However, large organisations contain many business units, often operating with a degree of autonomy. They may, for example, have different management structures, business processes, and IT systems.
Business units may operate within different jurisdictions having varied regulatory requirements, making autonomy more desirable or even necessary.
This can result in a tension between the strategic goal of centralisation and the business’ day-to-day operational realities. If the organisation cannot resolve this tension, users are unlikely to be satisfied with the IAM solution. Consequently, it is critical to understand how an IAM solution can manage this.
Often the most effective strategy is delegation. By delegating, the IT department transfers some of the responsibility of operating the IAM solution to other business units. The IT department continues to have overall responsibility and control of the solution, while enabling different parts of the business to shape it to their needs.
New Era’s IAM solution, Able+, enables organisations to delegate easily, effectively, and transparently. It achieves this with three key types of tools.
Able+ has the concept of “places”, which can be thought of as distinct but related IAM systems within the organisation’s Able+ solution. Places can be managed independently of each other but can also share data and configuration. They can also be organised hierarchically, so that child places can inherit data and configuration from their parent place.
The screenshot below shows the user selecting between child places of a university. Places are powerful tools for defining and managing the organisational architecture within the solution, and delegating authority.
In Able+ authority can be delegated using “permission sets”. They allow highly granular permissions to be granted to users, groups, and roles within the context of a place. For example, the IT team associated with a business unit could be given special privileges for managing the users and resources associated with the unit.
Any number of permission sets can be defined, and they are fully bespoke. Permission sets enable the central IT department to delegate without surrendering visibility or control. The screenshot below shows the permission set assigned to administrators of child places within this organisation.
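The two ideas above, a hierarchy of places whose configuration is inherited by child places, and permission sets whose grants are scoped to a place, can be modelled in a few dozen lines. The block below is an added illustration written for this page; it is not Able+ code and its class names (`Place`, `PermissionSet`, `Grant`, `Authorizer`) and the sample university, actions and settings are hypothetical. It shows the property that matters for delegation: a unit administrator's grant covers their own place and its descendants but not a sibling place, and central IT's grant at the root covers everything.

```python
"""Toy model of delegated IAM: hierarchical places with inherited
configuration, and permission sets granted within the scope of a place.

Added example only. Names and data are hypothetical, not Able+'s API.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Place:
    name: str
    parent: Optional["Place"] = None
    config: dict = field(default_factory=dict)  # settings defined at this place

    def ancestors_and_self(self):
        """Yield this place, then its parent, up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent

    def effective_config(self) -> dict:
        """Merge config from the root down; a child's value overrides its parent's."""
        merged: dict = {}
        for node in reversed(list(self.ancestors_and_self())):
            merged.update(node.config)
        return merged


@dataclass(frozen=True)
class PermissionSet:
    name: str
    actions: frozenset  # granular actions this set allows


@dataclass
class Grant:
    principal: str
    permission_set: PermissionSet
    place: Place  # scope: this place and all of its descendants


class Authorizer:
    def __init__(self):
        self.grants: list = []

    def grant(self, principal: str, permission_set: PermissionSet, place: Place):
        self.grants.append(Grant(principal, permission_set, place))

    def is_allowed(self, principal: str, action: str, target: Place) -> bool:
        """Allow only if some grant for this principal includes the action
        and was made at the target place or one of its ancestors."""
        for g in self.grants:
            if g.principal != principal or action not in g.permission_set.actions:
                continue
            if any(p is g.place for p in target.ancestors_and_self()):
                return True
        return False


def build_demo():
    """Constructed sample: a university root with two child places."""
    university = Place("university", config={"password_min_length": 12, "mfa_required": False})
    engineering = Place("engineering", parent=university, config={"mfa_required": True})
    law = Place("law", parent=university)

    # Hypothetical permission sets: the unit set deliberately lacks place:configure.
    unit_admin = PermissionSet("unit-admin", frozenset({"user:create", "user:disable", "group:edit"}))
    central_admin = PermissionSet(
        "central-admin", frozenset({"user:create", "user:disable", "group:edit", "place:configure"})
    )

    authz = Authorizer()
    authz.grant("central-it", central_admin, university)  # root scope covers every place
    authz.grant("eng-it", unit_admin, engineering)        # delegated to one business unit
    return authz, {"university": university, "engineering": engineering, "law": law}


def demo_decisions() -> dict:
    """Authorisation decisions and effective config for the sample above."""
    authz, places = build_demo()
    return {
        "eng_it_creates_in_engineering": authz.is_allowed("eng-it", "user:create", places["engineering"]),
        "eng_it_creates_in_law": authz.is_allowed("eng-it", "user:create", places["law"]),
        "eng_it_configures_engineering": authz.is_allowed("eng-it", "place:configure", places["engineering"]),
        "central_it_creates_in_law": authz.is_allowed("central-it", "user:create", places["law"]),
        "engineering_config": places["engineering"].effective_config(),
        "law_config": places["law"].effective_config(),
    }


if __name__ == "__main__":
    for key, value in demo_decisions().items():
        print(f"{key}: {value}")
```

The scope check walks from the target place up to the root, so a grant is honoured exactly at the place where it was made and below it. That is what keeps delegation from leaking sideways: the engineering unit's administrators get no authority in the law unit, and the actions a unit can perform are fixed centrally by the permission set rather than by the unit itself.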
Finally, Able+ offers a rich suite of self-service functionality that enables delegation to end users for some tasks. It includes the ability for users to manage their own data; workflows for service request and approval; group memberships; and user recertification. Self-service enables administrators to allow users to take control of aspects of their identity and access management, intuitively and securely. The screenshot below shows part of the service discovery and access request workflow.
Large organisations face a tension between the two goals of centralisation and meeting the varied needs of their users. Often this tension can be resolved by delegating control to business units and their users. Able+ can help organisations delegate their IAM appropriately and so achieve both goals without compromising.