Delegated Administration of User Accounts, Part 1


One of the most powerful features of any modern Identity and Access Management (IAM) system is delegated administration and management of users. With delegated administration, organizations can reassign control of identity management activities, such as new account creation, role and group assignment, and access requests, from the IT team to non-IT employees, such as business managers.

At its core, delegation is all about empowering the business by shifting technical controls away from the classic IT department and into the hands of an organization’s business owners.

This shift takes IT staff out of the business of identity management and puts control firmly into the hands of those best suited to make such decisions. After all, who knows better than the business manager or specific system owner about which employee or contractor needs what level of access and for how long? And as a result, IT staff are freed up to focus on more strategic initiatives that move the organization forward.

In part one of our three part delegation series, we’ll cover the basics of delegation—what it is, how it works, and other key functionality.

How Does Delegated Administration Work?

Delegation is a simple concept: identity management administrators give authorized individuals or groups of users (usually outside of IT) the ability to view another user's identity data and take a defined set of actions on that user's account.

Each delegation enables a specific set of actions that can be taken on another user or group of user accounts, such as editing a profile, resetting TOTP keys, or enabling/disabling an account. A more advanced type of action would be delegating the ability to approve and/or deny access requests made by other users.

Other Notable Points About Delegation

While various IAM systems all handle delegations a bit differently, here are some key points about how delegations work with our solution, RapidIdentity.

For starters, delegation owners see only the delegations that have been assigned to them, keeping the interface clean and simple. Additionally, each delegation determines which attributes of an associated user are visible to the delegation owner and which of those are editable; an attribute the delegation does not expose is neither shown nor changeable.

Delegations can be assigned statically or configured to change dynamically based on an individual's role within the organization. So, as an individual moves and changes roles within the organization, he or she automatically receives new delegation entitlements and has current ones removed, without anyone having to remember to go into the system and make such updates. The idea here is that dynamic assignment covers the majority of use cases, and static assignment is used as needed to manage exceptions.

Delegations also enable extremely granular levels of control. Every delegation action is granted individually, and each delegation must name the specific actions it allows; nothing is granted by default. As a result, a delegation confers only the actions it explicitly lists, which keeps delegated privilege close to least privilege and makes the grants easier to review for compliance and governance purposes.

The Relationship Between Self-Service Requests and Delegations

Delegation and the self-service features of an IAM solution have a close relationship. When most people think about self-service capabilities, tools such as “Forgot My Username,” “Forgot My Password,” or “Update my Phone Number” might come to mind.

However, another extremely important self-service feature is providing users with the ability to request additional access (entitlements) to applications or systems in the organization. Depending on the entitlement or access a user requests and is granted, the user can dynamically receive new delegations.

For example, if a user requests an entitlement called "Help Desk Role," then after the request is approved the user is automatically granted a "Help Desk" delegation that gives the user the ability to reset other users' passwords.

So, not only have we provided the delegation capability for organizations to share the management responsibility, we have provided a streamlined methodology for users to gain or lose delegations as their entitlements change.
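To make the mechanics concrete, here is a small delegation engine written as an added example for this article; it is not RapidIdentity code, and every user, role, delegation name and rule in it is constructed for illustration. It shows the points made above in one place: a delegation names its actions individually, controls which attributes of a target are visible and which are editable, can be scoped (here, to the owner's department), is assigned dynamically from a role or an approved entitlement or statically as an exception, and every authorization decision is recorded.

```python
"""Toy delegation engine, constructed for illustration (not RapidIdentity's code).
Every uid, role, department, delegation and rule below is hypothetical."""
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class User:
    uid: str
    role: str
    department: str
    entitlements: frozenset = frozenset()
    attrs: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Delegation:
    name: str
    actions: frozenset          # each action is granted individually, nothing by default
    visible_attrs: frozenset    # attributes of a target the owner may read
    editable_attrs: frozenset   # subset of visible_attrs the owner may change
    same_department_only: bool  # scope: are targets limited to the owner's department?


# Hypothetical catalogue. help_desk can reset credentials but cannot edit any
# attribute or disable an account: granular grants, not blanket admin rights.
DELEGATIONS = {
    "dept_manager": Delegation(
        "dept_manager",
        actions=frozenset({"edit_profile", "enable_account", "disable_account"}),
        visible_attrs=frozenset({"displayName", "title", "phone", "enabled"}),
        editable_attrs=frozenset({"title", "phone", "enabled"}),
        same_department_only=True),
    "help_desk": Delegation(
        "help_desk",
        actions=frozenset({"reset_password", "reset_totp"}),
        visible_attrs=frozenset({"displayName", "phone", "enabled"}),
        editable_attrs=frozenset(),
        same_department_only=False),
}

# Dynamic assignment: recomputed from the user's current role and entitlements
# on every check, so a role change adds or removes delegations by itself.
ROLE_RULES = {"manager": {"dept_manager"}}
ENTITLEMENT_RULES = {"Help Desk Role": {"help_desk"}}
# Static assignment: explicit exceptions, maintained by hand.
STATIC_ASSIGNMENTS = {"carol": {"help_desk"}}

AUDIT_LOG: list[dict] = []  # one record per decision, allowed or denied


def delegations_for(user: User) -> set[str]:
    names = set(ROLE_RULES.get(user.role, set()))
    for ent in user.entitlements:
        names |= ENTITLEMENT_RULES.get(ent, set())
    names |= STATIC_ASSIGNMENTS.get(user.uid, set())
    return names


def _active(owner: User, target: User) -> list[Delegation]:
    """Delegations the owner holds right now whose scope covers the target."""
    if owner.uid == target.uid:
        return []  # acting on yourself is self-service, not delegation
    return [DELEGATIONS[n] for n in sorted(delegations_for(owner))
            if not DELEGATIONS[n].same_department_only
            or owner.department == target.department]


def authorize(owner: User, target: User, action: str) -> bool:
    """Allow iff some active delegation grants `action`; always write an audit record."""
    via = [d.name for d in _active(owner, target) if action in d.actions]
    AUDIT_LOG.append({"actor": owner.uid, "target": target.uid,
                      "action": action, "allowed": bool(via), "via": via})
    return bool(via)


def visible_profile(owner: User, target: User) -> dict:
    """Only attributes exposed by an active delegation; everything else stays hidden."""
    allowed = set().union(*(d.visible_attrs for d in _active(owner, target)))
    return {k: v for k, v in target.attrs.items() if k in allowed}


def can_edit(owner: User, target: User, attr: str) -> bool:
    return any(attr in d.editable_attrs for d in _active(owner, target))


def demo() -> dict:
    AUDIT_LOG.clear()
    alice = User("alice", "manager", "finance")
    bob = User("bob", "analyst", "finance",
               attrs={"displayName": "Bob", "title": "Analyst", "phone": "555-0100",
                      "enabled": True, "homeAddress": "1 Main St"})
    dave = User("dave", "engineer", "engineering", attrs={"displayName": "Dave"})
    carol = User("carol", "analyst", "finance")
    # Bob's "Help Desk Role" request was approved: the entitlement alone yields
    # the help_desk delegation; nobody edits Bob's delegations by hand.
    bob_hd = replace(bob, entitlements=frozenset({"Help Desk Role"}))
    return {
        "alice_can_disable_bob": authorize(alice, bob, "disable_account"),
        "alice_can_disable_dave": authorize(alice, dave, "disable_account"),  # out of scope
        "alice_can_reset_bob_pw": authorize(alice, bob, "reset_password"),    # not granted
        "alice_sees_on_bob": sorted(visible_profile(alice, bob)),            # no homeAddress
        "alice_can_edit_bob_title": can_edit(alice, bob, "title"),
        "alice_can_edit_bob_name": can_edit(alice, bob, "displayName"),
        "bob_before": sorted(delegations_for(bob)),
        "bob_after": sorted(delegations_for(bob_hd)),
        "bob_hd_can_reset_dave_pw": authorize(bob_hd, dave, "reset_password"),
        "bob_hd_can_disable_dave": authorize(bob_hd, dave, "disable_account"),
        "carol_static": sorted(delegations_for(carol)),
        "audit_entries": len(AUDIT_LOG),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points worth noting. Delegations are recomputed from the owner's current role and entitlements at the moment of each check, rather than copied onto the account when the role was granted, which is what makes the dynamic behaviour described above work without cleanup jobs. And the audit record is written for denied attempts as well as allowed ones, since a delegation owner probing for actions they do not hold is exactly what IT wants to see.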

Delegating the Ability to Approve Entitlements

With some modern IAM solutions, like RapidIdentity, organizations can delegate the ability to approve and deny access/entitlement requests to certain individuals, such as a business system owner. This eliminates the need for all requests for access to be routed to and approved by IT.

Instead, a user simply requests access to a specific application via workflow, and then the relevant business system owner has the delegated ability to approve or deny that request without IT involvement. And for situations where a request might require multiple approvals, these entitlement requests can be chained together, with everything managed using delegations.

Delegation and Compliance

A critical aspect of all the delegation capabilities we have discussed centers around auditing. Every action a user takes within modern IAM solutions, such as RapidIdentity, is audited. So, even though administration capabilities may have been delegated to individuals outside of the IT department, IT still has complete visibility into what was done, by whom, and to whom. That matters because delegated actions such as password and TOTP resets are powerful enough to take over an account, so the audit trail, together with knowing who currently holds which delegations, is what keeps delegation safe to use.

The audit capabilities of modern IAM solutions give organizations a rich audit trail that shows everything that has been done to or by a user within an organization. A detailed audit record shows when a user submits a forgot password request, when a business owner resets the password, when a user requests access to an application or specific role, and when that request was approved or denied.

Such a record is what allows organizations to meet audit requirements and demonstrate compliance.

Empowering the Business

And there you have it, the basics of delegation: what it is, how it works, and ultimately, how it empowers the business by shifting technical controls into the hands of an organization's business owners. As you can see, delegated administration is a core feature of full identity lifecycle management and what allows organizations to streamline and automate their business processes.

In part 2 of our series on delegated administration, we’ll take a look at the flexibility and granularity of delegations with some common delegation examples.
