WEBVTT

1
00:00:00.000 --> 00:00:01.290
In this lesson,

2
00:00:01.290 --> 00:00:04.320
we will learn about access provision.

3
00:00:04.320 --> 00:00:06.420
Access provision is the process

4
00:00:06.420 --> 00:00:10.710
of granting or revoking access rights to resources

5
00:00:10.710 --> 00:00:14.940
based on user roles and their associated permissions.

6
00:00:14.940 --> 00:00:18.210
Access provision concepts include provisioning,

7
00:00:18.210 --> 00:00:20.850
deprovisioning, self-provisioning,

8
00:00:20.850 --> 00:00:23.010
and credential issuance.

9
00:00:23.010 --> 00:00:26.310
Provisioning is assigning access rights and credentials

10
00:00:26.310 --> 00:00:28.830
to users based on their roles.

11
00:00:28.830 --> 00:00:31.650
Provisioning assignment may be automated

12
00:00:31.650 --> 00:00:33.720
through self-provisioning systems

13
00:00:33.720 --> 00:00:35.640
where users request access

14
00:00:35.640 --> 00:00:40.351
and receive it upon administrator approval or automatically.

15
00:00:40.351 --> 00:00:43.350
Deprovisioning involves removing access rights

16
00:00:43.350 --> 00:00:45.180
when they are no longer needed,

17
00:00:45.180 --> 00:00:48.600
such as when an employee leaves the organization.

18
00:00:48.600 --> 00:00:50.880
Credential issuance is the process

19
00:00:50.880 --> 00:00:54.840
of creating and distributing authentication credentials,

20
00:00:54.840 --> 00:00:57.900
such as passwords or security tokens,

21
00:00:57.900 --> 00:01:00.810
which can be used in user authentication.

22
00:01:00.810 --> 00:01:03.660
Let's learn more about credential issuance,

23
00:01:03.660 --> 00:01:07.800
provisioning, self-provisioning, and deprovisioning.

24
00:01:07.800 --> 00:01:10.890
First, we have credential issuance.

25
00:01:10.890 --> 00:01:14.670
Access provision involves several important steps

26
00:01:14.670 --> 00:01:18.840
to manage who can access an organization's resources.

27
00:01:18.840 --> 00:01:21.660
The first step is credential issuance.

28
00:01:21.660 --> 00:01:25.110
Credential issuance includes both identity proofing

29
00:01:25.110 --> 00:01:27.960
and generating authentication credentials.

30
00:01:27.960 --> 00:01:32.190
Identity proofing ensures the user's identity is verified

31
00:01:32.190 --> 00:01:34.320
before issuing credentials.

32
00:01:34.320 --> 00:01:37.740
For example, when a new employee joins a company,

33
00:01:37.740 --> 00:01:40.980
they might need to provide identification documents

34
00:01:40.980 --> 00:01:43.500
or undergo background checks.

35
00:01:43.500 --> 00:01:45.660
Once their identity is confirmed,

36
00:01:45.660 --> 00:01:47.550
credentials can be generated,

37
00:01:47.550 --> 00:01:50.130
including a username, password,

38
00:01:50.130 --> 00:01:53.040
or multi-factor authentication token.

39
00:01:53.040 --> 00:01:56.220
These credentials allow the user to authenticate

40
00:01:56.220 --> 00:01:59.430
and access the company's systems securely.

41
00:01:59.430 --> 00:02:03.510
Credentials can be issued in several straightforward ways.

42
00:02:03.510 --> 00:02:05.160
After identity proofing,

43
00:02:05.160 --> 00:02:08.820
the user may receive an email with a temporary password,

44
00:02:08.820 --> 00:02:12.150
which they will need to change during their first login.

45
00:02:12.150 --> 00:02:15.600
Or a new user might be sent a one-time link

46
00:02:15.600 --> 00:02:18.630
that allows them to create their own password.

47
00:02:18.630 --> 00:02:22.320
Multi-factor authentication may also be set up

48
00:02:22.320 --> 00:02:23.790
at this stage.

49
00:02:23.790 --> 00:02:27.270
For example, the user might need to configure

50
00:02:27.270 --> 00:02:29.160
a mobile authentication app

51
00:02:29.160 --> 00:02:33.120
or link a physical security token to their account.

52
00:02:33.120 --> 00:02:34.530
In some cases,

53
00:02:34.530 --> 00:02:38.280
biometric options such as fingerprint scans

54
00:02:38.280 --> 00:02:42.870
are also added as part of the credential issuance process.

55
00:02:42.870 --> 00:02:45.420
Second, we have provisioning.

56
00:02:45.420 --> 00:02:48.420
Provisioning is the assignment of access rights

57
00:02:48.420 --> 00:02:50.400
based on a user's role.

