System Access Provisioning
A procedure for granting, modifying, and managing user access to organisational systems, applications, and data resources based on role requirements and security policies.
Purpose
To ensure that employees receive timely and appropriate system access aligned with their role, while maintaining security through proper authorisation, documentation, and the principle of least privilege.
Scope
Covers all system access requests including new user provisioning, role changes, additional access requests, and temporary access grants across all organisational systems and applications.
Prerequisites
- Approved role-based access control matrix defining access levels per role
- Active employee record in the human resources system
- System access request form or ticketing system
- Authorisation from the employee's direct manager
Step-by-Step Procedure
Receive Access Request
Accept the system access request submitted through the approved channel and verify that all required information is provided.
- 1.1 Receive the access request via the IT service desk or ticketing system
- 1.2 Verify that the request form is complete with user details, systems requested, and business justification
- 1.3 Confirm the request includes manager authorisation
Validate the Request
Check that the requested access aligns with the user's role and complies with the role-based access control matrix and security policies.
- 2.1 Compare the requested access against the role-based access control matrix
- 2.2 Verify the user's employment status and role in the HR system
- 2.3 Identify any access that requires additional approval, such as elevated privileges
- Flag any access requests that exceed standard role entitlements for additional review
Obtain Additional Approvals
For access that exceeds standard role entitlements or involves sensitive systems, obtain additional approval from the system owner or security team.
- 3.1 Route the request to the relevant system owner or data custodian for approval
- 3.2 Obtain IT security approval for elevated or privileged access requests
- 3.3 Document all approvals in the access request record
Provision Access
Create or configure user accounts and permissions in the target systems according to the approved request.
- 4.1 Create the user account in the identity management system
- 4.2 Assign the appropriate group memberships and access permissions
- 4.3 Configure email, file shares, and application access as specified
- 4.4 Set initial password and enable multi-factor authentication if required
Verify Access Configuration
Test the provisioned access to confirm that the user can log in and access the required systems with the correct permissions.
- 5.1 Log in with the new credentials to verify access works correctly
- 5.2 Check that permissions match the approved request and role requirements
- 5.3 Verify that the user does not have unintended access to restricted resources
Notify the User and Manager
Inform the user and their manager that access has been provisioned, provide login credentials securely, and share any relevant usage guidelines.
- 6.1 Send access confirmation to the user with login instructions
- 6.2 Deliver initial credentials through a secure channel
- 6.3 Provide links to relevant acceptable use policies and training materials
- Never send passwords in plain text email; use a secure delivery method
Close the Request and Update Records
Close the access request ticket, update the access register, and file all documentation for audit purposes.
- 7.1 Update the access register with the new user entitlements
- 7.2 Close the service desk ticket with resolution details
- 7.3 File approval documentation for compliance records
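The request checks in steps 1.2 to 3.2 and the post-provisioning comparison in steps 5.2 and 5.3 can be automated. The sketch below is an added example, not part of the original procedure; the role names, entitlement strings, HR records and request field names are all constructed for illustration.

```python
# Constructed sample data: every role, entitlement and user ID here is hypothetical.
RBAC_MATRIX = {
    "finance-analyst": {"email", "fileshare:finance", "erp:read"},
    "it-support": {"email", "ticketing:agent", "idm:reset-password"},
}
PRIVILEGED = {"erp:admin", "idm:admin"}  # always needs IT security approval (3.2)
HR_RECORDS = {
    "u1001": {"status": "active", "role": "finance-analyst"},
    "u1002": {"status": "terminated", "role": "it-support"},
}
REQUIRED_FIELDS = ("user_id", "systems", "justification", "manager_approval")


def validate_request(req):
    """Steps 1.2-3.2: return (decision, details) for one access request."""
    # 1.2 / 1.3: empty fields and an unset manager approval both count as missing.
    missing = [f for f in REQUIRED_FIELDS if not req.get(f)]
    if missing:
        return "reject", {"missing": missing}
    # 2.2: the user must have an active HR record; the role comes from HR,
    # not from the request, so a requester cannot pick their own baseline.
    hr = HR_RECORDS.get(req["user_id"])
    if hr is None or hr["status"] != "active":
        return "reject", {"reason": "no active HR record"}
    # 2.1: anything outside the role's matrix row exceeds standard entitlements.
    baseline = RBAC_MATRIX.get(hr["role"], set())
    requested = set(req["systems"])
    excess = requested - baseline
    approvals = set()
    if excess:
        approvals.add("system-owner")   # 3.1
    if requested & PRIVILEGED:
        approvals.add("it-security")    # 2.3 / 3.2
    decision = "needs-approval" if approvals else "approve"
    return decision, {
        "standard": sorted(requested & baseline),
        "excess": sorted(excess),
        "approvals": sorted(approvals),
    }


def verify_provisioned(approved, actual):
    """Steps 5.2-5.3: diff the approved entitlements against what was granted."""
    approved, actual = set(approved), set(actual)
    return {
        "missing": sorted(approved - actual),      # approved but not granted
        "unintended": sorted(actual - approved),   # granted but never approved
    }
```

An unknown role yields an empty baseline, so every requested entitlement is treated as excess and routed for approval rather than silently granted.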
Quality Checkpoints
Common Mistakes to Avoid
Expected Outcomes
Average time from approved request to active access, measuring the efficiency of the provisioning process.
Percentage of access grants that match the approved request without requiring correction.
Percentage of user accounts that align with the role-based access matrix during periodic reviews.
Frequently Asked Questions
How often are user access rights reviewed?
User access rights are typically reviewed quarterly for standard systems and monthly for sensitive or critical systems. Reviews verify that access remains appropriate for the user's current role.
How long does access provisioning take?
Standard access provisioning is typically completed within one to two business days. Requests requiring additional approvals for elevated or privileged access may take longer.
What is the principle of least privilege?
The principle of least privilege means granting users only the minimum access necessary to perform their job functions. This reduces security risk by limiting exposure to sensitive systems and data.
What happens when an employee changes roles?
When an employee changes roles, a new access request should be submitted for the new role entitlements, and the previous role access should be reviewed and removed if no longer required.