Share the Load: Your Partners Can Help with External User Management

Daniel Lu, October 30, 2019

The busier people get in their personal lives, the more convenient it becomes to offload tasks like cooking, shopping, or cleaning. Similarly, the bigger an organization becomes, the more likely it is to offload the likes of cleaning services, legal obligations, and accountancy administration to third-party organizations. In today’s digital landscape, the growth of the extended enterprise—and the challenges it poses to IT—means businesses are also looking to offload the management of vendor, contractor, and partner users.

IT teams are being overwhelmed by helpdesk tickets generated by employees—both internal and external—needing credentials support. Between 20% and 50% of all helpdesk calls are for password resets, and the average cost for a single password reset is $70. These full-service password requests aren’t just costly; they also distract IT teams from the impactful and strategic work they could be doing.

The burden on IT also comes from their responsibility to manage user access to enterprise applications. Someone needs to be responsible for managing user access—and the options are for IT to either take on the onerous task completely, or offload it to business partners or outside third parties. In either case, organizations that work together need to decide how users will be managed over the course of their partnership.

In our previous posts in the Secure Access series, we talked about connecting to partner identity sources, providing secure and selective access management, automating user privileges, and validating compliance. This post will answer one final question: How do you offload user management to others?

Delegating control to partners

Organizations can delegate management of third-party users, relieving IT’s workload, by using one of the following approaches.

Self-service password reset

Providing self-service features enables vendor and partner users to manage minor account-related issues themselves. For example, empower end users to reset their own passwords when they forget them or unlock their accounts when they get locked out. This reduces the number of IT helpdesk calls that users have to make and enables IT to focus on tasks that add value to the organization.

Self-service end-user security

Enrolling in MFA, resetting MFA factors, and implementing tools like UserInsight can empower end users to stay secure and self-service their own accounts. UserInsight, for instance, sends an email to the user and enables them to validate authentication, only notifying IT if something suspicious is going on.

Delegated administration

Enterprises can also implement admin roles that offload certain areas of partner and vendor access management. For example, they can implement a helpdesk admin role that allows admins to simply reset passwords and reset account lockouts, which can be outsourced to contractors. These types of admin roles are scoped down to ensure they can only perform specific tasks.

Hub and spoke model

In a hub and spoke model, an organization has a central IdP (hub) that is controlled wholly by the IT team, with multiple other IdPs (spokes) connected to the central hub. The spokes only see and manage their own users and applications. This enables organizations to offer their third-party partners control over their users.

It’s time to streamline how we work

Just as it’s commonplace these days for people to offload the tasks they don’t have time for in their personal lives, organizations can do the same when managing user access. From self-service features to out-of-the-box admin roles, it’s simple and straightforward to keep users happy and enable IT to do what they do best—and that’s a win-win situation.

For more information about how to secure access for partner users, download our whitepaper, read about how Okta eases admin life, and watch our webinar on the extended enterprise.