58
00:02:50.400 --> 00:02:53.910
For example, a user in the marketing department

59
00:02:53.910 --> 00:02:58.020
might be granted access to marketing tools and databases,

60
00:02:58.020 --> 00:03:01.290
while a software engineer would receive access

61
00:03:01.290 --> 00:03:03.390
to development environments.

62
00:03:03.390 --> 00:03:05.940
Provisioning ensures that the right people

63
00:03:05.940 --> 00:03:08.580
have access to the right resources

64
00:03:08.580 --> 00:03:10.800
so they can perform their jobs.

65
00:03:10.800 --> 00:03:13.350
Role-based access control systems

66
00:03:13.350 --> 00:03:15.720
often handle this automatically,

67
00:03:15.720 --> 00:03:19.470
assigning permissions based on predefined roles.

68
00:03:19.470 --> 00:03:22.170
Third, we have self-provisioning.

69
00:03:22.170 --> 00:03:24.270
Self-provisioning allows users

70
00:03:24.270 --> 00:03:27.510
to request and gain initial access to systems

71
00:03:27.510 --> 00:03:30.990
without direct involvement from IT administrators.

72
00:03:30.990 --> 00:03:34.500
For example, when a new employee joins a company,

73
00:03:34.500 --> 00:03:37.650
they may be provided with a self-service portal

74
00:03:37.650 --> 00:03:38.820
where they can log in

75
00:03:38.820 --> 00:03:41.790
and request access to the systems they need

76
00:03:41.790 --> 00:03:43.200
based on their role.

77
00:03:43.200 --> 00:03:45.180
They might request access

78
00:03:45.180 --> 00:03:48.840
to the company's main human resources system

79
00:03:48.840 --> 00:03:51.060
or communication tools.

80
00:03:51.060 --> 00:03:52.830
Once their request is submitted,

81
00:03:52.830 --> 00:03:55.950
it is reviewed and approved by an administrator

82
00:03:55.950 --> 00:04:00.150
and the user is automatically granted access to those systems.

83
00:04:00.150 --> 00:04:01.590
In some cases,

84
00:04:01.590 --> 00:04:05.160
access requests can be automatically approved

85
00:04:05.160 --> 00:04:07.590
based on predefined policies,

86
00:04:07.590 --> 00:04:10.890
such as role-based access control rules.

87
00:04:10.890 --> 00:04:15.030
This self-provisioning process speeds up onboarding

88
00:04:15.030 --> 00:04:18.570
by allowing users to initiate access requests

89
00:04:18.570 --> 00:04:21.390
while ensuring that the necessary approvals

90
00:04:21.390 --> 00:04:26.310
and security checks are in place before granting access.

91
00:04:26.310 --> 00:04:30.323
Fourth and last, we have deprovisioning.

92
00:04:30.323 --> 00:04:34.680
Deprovisioning occurs when access is no longer needed.

93
00:04:34.680 --> 00:04:37.590
For instance, when an employee leaves the company

94
00:04:37.590 --> 00:04:39.240
or changes roles,

95
00:04:39.240 --> 00:04:41.460
their access must be removed

96
00:04:41.460 --> 00:04:45.090
to ensure they cannot access or continue to access

97
00:04:45.090 --> 00:04:47.670
sensitive information or systems.

98
00:04:47.670 --> 00:04:50.670
Deprovisioning is essential for security,

99
00:04:50.670 --> 00:04:54.960
preventing unauthorized access after someone's role changes

100
00:04:54.960 --> 00:04:57.000
or their employment ends.

101
00:04:57.000 --> 00:04:59.040
This process can be automated

102
00:04:59.040 --> 00:05:02.220
to quickly revoke access to all systems

103
00:05:02.220 --> 00:05:05.370
and resources tied to the user's account

104
00:05:05.370 --> 00:05:09.450
if the employee leaves the organization, changes roles,

105
00:05:09.450 --> 00:05:11.850
or their contract expires.

106
00:05:11.850 --> 00:05:15.960
So, remember, access provision is the process

107
00:05:15.960 --> 00:05:19.320
of managing user access to resources

108
00:05:19.320 --> 00:05:22.110
based on roles and permissions.

109
00:05:22.110 --> 00:05:24.210
It includes credential issuance,

110
00:05:24.210 --> 00:05:28.230
provisioning, self-provisioning, and deprovisioning.

111
00:05:28.230 --> 00:05:32.370
Credential issuance involves verifying a user's identity

112
00:05:32.370 --> 00:05:36.900
and creating authentication credentials for secure access.

113
00:05:36.900 --> 00:05:41.190
Provisioning assigns access rights based on roles.

114
00:05:41.190 --> 00:05:45.540
Self-provisioning allows users to request initial access

115
00:05:45.540 --> 00:05:47.460
through automated systems.

116
00:05:47.460 --> 00:05:50.370
And deprovisioning removes access

117
00:05:50.370 --> 00:05:52.653
when it is no longer needed.

