Account provisioning is the process of establishing and maintaining user accounts within an application. Provisioning capabilities are usually restricted to administrator accounts. Penetration testers must validate account-provisioning functions are done by users providing proper identification and authorization. A common venue for account provisioning is through Representational State Transfer (REST) API calls. Many times, developers may not put the same authorization checks in place for API calls that are used in the UI portion of an application.