When implementing an Identity and Access Management (IAM) solution, organisations usually have a goal of centralisation. This can:
- increase the solution’s cost effectiveness by reducing the duplication of activities and infrastructure,
- reduce risks by increasing transparency and shrinking the attack surface, and
- facilitate compliance with an organisation’s corporate policies and governance.
The challenge of complexity
However, large organisations contain many business units, often operating with a degree of autonomy. They may, for example, have different management structures, business processes, and IT systems.
Business units may operate within different jurisdictions having varied regulatory requirements, making autonomy more desirable or even necessary.
This can result in a tension between the strategic goal of centralisation and the business’ day-to-day operational realities. If the organisation cannot resolve this tension, users are unlikely to be satisfied with the IAM solution. Consequently, it is critical to understand how an IAM solution can manage this.
Delegation in Able+
Often the most effective strategy is delegation. By delegating, the IT department transfers some of the responsibility of operating the IAM solution to other business units. The IT department continues to have overall responsibility and control of the solution, while enabling different parts of the business to shape it to their needs.
New Era’s IAM solution, Able+, enables organisations to delegate easily, effectively, and transparently. It achieves this with three kinds of tool:
- Places: an object class that can represent partially or fully autonomous business units
- Permission sets: highly bespoke and granular permission configurations that can be assigned to users in the context of their place(s)
- Self-service capabilities: a range of self-service tools that help users complete a wide range of common and bespoke tasks
Using places to build the organisation
Able+ has the concept of “places”, which can be thought of as distinct but related IAM systems within the organisation’s Able+ solution. Places can be managed independently of each other but can also share data and configuration. They can also be organised hierarchically, so that child places can inherit data and configuration from their parent place.
The screenshot below shows the user selecting between child places of a university. Places are powerful tools for defining and managing the organisational architecture within the solution, and delegating authority.
Using permission sets with places
In Able+ authority can be delegated using “permission sets”. They allow highly granular permissions to be granted to users, groups, and roles within the context of a place. For example, the IT team associated with a business unit could be given special privileges for managing the users and resources associated with the unit.
Any number of permission sets can be defined, and they are fully bespoke. Permission sets enable the central IT department to delegate without surrendering visibility or control. The screenshot below shows the permission set assigned to administrators of child places within this organisation.
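The two ideas above, places arranged in a hierarchy and permission sets granted to a user in the context of one place, combine into a single authorisation check: a user holds a permission at a place if some assignment at that place or at any of its ancestors grants it. The following is an added illustrative model of that check, written for this page; it is not Able+ code and does not reproduce its API or data model. The place names, permission names, user names and the two permission sets (“central-admin”, “child-place-admin”) are constructed for the example. It also shows the audit side of delegation, listing who holds a given permission at a given place, which is how a central IT team keeps visibility of what it has delegated.

```python
from dataclasses import dataclass
from typing import Iterator, Optional


@dataclass(frozen=True)
class Place:
    """A business unit. Assignments made at a place also apply to its descendants."""
    name: str
    parent: Optional["Place"] = None

    def lineage(self) -> Iterator["Place"]:
        """Yield this place, then each ancestor up to the root."""
        node: Optional[Place] = self
        while node is not None:
            yield node
            node = node.parent


@dataclass(frozen=True)
class PermissionSet:
    """A named, bespoke bundle of fine-grained permissions."""
    name: str
    permissions: frozenset


@dataclass(frozen=True)
class Assignment:
    """A permission set granted to a user in the context of one place."""
    user: str
    permission_set: PermissionSet
    place: Place


class Directory:
    """Holds assignments and answers authorisation and audit questions."""

    def __init__(self) -> None:
        self.assignments: list = []

    def assign(self, user: str, permission_set: PermissionSet, place: Place) -> None:
        self.assignments.append(Assignment(user, permission_set, place))

    def effective_permissions(self, user: str, place: Place) -> frozenset:
        """Union of every set granted to `user` at `place` or any ancestor of it."""
        granted = set()
        for scope in place.lineage():
            for a in self.assignments:
                if a.user == user and a.place == scope:
                    granted |= a.permission_set.permissions
        return frozenset(granted)

    def is_allowed(self, user: str, permission: str, place: Place) -> bool:
        return permission in self.effective_permissions(user, place)

    def who_can(self, permission: str, place: Place) -> frozenset:
        """Audit view: every user who holds `permission` at `place`."""
        users = {a.user for a in self.assignments}
        return frozenset(u for u in users if self.is_allowed(u, permission, place))


def build_sample_directory():
    """Constructed sample: a university with two faculties and one department."""
    university = Place("University")
    engineering = Place("Faculty of Engineering", university)
    computing = Place("Department of Computing", engineering)
    arts = Place("Faculty of Arts", university)

    # Hypothetical permission sets; names and permissions are assumptions for this example.
    central_admin = PermissionSet("central-admin", frozenset({
        "user:create", "user:disable", "user:reset_password",
        "group:manage", "place:configure"}))
    child_place_admin = PermissionSet("child-place-admin", frozenset({
        "user:create", "user:reset_password", "group:manage"}))

    d = Directory()
    d.assign("it.central", central_admin, university)      # central IT, granted at the root
    d.assign("eng.admin", child_place_admin, engineering)  # delegated to the faculty IT team
    d.assign("arts.admin", child_place_admin, arts)
    places = {"university": university, "engineering": engineering,
              "computing": computing, "arts": arts}
    return d, places


if __name__ == "__main__":
    d, p = build_sample_directory()
    # The engineering admin inherits down to the department but not up or sideways.
    print(d.is_allowed("eng.admin", "user:create", p["computing"]))    # True
    print(d.is_allowed("eng.admin", "user:create", p["arts"]))         # False
    print(d.is_allowed("eng.admin", "place:configure", p["engineering"]))  # False
    print(sorted(d.who_can("user:reset_password", p["computing"])))
```

The check walks up the place tree rather than down, so an assignment is evaluated once per lineage and a child place can never widen what its ancestors granted. The `who_can` audit is the complement: before delegating a permission set at a place, central IT can list exactly which users will be able to exercise each permission in every descendant place.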
Empowering users with self-service
Finally, Able+ offers a rich suite of self-service functionality that enables delegation of some tasks to end users. It includes the ability for users to manage their own data, workflows for service request and approval, group membership management, and user recertification. Self-service enables administrators to let users take control of aspects of their own identity and access management, intuitively and securely. The screenshot below shows part of the service discovery and access request workflow.
Summary
Large organisations must manage the tension between two goals: centralising IAM and meeting the varied needs of their business units and users. Often this tension can be resolved by delegating control to business units and their users. Able+ can help organisations delegate their IAM appropriately and so achieve both goals without compromising either.