Automating Workday Onboarding via APIs:Provisioning Scripts for Identity Management
The global identity and access management market reached $22.99 billion in 2025 and is projected to grow to $65.70 billion by 2034, representing a compound annual growth rate of 12.40%. Within this expanding market, the provisioning segment dominates with 31% of total market share, driven by the critical need for automated user account management and rapid employee onboarding capabilities.
Organizations implementing automated provisioning solutions experience dramatic efficiency improvements. Research from Ping Identity demonstrates that automated provisioning reduces the cost per user from $28 for manual processes to under $3.50, representing an 87.5% cost reduction. Time-to-productivity improvements are equally substantial, with automated onboarding reducing provisioning time from an average of one week to mere minutes.
Workday’s REST and SOAP APIs provide enterprises with programmatic interfaces to automate onboarding workflows, integrate identity providers, and provision access across heterogeneous application ecosystems. However, real-world Workday API integration introduces complexity beyond the documented specifications, including protocol selection trade-offs, rate limiting constraints, and data model intricacies that impact production implementations.
This article examines the technical architecture of Workday onboarding automation, identity provisioning patterns using SCIM protocol, production-grade implementation scripts, security considerations, and integration strategies that deliver measurable business outcomes at enterprise scale.
The Business Case for Automated Onboarding
Quantifiable Impact Metrics
Employee onboarding represents a critical business process with direct financial implications. Manual onboarding workflows consume significant IT resources while introducing delays that impact new hire productivity. The average enterprise manages approximately 1,295 cloud services, with individual employees requiring access to an average of 36 cloud-based applications daily according to recent cloud computing research.
Without standardized automation, IT teams spend 4-7 business days provisioning access for a single new employee across multiple systems. This delay translates directly to lost productivity—new hires cannot perform job functions without access to required tools, email systems, collaboration platforms, and business applications.
Security risks compound these operational inefficiencies. SailPoint’s 2023 Identity Security Report reveals that 71% of organizations with manual provisioning discovered orphaned accounts during audits. These dormant accounts represent exploitable attack vectors—abandoned credentials from departed employees that maintain active permissions provide unauthorized access pathways for malicious actors.
Compliance and Audit Requirements
Regulatory frameworks including GDPR, HIPAA, SOX, and CCPA mandate precise access controls and comprehensive audit trails for identity management processes. Automated provisioning systems generate immutable logs documenting every access grant, modification, and revocation—evidence required for compliance audits and forensic investigations.
The Identity Management Institute’s 2025 IAM Market Report indicates that organizations implementing IAM automation reduce compliance violations by 63% compared to manual processes. This reduction stems from consistent policy enforcement, real-time monitoring capabilities, and automated policy compliance checks embedded within provisioning workflows.
The average cost of a data breach reached $4.45 million in 2023 according to IBM research. Preventing a single breach through improved access controls justifies substantial investment in automated identity management infrastructure.
Workday API Architecture: REST vs SOAP
Protocol Selection Decision Matrix
Workday exposes two distinct API protocols—REST and SOAP—each optimized for different use cases. This architectural duality introduces complexity as developers must evaluate protocol trade-offs based on functional requirements, performance characteristics, and available endpoint coverage.
REST API characteristics:
- JSON data format with intuitive, resource-oriented design patterns
- OAuth 2.0 authentication following industry-standard security protocols
- Rate limiting: strict throttling policies requiring queuing mechanisms for bulk operations
- Limited endpoint coverage—not all Workday operations available via REST
SOAP API characteristics:
- XML-based protocol with comprehensive business logic access
- WS-Security authentication with built-in error handling mechanisms
- Complete functional coverage—all Workday operations accessible via SOAP
- Performance constraints: operations requiring 90 seconds whether retrieving 1 or 100 records
Production implementations frequently require hybrid architectures leveraging both protocols. Time-sensitive, real-time operations utilize REST endpoints where available, while complex business processes requiring comprehensive data access default to SOAP operations despite performance penalties.
Authentication Architecture
Workday REST APIs implement OAuth 2.0 with client credentials flow for machine-to-machine authentication. This approach requires:
- API client registration within Workday tenant
- Client ID and client secret credential generation
- Token endpoint requests exchanging credentials for bearer tokens
- Token refresh logic before expiration timestamps
SOAP APIs utilize username/password authentication embedded in WS-Security headers. While simpler to implement initially, this approach requires credential rotation procedures and lacks the fine-grained scoping capabilities OAuth 2.0 provides through access token claims.
