Provisioning is nowadays an established technology, but the increasing number of projects shows new threats, which can't be solved with todays approaches and technologies. One of these questions is the depth in which connected systems shall be controlled. Shall we stop at the level of assigning users to groups and roles? Or shall we centrally control what rights each group and role in these systems has - which would add a new level of control and a new level of complexity. On the other hand there's the auditing threat: How could an audit log really answer the question "Who has been allowed to do what in which system?" in detail? These and related questions will be discussed with the participants of this B-O-F-session.