SOC2-CC6-PROVISIONING

User Provisioning and Deprovisioning

Preventive | High effectiveness | Per offboarding event

What this control does

Formal process for granting system access when employees join or change roles, and revoking it within 24 hours of termination.

Implementation guidance

Integrate HR system with SSO/IdP for automated provisioning and deprovisioning. Define role-based access groups aligned to job functions. For terminations, trigger a runbook that disables the IdP account, revokes API keys, and removes SSH access within 24 hours. Document each termination.

Requirements satisfied

CC6.2, CC6.3

Why it matters

Unrevoked access after termination or stale accounts for role changes create orphaned credentials that attackers exploit for lateral movement and data theft. Slow or manual provisioning delays onboarding and creates the temptation to grant over-broad temporary access, expanding the attack surface and violating the principle of least privilege.

Evidence to collect

  • Termination runbook (code/procedure) showing steps to disable IdP account, revoke API keys, and remove SSH access with timestamps
  • HR system and IdP integration configuration or API logs showing successful account creation and deactivation events
  • Last 3 termination audit logs documenting account deactivation, key revocation, and removal dates with responsible parties
  • Role-based access group definitions mapped to job functions (e.g., YAML or policy document) and screenshot of group membership review from last 90 days

Testing procedure

Request the HR-to-IdP integration configuration and test it by creating a test employee in HR, verifying the account appears in the IdP within 4 hours, then removing the employee and confirming account deactivation within 24 hours. Audit the termination runbook logs for the last 3 terminations and verify API keys were revoked and SSH access removed; spot-check 5 terminated employees from 6+ months ago to confirm no orphaned access in active directories or bastion host logs.
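The following is an added example, not part of this control catalogue, that implements the orphaned-access spot-check described in the testing procedure against the three systems the termination runbook must cover (IdP account, API keys, SSH access). It assumes exports from each system have already been pulled into simple lists; the employee names, hosts and key ids are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=24)  # revocation deadline stated by the control

# Constructed sample exports (not real data): HR terminations, IdP account
# states, an API-key inventory and SSH authorized-key owners on a bastion.
TERMINATIONS = [
    {"email": "alice@example.com", "terminated_at": "2024-03-01T09:00:00Z"},
    {"email": "bob@example.com",   "terminated_at": "2024-03-02T17:30:00Z"},
]
IDP_ACCOUNTS = {"alice@example.com": "DEPROVISIONED", "bob@example.com": "ACTIVE"}
API_KEYS = [
    {"id": "key-1", "owner": "alice@example.com", "revoked": False},
    {"id": "key-2", "owner": "bob@example.com",   "revoked": True},
]
SSH_KEYS = [("bastion-1", "alice@example.com")]  # (host, key owner) pairs

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_orphaned_access(terminations, idp_accounts, api_keys, ssh_keys, now, sla=SLA):
    """Return one finding per access item still present after termination + SLA."""
    findings = []
    for t in terminations:
        email = t["email"]
        deadline = _parse(t["terminated_at"]) + sla
        if now <= deadline:
            continue  # still inside the 24-hour window, so not yet a finding
        overdue_h = round((now - deadline).total_seconds() / 3600, 1)
        if idp_accounts.get(email) == "ACTIVE":
            findings.append({"email": email, "system": "idp", "hours_overdue": overdue_h})
        for k in api_keys:
            if k["owner"] == email and not k["revoked"]:
                findings.append({"email": email, "system": "api-key:" + k["id"], "hours_overdue": overdue_h})
        for host, owner in ssh_keys:
            if owner == email:
                findings.append({"email": email, "system": "ssh:" + host, "hours_overdue": overdue_h})
    return findings

def audit_at(now_iso):
    """Run the check over the sample exports as of the given UTC timestamp."""
    return find_orphaned_access(TERMINATIONS, IDP_ACCOUNTS, API_KEYS, SSH_KEYS, _parse(now_iso))

if __name__ == "__main__":
    for finding in audit_at("2024-03-04T09:00:00Z"):
        print(finding)
```

Each finding names the employee, the system still granting access and how far past the 24-hour deadline it is, which is the evidence the audit log for that termination should have ruled out.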

Common gotchas

Practitioners often rely on manual Slack notifications or email reminders to IT/Security instead of automated triggers, causing delays beyond 24 hours and inconsistent execution; SSH keys and API tokens in CI/CD systems or personal machines are frequently missed during deprovisioning. Inherited role-based groups that accumulate permissions over time result in new hires receiving excessive access that was never formally approved for their actual job function.