Delegated User Management

Welcome to the clickable demo about delegated user management. You can get started with a brief introduction, or you can skip it and head straight into the actual demo.

What is a typical use case for using a delegated user management solution? 

Many organizations usually depend on interactions with third parties to conduct their business operations. 

Third parties may be suppliers, intermediaries like brokers or distributors, and even business customers.

They often consist of dynamic user populations, requiring efficient onboarding of their identities and centralized management of access.

With traditional IAM-solutions, there is often a two-dimensional problem to tackling this challenge. First, it requires a skilled administrator to initially setup the whole organization structure, user groups, and permissions.

Secondly, they often rely on a service desk that manages the actual influx and outflow of users.

This can become a technical and costly endeavour, and doesn't always result in the best user experience - especially when it comes to business users.

Enter our Delegated User Management solution. With it you get a user friendly application that is built explicitly for the business persona. It empowers third party organizations to self-manage and delegate user access. It allows the business to take active ownership and responsibility - where it belongs.

To showcase delegated user management we use the following personas. 

At the central organization there is always a power user: a technical super admin. We call him 'Isaac'.

At the third party organization level are the so-called end users. We call THEM 'William'.

There is never just one 'William'. There are many, and they typically struggle with questions about getting access to external applications.

In this setup, it is up to the technical super admin to deal with all the end users. This will become problematic and challenging when the number of end users continues to grow.

At a certain point, it becomes necessary to appoint a delegated manager for the third party organization. In this demo, we call her Jane. Delegated managers are more intimately familiar with the actual users and the access and identity needs they have

Delegated managers are entitled to determine who should have access to what.

There is usually not just one third party organization. Typically, there are many. Each with end users and their own delegated manager.

Again, when the numbers continue to increase, it might well be smart to appoint a third party organization manager at the central company. In this demo, we call him "George". 

George is mainly pre-occupied with questions about onboarding new organizations and their delegated managers.

Jane on the other hand wonders how she can manage end users like William. Her most important question is: "Do I need specific IT skills? Do I need to follow a technical training to do my work?"

The answer is of course: no. George, Jane, and William are all business personas. They are all empowered by our Delegated User Management solution, which offers a point-and-click UI that has been built with the business persona's needs explicitly in mind.

To complete the picture, in this demo we make use of a central organization called 'InsureGroup'. Isaac and George belong to this large fictional insurance company.

As third party organization, we use a partner company named 'Brown Brokers'. They sell InsureGroup insurance products. Jane and William belong to Brown Brokers.

And with THIS, we conclude the introduction. You can now proceed with selecting a persona.

It is best to start with the persona that presents the least complexity. We advise to start with end user "William", and work your way up through the personas to the administrator "Isaac".

With William, you'll see how business users are empowered in their day-to-day tasks with the Application Launch Pad. As part of the self-service capabilities, you'll also request access to a new application.

With Jane, you'll get a better understanding of how end users can be managed. You will also approve William's request for additional access.

With George, you'll learn more about an important concept: "groups". Groups determine where users belong. You will add a new partner company to the partner group.

With Isaac, you'll learn more about an important concept: "roles".  Roles determine what users are entitled to do. In addition, you'll see how the application can be branded and styled.

Hi there! My name is William and I work for Brown Brokers.

We see here the InsureGroup portal. From here I can access my account by clicking the 'Partners' button.

In order to log in, I start by entering my username.

Now that my username is set, I proceed with entering my password.

Good! Everything's set. Let's click the login button.

I'm now being redirected to my profile page.

I have landed on my Application Launch Pad. 

From here I can easily access all tools and apps I need on a daily basis. A simple click on one of those application tiles does the trick!

But, for now, let's first continue and view my profile data.

Here I can self-manage my personal and business relevant information.

If I wanted to, I can also update my profile picture and, if necessary, I can delete my account.

Let's continue to the "Requests" page.

If I need access to a new application or tool, I can request access to it myself. I don't have to call a service desk.

As you can see, I have already requested access before. My latest request got denied.

Let's request access again.

Application access is granted through so-called "Roles". 

First I have to select a role "TYPE".

There are three types of roles: persona roles, access roles, and self service roles.

Let's select the "ACCESS" role type.

Now I can select an "ACCESS" role from the list.

Let's select the "Car Insurance Apps" role.

This would give me access to a collection of applications and tools that are related to InsureGroup's car insurance product.

Okay! Everything's set. 

Let's click the "Request" button.

Good! My access request has been submitted successfully.

Now my manager at Brown Brokers, "Jane", can further handle my request.

