One of the most powerful features of any modern identity and access management (IAM) solution is delegated administration. This core feature gives business users of an organization the ability to perform basic IT functions, such as new account creation, role and group assignment, and access requests, all without the capabilities and permissions typically tied to a privileged IT role.
On a broader level, delegated administration makes full identity lifecycle management possible by allowing business processes to be automated and streamlined. That being said, it’s crucial that organizations thoroughly evaluate whatever delegation functions they have today, assess how those capabilities are actually used in practice, and understand where increased focus is needed.
One simple way to make this determination is through a maturity model, a tool that helps an organization assess how effective it currently is in a particular area and which capabilities it must acquire before it can progress to the next level.
Previously, we’ve discussed maturity models for three other core IAM features: Federation, Multi-Factor Authentication (MFA), and Single Sign-On (SSO). Now, we’re moving right along to delegation and how to enhance current capabilities using Identity Automation’s Delegated Administration Maturity Model. Let’s dive into the key characteristics of the first two levels before we examine the full Delegated Administration Maturity Model in our webinar.
Level 1: Basic Delegation and Self-Service Capabilities
In Level 1, also known as the Basic Level, the key characteristic is that designated non-IT users (delegated administrators) can perform simple administrative tasks, such as resetting passwords, without holding a privileged IT role. Without this primary characteristic, an organization is considered to be at Level 0, meaning it has not yet implemented any delegation features or capabilities.
Generally speaking, a major focus of delegation is to give business users, such as business managers and system owners, the capability to help administer the accounts they are responsible for. In this level, we see the very beginnings of empowering business users, with simple self-service capabilities.
Self-service capabilities allow end users to perform basic tasks without outside help, such as resetting their own passwords or recovering a forgotten username. These automated capabilities increase productivity by giving the end user an immediate resolution instead of waiting for an administrator to respond. One caveat a practitioner should insist on: a self-service reset is itself an authentication path, so it must verify the user’s identity through something the organization has already enrolled (a registered phone or second factor, or answers that are not guessable from public information), otherwise it becomes the easiest way into the account.
For example, let’s say a large K12 school district has a four-person IT team, 5,000 teachers, and 50,000 students. By delegating routine IT tasks, such as resetting passwords, from the four-person team into the hands of the 5,000 teachers, it’s a win-win situation for everyone. Not only can teachers easily reset their students’ passwords in the classroom, but IT is freed up to focus on more strategic tasks and students can quickly get back into their digital environments, ready to learn. The delegation should be scoped, though: a teacher should be able to reset passwords only for students in their own classes, never for staff or privileged accounts, and every delegated reset should be recorded in an audit trail that IT can review.
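The following is an added example, not code from Identity Automation’s product, showing what a scoped and audited delegated password reset looks like. The section roster, the teacher-to-section mapping, and the account names are constructed sample data; the `Directory` class is a stand-in for the directory an IAM product would write to. It generalizes the classroom case slightly by also refusing resets aimed at staff and privileged accounts, and by logging denied attempts alongside allowed ones.

```python
import secrets
import string
from datetime import datetime, timezone

# Constructed sample data (hypothetical names, not a real district's directory).
SECTIONS = {                      # section id -> students enrolled
    "math-101": {"s.alvarez", "s.brown"},
    "bio-202": {"s.chen"},
}
DELEGATES = {                     # teacher -> sections they may administer
    "t.garcia": {"math-101"},
    "t.okafor": {"bio-202"},
}
# Staff and privileged accounts are never inside a teacher's scope.
PROTECTED = {"t.garcia", "t.okafor", "it.admin"}


class Directory:
    """Minimal stand-in for the directory an IAM product would update."""

    def __init__(self):
        self.must_change = set()  # accounts whose next sign-in must set a new password
        self.audit = []           # every delegated action, allowed or denied

    def in_scope(self, delegate: str, target: str) -> bool:
        """A delegate may act only on students enrolled in sections delegated to them."""
        if target in PROTECTED or delegate not in DELEGATES:
            return False
        return any(target in SECTIONS.get(sec, ()) for sec in DELEGATES[delegate])

    def delegated_reset(self, delegate: str, target: str) -> dict:
        """Reset a student's password on behalf of a delegate, after the scope check."""
        allowed = self.in_scope(delegate, target)
        # Record the attempt whether or not it is allowed; denied attempts are the
        # interesting ones for IT oversight.
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": delegate,
            "target": target,
            "action": "password_reset",
            "allowed": allowed,
        })
        if not allowed:
            return {"ok": False, "reason": "target outside delegate's scope"}
        # Random temporary password; the student must replace it at next sign-in.
        alphabet = string.ascii_letters + string.digits
        temp = "".join(secrets.choice(alphabet) for _ in range(12))
        self.must_change.add(target)
        return {"ok": True, "temp_password": temp}


if __name__ == "__main__":
    d = Directory()
    print(d.delegated_reset("t.garcia", "s.alvarez"))   # allowed: own student
    print(d.delegated_reset("t.garcia", "s.chen"))      # denied: another teacher's student
    print(d.delegated_reset("t.okafor", "it.admin"))    # denied: privileged account
    for entry in d.audit:
        print(entry)
```

The scope check is deliberately a separate method so it can be unit-tested against the roster independently of the reset itself; in a real deployment the roster would come from the student information system rather than a dictionary.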
Furthermore, self-service capabilities remove the bottleneck of calling IT or the helpdesk, which ties up the time of at least two people and requires them to coordinate. Gartner estimates that 20-50 percent of all help desk calls are for password resets, and Forrester researchers have calculated the cost of a single password reset to be $70, so the time and soft-cost savings add up quickly.
Another key characteristic in Level 1 is empowering end users to manage profile attributes that don't have a traditional system source or platform where this information can be easily updated. These profile attributes could include a mobile number or preferred first name, which may not come from an HR system. Rather, modern IAM solutions allow users to manage their profile information and add data that can then be shared among other applications or systems.
Level 2: Advanced Delegation to Manage External User Accounts
In Level 2, otherwise known as the Advanced Level, an organization expands on its initial offering of self-service capabilities by providing tools that empower business users to perform lifecycle management of external or sponsored accounts, such as contractors or visitors. In the world of healthcare, this could include clinicians and patients, whereas in the retail space, it’s more likely to include seasonal or temporary workers, while on the education front, substitutes and visiting professors are prime examples.
Another main characteristic of Level 2 resolves a common challenge organizations face when onboarding both internal and external workers: getting newly created account credentials to the worker. Many companies use risky methods, such as assigning a default or initial password, writing credentials down, or emailing them to a supervisor or manager. These methods are highly insecure, but organizations need workers to be productive and want them accessing applications and systems quickly. In Level 2, newly provisioned end users instead claim their own accounts: they prove who they are using information the organization already holds about them, then set their own password, so no credential ever has to be generated, transmitted, or known by anyone other than the user.
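The claim flow described above, as an added example that is not part of the original post and not Identity Automation’s implementation. The account records, identity attributes, and policy values (a 48-hour claim window, three failed identity checks before lock-out) are assumptions for illustration. The point it demonstrates is that the account is provisioned with no password at all, so there is nothing to email or write down; the password comes into existence only when the rightful user sets it.

```python
import hashlib
import hmac
import secrets
import time

CLAIM_TTL_SECONDS = 48 * 3600   # assumed policy: claim window after provisioning
MAX_ATTEMPTS = 3                # assumed policy: failed identity checks before lock-out


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest). Constructed for this example."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class ClaimStore:
    """Holds provisioned-but-unclaimed accounts. No initial password ever exists."""

    def __init__(self):
        self.accounts = {}

    def provision(self, username, identity_attrs, now=None):
        """Create the account from HR/sponsor data; it is unusable until claimed."""
        now = time.time() if now is None else now
        self.accounts[username] = {
            "attrs": identity_attrs,            # facts the sponsor already knows
            "password": None,                   # nothing to send or write down
            "claim_expires": now + CLAIM_TTL_SECONDS,
            "attempts": 0,
            "claimed": False,
        }

    def claim(self, username, presented, new_password, now=None):
        """User proves identity against the stored attributes, then sets a password."""
        now = time.time() if now is None else now
        rec = self.accounts.get(username)
        if rec is None or rec["claimed"]:
            return "denied"
        if now > rec["claim_expires"]:
            return "expired"
        if rec["attempts"] >= MAX_ATTEMPTS:
            return "locked"
        rec["attempts"] += 1
        # Evaluate every attribute (no short-circuit) in constant time, so a wrong
        # value does not reveal which attribute was wrong through timing.
        checks = [
            hmac.compare_digest(str(rec["attrs"][k]).encode(), str(presented.get(k, "")).encode())
            for k in rec["attrs"]
        ]
        if not all(checks):
            return "denied"
        rec["password"] = hash_password(new_password)  # chosen by the user, seen by nobody else
        rec["claimed"] = True
        return "claimed"

    def verify_login(self, username, password):
        """Ordinary sign-in: only succeeds after the account has been claimed."""
        rec = self.accounts.get(username)
        if rec is None or rec["password"] is None:
            return False
        salt, digest = rec["password"]
        return hmac.compare_digest(hash_password(password, salt)[1], digest)


if __name__ == "__main__":
    store = ClaimStore()
    t0 = 1_700_000_000  # constructed provisioning time (epoch seconds)
    store.provision("c.nguyen", {"employee_id": "E-4471", "dob": "1990-05-17"}, now=t0)
    print(store.verify_login("c.nguyen", "anything"))                        # False: unclaimed
    print(store.claim("c.nguyen", {"employee_id": "E-4471", "dob": "1990-01-01"},
                      "Wrong-Try", now=t0 + 60))                             # denied
    print(store.claim("c.nguyen", {"employee_id": "E-4471", "dob": "1990-05-17"},
                      "correct-horse-battery-9", now=t0 + 3600))             # claimed
    print(store.verify_login("c.nguyen", "correct-horse-battery-9"))         # True
```

Two things a production version would add: the same response for unknown and known usernames (the early "denied" above would otherwise let someone enumerate provisioned accounts), and a second channel for the claim, such as a link sent to the sponsor-verified contact address, so that knowing a contractor’s employee ID and date of birth alone is not sufficient.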
Finally, the last key characteristic in this level, one that also depends on a more advanced level of identity lifecycle management, is that every self-service and delegation action flows through to all connected systems. Rather than users performing self-service functions only against a directory service, such as Active Directory, the change is carried through to every system and application the user is entitled to, including SaaS-based applications.
For many organizations, managing accounts for users who are not recorded in the HR system is a major challenge. Regardless of your industry, whether it be education, healthcare, government, retail, or commercial, delegated administration can be tailored to your organization to improve efficiency.
Watch our Webinar for the Full Delegated Administration Maturity Model
Delegation enhances security, increases business agility, and reduces risk across an organization. This core feature of any modern IAM solution ultimately empowers the business by putting the decision-making into the hands of the people and system managers who have the necessary context and knowledge to make informed decisions about who should have access to which resources.
By increasing the maturity of delegated administration, an organization can shift control of IT processes, such as access requests, password resets, and even enabling employees to request and manage account credentials for external contractors or consultants, to other areas of the organization—without sacrificing security or IT oversight.
The first two maturity levels look at delegated administration as a way for internal business users to help manage contingent users. Next, we will explore Level 3, Adaptive, and Level 4, Intelligent, where application owners have the capability to manage role definitions and memberships around granting access to those applications.
For the full maturity model, make sure to watch Identity Automation's on-demand webinar: Advancing Your Identity Management Strategy with the IAM Maturity Model, Part 4 - Delegated Administration. In this webinar, our Founder, Troy Moreland, discusses the progression from basic delegation tasks, all the way to an intelligent strategy that maximizes your organization’s investment in IAM.