Introduction to Auto Provisioning

Auto-provisioning is the process of automatically managing user access throughout the entire lifecycle: creating accounts and assigning permissions when users need access, and removing access when they no longer need it, all without manual work from IT or application owners.

Without this feature, onboarding a new employee typically involves manually creating accounts in each app (e.g. Google Workspace, Slack, Figma), assigning roles and granting the appropriate access. Offboarding requires the reverse: manually removing access across dozens of apps, often leaving dormant accounts active for days or weeks, creating security risks and compliance gaps. Cakewalk's auto-provisioning automates the entire access lifecycle.

Why it matters

Auto-provisioning:

• Saves IT and application owners significant time across onboarding and offboarding

• Reduces human error and misconfigurations

• Ensures employees get the access they need from day one

• Automatically removes access when it's no longer needed, eliminating security risks from dormant accounts

• Supports least-privilege principles by assigning only the necessary permissions and removing them promptly

• Decreases software costs by ensuring licenses are only granted when needed and removed when not

• Ensures compliance with SOC 2, ISO 27001 and GDPR requirements through complete audit trails

Common triggers

When access is granted:

• A new hire is added to the HR system

• A hiring manager or an application owner approves a user's access request to an application

• A user's department or role changes, requiring new application access

When access is removed:

• An employee is marked as offboarding in the HR system

• A "Remove Access" request is created for a user

• A user's access needs to be revoked for security or compliance reasons

In Cakewalk, auto-provisioning runs natively via Agent Cake or by connecting your Identity Provider (e.g. Google Workspace, Entra ID). When you configure Agent Cake for an app, you can enable both automatic provisioning and deprovisioning, giving you complete lifecycle management.

Combine with No-Touch Onboarding

Auto-provisioning handles app account creation. By default, synced users still require a manual review step before onboarding begins. When you enable No-Touch Onboarding for a synced IdP group, that review step is removed. Together, they deliver fully hands-off onboarding: new employees are detected, onboarded and provisioned across all their default apps without any manual work.

📘 Learn more: HRIS & IdP