This document introduces best practices for managing users, identity
attributes and entitlements in a typical Extranet Partner / B2B portal.
The focus is on organizations that wish to manage a portal that will
be accessed by large numbers of users, each of whom is affiliated
with a partner of the hosting organization.
There may be thousands of partner organizations and
hundreds of thousands of users.
Each portal user is affiliated with exactly one partner organization.
The relationship between the hosting organization and each of
its partners is presumably established out of band, before any of
a partner's users are on-boarded.
Partner users are likely to be infrequent users of the portal.
Partners cannot be counted on to reliably or promptly
deactivate the access of their own users to the portal.
It is desirable to enable each partner to manage their own user population
on the portal.
A central support team should be able to assist with
onboarding, deactivation, login problems, password resets, etc. where
the partner's support team cannot or will not.
The variety and complexity of the security entitlements assigned to
each partner user, and of the associated change management processes,
are significantly lower than for internal users of the hosting organization.
The relationships between organizations and users are shown
in Figure [link]
Relationships between organizations and their users
The objective of this document is to present best practices for what
information to capture about users in a typical partner portal
and for the business processes used to manage this information.
Organizations that adopt these best-practice processes will
benefit both from more efficient change management and from a lower
total cost of automating those processes on an identity
and access management (IAM) platform.
Please note that this document is designed to help organizations design
the system by which users are added to, managed in and removed from
their partner portal. The scope of this document does not
extend to runtime authentication or authorization of users into
applications; that falls under runtime access control rather than the
identity administration processes covered here.
In this document, we will refer to two types of organizations and
five user roles:
A single hosting organization, which owns and operates a partner portal.
Multiple partner organizations, each of which has a business
relationship with the hosting organization.
A partner user -- these are the most numerous. The main
purpose of the system is to manage the identities, access rights
and login credentials of these users.
A partner administrator -- there should be at least one of these
associated with each partner organization. The idea is to
delegate the administration of partner users to partner administrators.
An account manager -- there should be at least one of these
per partner organization. This is an employee or contractor of
the hosting organization who has some responsibility for the
relationship between the hosting organization and the partner
organization. A single account manager may be
responsible for multiple partner organizations and multiple
account managers may be linked to the same partner organization.
Technical support -- these users work for the hosting
organization and are responsible for maintaining the list of
valid partners and for associating account managers with partners.
These users can directly manage partner users, but should only
rarely need to, when a partner administrator cannot or will not.
Product administrator -- from one to a few people responsible
for installing, configuring, troubleshooting and upgrading
the identity and access management system itself. Their
responsibility is to manage the infrastructure and business
processes, rather than to assist individual users.
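The organization and role model above can be made concrete as a small directory that enforces its own rules: each partner user or partner administrator belongs to exactly one partner, account managers are linked many-to-many to partners by technical support, partner administrators may only manage users of their own partner, and central support can step in for any partner. The following is an added example written for this page, not code from the original document or from any product it describes; the class names, the sample partners "acme" and "globex", and the rule that hosting-organization staff accounts are created by technical support are all assumptions made for illustration.

```python
"""Added example: a minimal partner-portal identity directory that enforces
the relationship rules described in the text. All names are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Role(Enum):
    PARTNER_USER = "partner user"
    PARTNER_ADMIN = "partner administrator"
    ACCOUNT_MANAGER = "account manager"
    TECH_SUPPORT = "technical support"
    PRODUCT_ADMIN = "product administrator"


@dataclass
class Partner:
    partner_id: str
    name: str


@dataclass
class User:
    user_id: str
    role: Role
    partner_id: Optional[str] = None              # exactly one partner for partner users/admins
    managed_partners: Set[str] = field(default_factory=set)  # account managers only (many-to-many)
    active: bool = True


class PartnerDirectory:
    """Partner list and user population for one hosting organization."""

    def __init__(self) -> None:
        self.partners: Dict[str, Partner] = {}
        self.users: Dict[str, User] = {}

    def can_manage(self, actor: User, partner_id: str) -> bool:
        """Delegated administration: partner admins manage only their own partner's
        users; central technical support may manage any partner as a fallback."""
        if not actor.active:
            return False
        if actor.role == Role.TECH_SUPPORT:
            return True
        if actor.role == Role.PARTNER_ADMIN:
            return actor.partner_id == partner_id
        return False  # account managers, product admins and plain users get no user admin rights

    def add_partner(self, actor: User, partner: Partner) -> None:
        if actor.role != Role.TECH_SUPPORT or not actor.active:
            raise PermissionError("only technical support maintains the list of valid partners")
        self.partners[partner.partner_id] = partner

    def link_account_manager(self, actor: User, manager_id: str, partner_id: str) -> None:
        if actor.role != Role.TECH_SUPPORT or not actor.active:
            raise PermissionError("only technical support associates account managers with partners")
        manager = self.users[manager_id]
        if manager.role != Role.ACCOUNT_MANAGER or partner_id not in self.partners:
            raise ValueError("target must be an account manager and the partner must exist")
        manager.managed_partners.add(partner_id)  # one manager, many partners; one partner, many managers

    def add_user(self, actor: User, user: User) -> None:
        if user.role in (Role.PARTNER_USER, Role.PARTNER_ADMIN):
            if user.partner_id not in self.partners:
                raise ValueError("partner users must belong to exactly one known partner")
            if not self.can_manage(actor, user.partner_id):
                raise PermissionError(f"{actor.user_id} may not add users to partner {user.partner_id}")
        elif actor.role != Role.TECH_SUPPORT:
            # Assumption: hosting-organization staff accounts are created by technical support.
            raise PermissionError("hosting-organization staff are added by technical support")
        self.users[user.user_id] = user

    def deactivate_user(self, actor: User, user_id: str) -> None:
        """Deactivation by the partner admin, or by central support when the partner does not."""
        target = self.users[user_id]
        if target.partner_id is None or not self.can_manage(actor, target.partner_id):
            raise PermissionError(f"{actor.user_id} may not deactivate {user_id}")
        target.active = False

    def partners_without_admin(self) -> List[str]:
        """Partners that no longer have at least one active partner administrator."""
        covered = {u.partner_id for u in self.users.values()
                   if u.role == Role.PARTNER_ADMIN and u.active}
        return sorted(p for p in self.partners if p not in covered)


def demo() -> dict:
    """Constructed sample population (not real data) exercising each rule."""
    d = PartnerDirectory()
    support = User("support-1", Role.TECH_SUPPORT)
    d.users[support.user_id] = support  # seeded directly: staff provisioning is out of scope here
    d.add_partner(support, Partner("acme", "Acme Logistics"))
    d.add_partner(support, Partner("globex", "Globex Freight"))
    d.add_user(support, User("am-1", Role.ACCOUNT_MANAGER))
    d.link_account_manager(support, "am-1", "acme")
    d.link_account_manager(support, "am-1", "globex")
    acme_admin = User("acme-admin", Role.PARTNER_ADMIN, partner_id="acme")
    d.add_user(support, acme_admin)
    d.add_user(acme_admin, User("acme-u1", Role.PARTNER_USER, partner_id="acme"))
    try:  # delegation is scoped: acme's administrator cannot add globex users
        d.add_user(acme_admin, User("globex-u1", Role.PARTNER_USER, partner_id="globex"))
        cross_partner_blocked = False
    except PermissionError:
        cross_partner_blocked = True
    d.deactivate_user(support, "acme-u1")  # central support deactivates where the partner will not
    return {
        "cross_partner_blocked": cross_partner_blocked,
        "acme_u1_active": d.users["acme-u1"].active,
        "am1_partners": sorted(d.users["am-1"].managed_partners),
        "partners_without_admin": d.partners_without_admin(),
    }


if __name__ == "__main__":
    print(demo())
```

The partners_without_admin check is the one worth scheduling: because partner administrators are themselves infrequent users who leave without notice, a partner whose last administrator has been deactivated silently falls back onto the central support team, and the account manager for that partner should be told.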