement three months ago but still has payroll approval rights. What is the primary issue?
Which evidence best supports a completed deprovisioning process?
Which items should usually be included in an access review? Select two.