Saturday, January 24, 2009

The Real Time Myth

I was talking to a colleague last week and the topic of real time provisioning came up. This has always been a bit of an issue with me due to the use of the term "real time". I've almost always found that by the time we discuss what is involved in the act of provisioning and what the requirements really are, it is impossible to have this happen in "real time". The fact is provisioning takes time. Always has, always will. Writing the information to your authoritative store takes a certain amount of time, as does provisioning to LDAP. We know it takes at least 15 minutes for AD to begin replication, and regardless of the type of directory service used, it takes time to replicate in an international setting.

In my experience, most organizations are more concerned with improving performance over the old methodology and getting initial provisioning to happen in less than a day. There's nothing that irritates a manager more than having to sit around and wait for the new person's accounts to be created. If we can get that time period down to a reasonable wait, hopefully to about the time it takes to fill out the remaining new hire paperwork, tour the facility, get the briefing from HR and have that welcoming cup of coffee, we will have made progress.

In the best of all possible worlds, provisioning should have already been started as soon as HR receives a signed offer letter. Creating essential accounts in a disabled state gets a lot of the heavy lifting done and front loads the whole process. This way, all that has to be done is wait for the start date to occur and then enable the accounts via a regularly scheduled workflow. However, I recognize that even creating disabled, locked accounts poses something of a risk, so it will not be for all organizations.
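
The pre-staging approach above, sketched as an added example (not code from the original post): one pass of a scheduled workflow that enables disabled accounts on their start date and limits the risk of dormant accounts lingering. The record fields, action names, seven-day grace window and sample records are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

GRACE = timedelta(days=7)  # assumed policy: a later enable needs human review

@dataclass
class StagedAccount:
    username: str
    start_date: date
    offer_active: bool = True  # False once HR records a rescinded offer
    enabled: bool = False      # pre-staged accounts are created disabled

def decide(acct: StagedAccount, today: date) -> str:
    """Return the action for one disabled, pre-staged account."""
    if not acct.offer_active:
        return "revoke"   # the hire fell through: remove the dormant account
    if today < acct.start_date:
        return "wait"     # stay disabled until the start date
    if today - acct.start_date > GRACE:
        return "review"   # stale record: do not enable automatically
    return "enable"

def run_workflow(accounts: list, today: date) -> dict:
    """One scheduled pass; returns {username: action} as an audit record."""
    audit = {}
    for acct in accounts:
        if acct.enabled:
            continue      # already handled by an earlier pass
        action = decide(acct, today)
        if action == "enable":
            acct.enabled = True
        audit[acct.username] = action
    return audit

def sample_accounts() -> list:
    """Constructed sample data, not taken from any real system."""
    return [
        StagedAccount("alice", date(2009, 1, 26)),
        StagedAccount("bob", date(2009, 2, 2)),
        StagedAccount("carol", date(2009, 1, 26), offer_active=False),
        StagedAccount("dave", date(2009, 1, 5)),
    ]

if __name__ == "__main__":
    for user, action in run_workflow(sample_accounts(), date(2009, 1, 26)).items():
        print(f"{user}: {action}")
```

In a real deployment the `enable` and `revoke` branches would call the directory's own account-management interface, and the audit record would go to the provisioning log.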

In the end, a careful analysis of the current state and target state environments is called for, along with a thorough examination of compliance, legal and best practices as they relate to the organization's needs.