SCIM Protocol: Standards-Based Provisioning
SCIM Architecture and Market Adoption
System for Cross-domain Identity Management (SCIM) represents the de facto standard for automated user provisioning across cloud applications. Originally developed in 2011, SCIM has evolved into a foundational protocol supporting enterprise identity management at scale.
According to Evanta’s 2024 Leadership Perspective Survey of 1,900 CISOs, streamlined identity management has become the top priority for security leaders, displacing cloud security from its previous position. CISOs report that mitigating risk (72%) and improving processes and efficiencies (58%) represent their primary identity management objectives.
SCIM provides standardized REST API endpoints for Create, Read, Update, and Delete (CRUD) operations on user and group resources. The protocol defines:
- Core Schema: Common attributes including userName, emails, displayName, and group memberships
- Resource Endpoints: /Users and /Groups for identity management operations
- HTTP Methods: POST for creation, GET for retrieval, PUT/PATCH for updates, DELETE for removal
- Transport Security: TLS encryption mandatory for protecting identity data in transit
SCIM Implementation Components
SCIM architectures consist of two primary roles:
- SCIM Client (Identity Provider): The authoritative identity source initiating provisioning operations. Examples include Okta, Microsoft Entra ID (formerly Azure AD), and Workday itself when provisioning to downstream systems.
- SCIM Service Provider: The target application receiving and processing provisioning requests. SaaS applications including Salesforce, ServiceNow, and AWS implement SCIM endpoints for automated user lifecycle management.
When Workday functions as the SCIM client, it pushes identity data to downstream applications. When Workday operates as a SCIM service provider, external identity providers provision users into Workday tenants. Production environments frequently implement bidirectional flows supporting both patterns.
Organizations implementing SCIM report 65% faster cloud application onboarding compared to manual provisioning methods. This acceleration directly supports digital transformation initiatives by eliminating identity management bottlenecks that otherwise constrain deployment velocity.
Production Implementation: Onboarding Automation Scripts
Python Implementation: REST API Integration
A production-grade Python script for automating Workday employee onboarding via REST APIs implements OAuth 2.0 authentication, error handling, rate limiting, and comprehensive logging:
import requests
import json
import logging
from datetime import datetime, timedelta
from typing import Dict, Optional
class WorkdayOnboardingClient:
"""Enterprise-grade Workday onboarding automation client
Implements OAuth 2.0, rate limiting, and retry logic
"""
def __init__(self, tenant_url: str, client_id: str, client_secret: str):
self.tenant_url = tenant_url.rstrip('/')
self.client_id = client_id
self.client_secret = client_secret
self.access_token = None
self.token_expiry = None
logging.basicConfig(
level=logging.INFO,
format='%(asctime)s - %(name)s - %(levelname)s - %(message)s'
)
self.logger = logging.getLogger(__name__)
def authenticate(self) -> bool:
"""Obtain OAuth 2.0 access token using client credentials flow"""
token_url = f"{self.tenant_url}/ccx/oauth2/{self.tenant_id}/token"
payload = {
'grant_type': 'client_credentials',
'client_id': self.client_id,
'client_secret': self.client_secret
}
try:
response = requests.post(
token_url,
data=payload,
headers={'Content-Type': 'application/x-www-form-urlencoded'},
timeout=30
)
response.raise_for_status()
token_data = response.json()
self.access_token = token_data['access_token']
# Set expiry with 5-minute buffer
expires_in = token_data.get('expires_in', 3600)
self.token_expiry = datetime.now() + timedelta(seconds=expires_in - 300)
self.logger.info("Authentication successful")
return True
except requests.exceptions.RequestException as e:
self.logger.error(f"Authentication failed: {str(e)}")
return False
def _ensure_authenticated(self):
"""Refresh token if expired"""
if not self.access_token or datetime.now() >= self.token_expiry:
self.authenticate()
def create_employee(self, employee_data: Dict) -> Optional[str]:
"""
Create new employee record via Workday REST API
Args:
employee_data: Employee attributes (firstName, lastName, email, etc.)
