This document introduces best practices for managing users, identity attributes and entitlements in a typical consumer-facing Extranet web portal:
- The focus is on organizations who wish to manage a portal that will be accessed by large numbers of "customers."
- The term customers is used in a generic sense. They could be literally customers in the sense of e-commerce, or new patients in a healthcare context, students or applicants in the context of an educational institution, citizens in the context of e-government, etc.
- There are really two deployment patterns in this context:
- One where there is a pre-existing relationship between the organization and consumers. For example, in a typical banking deployment, customers must have a bank account and probably had to visit a bank branch to open one, before web portal access makes sense.
- One where there is no pre-existing relationship between the organization and consumers. For example, college applicants or new store customers likely have no prior relationship with the organization hosting the portal.
- The relationship between the organization and its users is often weak. A customer may never return to the eCommerce web site. A patient may not get ill and visit the hospital again. An applicant may abandon a college application.
- The number of users may be quite large -- reaching into the millions.
- The amount of data about each user is often limited, both because users do not wish to volunteer much information and because there are regulatory reasons to avoid capturing much information.
- The variety and complexity of security entitlements assigned to users is very limited. Few if any roles, probably just a single user object in a single directory, one user cannot access another's profile, etc. There are almost certainly no e-mail folders, home directories, etc.
- The variety of complexity of change processes is likely very limited -- on-boarding, deactivation, password changes, password resets, perhaps profile attribute updates, perhaps out-of-band validation of attributes such as e-mail address or mobile phone number.
Best Practices for Captured Information in an Extranet Web Portal
The objective of this document is to present best-practices for what information to capture about users in a typical Extranet web portal and business practices for managing this information.
Organizations that are able to adopt best practices processes will benefit both from optimized change management and from reduced total cost associated with automating their processes on an identity and access management (IAM) platform.
Please note that this document is designed to help organizations design the system by which users are added to, managed in and removed from their Extranet (B2C) portal. The scope of this document does not extend to runtime authentication or authorization of users into applications -- that falls under access control rather than identity and access management.