Account provisioning is the process of creating, updating, and disabling user or service accounts and assigning the right access to them.
In plain language, it is how an organization gives people and services the identities and permissions they need, then changes or removes that access as circumstances change.
Provisioning matters because access mistakes often begin at account creation. If a new user receives the wrong role, a service gets excessive privilege, or an old account is never removed, that exposure can persist quietly for a long time.
It also matters because consistent provisioning is what lets identity teams scale. Without a defined workflow, access becomes a collection of ad hoc exceptions that are hard to review, audit, or clean up later.
Account provisioning appears in HR-driven onboarding, SaaS administration, cloud tenant access, service identity creation, and SCIM (System for Cross-domain Identity Management) integrations. Teams connect it to Identity Lifecycle, Access Review, and Least Privilege Access.
It is especially important in joiner, mover, and leaver workflows because access should not stay frozen while a person’s job, team, or relationship to the company changes.
| Event | Security question | Example action |
|---|---|---|
| Joiner | What should exist on day one? | Create the identity and assign only baseline access |
| Mover | What should change with the role? | Remove old privileges and grant the new minimum set |
| Leaver | What must end immediately? | Disable accounts, revoke sessions, and transfer ownership |
| Service onboarding | What should the workload really reach? | Create a tightly scoped non-human identity |
A new developer joins the engineering team. The identity platform creates a workforce account, grants source-control and ticketing access, and leaves production administrator rights unassigned until there is a separate approved operational need.
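The joiner, mover, and leaver actions from the table, together with the new-developer case above, as an added Python example that is not part of the original page. The role names, entitlement names, `BASELINE` mapping, and `plan` function are constructed for illustration and do not describe any particular identity platform.

```python
from dataclasses import dataclass, field

# Constructed role baselines and names: assumptions for illustration only.
BASELINE = {
    "developer": {"source-control", "ticketing"},
    "sre": {"source-control", "ticketing", "monitoring"},
}
NEEDS_APPROVAL = {"prod-admin"}  # never granted by role alone


@dataclass
class Account:
    user: str
    role: str = ""
    enabled: bool = False
    entitlements: set = field(default_factory=set)
    owned_resources: list = field(default_factory=list)


def target_access(role, approved=()):
    """Baseline for the role plus only those privileged grants with an approval."""
    return BASELINE[role] | (NEEDS_APPROVAL & set(approved))


def plan(event, acct, new_role=None, approved=(), successor=None):
    """Return the ordered provisioning actions for a joiner, mover or leaver event."""
    actions = []
    if event == "leaver":
        # Cut access first, then clean up what the account held or owned.
        actions += [("disable", acct.user), ("revoke_sessions", acct.user)]
        actions += [("revoke", e) for e in sorted(acct.entitlements)]
        if acct.owned_resources and successor is None:
            raise ValueError("leaver owns resources but no successor was named")
        actions += [("transfer", r, successor) for r in acct.owned_resources]
        return actions
    if event == "joiner":
        actions.append(("create", acct.user))
        current = set()
    elif event == "mover":
        current = set(acct.entitlements)
    else:
        raise ValueError(f"unknown event: {event}")
    wanted = target_access(new_role, approved)
    # Revoke before granting so a mover never holds both roles' access at once.
    actions += [("revoke", e) for e in sorted(current - wanted)]
    actions += [("grant", e) for e in sorted(wanted - current)]
    return actions
```

The planner only returns actions; applying them to a directory or SaaS tenant, and recording who approved a privileged grant, is left to the surrounding workflow.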
Account provisioning is not the same as Authentication. Authentication verifies identity during sign-in, while provisioning defines which identities and permissions should exist before sign-in occurs.
It is also different from Access Review. Provisioning grants or changes access; access review checks later whether that access is still justified.
It is also broader than SCIM. SCIM can automate provisioning, but the harder question is still which accounts, roles, and entitlements should be created in the first place.