
User communities

Enterprises manage identity data about two broad kinds of users:

  • Insiders: including employees and contractors.

    Insiders spend most of their working hours engaged with the enterprise. They often access multiple internal systems and their identity profiles are relatively complex.

  • Outsiders: including customers, partners and vendors.

    There can be many more outsiders than insiders. Outsiders generally access only a few systems (e.g., CRM, e-Commerce, retirement benefits, etc.) and access these systems infrequently. Identity profiles of outsiders tend to be less detailed and less accurate than those of insiders.

The difference between insiders and outsiders, and how it impacts identity and access management, can be illustrated by an example:

Consider a bank, with 15,000 employees, 5,000 contractors and 500,000 customers. Insiders at the bank are the 20,000 employees and contractors.

Insiders log into a network operating system, corporate Intranet, line-of-business applications, corporate mainframe, e-mail systems and Internet gateway. Their identity profiles include data relating to their employment and their many login IDs to internal systems. Insiders use their access -- login IDs, passwords and entitlements -- many times each day.

Outsiders are primarily current and prospective bank customers. They typically have just one identifier (a customer or account number). Their profiles consist mostly of contact information, such as a mailing address, telephone number or e-mail address. Outsiders use their login IDs only occasionally.

Enterprise IAM means IAM systems managing the identities, credentials and entitlements of insiders in medium to large organizations. Business-to-business (B2B) or business-to-consumer (B2C) IAM systems manage, on behalf of an enterprise, the same kinds of data but about customers or partners. In practice, the technical and business process requirements of enterprise and B2B/B2C IAM systems are quite different.

Enterprise Identity and access management (IAM) presents different challenges than identity and access management in Extranet (B2C or B2B) scenarios:

Characteristic | Enterprise IAM (typical) | Consumer IAM (typical)
---------------|--------------------------|-----------------------
Number of users | under 1 million | over 1 million
Number of systems and directories | 2 -- 10,000 | 1 -- 2
Users defined before the IAM system is deployed | | Frequently only new users
ID mapping | Existing accounts may have different IDs on different systems. | Single, consistent ID per user.
Data quality | Orphan and dormant accounts are common. Data inconsistencies between systems. | Single or few objects per user. Consistent data. Dormant accounts are often a problem.
User diversity | Many users have unique requirements. | Users fit into just a few categories.

In short, Enterprise IAM has fewer but more complex users. Consumer IAM has more users and higher transaction rates, but less complexity.
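The ID mapping and data quality rows above are where enterprise IAM deployments usually spend their first months: accounts exported from several systems must be correlated with an authoritative identity record before orphan and dormant accounts can even be counted. The following Python script is an added example, not code from the original page or from any IAM product, showing one way to do that reconciliation. The HR feed, the account exports, the ID conventions of the three systems (employee-ID attribute, e-mail as login, truncated mainframe IDs) and the 90-day dormancy threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: not from the original page and not a real bank.
TODAY = date(2024, 3, 1)
DORMANT_AFTER = timedelta(days=90)

# Authoritative identity data for insiders, e.g. an HR feed.
HR_FEED = [
    {"emp_id": "E1001", "first": "Jane", "last": "Smith",
     "email": "jane.smith@bank.example", "status": "active"},
    {"emp_id": "E1002", "first": "Raj", "last": "Patel",
     "email": "raj.patel@bank.example", "status": "active"},
    {"emp_id": "E1003", "first": "Li", "last": "Wong",
     "email": "li.wong@bank.example", "status": "terminated"},
    {"emp_id": "E1004", "first": "Jason", "last": "Smithers",
     "email": "jason.smithers@bank.example", "status": "active"},
]

# Account exports from three systems, each with its own ID convention.
ACCOUNTS = [
    # Active Directory: first initial + surname, carries an employeeID attribute.
    {"system": "AD", "login": "jsmith", "emp_id": "E1001", "last_login": date(2024, 2, 28)},
    {"system": "AD", "login": "rpatel", "emp_id": "E1002", "last_login": date(2024, 2, 27)},
    {"system": "AD", "login": "lwong", "emp_id": "E1003", "last_login": date(2023, 9, 1)},
    {"system": "AD", "login": "jsmithers", "emp_id": "E1004", "last_login": date(2024, 2, 26)},
    # Mainframe (RACF): truncated 8-character IDs, no employee number at all.
    {"system": "RACF", "login": "JSMIT01", "emp_id": None, "last_login": date(2024, 2, 20)},
    {"system": "RACF", "login": "RPATE01", "emp_id": None, "last_login": date(2023, 10, 15)},
    {"system": "RACF", "login": "SYSADM02", "emp_id": None, "last_login": date(2024, 2, 1)},
    # CRM: the e-mail address is the login ID.
    {"system": "CRM", "login": "jane.smith@bank.example", "emp_id": None, "last_login": date(2024, 1, 5)},
    {"system": "CRM", "login": "bob.jones@bank.example", "emp_id": None, "last_login": date(2023, 6, 1)},
]


def login_stem(login):
    """Normalise a login ID for name matching: lower-case, e-mail local part only,
    trailing digits removed ('JSMIT01' -> 'jsmit')."""
    return login.lower().split("@")[0].rstrip("0123456789")


def name_keys(person):
    """Name-derived logins a system might have used: first initial + surname and
    its prefixes of at least four characters (to cover mainframe-style truncation)."""
    full = (person["first"][0] + person["last"]).lower()
    return {full[:k] for k in range(4, len(full) + 1)}


def build_indexes(hr_feed):
    by_emp_id = {p["emp_id"]: p for p in hr_feed}
    by_email = {p["email"].lower(): p for p in hr_feed}
    by_name = defaultdict(list)
    for p in hr_feed:
        for key in name_keys(p):
            by_name[key].append(p)
    return by_emp_id, by_email, by_name


def match_account(acct, indexes):
    """Return (person, rule) or (None, reason). Rules run from most to least
    reliable; a name stem shared by several people is reported as ambiguous."""
    by_emp_id, by_email, by_name = indexes
    if acct["emp_id"] in by_emp_id:
        return by_emp_id[acct["emp_id"]], "emp_id"
    if acct["login"].lower() in by_email:
        return by_email[acct["login"].lower()], "email"
    candidates = by_name.get(login_stem(acct["login"]), [])
    if len(candidates) == 1:
        return candidates[0], "name"
    return None, "ambiguous" if candidates else "no-match"


def reconcile(hr_feed, accounts, today=TODAY):
    """Map every account to an identity; list orphans (no owner, or owner has left),
    ambiguous matches needing manual review, and dormant accounts."""
    indexes = build_indexes(hr_feed)
    report = {"mapped": [], "orphan": [], "ambiguous": [], "dormant": []}
    for acct in accounts:
        key = (acct["system"], acct["login"])
        person, rule = match_account(acct, indexes)
        if person is None:
            report["orphan" if rule == "no-match" else "ambiguous"].append(key)
        elif person["status"] != "active":
            report["orphan"].append(key)  # owner has left but the account remains
        else:
            report["mapped"].append(key + (person["emp_id"], rule))
        # Dormancy is checked independently of whether the account has an owner.
        if today - acct["last_login"] > DORMANT_AFTER:
            report["dormant"].append(key)
    return report


if __name__ == "__main__":
    for category, rows in reconcile(HR_FEED, ACCOUNTS).items():
        print(category, rows)
```

Matching rules are tried from most to least reliable (employee-ID attribute, then e-mail, then a name-derived login stem), and a stem that fits more than one person, such as the mainframe ID that could belong to either Smith or Smithers, is reported as ambiguous rather than silently mapped; in practice that is the list that goes to manual review. Dormancy is evaluated separately from ownership, so a terminated owner's still-active account appears in both the orphan and the dormant lists.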

Data that must be managed

Just as there are different user communities whose identities, credentials and entitlements must be managed, there are also different types of data to manage:

  • Identity data

    This includes names, contact information and demographic data such as gender or date of birth.

  • Legal and contractual information

    This includes information about the legal relationship between the enterprise and the user: social security number, compensation, contract, start date, termination date, etc.

  • Login credentials

    On most systems, these are login IDs and passwords. Other possibilities include PKI certificates, hardware devices and security questions.

  • Entitlements

    Entitlements are the access rights assigned to users. Gartner defines an entitlement as:

    An entitlement is the object in a system's security model that can be granted or associated to a user account to enable that account to perform (or in some cases prevent the performance of) some set of actions in that system. It was commonly accepted that this definition of entitlement referred to the highest-order grantable object in a system's security model, such as an Active Directory group membership or SAP role and not lower-order objects such as single-file permission setting.

    Definition by Ian Glazer, in Access Certification and Entitlement Management v1, September 9, 2009 (login required to view the Gartner document).

  • Historical data

    For audit purposes, it is helpful to track changes to all of the above -- when was the user first granted access? Who made access requests? Who approved them? What changes have occurred in the user's contact information or name? etc.
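One way to make the audit questions above answerable is to record every request, approval, grant and revocation as an event that names the actor and carries a reference to the access request it belongs to. The Python below is an added example, not code from the original page or from any product; the event records, actors, entitlement names and request references are constructed for illustration. Besides reconstructing a user's access history it runs the check an auditor typically asks for first: was every grant preceded by a request and by an approval from someone other than the requester?

```python
from collections import defaultdict

# Constructed event log (illustrative; not from the original page). ISO 8601
# timestamps are used so that string order is chronological order.
EVENTS = [
    {"ts": "2023-11-01T09:12:00", "action": "request", "actor": "jsmith",
     "user": "jsmith", "entitlement": "AD:Finance-Reporting", "ref": "REQ-101"},
    {"ts": "2023-11-01T10:05:00", "action": "approve", "actor": "mgarcia",
     "user": "jsmith", "entitlement": "AD:Finance-Reporting", "ref": "REQ-101"},
    {"ts": "2023-11-01T10:06:00", "action": "grant", "actor": "iam-system",
     "user": "jsmith", "entitlement": "AD:Finance-Reporting", "ref": "REQ-101"},
    {"ts": "2024-01-15T14:00:00", "action": "request", "actor": "rpatel",
     "user": "rpatel", "entitlement": "SAP:AP_CLERK", "ref": "REQ-142"},
    {"ts": "2024-01-15T14:01:00", "action": "approve", "actor": "rpatel",
     "user": "rpatel", "entitlement": "SAP:AP_CLERK", "ref": "REQ-142"},
    {"ts": "2024-01-15T14:02:00", "action": "grant", "actor": "iam-system",
     "user": "rpatel", "entitlement": "SAP:AP_CLERK", "ref": "REQ-142"},
    # A grant made directly on the target system, outside the request workflow.
    {"ts": "2024-02-02T08:30:00", "action": "grant", "actor": "admin7",
     "user": "lwong", "entitlement": "RACF:PAYROLL", "ref": None},
    {"ts": "2024-02-20T17:45:00", "action": "revoke", "actor": "iam-system",
     "user": "lwong", "entitlement": "RACF:PAYROLL", "ref": "TERM-2024-031"},
]


def history(events, user, entitlement):
    """Chronological record of everything that happened to one (user, entitlement)."""
    rows = [(e["ts"], e["action"], e["actor"], e["ref"])
            for e in events if e["user"] == user and e["entitlement"] == entitlement]
    return sorted(rows)


def first_granted(events, user, entitlement):
    """Timestamp of the earliest grant, or None if the user never held the entitlement."""
    grants = [e["ts"] for e in events
              if e["user"] == user and e["entitlement"] == entitlement and e["action"] == "grant"]
    return min(grants) if grants else None


def audit_grants(events):
    """Check each grant against its request workflow. Returns (user, entitlement,
    finding) for grants with no request, no approval, or a self-approval."""
    by_ref = defaultdict(dict)  # request reference -> {"request": actor, "approve": actor}
    for e in events:
        if e["ref"] is not None and e["action"] in ("request", "approve"):
            by_ref[e["ref"]][e["action"]] = e["actor"]
    findings = []
    for e in events:
        if e["action"] != "grant":
            continue
        workflow = by_ref.get(e["ref"], {})
        if "request" not in workflow:
            finding = "no-request"
        elif "approve" not in workflow:
            finding = "no-approval"
        elif workflow["approve"] == workflow["request"]:
            finding = "self-approval"
        else:
            continue  # requested, approved by someone else, then granted: fine
        findings.append((e["user"], e["entitlement"], finding))
    return findings


if __name__ == "__main__":
    print(history(EVENTS, "jsmith", "AD:Finance-Reporting"))
    print(audit_grants(EVENTS))
```

The request reference is what ties the four kinds of event together; a grant that has no reference at all (the direct RACF change above) cannot be attributed to any approval and is reported as such, and a request approved by its own requester is reported separately because it passes a naive "was it approved?" check.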

