Gartner Blog Network


How to Provision a Pope in 6 Easy Steps

by Ian Glazer  |  March 13, 2013  |  4 Comments

Having deprovisioned your previous Pope, you thought your work was done. But just as soon as you’ve settled back into your desk chair you see it – white smoke wafting up from the chimney. It’s time to provision a new Pope!

Step 1 – Meet the new Pope

First things first, go meet the new Pope. Invariably new Popes arrive with a panoply of devices that they want to connect and continue to use, and this one is no different. You and your CISO take an inventory of all the gadgets the new Pope wants to use: iPhone, Android tablet, Xbox, Chromebook, etc. With list in hand, you’ll have to start working with your security and device management peers on a strategy to quickly get those devices working with your infrastructure. (If the new Pope doesn’t get his time playing WoW: Mists of Pandaria, he gets a bit grumpy.)

Step 2 – Don’t wait for HR

You can’t leave the Pope just to sit on his mitre and wait for access to business systems. The new Pope has got to be productive minute one of his Popehood. But unfortunately, the new Pope won’t be in the HR feed until the next payroll run, which isn’t for another 12 days. Mussolini might have made the trains run on time but not even he could do anything about HR. To be fair, a new Pope isn’t really a new hire but a strange combination of a transfer and a new persona; needless to say, HR is going to need to take their time. This means you cannot wait for the HRMS to signal the user provisioning system to kick into action. Time for the manual bypass! Hand register the new Pope in the user provisioning system, but be ready for some strangeness when the new Pope does finally show up in the HR feed – misspellings, wrong job codes, and missing data will lead to odd provisioning events.
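One way to absorb that late HR record without spawning a duplicate identity or an unwanted role change, as an added example that is not from the original post: match the feed record against hand-registered identities and hold any differing attributes for review. The record layout, field names, thresholds and sample people are all assumptions constructed for illustration.

```python
from difflib import SequenceMatcher

# Constructed sample: identities hand-registered before HR knew about them.
MANUAL = [
    {"uid": "m-0001", "name": "Giovanni Esempio", "birth_date": "1940-05-02",
     "job_code": "POPE", "hr_id": None},
    {"uid": "m-0002", "name": "Carla Campione", "birth_date": "1975-11-30",
     "job_code": "ADMIN", "hr_id": None},
]

def name_similarity(a, b):
    """Case- and whitespace-insensitive similarity in [0, 1]."""
    norm = lambda s: " ".join((s or "").lower().split())
    return SequenceMatcher(None, norm(a), norm(b)).ratio()

def reconcile(hr, manual, link_at=0.85, review_at=0.60):
    """Decide what to do with one late HR feed record.

    Returns (action, uid, held): action is "link", "review" or "create";
    held maps each differing attribute to (current, hr_value). Held values
    are never applied automatically, so a wrong job code in the feed cannot
    trigger a role change on its own.
    """
    dob = hr.get("birth_date")
    # Only unlinked manual entries are candidates; a missing birth date in
    # the feed widens the search but rules out an automatic link.
    candidates = [m for m in manual if m["hr_id"] is None
                  and (dob is None or m["birth_date"] == dob)]
    scored = [(name_similarity(m["name"], hr.get("name")), m) for m in candidates]
    if not scored:
        return ("create", None, {})
    score, best = max(scored, key=lambda pair: pair[0])
    if score < review_at:
        return ("create", None, {})
    held = {k: (best[k], hr.get(k)) for k in ("name", "job_code")
            if hr.get(k) != best[k]}
    action = "link" if score >= link_at and dob is not None else "review"
    return (action, best["uid"], held)

# Constructed feed record: misspelled name and wrong job code.
HR_RECORD = {"hr_id": "E-9001", "name": "Giovani Esempio",
             "birth_date": "1940-05-02", "job_code": "CARD"}

if __name__ == "__main__":
    print(reconcile(HR_RECORD, MANUAL))
```

A "link" result attaches the HR identifier to the existing identity; the held attributes go to a human before anything downstream is reprovisioned.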

Step 3 – Monitor the birthrights

Once the new Pope is in the user provisioning system, birthright application provisioning ought to kick off. It did kick off, correct? Good. Ideally you’d have a way to signal that the new Pope is a VIP and that those provisioning requests should be put at the top of the queue for processing. Just like password resets, VIP provisioning should get priority through the workflow engine. If you don’t have provisioning connectors for all the birthright applications, you’ll have to phone up the user admin team and make sure that they build the new Pope’s accounts immediately.

Step 4 – Assign the “special” role

You did create a few broad enterprise roles when you deployed the user provisioning system? Good. Time to dust off the rarely assigned “special” role. This is the role that will give the new Pope access to special Pope-only resources – such as access to the complete donor registry and Cardinals communication portal. Once you’ve assigned this, don’t forget to call the CIO and CISO and make sure that they approve the role assignment immediately – hopefully via their mobile device. (If that doesn’t work, try sending another white smoke signal.)

Step 5 – Get the solid gold token

While the provisioning system is chugging along, you’ll need to get the new Pope his stronger authentication credentials. This is going to be tough. Papal experience is key to the new Pope and a cumbersome authentication process isn’t going to please the Pontiff. Try an NFC-based hardware token embedded into his staff. You might be able to fit a hardware OTP generator into his ring. Or perhaps an out-of-band OTP to those mobile devices of his. Whatever you choose, be ready with plan B and C. Remember, lost devices and difficult user interfaces are going to be your problem.

Step 6 – Authorize the Authority

Remember how you pulled the old Pope out of approval workflows when you deprovisioned him? Well, now you have to put the new Pope back into those workflows. For highly sensitive systems and segregation of duties violations, people are likely going to need the new Pope’s approval. This probably won’t happen day 1, but it will take you a while to weave the new Pope into the workflow system.

See? That wasn’t so hard. Six easy steps and your new Pope is ready to go. Maybe he’ll be so impressed that he’ll take you for a spin in the Popemobile.


Ian Glazer
Research Vice President and Agenda Manager
4 years at Gartner
16 years IT industry

Ian Glazer is a research vice president and agenda manager on the Identity and Privacy Strategies team. He leads IdPS' coverage for authorization and privacy. Topics within these two main areas include externalized authorization management, XACML, federated authorization, privacy by design, and privacy programs.


Thoughts on How to Provision a Pope in 6 Easy Steps


  1. Angie says:

    This couldn’t be better timed. With 7 superintendents retiring in Alberta this year, our IT leaders need to dust off the VIP de-provisioning and provisioning processes. You’ve made it accessible and fun. Well done!

  2. Sid Sidner says:

    You’re killing me, dude! These two posts are brilliant. Thanks! See you at the Cloud Identity Summit in Napa in July.

  3. Ian Glazer says:

    @Angie – glad you found it useful!

  4. Ian Glazer says:

    @Sid – glad you liked it – unfortunately, barring something unforeseen, the “Learn IAM via a Pope” series of posts is over. Of course, if the Catholic Church goes on an M&A tear, then you never know…




Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.