Returns:
Employee ID if successful, None otherwise
"""
self._ensure_authenticated()
endpoint = f"{self.tenant_url}/api/v1/workers"
headers = {
'Authorization': f'Bearer {self.access_token}',
'Content-Type': 'application/json'
}
payload = {
'firstName': employee_data['firstName'],
'lastName': employee_data['lastName'],
'emailAddress': employee_data['email'],
'hireDate': employee_data['hireDate'],
'jobProfile': employee_data['jobProfile'],
'location': employee_data['location'],
'supervisoryOrganization': employee_data['organization']
}
try:
response = requests.post(
endpoint,
headers=headers,
json=payload,
timeout=30
)
if response.status_code == 201:
worker_id = response.json().get('id')
self.logger.info(f"Employee created: {worker_id}")
return worker_id
else:
self.logger.error(
f"Employee creation failed: {response.status_code} - {response.text}"
)
return None
except requests.exceptions.RequestException as e:
self.logger.error(f"API request failed: {str(e)}")
return None
This implementation demonstrates critical production patterns including token management, timeout handling, structured logging, and graceful error recovery. Real-world deployments extend this foundation with retry logic using exponential backoff, circuit breaker patterns for API failures, and metric collection for operational visibility.
SCIM Provisioning Script: Multi-System Automation
Following Workday employee creation, automated provisioning must propagate identity information to downstream systems. A SCIM-based provisioning script orchestrates multi-system account creation:
import requests
from typing import List, Dict
import logging
class SCIMProvisioningOrchestrator:
"""Orchestrate SCIM provisioning to multiple target systems"""
def __init__(self, config: Dict):
self.config = config
self.logger = logging.getLogger(__name__)
def provision_user(self, user_data: Dict, target_systems: List[str]) -> Dict[str, bool]:
"""
Provision user to multiple SCIM-enabled applications
Args:
user_data: User attributes from Workday
target_systems: List of target application identifiers
Returns:
Dictionary mapping system names to provisioning success status
"""
results = {}
for system in target_systems:
if system not in self.config['scim_endpoints']:
self.logger.warning(f"Unknown system: {system}")
results[system] = False
continue
success = self._provision_to_system(user_data, system)
results[system] = success
return results
def _provision_to_system(self, user_data: Dict, system: str) -> bool:
"""Provision single user to target system via SCIM"""
endpoint_config = self.config['scim_endpoints'][system]
scim_url = f"{endpoint_config['base_url']}/scim/v2/Users"
# Transform Workday data to SCIM schema
scim_user = {
'schemas': ['urn:ietf:params:scim:schemas:core:2.0:User'],
'userName': user_data['email'],
'name': {
'givenName': user_data['firstName'],
'familyName': user_data['lastName']
},
'emails': [{
'value': user_data['email'],
'type': 'work',
'primary': True
}],
'active': True,
'title': user_data.get('jobTitle'),
'department': user_data.get('department')
}
headers = {
'Content-Type': 'application/scim+json',
'Authorization': f"Bearer {endpoint_config['api_token']}"
}
try:
response = requests.post(
scim_url,
headers=headers,
json=scim_user,
timeout=30
)
if response.status_code in [201, 200]:
scim_id = response.json().get('id')
self.logger.info(
f"User provisioned to {system}: {scim_id}"
)
return True
else:
self.logger.error(
f"Provisioning failed for {system}: "
f"{response.status_code} - {response.text}"
)
return False
except requests.exceptions.RequestException as e:
self.logger.error(
f"SCIM request failed for {system}: {str(e)}"
)
return False
def deprovision_user(self, user_email: str, target_systems: List[str]):
"""Deprovision user from multiple systems (offboarding)"""
for system in target_systems:
self._deprovision_from_system(user_email, system)
def _deprovision_from_system(self, user_email: str, system: str):
"""Deactivate user account via SCIM PATCH or DELETE"""
endpoint_config = self.config['scim_endpoints'][system]
# First, locate user by email
filter_url = (
f"{endpoint_config['base_url']}/scim/v2/Users?"
