<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

How We Automate User Provisioning & Keep Track of Credentials

StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

You just hired a new employee, great news! Luckily you have an easy onboarding process to get them access to all of the systems that they will need to access… right? If you just had a moment of panic, then keep reading because you're not alone.

Standardize Roles

Granting access to your databases and servers for a new user can be a painful process if you have to do it in an ad-hoc manner every time. What permissions will they need? Do they just need to log in for a one-time query, or will they need persistent access? By standardizing on a set of roles and the permissions that they should receive, you can simplify the steps involved and eliminate a lot of wasted time trying to dial in to the right mix of access and control.

Provisioning an account for an employee or team member should be simple, and frictionless, and it should ideally tie into the identity system that your company is already using, whether that is a variation of Active Directory, or the perennial favorite OpenLDAP. If this can be self-service, that's even better!

At some point you will also need to deal with deprovisioning. This could be due to the individual in question moving to a new position or a new company, or it could simply be that their account is compromised and you need to protect your systems. If your provisioning process involves creating a set of credentials on each database and SSH server that you manage, whether manually or via tools such as Ansible or SaltStack, then this will be much more involved.

Why does it matter?

In a word, productivity. By ensuring that your users are able to get set up quickly and easily then you are removing barriers to their productivity. When running a critical analysis, or diagnosing a problem on one of your servers requires filing a ticket for access, and then waiting for an administrator to execute on it, that is wasted time and wasted effort.

How To Automate User Provisioning

There are a number of ways that you can provision a user in an automated or self-service fashion. The real challenge lies in keeping track of who those credentials apply to and how long they are valid for. This is of particular importance when deprovisioning the user's account.

The first pass of automating user provisioning will often be in the form of shell scripts or a module in your configuration management tool of choice. The real difficulty occurs in the handoff of credentials from administrator to user. There are tools such as Keybase, Magic Wormhole, or the recently released Firefox Send but they all still require some measure of coordination between the user requesting access and the administrator providing the credentials. There is also no oversight of what anyone does with those credentials once they have been delivered.

The next option is to perform the provisioning automatically by leveraging your existing identity platform. In the case of LDAP or Active Directory that typically involves deploying and configuring an agent that integrates with your server's authentication system. This is convenient and easy once it is set up, but getting it configured and maintaining it across your entire infrastructure can be a challenging and time-consuming endeavor.

How We Automate User Provisioning

The way that we have approached this problem in StrongDM is to push the complexity of creating and managing accounts into the proxy layer, thereby reducing the surface area of the problem. Rather than forcing you to integrate your identity service into each system that you manage, StrongDM speaks every native database & server protocol and gives you one place to manage access and authorization.

From a user's perspective, in order to query a database, ssh or RDP to a server, they log into StrongDM using their existing SSO. StrongDM acts as a local proxy, assigning a port to each database or server and then intelligently routing the session (see screenshot below). Users no longer need to keep track of individual database credentials or key pairs.

You can onboard new hires through your SSO, through StrongDM or CLI automation to provision a new user and assign them to roles that inherit all appropriate database & server permissions.

Provision a new user and assign them roles
StrongDM Admin UI

StrongDM CLI:

You may use the sdm admin users add --template > import.json command to get a JSON template to modify for later import.

Here’s an example JSON for adding two users. Each user must have a unique email.

Once you have created your JSON, you can easily import it into StrongDM.

sdm admin users add --file import.json

From an administrator's perspective, there is only one integration that needs to happen for each server or database, rather than a multitude. Once the StrongDM gateway has been configured, their job is done. Provisioning and deprovisioning of users is a much simpler process. Simply provision a new hire in your existing SSO, direct them to install the StrongDM client and you’re done. That account can live directly in StrongDM if you don't have a company directory, or they can delegate to the single sign on platform that your company uses everywhere else.

Wrapping Up

If you want to learn more about how to use StrongDM for building a push-button provisioning process, simply sign up for a free-trial and get started in minutes.


About the Author

, Podcast Host, is a dedicated engineer with experience spanning many years and even more domains. He currently manages and leads the Technical Operations team at MIT Open Learning where he designs and builds cloud infrastructure to power online access to education for the global MIT community. He also owns and operates Boundless Notions, LLC where he offers design, review, and implementation advice on data infrastructure and cloud automation.

In addition to the Data Engineering Podcast, he hosts Podcast.__init__ where he explores the universe of ways that the Python language is being used. By applying his experience in building and scaling data infrastructure and processing workflows, he helps the audience explore and understand the challenges inherent to data management.

logo
💙 this post?
Then get all that strongDM goodness, right in your inbox.

You May Also Like

Alternatives to ManageEngine PAM360
Alternatives to ManageEngine PAM360
ManageEngine’s PAM360 gives system administrators a centralized way to manage and audit user and privileged accounts within network resources. However, teams that need to manage secure access to Kubernetes environments or enforce password policies within their privileged access management (PAM) system may want to consider other options. This blog post will cover ManageEngine PAM 360 and some solid alternatives, along with the pros and cons of each.
Machine Identity Management Explained
Machine Identity Management Explained in Plain English
In this article, we'll cover machine identities and address the importance and challenges in machine identity management. You'll gain a complete understanding of how machine identity management works and see the concept in action through real-world examples. By the end of this article, you'll be able to answer in-depth: what is machine identity management?
The difference between SASE vs SD-WAN
SASE vs. SD-WAN: All You Need to Know
SASE is a cloud-based network security solution, whereas SD-WAN is a network virtualization solution. SASE can be delivered as a service, making it more scalable and resilient than SD-WAN. Additionally, SASE offers more comprehensive security features than SD-WAN, including Zero Trust security and built-in protection against Distributed Denial-of-Service (DDoS) attacks.
SASE vs. CASB: Everything You Need to Know
SASE vs. CASB: Everything You Need to Know
In this article, we’ll take a big-picture look at how SASE and CASB solutions fit into the enterprise security landscape. We'll explore the key differences between SASE and CASB and explain how each tool helps ensure enterprise security. You will gain an understanding of how SASE and CASB solutions compare and which might be suitable for your organization.
CyberArk vs. Thycotic (Delinea)
CyberArk vs. Thycotic (Delinea): Which Solution is Better?
In this article, we’ll compare two Privileged Access Management (PAM) solutions: CyberArk vs. Thycotic, with a closer look at what they are, how they work, and which will best fit your organization. We’ll explore product summaries, use cases, pros and cons, PAM features, and pricing to that by the end of this article, you’ll have a clearer understanding of how these PAM tools work and be able to choose the one that’s right for you.