Interesting read from a writer who misses the most obvious point about IAM and why it is so difficult to do right. The tool of the trade is mostly something like NetIQ Identity Manager (I do not work for the company) (or something else which can be changed to fit the organization), then this is connected to something like Okta for provisioning (and authorization); Okta is then using the on-prem AD (or Office 365) for authentication.
And as a previous comment said, all identities start from the HR system ... and nothing should be done manually - people make mistakes (often).
RBAC can be done with online tools like NetIQ Identity Application or SailPoint - does not matter as long as it's online and that users can request access (roles/permissions) which are granted "now".
Any organization that is using tools like Excel for RBAC administration will at some point end up in a management nightmare.
The biggie, which no one talks about, is the "red button": if an employee is let go, then the identity needs to be locked down immediately, which only works with systems which act on events - which many of these systems do not.
And let's not forget about Access Governance ... reporting, a tool which sucks out all the information and will report if there are things (rights) which should not be there, and especially if they are assigned to people who should not have them.
IAM is complicated, and requires knowledge not only about the chosen tool, but also about all the systems which you connect it to (AD, LDAP, SQL, Unix, Cloud, REST, SOAP, etc, etc, etc.).
But it's madly fun to do....