Many of the challenges related to permissions, baseline/birthright entitlements, least privilege, role-based access control (RBAC), access requests, just-in-time (JIT) provisioning, deprovisioning, and user access reviews are categorized as Identity Governance and Administration (IGA).
Outgrowing Your IdP Automation
As you start to outgrow your SSO provider’s features, you have a few options:
- Easy Button: Build automation workflows using no-code tools (n8n, Okta Workflows, Tines, Workato, Zapier, etc.). You may outgrow this faster than expected, and without a centralized database, you’ll create more tech debt than you realize.
- Homegrown Scripts: Build primitive scripts that run on a schedule or on-demand. Uncomplicated, but non-scalable. See Existing Automation Limitations for more details.
- Provisionr: Continue reading these docs, see if it’s a fit, and try it out. We built Provisionr because we outgrew our scripts and couldn’t find a vendor that met all our needs.
- Buy an IGA: Evaluate IGA vendors. If you’re in a heavily regulated industry, you may need the audit, legal, and security protections that larger vendors offer.
- Hire: Add team members to your helpdesk or provisioning team to handle requests manually.
- Change the Business: Improve processes or make different policy decisions (restructuring groups, changing rules).
- Do Nothing: Your circumstances may change in 12-24 months, or you can accept inefficiency as a fact of life.
The Focus of IGA Tools
The charter of many Identity Governance and Administration (IGA) tools is to help you put a process in place for your compliance auditors to manage the access request process with assurance. Everyone wants to pass their audits and reduce risk, but few tools focus on the root cause of the problem: preventing unnecessary access requests through better policy-based provisioning. We believe our friends at IGA vendors are treating the symptoms, and doing it well (thanks, neighbors, for helping our customers with their pain!). We want to solve the root cause.

We believe 90%+ of access requests shouldn’t exist in the first place.

The Provisionr leadership team has lived this life for a long time – as system administrators, software engineers, identity architects, helpdesk support, access request provisioners, penetration testers, auditors, and end users at large companies. We practically wrote a thesis on it with Identity Foundations to explain our perspective.
IGA Capability Gaps
We’ve been on the customer side evaluating IGA vendors for years. After demos and proofs of concept with several vendors (including all the big ones), one question kept coming up.

Where is the (modern) policy management for group rules?

Group rules and policy management have a wider impact on role-based access control than most vendors seem to recognize. These are the key gaps we’ve observed in the IGA market.
Access Requests
Why create another ticket in another system with another process? The goal should be to automate away the need for tickets in the first place.
Necessity
Why was the access request needed in the first place? Is this missing from the pre-approved checklist?
Pre-Approval vs. Point-in-Time Approval
Is access appropriate at any time for someone in a given role, or only under specific circumstances? If the former, pre-approve the business reason so just-in-time access flows without delay.
Pre-Determined Granular Role
Don’t we know what their job role is? Can we use their profile attribute data to make a decision?
Perpetual Access
When is perpetual access acceptable? Many systems aren’t sensitive enough to require time-boxed access—it’s easier to just have access perpetually provisioned.
Checklist Automation
Most organizations maintain checklists of apps, groups, and resources that each job role needs. How does that checklist get automated rather than manually executed?
Configuration Management
How do administrators manage policies both holistically and granularly without error-prone UIs that make mistakes easy? What about all of the inefficiency with click ops?
Group Sync
Why are group memberships managed independently in each system? Team groups should stay in sync across all connected systems automatically.
Manager Approval
Managers rubber-stamp approvals anyway just to clear their queues. Is the approval really about timing, or about role appropriateness—which should have been pre-approved when the role was defined?
Policy-First Approach
If birthright and baseline policies are configured properly, why are access requests needed at all? Push updates to the policy, and let that policy provision access automatically on downstream systems.
Security Risks
Many decisions are based on security risk intentions, not security operations realities. Even fewer decisions are made with user experience in mind. How do we solve for the security risks with pre-approved access, whether or not it’s pre-provisioned?
SCIM Limitations
How do organizations avoid losing user profile data on downstream applications when users are provisioned and deprovisioned through traditional SCIM workflows?
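As an added example, not code from Provisionr or from these docs, the Python sketch below shows what the policy-first model described in the sections above (pre-determined granular roles from profile attributes, checklist automation, group sync, the policy-first approach, and the SCIM deprovisioning caveat) looks like when written down: group rules are evaluated against user attributes, time-boxed exception grants cover what policy does not, and the result is reconciled against the memberships a downstream system currently reports. Every user, policy, exception and current membership here is constructed for the example, and the `(action, user_id, group)` tuples stand in for whatever connector calls a real deployment would make.

```python
# Added example (not Provisionr's code): a minimal policy-first provisioner.
# All users, policies, exceptions and current memberships are constructed.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class User:
    id: str
    role: str
    team: str
    region: str
    active: bool = True  # False once HR marks the person as terminated


@dataclass
class Policy:
    """One group rule. `match` maps an attribute name to its allowed values;
    every listed attribute must match (AND). An empty `match` is a baseline
    (birthright) rule that applies to every active user."""
    group: str
    match: dict

    def applies(self, user: User) -> bool:
        return user.active and all(
            getattr(user, attr) in allowed for attr, allowed in self.match.items()
        )


@dataclass
class ExceptionGrant:
    """Time-boxed access that no policy covers: the exception, not the rule."""
    user_id: str
    group: str
    expires: date
    reason: str


def desired_groups(user, policies, exceptions, today):
    """Groups a user should hold today: policy hits plus unexpired exceptions."""
    groups = {p.group for p in policies if p.applies(user)}
    if user.active:
        groups |= {e.group for e in exceptions
                   if e.user_id == user.id and e.expires >= today}
    return groups


def reconcile(users, policies, exceptions, current, today):
    """Diff desired state against what a downstream system reports (`current`:
    user id -> set of groups) and return the ordered actions to push.
    Terminated users are deactivated rather than deleted so their downstream
    profile data survives if they are ever reprovisioned."""
    actions = []
    for user in users:
        want = desired_groups(user, policies, exceptions, today)
        have = current.get(user.id, set())
        actions += [("add", user.id, g) for g in sorted(want - have)]
        actions += [("remove", user.id, g) for g in sorted(have - want)]
        if not user.active:
            actions.append(("deactivate", user.id, None))
    return actions


# Constructed sample data.
POLICIES = [
    Policy("all-staff", {}),                                        # baseline
    Policy("eng", {"team": {"platform", "web"}}),
    Policy("sales-emea", {"team": {"sales"}, "region": {"EMEA"}}),
    Policy("prod-admins", {"role": {"sre"}, "team": {"platform"}}),
]
USERS = [
    User("alice", role="sre", team="platform", region="NA"),
    User("bob", role="ae", team="sales", region="EMEA"),
    User("carol", role="ae", team="sales", region="NA", active=False),
]
EXCEPTIONS = [ExceptionGrant("bob", "eng", date(2025, 1, 31), "Q1 integration project")]
CURRENT = {  # memberships as the downstream system reports them today
    "alice": {"all-staff", "eng"},
    "bob": {"all-staff", "sales-emea", "prod-admins"},  # stale admin grant
    "carol": {"all-staff", "sales-emea"},               # not yet offboarded
}
TODAY = date(2025, 1, 15)
LATER = date(2025, 2, 15)  # after bob's exception has expired


def plan(today=TODAY):
    return reconcile(USERS, POLICIES, EXCEPTIONS, CURRENT, today)


if __name__ == "__main__":
    for action in plan():
        print(action)
```

Running it prints the actions for the constructed data: alice gains `prod-admins` because her role and team match that rule, bob gains `eng` through his time-boxed exception and loses the stale `prod-admins` grant nobody approved through policy, and carol, now inactive, loses every group and is deactivated rather than deleted. Re-running with `plan(LATER)` drops bob's `eng` grant once the exception expires, which is the point of expressing exceptions as data next to the policy instead of as tickets.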
Explore these topics in depth in Identity Foundations:
- Identity Governance Gap — IGA vendors built for compliance, not operations
- Access Reviews Are Audit Theater — why quarterly reviews don’t improve security
- RBAC Reality Check — why traditional RBAC fails in practice
- Policy-Based Access Control — building access control from first principles
- Exception Management — handling the 5% that doesn’t fit policy
- Graceful Role Changes — the art of not breaking things when access changes
The Problem with JIT Access
The industry has over-rotated on context-aware access, focusing on “giving access at the right time for the right reason” through access requests and reviews that require human intervention. Identity Governance and Administration (IGA) vendors built their products around manual approvals, with automation happening only after humans approve each request. But what about the access employees need on Day 1? Organizations know who someone is, what job they were hired for, what team they belong to, who their manager is, and what region they work in. Why can’t employees just have access on Day 1 without submitting a ticket and waiting for approval? Not everything needs to be just-in-time (JIT). Many access needs are predictable based on role, team, location, and other attributes that are known ahead of time. If you had to request access to every single Google Drive folder or Slack channel you needed to do your job, you’d never get any work done. It seems so obvious. Why is this so hard?
Identity Data
There hasn’t been an easy-to-use directory service that combines granular role-based metadata with the ability to automate multi-dimensional calculations for “who belongs to what” for application, group, and resource assignments. We rely on HRIS data for user attributes, but it’s not comprehensive enough to define all of the granular teams, special projects, and inter-department organizational rules (e.g. sales territories) that determine access needs. Existing vendor tools were built for different audiences — HRIS platforms for HR teams, authentication systems for security, zero trust tools for network access, and compliance tools for auditors. What if we need an Identity Information Management System (IIMS), or a Least Privilege Directory Service (LPDS)? You don’t need to look those up; we just made them up. 🤪 But you see the problem, right? You need one, and your current tools don’t solve it. Well, we invented one because we outgrew our string-matching rules too.
Where Provisionr Fits
We look at the broader industry as a series of pillars that each have specialized areas of focus.

Overarching Question: If our birthright/baseline/role policies are configured properly, why do we need access requests? Why not just push updates to the policy that provisions access on downstream systems?

Access requests become a permanent band-aid for many organizations. The exception has become the rule instead of fixing the underlying policy. With proper policy management, access requests should be rare exceptions, not a daily workflow. Provisionr deploys alongside your existing tools with just a few API keys (read-only to start). You don’t need to manage all 1,500 Google or Okta groups on Day 1—start with the 5-10 that cause the most headaches, then expand as you’re ready.
IGA Vendor Landscape
Large Vendors
SailPoint, Saviynt, and CyberArk may fit if your organization has the philosophy of “no one was fired for buying IBM.” They have extensive features for larger IT teams (50+ people) with complex integration requirements, legacy enterprise applications, and expectations that Professional Services is available for custom development. Keep in mind they’re complex and expensive—analogous to a Boeing 747 cockpit. If you have 3-10 full-time IGA administrators just for your IGA software, these vendors are worth considering. If your IT or Security team is 1-10 people who prefer the simplicity of a Cessna cockpit, these vendors are likely not a fit. These tools are built for companies with thousands to tens of thousands of employees in regulated industries that need extensive audit evidence and compliance workflows. They are not built for modern SaaS-first organizations using Google Workspace and Okta.
Small and Mid-Sized Vendors
Several startups and mid-sized offerings have appeared in recent years focused on the IGA market. Smaller vendors tend to cater to smaller and mid-sized organizations in a partnership mentality.
Okta Identity Governance (OIG)
Okta Identity Governance (OIG) focuses on just-in-time access request approvals, compliance audits, and user access reviews integrated with Okta Workforce Identity. OIG is designed to work with your existing Okta application catalog and Okta Workflows. If your provisioning needs expand outside of what you’ve configured in Okta, you may run into limitations. It’s a feature add-on rather than a standalone product.
ConductorOne
ConductorOne also focuses on just-in-time access request approvals, compliance audits, and user access reviews, with founders previously from Okta. ConductorOne does one thing well rather than trying to do too many things. They’ve built a foundation and user experience that appeals to power-user IT and Security administrators for managing back-office IGA and compliance work. They’ve invested heavily in extensibility with their API, CLI, and extensive documentation. If your pain points come from your compliance team and your IT administrators like to build scripts with APIs, ConductorOne may be a good fit. We like ConductorOne and are friends with their executive team. If your needs align better with their product, we encourage you to evaluate them.
Lumos
Lumos focuses on providing a seamless end user experience for the users your team serves. If you’re familiar with app tiles in Okta, you’ll feel at home with their app store, where users request access through streamlined approval workflows while the platform provides license procurement insights into application usage. If you’re looking for a turnkey solution for access requests that feels painless for your users, Lumos may be a good fit.

Lumos is the easy button to make IT loved by making access requests easy for users.

We like Lumos and are friends with their executive team. If your needs align better with their product, we encourage you to evaluate them.