Over the past 10 years, more and more medium and large corporates have embraced user account and group provision systems as part of their identity management strategy. In this article, Why Provisioning Should Move Away from IT
, Dell/Quest advocates moving the provisioning process away from IT entirely. (Well, that would be almost impossible, but at least get the "process" if not the technology away from IT.)
My own organization embraced a fairly customized version of Microsoft's Forefront Identity Manager (FIM) as our provision system. It integrates with our PeopleSoft system as well as a number of other databases to provide a unified identity picture.
We have about 1 1/4 full time Microsoft Consulting Services employees on staff that help us maintain this behemoth, another almost full-time contractor, and another almost full-time employee that helps operate the system. For 45,000 user objects, I'd estimate we spend about $750,000 per year in labor to maintain this.
The system is always a few generations behind where we need it to be. Feature requests are generally a year to three years behind in integration and implementation. (Part of this is due to some... "mishaps" our management is so gun-shy about anything to do with this platform that doing nothing is their IM strategy.
Meanwhile, the system works partially well for only about 75% of our employees/contractors since our PeopleSoft system maintains data for only employees not a lot of contractors. So, our help desk still manually provisions many user accounts and groups. And, our PeopleSoft system often spits out phone numbers in formats that are not usable by UC "dialer" links or software. So, dial links in Lync are useless. And, our HR department refuses to update their system to accommodate us.
I'd guess that this platform actually costs us *more* than a manual provisioning system. Sometimes, there is a reason why there is "no school like the old school."
If you are considering an automated user provisioning system, I strongly recommend going through as many different use cases as possible. Not just your full time employees, but look at temps, short term contractors, long term contractors, VIPs, etc... Go through your proposed IM system and look at all of these use cases and determine if the work flows are going to accommodate these. And, if now, how many users fall outside of the "automated" boundary and how are you going to take care of them?