This document introduces best practices for managing users, identity attributes and entitlements in a typical Extranet Partner / B2B web portal:
- The focus is on organizations that wish to manage a portal that will be accessed by large numbers of users, each of whom is affiliated with a partner of the hosting organization.
- There may be thousands of partner organizations and hundreds of thousands of users.
- Each portal user is affiliated with exactly one partner organization.
- The relationship between the hosting organization and each of its partners is presumably established out of band, before any of a partner's users are on-boarded.
- Partner users are likely to be infrequent users of the portal.
- Partners cannot be counted on to reliably or promptly deactivate the access of their own users to the portal.
- It is desirable to enable each partner to manage their own user population on the portal.
- A central support team should be able to assist with onboarding, deactivation, login problems, password resets, etc. where the partner's support team cannot or will not.
- The variety and complexity of security entitlements assigned to each partner user, and of the associated change management processes, are significantly lower than for internal users in the hosting organization.
The relationships between organizations and users are shown in Figure [link]
Relationships between organizations and their users
The objective of this document is to present best-practices for what information to capture about users in a typical partner portal and business processes for managing this information.
Organizations that are able to adopt best-practice processes will benefit both from optimized change management and from a reduced total cost of automating those processes on an identity and access management (IAM) platform.
Please note that this document is designed to help organizations design the system by which users are added to, managed in and removed from their partner portal. The scope of this document does not extend to runtime authentication or authorization of users into applications -- that falls under access control rather than identity and access management.
In this document, we will refer to two types of organizations and five user roles:
- A single hosting organization, which owns and operates a partner portal.
- Multiple partner organizations, each of which has a business relationship with the hosting organization.
- User roles:
  - A partner user -- these are the most numerous. The main purpose of the system is to manage the identities, access rights and login credentials of these users.
  - A partner administrator -- there should be at least one of these associated with each partner organization. The idea is to delegate the administration of partner users to partner administrators.
  - An account manager -- there should be at least one of these per partner organization. This is an employee or contractor of the hosting organization who has some responsibility for the relationship between the hosting organization and the partner organization. A single account manager may be responsible for multiple partner organizations, and multiple account managers may be linked to the same partner organization.
  - Technical support -- these users work for the hosting organization and are responsible for maintaining the list of valid partners and for associating account managers with partners. These users can, but should only rarely have to, directly manage partner users.
  - Product administrator -- from one to a few people responsible for installing, configuring, troubleshooting and upgrading the identity and access management system itself. Their responsibility is to manage the infrastructure and business processes, rather than to assist individual users.
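The affiliation and delegation rules above (one partner per partner-side user, partner administrators scoped to their own partner, central technical support able to step in, at least one partner administrator and one account manager per partner) can be enforced in code. The following is an added example, not part of the original document; the role names, the record layout, and the assumption that account managers and ordinary partner users administer nobody are mine.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Assumed role names and record layout (not taken from the document).
class Role(Enum):
    PARTNER_USER = "partner_user"
    PARTNER_ADMIN = "partner_admin"
    ACCOUNT_MANAGER = "account_manager"
    TECH_SUPPORT = "technical_support"

PARTNER_ROLES = {Role.PARTNER_USER, Role.PARTNER_ADMIN}

@dataclass(frozen=True)
class User:
    user_id: str
    role: Role
    partner_id: Optional[str] = None            # exactly one partner for partner-side roles
    managed_partners: frozenset = frozenset()   # account managers only; may span several partners

    def __post_init__(self):
        # Affiliation rule: partner users and partner admins belong to exactly one partner;
        # hosting-organization staff carry no partner affiliation.
        if self.role in PARTNER_ROLES and not self.partner_id:
            raise ValueError(f"{self.user_id}: partner-side role requires a partner_id")
        if self.role not in PARTNER_ROLES and self.partner_id:
            raise ValueError(f"{self.user_id}: hosting staff must not carry a partner_id")

def can_manage(actor: User, target: User) -> bool:
    """May actor onboard, deactivate or reset the password of target?"""
    if target.role not in PARTNER_ROLES:
        return False            # hosting-organization staff are managed elsewhere
    if actor.role == Role.TECH_SUPPORT:
        return True             # central support steps in where the partner cannot or will not
    if actor.role == Role.PARTNER_ADMIN:
        return actor.partner_id == target.partner_id   # delegated admin scoped to own partner
    return False                # partner users and account managers manage nobody (assumption)

def uncovered_partners(partners: set, users: list) -> dict:
    """Partners that violate the 'at least one admin' and 'at least one account manager' rules."""
    admins = {u.partner_id for u in users if u.role == Role.PARTNER_ADMIN}
    managers = set().union(*(u.managed_partners for u in users
                             if u.role == Role.ACCOUNT_MANAGER))
    return {"no_partner_admin": partners - admins,
            "no_account_manager": partners - managers}
```

Running `uncovered_partners` as a periodic report gives the technical support team a list of partners whose delegated administration has no one behind it, which is where the document's warning about partners not reliably deactivating their own users bites hardest.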