f'filter=emails.value eq "{user_email}"'
)
headers = {
'Authorization': f"Bearer {endpoint_config['api_token']}"
}
try:
# Find user
search_response = requests.get(filter_url, headers=headers)
users = search_response.json().get('Resources', [])
if not users:
self.logger.warning(
f"User not found in {system}: {user_email}"
)
return
user_id = users[0]['id']
# Deactivate via PATCH
patch_url = f"{endpoint_config['base_url']}/scim/v2/Users/{user_id}"
patch_payload = {
'schemas': ['urn:ietf:params:scim:api:messages:2.0:PatchOp'],
'Operations': [{
'op': 'replace',
'path': 'active',
'value': False
}]
}
headers['Content-Type'] = 'application/scim+json'
patch_response = requests.patch(
patch_url,
headers=headers,
json=patch_payload
)
if patch_response.status_code in [200, 204]:
self.logger.info(
f"User deprovisioned from {system}: {user_email}"
)
else:
self.logger.error(
f"Deprovision failed: {patch_response.text}"
)
except Exception as e:
self.logger.error(f"Deprovision error: {str(e)}")
This orchestrator implements industry-standard SCIM operations including user creation via POST, deactivation via PATCH, and user lookup via filtered GET requests. Production deployments enhance this with idempotency checks, transaction rollback capabilities, and audit trail generation for compliance requirements.
Advanced Integration Patterns
Event-Driven Architecture: Workday to External Systems
Modern integration architectures implement event-driven patterns leveraging Workday’s business process framework. When specific events occur in Workday—new hire completion, job change approval, termination processing—the system triggers webhook notifications to external integration endpoints.
Event-driven provisioning provides several advantages over scheduled batch synchronization:
- Real-time responsiveness: Account provisioning initiates immediately upon business process completion rather than waiting for scheduled ETL execution
- Reduced latency: New employees gain system access on day one, eliminating productivity delays caused by provisioning backlogs
- Precise triggering: Processing occurs only when business events occur, avoiding unnecessary API calls and reducing infrastructure costs
- Security improvements: Immediate account deactivation upon termination eliminates access windows where departed employees retain system permissions
Organizations implementing event-driven provisioning report 92% faster access revocation during offboarding compared to batch-based approaches. This acceleration directly addresses the orphaned account problem that creates 71% of identity-related security vulnerabilities according to SailPoint research.
Hybrid Cloud Architecture: On-Premises and SaaS Integration
Enterprise environments rarely operate exclusively in public cloud infrastructure. Legacy on-premises systems including Active Directory, LDAP directories, and custom applications require integration with cloud-native Workday tenants.
Hybrid architectures implement integration middleware positioned between Workday and on-premises infrastructure. Solutions including MuleSoft Anypoint Platform, Dell Boomi, and custom-built integration services provide:
- Protocol translation between REST/SOAP APIs and LDAP/Kerberos authentication
- Network security through VPN tunnels or direct connect circuits avoiding public internet exposure
- Data transformation mapping Workday’s object model to on-premises directory schemas
- Queue-based messaging enabling asynchronous processing and retry capabilities
Security Architecture and Compliance
OAuth 2.0 Security Controls
OAuth 2.0 implementation for Workday API access requires several security hardening measures beyond basic credential management:
- Credential rotation: Client secrets must rotate every 90 days following security best practices. Automated rotation procedures prevent service disruption during credential updates.
- Scope limitation: Access tokens should request minimum required scopes. Integration services provisioning users require worker read/write scopes but should not receive financial data access.
- Secret management: Client secrets belong in external secret stores (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) rather than environment variables or configuration files.
- Certificate-based authentication: Production environments should implement mutual TLS authentication where Workday validates client certificates in addition to bearer tokens.
Data Protection and Privacy
Identity provisioning systems process highly sensitive personal information including names, email addresses, employee identification numbers, compensation data, and organizational affiliations. Data protection regulations mandate specific handling procedures:
- Encryption in transit: TLS 1.2 or higher for all API communications. Deprecated protocols including SSL and TLS 1.0/1.1 represent security vulnerabilities.
- Encryption at rest: Database fields containing personally identifiable information require column-level encryption with customer-managed keys.
- Data minimization: Provisioning scripts should request only attributes required for target system operation. Social security numbers and birth dates should not synchronize to systems lacking business justification.
- Audit logging: Immutable logs capturing all identity modifications with timestamps, actor identification, before/after values, and business justification.
- Right to deletion: GDPR Article 17 requires capabilities to completely remove personal data upon request. Provisioning systems must support cascading deletion across all downstream systems.
