It wasn't even *close* to cheap (either in implementation or ongoing support) but we added OIM (Oracle Identity Manager) to our existing Oracle suite of products (we have tons of databases, and Oracle owned "Health Sciences" apps, so we were already in bed with the devil to begin with) It uses SOA for workflows and approvals, and we built a series of templates for system access. Employee A starts the company as a Tech Writer? Automatically provision AD, OID, exchange, home directory, 5 shared folders, 3 sharepoint sites, and the QA logging application. (You get the idea) It also has the ability to provide self service, so if the previously mentioned user wants access to the Oracle Health Sciences cluster, he clicks the button next to it on the menu
... and the OHS Admin, and his manager get emails with links to approve.
Getting buy in from the business for this kind of spend took almost 2 years, and 9+ months to implement (defining workflow, approvers etc takes waaaay longer then you think it will!) The legal dept is also in love with the idea they can now request access reports for users, which makes the process of external audits go from days or information gathering .... to an automated email. At least for us (medium sized company, ~10,000 employees, currently growing at a rate of 75 a week) this has been a long trip... its not something you can simply bang out over a weekend with a 6 pack of Mtn. Dew and a spare server.