In part 1 of our delegated administration blog series, we discussed how delegation is an Identity and Access Management (IAM) system feature that gives authorized individuals or groups of users the ability to view another user’s data and take some form of action on that user's account.
A common example of delegation is giving help desk staff the ability to change and reset passwords for all users or a specific group of users, so they can help anyone who has trouble logging into company systems and applications.
However, delegation is much more powerful than just enabling a few people to reset other users’ passwords.
To get a better understanding of how delegation works, let’s look at some types of delegation within our IAM solution, RapidIdentity, that enable administrators to delegate identity management tasks to end-users, team managers, and support personnel.
In a recent post, we discussed how data was the lifeblood of an IAM system. By enabling My Profile delegation, organizations immediately start improving their data quality.
With My Profile delegation, administrators grant users the ability to view and correct their own identity data, such as Name, Department, Location, Title, Email, Phone, Roles, and/or Entitlements. This allows users to correct potential issues or incorrect data.
When users are unable to view their account data, any discrepancies or malformed data will persist. This can result in granting the wrong access or incorrectly denying access rights, which in turn leads to user downtime and diminished productivity.
My Profile delegation also provides users with self-service capabilities to change passwords and challenge questions, as well as the ability to update their profile data.
These types of self-service capabilities not only reduce the help desk burden, but can also lead to significant soft cost savings. For instance, Lone Star College, the third-largest higher education system in the US, saw a 50 percent drop in help desk calls that represented a soft cost savings of more than $400,000 per year after implementing our IAM solution RapidIdentity and its end-user self-service functionality.
Manage My Team
Manage My Team delegations give a specific team lead the ability to take certain actions on users within that department or project. As such, team leads can see authorized data attributes about users and then take the authorized actions on those accounts. This delegation can be given for a small team or even expanded to the entire organization.
An example of a variation of this would be members of a support team getting a delegation called Manage Staff where they can see and take authorized actions on all users across the organization.
The Whitepages delegation is simply a replacement for the organization/company directory that often already exists at an organization. Instead of someone within the organization having to manage a spreadsheet and manually update and print it whenever employees join, leave, or change roles within the organization, Whitepages dynamically updates from the user profile, which is driven by authoritative source data, like an ERP, SIS, or other CRM system—instantly providing updated and accurate data that can easily be seen and accessed.
And for those that still need a hard copy, the ability for users to export and print is just a checkbox away.
You can also have more than one whitepage and specify who can see a whitepage delegation and what user data is visible in each one. Whitepage delegations can be open to the entire organization or limited to specific groups, departments, or divisions.
This flexibility and granularity is important because the attributes of another user that someone is authorized to see may vary. For example, employees at the manager level or below might be limited to seeing only the name, email, and office phone number of other users, while Directors, VPs, and C-Level members are allowed to see additional attributes, like cell phone number, home address, and start date.
Auditor delegation gives certain individuals inside an organization read-only/view access to user accounts. Moreover, specific user attributes can be individually selected, enabling fine-grained access to data that prevents delegation owners from viewing any data they should not see.
This type of delegation is very useful for checking data consistency, for use by support team members, and for general compliance/audit use cases.
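The tiered Whitepages visibility and the read-only Auditor delegation described above can be modeled as a deny-by-default attribute filter. This is an added illustration, not RapidIdentity's configuration format or API; the group names, attribute keys, action name, and sample account are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Delegation:
    name: str
    delegates: frozenset      # groups that hold the delegation
    targets: frozenset        # groups whose accounts it covers
    visible: frozenset        # attributes the delegate may read
    actions: frozenset = frozenset()  # empty set means read-only

BASIC = frozenset({"name", "email", "office_phone"})
# Constructed policy following the tiers described in the post (hypothetical names).
DELEGATIONS = [
    Delegation("whitepages-staff", frozenset({"employees"}), frozenset({"employees"}), BASIC),
    Delegation("whitepages-exec", frozenset({"directors"}), frozenset({"employees"}),
               BASIC | {"cell_phone", "home_address", "start_date"}),
    Delegation("auditor", frozenset({"auditors"}), frozenset({"employees"}),
               frozenset({"name", "department", "title"})),
    Delegation("manage-staff", frozenset({"helpdesk"}), frozenset({"employees"}),
               BASIC, frozenset({"reset_password"})),
]

def applicable(viewer_groups, target_groups):
    """Delegations whose delegate and target scopes both match."""
    return [d for d in DELEGATIONS
            if d.delegates & viewer_groups and d.targets & target_groups]

def visible_profile(viewer_groups, target):
    """Return only attributes some applicable delegation grants (deny by default)."""
    allowed = set()
    for d in applicable(viewer_groups, target["groups"]):
        allowed |= d.visible
    return {k: v for k, v in target["attrs"].items() if k in allowed}

def can_perform(viewer_groups, target, action):
    """An action is allowed only if an applicable delegation lists it."""
    return any(action in d.actions for d in applicable(viewer_groups, target["groups"]))

# Constructed sample account.
ALICE = {"groups": {"employees"}, "attrs": {
    "name": "Alice Example", "email": "alice@example.org", "office_phone": "x1001",
    "cell_phone": "555-0100", "home_address": "1 Example St", "start_date": "2020-01-06",
    "department": "Finance", "title": "Analyst"}}

if __name__ == "__main__":
    for groups in ({"employees"}, {"employees", "directors"}, {"auditors"}, {"helpdesk"}):
        print(sorted(groups), sorted(visible_profile(groups, ALICE)),
              can_perform(groups, ALICE, "reset_password"))
```

A viewer who holds no matching delegation gets an empty profile, and the auditor delegation grants no actions because its action set is empty.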
The Flexibility & Granularity of Delegations
And there you have it: these are just a few delegation examples we frequently see in IAM implementations. It’s important to note that while these examples are common, they aren’t required and can be configured to align with your organization’s own policies and needs. The granularity and flexibility of delegation is second to none and the benefits can be virtually limitless.
Stay tuned for part 3 of our delegation blog series where we’ll dig deeper into the delegation model for IAM and how it enables an organization to maximize the value of its IAM investment, while embracing security.