The Net Best Thing: The World of Resource Provisioning

You can call it e-provisioning, resource provisioning or even account provisioning. But whatever name you use, this software is helping to better manage a company¹s IT resources, and it is making a big impression on the market.

[From iSource Business, November 2001] The computer security policy at Denver, Colo.-based OppenheimerFunds is quite clear: passwords for the mutual funds manager's 2,500 employees must be changed every 60 days. Add up all the different systems to which these users have access and you get a total of more than 27,000 passwords, with some users having as many as 11 passwords. For Mike Hager, who in addition to being OppenheimerFunds' vice president for network security also has the ominous title of chief security officer, the company's manual processes for managing access to its systems added up to inefficient processes and imperfect security. So earlier this year, OppenheimerFunds began implementing a resource provisioning application that lets the company's information technology (IT) staff automate those processes and more easily manage access to the firm's various computer systems. The results: more productive users, relieved IT staff and a projected return on investment in about 18 months.


Broadly defined, resource provisioning software, from such companies as Access360, Business Layers and BMC Software, allows companies to centralize and automate the process of supplying, or "provisioning," employees with access to the company's resources. For example, when a company hires a new employee, the software allows the company's IT administrator to create accounts on the appropriate systems, depending on the employee's position. For example, customer relationship management (CRM) systems would be supplied for a customer service representative or supply chain management systems would be supplied for a purchasing agent. The software will then assign passwords and provide login names based on pre-defined conventions; for instance, a company can define whether John Doe's e-mail is [email protected], [email protected] or [email protected]. In addition, the software can allow a company to control access to its internal systems by contractors or outside business partners. Chevron, for example, announced in July that it was implementing Rochelle, N.J.-based Business Layers' eProvision Day One software, in part to establish a better foundation for managing both internal and external access to the company's IT resources.

Taking this one step further, an administrator could also use resource provisioning software to assign office space and furniture, a telephone and a telephone number, a cell phone, computer hardware or software, or any other resources that an employee needs, all based on the employee's role in the organization. An outside sales rep might get a laptop and a cell phone, while a purchasing manager might get a desktop computer loaded with the software necessary to access the company's e-procurement system. Once the administrator enters the new employee into the system and defines the employee's role or function, the resource provisioning software can automatically check to see if required resources are in inventory, send out messages to the purchasing department to requisition the necessary equipment and facilitate a predefined approval process.

World of Possibilities

The benefit to using this software is that employees can become more productive faster because they are receiving the system access and other IT resources they need to get started immediately. Hager, at OppenheimerFunds, says his company's resource provisioning software, from Irvine, Calif.-based Access360, eliminated entirely the three-day process of equipping a new employee with the necessary resources. Even moving an employee from one department to another used to take four hours of hands-on IT administration; the resource provisioning software made the changes immediately.

Once an employee has the necessary resources, resource provisioning software can provide increased efficiency through "self-help" capabilities, such as a self-service password facility. At OppenheimerFunds, for example, 15 percent of the calls coming into the company's help desk were from users needing to reset forgotten passwords. A time study Hager conducted as he was building the business case for resource provisioning software showed that it took a total of 15 person-minutes to reset a password -- 7.5 minutes for the employee who needed the new password, and 7.5 minutes for the help desk staffer -- plus what Hager calls "duh time" -- the five to 10 minutes it took a user to realize he or she had forgotten the password and needed to call the help desk. As part of its e-provisioning system, OppenheimerFunds has been able to establish an intranet site where employees, business partners or customers can reset their own passwords, eliminating most password-related help-desk calls.

The software can also automate the process of "deprovisioning," which could mean deleting the computer accounts of a departed employee, a temporary contractor whose term has expired or a former business partner. In addition, it could mean providing an administrator with a list of hardware that has been allocated to an employee to ensure that all computers, Palm Pilots and cell phones are accounted for when the employee leaves the organization.

Deprovisioning might be useful for a company that has a high level of turnover in staff or business partners, or for a company going through layoffs that wants to ensure against mischief by a disgruntled ex-employee. It would also be important for organizations subject to outside regulation or audits, such as financial institutions, insurance companies, health care organizations or government agencies.

OppenheimerFunds, in the much-regulated financial industry, used to have a full-time IT staffer who did nothing but go through every one of the company's computer systems manually to see if a user was still with the company and then remove that user account if the person left. With its resource provisioning software in place, an ex-employee's accounts are eliminated the instant the human resources department signals his or her departure.

Not So Fast

Implementing software from any of the resource provisioning providers, however, can be complex. "It's not straightforward at all," says Jonathan Penn, a senior industry analyst with technology consulting firm Giga Information Group.

First, the software must be linked to the various computing systems within an organization, a particular challenge when different business units employ different systems or standards. Second, the company must define the various roles within the organization, as well as the policies that are attached to each role. These same steps must then be repeated with each business partner that a company wants to involve in the e-provisioning implementation. Companies have done bits and pieces of this work in the past, but "a lot of this has been done ad hoc over the years," Penn says.

Additionally, the cost of a resource provisioning implementation depends on the numbers of users and systems involved. Business Layers' implementations start at about $45,000 for a single server, plus $9 per person, per system to which that person must be connected, according to David Lavenda, the company's vice president of product strategy.

Access360 implementations start at about $100,000 for a proof-of- concept or small-department roll-out, with a full-scale solution for a large enterprise running in the million-dollar range, according to Brian Anderson, chief marketing officer for the company. Access360 also partnered with VeriSign to offer a hosted service for resource provisioning,, which charges a per-user, per-month fee.

The Upside

Despite some drawbacks, the efficiency gains to be had from implementing resource provisioning can be significant, according to Penn. "I'm seeing it save between $300,000 and $600,000 for a 40,000-person company, or anywhere between five and 10 IT staff equivalents," Penn says. He further points to improved relations between IT staff and other business units and increased security as significant, although less easily quantified, benefits. Overall, Penn says that any company dedicating more than five IT staff and more than 20 percent of its help-desk resources to account management tasks will benefit from resource provisioning and will probably see about a one-year return on its investment.

Hager projects an 18-month payback for OppenheimerFunds, which has about 2,500 users. The company, which began implementing the Access360 software in March, already has gone from seven IT staff working on administrative matters to three, having reduced headcount by two and reassigned other staff to more strategic activities. Meanwhile, Hager says the resource provisioning software is making OppenheimerFunds' computer systems more secure by providing the company with a higher degree of control over access to those systems, and he says other corporations that must control access to internal systems could benefit from a similar solution. "For managing an extended enterprise," Hager says, "this is wonderful."