Recently, we discussed delegated administration, a robust tenet of modern Identity and Access Management (IAM). Essentially, delegated administration gives organizations the ability to reassign control of identity management activities from the IT team directly to non-IT employees, without elevating their privileges to administrators or other types of privileged accounts. Furthermore, delegated administration enables employees to securely request access and manage account credentials for external contractors or consultants.
When planning any comprehensive IAM strategy, delegated administration should be an important factor to consider, as it has a direct positive impact on your end users, IT department, and organization as a whole.
In part one of this blog, we introduced the four-part Delegated Administration Maturity Model and discussed its first two levels. As a refresher, in Level 1 administrators have the ability to securely perform self-service capabilities, such as password resets. In Level 2, an organization expands on this initial offering of self-service capabilities by providing tools that empower business users to perform lifecycle management of sponsored accounts for external users.
Now, let’s dive into the capabilities and characteristics of Levels 3 and 4, where we will explore how an organization can use delegated administration to continue to empower business users, as well as application owners.
Level 3: Distributed and Fine-Grained Delegation
Level 3 of the Delegated Administration Maturity Model comprises two main capabilities. First, end users are empowered to help their peers based on birthright relationships (a user’s attributes or roles), such as a department, project, or class. Essentially, this allows business users to be a second line of support.
An example of this can be seen in any business organization between a manager and direct report. Let’s say an employee reset his or her password right before going on vacation, and upon returning to the office is drawing a blank. With delegated administration, the employee can just stop by their manager’s office and ask for a password reset, rather than calling the help desk and waiting for a resolution.
The second capability of Level 3 speaks to empowering your application owners, the staff who are responsible for particular applications, by giving them the tools to manage access to the applications they own. Specifically, at Level 3 access is centralized, so application owners can manage role definitions and memberships around granting access to their applications. By allowing application owners to be in control of creating and removing roles, as well as the rules for membership into these roles, application owners and end users alike benefit.
Delegated administration also enables end users to request access directly from the application owner, rather than having the request queued up and handled by IT through a ticketing system.
It’s also important to note that organizations in Level 3 support fine-grained delegation policies that grant certain users specific actions they can perform on target users. These policies could be based on birthright relationships, or they could be based on exceptional access, meaning the user requested an entitlement that gives them this delegation.
Level 4: Intelligent
Level 4, Intelligent, can also be broken into two main areas. First, organizations at this level have implemented some level of governance, another tenet of the IAM maturity model, maturing their delegated administration capabilities to allow full system visibility to application owners and business owners (non-IT users who are responsible for the line of business associated with an application or system).
For example, a finance manager is the business owner of the organization’s financials system. A dashboard or report allows the business owner to not only know who has access, but how they received that access. The manager would also have the ability to approve, certify, and remove access. Furthermore, modern delegated administration tools will present this information in a way that it is appropriate for a nontechnical person, like a business manager, to consume.
The second area of Level 4 speaks to granular controls that empower end users to give others the ability to act as their proxy. By defining proxy rights as policies, authorized users and administrators can view information as another user and perform actions on their behalf. This is particularly helpful for users who are responsible for other users, such as managers or teachers, because they can view an employee’s or student’s information and perform actions as needed.
At this level, business owners can even create their own delegation policies and define the business rules. Usually, the IT group defines delegation policies that allow certain users to have delegated rights. However, Level 4 takes this to a whole new level by allowing end users to provide these policies to their peers.
By allowing individuals to define delegation policies, Level 4 extends a new level of independence and flexibility. For example, if the only user who is authorized to approve certain requests goes on vacation, the tool gives them the ability to delegate those actions to someone else while they are out of the office. Audit logs show the action that was delegated and who performed the action on behalf of another user.
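The fine-grained delegation policies described under Level 3 (birthright relationships and exceptional, entitlement-based access) and the Level 4 proxy delegation with its audit trail can be modelled in a few dozen lines. The following is an added, illustrative example written for this post; it is not code from any vendor’s product. All users, departments, entitlement names, policy names and dates are constructed, and the policy schema (relationship, entitlement, grantor/grantee/expires) is a hypothetical design chosen to show the ideas, not a real product’s format.

```python
"""Toy delegation-policy evaluator (hypothetical design, not a product's API).

Decides whether one user may perform an action on another user, based on
  - birthright relationships (manager_of, same_department),
  - exceptional access (an entitlement the actor requested and was granted),
  - Level 4 proxy delegation (a user temporarily hands their own rights to a peer),
and writes an audit record naming who acted and on whose behalf.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass
class User:
    uid: str
    department: str
    manager: Optional[str] = None                    # uid of this user's manager
    entitlements: Set[str] = field(default_factory=set)  # granted via access requests


@dataclass(frozen=True)
class Policy:
    name: str
    actions: FrozenSet[str]                 # actions permitted on the target user
    relationship: Optional[str] = None      # birthright: "manager_of" | "same_department"
    entitlement: Optional[str] = None       # exceptional access: entitlement the actor must hold
    grantor: Optional[str] = None           # Level 4 proxy: user who delegated their rights ...
    grantee: Optional[str] = None           # ... to this user ...
    expires: Optional[date] = None          # ... until this date (inclusive)


@dataclass
class Decision:
    allowed: bool
    policy: Optional[str] = None
    on_behalf_of: Optional[str] = None


def birthright_holds(relationship: str, actor: User, target: User) -> bool:
    if relationship == "manager_of":
        return target.manager == actor.uid
    if relationship == "same_department":
        return actor.department == target.department and actor.uid != target.uid
    return False


def policy_matches(p: Policy, actor: User, target: User) -> bool:
    """Every constraint the policy states must hold; a policy with no constraint matches nobody."""
    if p.relationship and not birthright_holds(p.relationship, actor, target):
        return False
    if p.entitlement and p.entitlement not in actor.entitlements:
        return False
    return p.relationship is not None or p.entitlement is not None


def authorize(actor: User, target: User, action: str, policies: List[Policy],
              users: Dict[str, User], today: date) -> Decision:
    # 1. The actor's own rights: birthright relationships and entitlement-based exceptions.
    for p in policies:
        if p.grantor is None and action in p.actions and policy_matches(p, actor, target):
            return Decision(True, p.name)
    # 2. Level 4 proxy: rights another user delegated to this actor, bounded by an expiry.
    for p in policies:
        if p.grantor is None or p.grantee != actor.uid or action not in p.actions:
            continue
        if p.expires is not None and today > p.expires:
            continue  # out-of-office delegation has lapsed
        grantor = users[p.grantor]
        own_rights_only = [q for q in policies if q.grantor is None]  # no chained delegation
        if authorize(grantor, target, action, own_rights_only, users, today).allowed:
            return Decision(True, p.name, on_behalf_of=grantor.uid)
    return Decision(False)  # deny by default


def perform(actor_uid: str, target_uid: str, action: str, policies: List[Policy],
            users: Dict[str, User], today: date, audit: List[dict]) -> dict:
    """Evaluate the request and append an audit record (allowed or not) to the log."""
    d = authorize(users[actor_uid], users[target_uid], action, policies, users, today)
    entry = {"when": today.isoformat(), "actor": actor_uid, "target": target_uid,
             "action": action, "allowed": d.allowed, "policy": d.policy,
             "on_behalf_of": d.on_behalf_of}
    audit.append(entry)
    return entry


# Constructed sample directory and policies (not real identities or entitlement names).
USERS: Dict[str, User] = {
    "alice": User("alice", "finance", entitlements={"finance-approver"}),
    "bob":   User("bob", "finance", manager="alice"),
    "dave":  User("dave", "finance", manager="alice"),
    "carol": User("carol", "hr", entitlements={"helpdesk-tier2"}),
}
POLICIES: List[Policy] = [
    Policy("manager-reset", frozenset({"reset_password", "unlock_account"}), relationship="manager_of"),
    Policy("peer-unlock", frozenset({"unlock_account"}), relationship="same_department"),
    Policy("tier2-reset", frozenset({"reset_password"}), entitlement="helpdesk-tier2"),
    Policy("approver", frozenset({"approve_access"}), entitlement="finance-approver"),
    # Level 4: alice delegates her approval rights to dave while out of office.
    Policy("alice-ooo", frozenset({"approve_access"}), grantor="alice", grantee="dave",
           expires=date(2024, 7, 14)),
]


def demo() -> List[dict]:
    audit: List[dict] = []
    perform("alice", "bob", "reset_password", POLICIES, USERS, date(2024, 7, 5), audit)
    perform("bob", "alice", "reset_password", POLICIES, USERS, date(2024, 7, 5), audit)
    perform("dave", "bob", "approve_access", POLICIES, USERS, date(2024, 7, 5), audit)
    return audit


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Three design choices carry the security points the post makes: the evaluator denies by default, so a user with no matching relationship or entitlement gets nothing; a delegated right is only as broad as what the grantor could do themselves and cannot be re-delegated in a chain; and every evaluation, allowed or denied, lands in the audit log with the on_behalf_of field filled in when a proxy policy was used, which is what lets a reviewer later see who acted for whom.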
At Level 4, an organization is running at maximum efficiency, and help desk calls are dramatically reduced. End user relationships with IT have shifted from "necessary evil" to a genuine partnership.
Gain Expert Insight with our Delegation Maturity Model Webinar
Delegated administration is a tenet of IAM that enables business users to perform basic IT functions in a secure and guided fashion, allowing for more flexibility and control. Delegation maturity can progress from giving an individual self-service capabilities, to enabling them to own an application and determine who has access, all the way to empowering them to write the rules for that application or system.
Looking for best practices and actionable insight into how to take your delegation strategy to the next level? Make sure to watch our on-demand webinar: Advancing Your Identity Management Strategy with the IAM Maturity Model, Part 4 - Delegated Administration. In this webinar, our Founder, Troy Moreland, discusses the progression from basic delegation tasks all the way to an intelligent strategy that maximizes your organization’s investment in IAM.