Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.provisionr.io/llms.txt

Use this file to discover all available pages before exploring further.

Monday morning. An IT administrator opens their inbox. Forty-three new messages. Thirty-one of them are access requests.
“Can I get access to the marketing shared drive?” “Please add me to the sales-team Slack channel.” “I need to be in the GitLab group for the platform project.” “My new hire started today and can’t access anything.”
Click. Click. Click. Add to Google Group. Click. Click. Add to Okta group. Click. Click. Invite to Slack channel. Click. Click. Add to GitLab group. By 11am, twelve requests processed. Nineteen more have arrived. Project work remains untouched. The infrastructure migration sits idle while the access request queue grows. This scene plays out in IT departments worldwide, every single day.

The Access Request Treadmill

Here’s the uncomfortable truth: most access requests shouldn’t exist in the first place. Not because the access isn’t legitimate. Not because users are asking for things they don’t need. But because IT teams already know what access employees should have based on job role, department, and team. The request is simply the mechanism for translating knowledge that already exists into action that must be manually taken. Our founder has seen this pattern repeat again and again. The IT team gets buried in access requests, they hire more people, they optimize the process, and build scripts to automate as much as they can. But the requests keep coming. The volume never goes down. They rarely get enough time to focus on the hard problems — improving security, building automation, reducing risk, because they’re stuck in the access request treadmill. It’s not for lack of trying. The problem isn’t the process. The problem is that there is a process that was meant to be the exception and became the rule. Why do all of these access requests exist in the first place? The industry simply hasn’t had the tooling or policies in place to automatically provision access based on role, team, and department. The attribute-based access control (ABAC), role-based access control (RBAC), and policy-based access control (PBAC) concepts have been around for a long time, but the tooling simply hasn’t existed to automate it for group members at scale. Every new hire, every role change, every team move generated a flood of requests that had to be manually processed. Users waiting for access experience real friction. Days, sometimes weeks, to get provisioned into systems needed on day one. Every hour without access is an hour of lost productivity. Every day of waiting breeds frustration with IT. And the managers rubber-stamping approvals? They weren’t reading the requests. They were clicking “approve” as fast as the notifications came in, because they knew the access was appropriate — the person is on their team, of course they need the team resources. So why do we bother asking them? What if the managers or department leaders could pre-approve access that makes sense based on team membership?

The Volume Problem Is a Policy Problem

When access requests become overwhelming, the instinct is to optimize the request process. Better ticketing. Faster approvals. More automation in the provisioning step. Perhaps another hire to help with the queue. But optimizing a broken process just accelerates the wrong work. The real question isn’t “how do we process requests faster?” It’s “why do these requests exist at all?” Access requests typically stem from predictable gaps:
1

Onboarding gaps create immediate friction

A new hire starts needing access to 15 different systems based on their role. The onboarding checklist covers 10 of them. The other 5 become access requests in week one.
2

Role change gaps trigger preventable tickets

Someone gets promoted or moves teams. They need new access for their new role. Nobody proactively provisions it because nobody tracks role changes against access policies. Requests follow.
3

Team membership gaps multiply across systems

The HRIS says someone is on the “Marketing” team. But “Marketing” needs access to three different Slack channels, two GitLab groups, and four shared drives. Without automation linking team membership to access, every new team member generates requests.
4

Missing baseline entitlements surface through complaints

Everyone on the sales team needs access to the sales Slack channel and the sales Google Drive. But nothing ensures that’s true. When someone joins sales, they discover missing pieces and submit requests.
5

Granularity gaps force manual intervention

The HRIS says someone is in “Engineering.” But Engineering has 47 sub-teams with different access needs. Without granular role data, specific access can’t be automated—everything becomes a request.
Notice the pattern. These aren’t exceptions. These aren’t unusual circumstances. These are predictable, routine access needs that should be automatic but aren’t because the policies and automation don’t exist.
Access request volume correlates directly with policy gaps. Each manual request represents a control that exists in intent but not in automation. SOC 2 CC6.1 expects logical access to be provisioned according to policy—when policies live only in checklists and tribal knowledge, that control operates on hope rather than evidence.

The 90% Hypothesis

Here’s a hypothesis worth testing: 90% of access requests could be eliminated with better policy management. Not reduced. Eliminated. Access automatically provisioned before the user even knows they need it. Consider the employee perspective. Someone joins the company on Monday. By the time they sign in, they should already have access to:
1

The Google Groups for their department and team

These memberships are predictable from HRIS data—department and team are known attributes.
2

The Slack channels their team uses

Team membership determines channel access. No request needed.
3

The GitLab groups their team works in

Engineering teams have standard repository access patterns. These follow from team assignment.
4

The Okta applications everyone in their role needs

Job title and department define application access. The data exists.
5

The shared drives their team collaborates in

Team collaboration happens in predictable locations. Access should follow automatically.
None of this requires asking. The team is known. The department is known. The job title is known. That information exists in the HRIS, flows to the IdP, and should drive automatic access provisioning. The same logic applies to role changes. When someone moves from Sales Development to Account Executive, the new role is known. The systems needed are predictable based on that role. A human clicking buttons adds no value.

Why Adding Headcount Doesn’t Solve It

When access request volume becomes painful, someone inevitably suggests hiring more help. Another helpdesk analyst. A dedicated provisioning specialist. A bigger team. But here’s the math: if an organization processes 50 requests per day and adds another person, it can now process 100 requests per day. Request volume hasn’t decreased—capacity to absorb a broken process has increased. And the request volume will grow. More employees means more onboarding. More team changes. More systems to provision access to. This is an arms race no one wins. The only sustainable solution is to stop the requests from being necessary in the first place.

What Policy-Based Access Management Delivers

Imagine this instead: Monday morning. An IT administrator opens their inbox. Seven new messages. Two are access requests—actual exceptions, edge cases requiring human judgment. Five are status updates from automated systems detailing what got provisioned overnight. The two exceptions get reviewed. Decisions made. Twenty minutes total. Then the rest of the morning goes to the infrastructure migration. Or improving security posture. Or building automation to handle the next edge case. Or taking a coffee break without guilt. This isn’t fantasy. It’s what happens when organizations shift from request-based access management to policy-based access management. The key insight: access requests are symptoms of missing or broken policies. Every request that arrives is evidence of a gap in pre-approved access automation. Fix the gap, and that category of request stops coming. Over time, IT teams stop processing requests and start eliminating the reasons requests exist.
Policy-based provisioning creates continuous evidence of least-privilege enforcement. Instead of point-in-time attestation spreadsheets, auditors receive system-generated proof that access matches policy—satisfying SOC 2 CC6.1 (logical access controls) and ISO 27001 A.9.2.1 (user registration and de-registration).

The Path Forward

Organizations drowning in access requests should ask a different question. Not “how do we process these faster?” but “why do these exist?” For each common request type, trace it back:
1

Is this onboarding access that should be automatic?

Fix the onboarding automation.
2

Is this role-based access that's predictable?

Build a policy for that role.
3

Is this access everyone on a team needs?

Automate team membership.
4

Is this a gap in attribute data?

Enrich the user metadata.
The requests reveal exactly where policies are broken. Each one is a signal pointing to automation not yet built. Fix the policies. Build the automation. Eliminate the requests. Ready to stop drowning?

Start a Free Trial

Jump to the Launchpad and start provisioning today.

Architecture Deep Dive

Learn more about the architecture concepts and security of Provisionr behind the scenes.