This document explores challenges that prevent organizations
from easily automating business processes related to the movement
of people through an organization and the resulting access that should
be granted and revoked on systems and applications. It explains how
a reference implementation of an identity and access management (IAM)
system enables lower cost, lower risk process automation, as compared
to a fully custom approach.
IAM implementation patterns
IAM systems are deployed in many contexts. Among these, they may
be used to create and delete identities and to grant and revoke

- The workforce of an organization, be it a corporation
  or non-profit, government or military entity. In this case, it is
  normally the identities and security access rights (entitlements)
  of employees and contractors that are managed. This is sometimes
  called the "business to employee" or B2E pattern, or the corporate

- The partners of an organization, i.e., users who work
  for organizations that are affiliated with the one hosting an
  IAM system. Such IAM systems typically support some sort of a
  partner portal. This is also called the "business to business"
  or B2B pattern.

- The customers of an organization, whether they are
  retail customers of a commercial entity, or citizens interacting
  with a government, or patients interacting with a healthcare
  provider. This is also called the "business to consumer"
  or B2C pattern, and it also applies to "e-Health" and "e-Government."

- Faculty, students, staff and alumni of an institution of higher
  learning. This is also called the "EDU" pattern.

- Employees, doctors and other caregivers and clinicians in a single
  hospital or group of affiliated hospitals. This is also called the
The patterns described above are called out because there is often
a great deal of commonality between the requirements of different
IAM deployments within the same pattern. On the other hand, business
processes, required controls and typical integrations differ greatly
from one pattern to another.