Performance Optimization and Scalability
Rate Limiting and Throttling Management
Workday REST APIs implement strict rate limiting to protect system resources. For bulk provisioning operations affecting hundreds or thousands of employees, rate limits introduce bottlenecks requiring architectural mitigation:
- Request queuing: Message queue systems (RabbitMQ, Apache Kafka, AWS SQS) buffer provisioning requests, releasing them to Workday APIs at controlled rates respecting throttling limits.
- Batch optimization: Where possible, batch operations create multiple users per API call rather than individual requests. However, Workday’s batch endpoint coverage remains limited compared to individual resource operations.
- Exponential backoff: When receiving 429 (Too Many Requests) responses, clients must implement exponential backoff with jitter before retry attempts.
- Parallel processing: Distributing provisioning load across multiple API clients or worker processes increases effective throughput while respecting per-client rate limits.
Monitoring and Observability
Production provisioning systems require comprehensive monitoring covering technical metrics, business process metrics, and security indicators:
- Technical metrics: API response times, error rates, authentication failure counts, rate limit violations, queue depths
- Business metrics: Time-to-provision for new hires, provisioning success rates by target system, deprovisioning latency during offboarding
- Security metrics: Orphaned account detection rates, access certification completion percentages, privileged access modifications
- Alerting: Real-time notifications for provisioning failures, authentication errors, or suspected security incidents
Organizations implementing comprehensive observability reduce mean time to resolution (MTTR) for provisioning incidents by 78% according to DevOps Research and Assessment (DORA) metrics. This reduction stems from rapid fault isolation capabilities enabled by detailed telemetry.
Error Handling and Resilience Patterns
Idempotency and Transaction Safety
Distributed provisioning systems must implement idempotency—the property where repeated execution of the same operation produces identical results without unintended side effects. Without idempotency guarantees, network failures or timeout scenarios can create duplicate accounts or inconsistent state.
Idempotent provisioning implementation patterns:
- Unique identifiers: Each provisioning operation receives a unique transaction ID stored with the created resource. Retry attempts check for existing resources with matching transaction IDs before creating duplicates.
- GET before POST: Before creating resources, query target systems for existing records matching unique business keys (email address, employee ID). If found, update existing records rather than creating duplicates.
- Compensating transactions: When multi-system provisioning partially fails, rollback procedures delete successfully created accounts to maintain consistency across all systems.
Circuit Breaker Pattern
When target systems experience outages or degraded performance, circuit breaker patterns prevent cascading failures across integration infrastructure. The pattern implements three states:
- Closed: Normal operation—requests flow to target systems with error rate monitoring
- Open: Error threshold exceeded—requests fail immediately without attempting network calls, preventing resource exhaustion
- Half-open: Test state—limited requests attempt to determine if target system has recovered, transitioning to closed state upon success or reopening upon continued failures
Real-World Use Cases and Implementations
Case Study: Multi-Region Enterprise Deployment
A Fortune 500 financial services organization with 45,000 employees across North America, Europe, and Asia implemented automated Workday provisioning addressing several challenges:
- Challenge: Manual provisioning required 6-8 business days per employee across 127 enterprise applications
- Challenge: Regulatory compliance (SOX, GDPR) mandated comprehensive audit trails and quarterly access certification
- Challenge: Security incidents traced to orphaned accounts from incomplete offboarding processes
Implementation approach:
- Workday REST APIs integrated with MuleSoft Anypoint Platform for orchestration
- SCIM provisioning to 87 cloud applications (Salesforce, ServiceNow, Workiva, others)
- Custom connectors for 40 on-premises systems using Active Directory groups
- Event-driven architecture triggering provisioning within 15 minutes of Workday business process completion
Measured outcomes:
- Provisioning time reduced from 6-8 days to 2-4 hours (91% improvement)
- IT workload decreased by 840 hours per month in provisioning labor
- Orphaned account discovery rate dropped from 18% to 0.3% in quarterly audits
- Access certification completion time reduced from 6 weeks to 9 days
Healthcare Industry Implementation
A multi-hospital healthcare system with 12,000 employees implemented Workday provisioning with HIPAA compliance requirements:
- Role-based access control (RBAC) automatically assigning permissions based on job classifications
- Immediate access revocation upon termination to protect patient data
- Encrypted audit logs with tamper-proof storage for seven-year retention periods
