This document introduces best practices for managing users, identity
attributes and entitlements in a typical Extranet Partner / B2B
The focus is on organizations who wish to manage a portal that will
be accessed by large numbers of users, each of whom is affiliated
with a partner of the hosting organization.
There may be thousands of partner organizations and
hundreds of thousands of users.
Each portal user is affiliated with exactly one partner organization.
The relationship between the hosting organization and each of
its partners is presumably established out of band, before any of
a partner's users are on-boarded.
Partner users are likely to be infrequent users of the portal.
Partners cannot be counted on to reliably or promptly
deactivate the access of their own users to the portal.
It is desirable to enable each partner to manage their own user population
on the portal.
A central support team should be able to assist with
onboarding, deactivation, login problems, password resets, etc. where
the partner's support team cannot or will not.
The variety and complexity of the security entitlements assigned to
each partner user, and of the change management processes around them,
are significantly lower than for the hosting organization's internal users.
The relationships between organizations and users are shown
in Figure [link]
Relationships between organizations and their users
The objective of this document is to present best practices for what
information to capture about users in a typical partner portal
and for the business processes used to manage this information.
Organizations that are able to adopt best-practice processes will
benefit both from streamlined change management and from a reduced
total cost of automating those processes on an identity
and access management (IAM) platform.
Please note that this document is designed to help organizations design
the system by which users are added to, managed in and removed from
their partner portal. The scope of this document does not
extend to runtime authentication or authorization of users into
applications: that is the domain of runtime access control rather than
of the identity lifecycle management processes covered here.