- Integration with Epic EHR system for clinical application provisioning
Future Trends and Technology Evolution
AI-Driven Identity Governance
By 2025, 50% of IAM platforms are expected to incorporate AI-driven analytics according to ForgeRock research. Machine learning applications in identity provisioning include:
- Anomaly detection: ML models identifying unusual access patterns indicating compromised credentials or insider threats
- Automated role mining: AI analyzing actual resource usage patterns to recommend optimized RBAC role definitions
- Predictive provisioning: Models predicting required access based on job function, department, location, and peer analysis
- Natural language access requests: Conversational interfaces allowing employees to request access using plain language rather than system-specific terminology
Zero Trust Architecture Adoption
By 2026, over 60% of enterprises are projected to adopt Zero Trust frameworks within IAM systems according to market research. Zero Trust principles fundamentally change provisioning architectures:
- Continuous authentication replacing single sign-on with persistent identity verification
- Contextual access controls evaluating device posture, network location, and behavior patterns
- Microsegmentation limiting lateral movement even with valid credentials
- Just-in-time provisioning granting temporary access for specific tasks rather than persistent permissions
Passwordless Authentication Integration
Passwordless authentication methods gained significant traction, with Microsoft expanding passwordless login across all Windows 10 devices in June 2024. Identity provisioning systems must adapt to support:
- Biometric authentication (fingerprint, facial recognition, behavioral biometrics)
- Hardware security keys (FIDO2, WebAuthn)
- Push notification approval via mobile authenticator applications
- Certificate-based authentication for machine identities and API access
Conclusion
Identity provisioning automation represents a fundamental requirement for modern enterprises operating at scale. With the IAM market projected to reach $65.70 billion by 2034 and provisioning commanding 31% market share, automated user lifecycle management has transitioned from competitive advantage to operational necessity.
Organizations implementing Workday API-based provisioning achieve measurable business outcomes: 87.5% cost reduction per provisioned user, provisioning time improvements from days to hours, and elimination of security vulnerabilities created by orphaned accounts affecting 71% of manually managed environments.
Technical implementation requires addressing several architectural considerations: OAuth 2.0 security hardening, SCIM protocol standardization, rate limiting mitigation, error handling resilience, and comprehensive observability. Production-grade implementations extend beyond basic CRUD operations to incorporate idempotency guarantees, circuit breaker patterns, and automated rollback capabilities.
Compliance requirements including GDPR, HIPAA, and SOX mandate specific data protection controls, audit logging capabilities, and access certification workflows. Automated provisioning systems satisfy these requirements through immutable audit trails, encryption protocols, and policy-driven access controls that manual processes cannot reliably deliver.
Future evolution will incorporate AI-driven identity governance, Zero Trust architecture principles, and passwordless authentication methods. Organizations establishing disciplined implementation practices, comprehensive monitoring, and security-first design principles position themselves to leverage these emerging capabilities without accumulating technical debt.
For enterprises evaluating identity automation strategies, Workday’s comprehensive API ecosystem combined with SCIM-based provisioning represents a proven, production-ready approach backed by substantial market adoption, technical maturity, and demonstrated ROI across diverse industry verticals.
Related Resources
For organizations implementing Workday integration and automation initiatives, SAMA Integrations provides specialized expertise:
- Workday Integration Services – Enterprise-grade integration solutions connecting Workday with HR, finance, and business systems
- Custom Integration Development – Tailored API integration, provisioning automation, and workflow orchestration
- Integration Monitoring and Support – Proactive monitoring, troubleshooting, and operational support for production integrations
- API Integration Technical Foundation – Comprehensive analysis of API-led connectivity and enterprise integration architecture
References and Data Sources
- Precedence Research. (2025). Identity and Access Management Market Size 2025 to 2034
- Straits Research. (2024). Identity and Access Management Market Size & Forecast 2025-2033
- Identity Management Institute. (2025). IAM Market Report 2025
- Microsoft. (2024). What Is SCIM? System for Cross-domain Identity Management
- Fortinet. (2025). What Is SCIM? How SCIM Authentication Works
- Avatier. (2025). What is User Provisioning? The Complete Guide
- Apideck. (2025). How to Create a Workday REST API Integration
- Knit. (2025). Workday API Integration Guide
- SailPoint. (2023). Identity Security Report