This also concludes my part of the demo. Please select where you want to proceed next.

Hello! My name is Jane and I am delegated manager at Brown Brokers.

On the InsureGroup's portal, I navigate to the 'Partners' section to get to work.

From here I can access my account.

In order to log in, I enter both my username and my password.

After successful authentication, I am not redirected to my profile page. As delegated manager I will land on the "User Management" page.

Here I see all the users I can manage. Note that I am only entitled to see Brown Brokers partner company users.

Let's zoom in a bit on William.

A single click reveals William's group memberships and assigned roles.

William is a representative at Brown Brokers.

Let's zoom in a bit further by clicking the 3-dot button.

Now we select the 'profile' option.

On William's profile page, I can find his contact information, personal data, and business relevant details.

But I can do much more. As delegated manager, I can also manage the roles of a user.

Here we see all of William's current roles.

If I wanted to, I could change his current role within the Brown Brokers organization or I could assign a new role.

Let's update the end date.

Let's terminate William's access to the Office Apps at the 1st of January, 2026.

Excellent! William's access to the Office Apps has been updated successfully.

Let's look at William's group memberships next.

Currently, he belongs to 3 groups: car insurance product brokers, life insurance product brokers, and Brown Brokers partner company users.

Let's move William to a different group within the 'Partner' structure.

I will move William to the Western United States division of Brown Brokers.

I'm sure about the group update I just made, and I confirm.

Now, to store all the changes I've made, I'll click on the 'Save' button.

When the change is processed, we're sent back to the User Management page.

Good, we see here that William's account has been updated successfully. He belongs now to the Brown Brokers US West group.

To conclude we proceed to the Request Management page.

This page enables me to monitor and manage all role requests by my Brown Brokers colleagues.

At the top of the list, is William's access request to the Car Insurance Apps.

Let's process his request by clicking on the 3-dot button.

I can approve, deny, or delete the request.

Let's approve it.

As part of the approval process, I can set an end date.

Let's give William access to the Car Insurance Apps until the end of June, 2025

Excellent! Access request approved successfully.

And with this we conclude my part of the demo. Please select how you want to proceed next.

Hi there! My name is George and I manage InsureGroup's trusted partner network.

To access the partner management portal, I click the employees button.

When having entered my InsureGroup credentials, I am being automatically redirected to the Delegation Management solution.

As Partner Manager at the InsureGroup, I am able to see not only Brown Brokers users, but users from ALL other partner companies as well.

Typically I delegate the management responsibility to an 'Operation Manager' at the partner level, like Jane Fields for Brown Brokers.

Just like Delegated Manager "Jane", I too can manage users with typical operations like adding users, querying and viewing, updating, and deleting users.

But, as Partner Manager, I am entitled to do more. Let's take a look at the Group Management page.

As partner manager, I am empowered to setup and manage the whole partner network.

Currently we have 890 unique users belonging to the partner group.

If necessary, I can easily add more groups, if that helps me manage the partner network better. Maybe something on geo-location or on particular business verticals.

For now, let's zoom in a bit on the partner group.

A group can be a simple flat list, or it can contain nested elements, as we see here with Brown Brokers.

The Brown Brokers partner company is split into different regions, and then again split further into countries. 

This is just an example of how a nested group could look like. I can set it up however I see fit.

Now let's assume the InsureGroup's partner network is expanding.

I can easily add a new entry to this partner group with a click of a button.

Maybe the United Kingdom group needs a new nested element, based on "city".

So I enter a group code as well as the name: "Brown Brokers London".

That's all it takes to manage groups! It's easy!

Let's close the Group Management window and navigate to the User Management page.

Now that we have updated the "Partner" group, we proceed and appoint a Delegated Manager for the Brown Brokers London division.

Let's click on the 'New User' button.

I can either "add" a new user or "invite" a user.

The main difference between these two is that with an invitation, you effectively trigger an onboarding journey where the invitee activates the account himself and maybe submits some more information.

With "add" user, I can create an active account directly. No additional actions by the user required.

Let's select the "add user" option for now.

When adding a user, I usually start with adding some profile information and a password.

Let's skip that for now, and jump to the 'groups' tab.

Here we define to which groups the user belongs.

First I choose a 'group'.

Let's select the group we just updated. The 'Partner' group.

Now I can select the group membership.

Let's drill down to the newly added "Brown Brokers London" group.

We see here that the group we just added ourselves, is already listed and available for use.

To give this user the entitlements and responsibilities of a Delegated Manager, we have to assign an appropriate role as well.

First we select a role "type". This will narrow down the list of actual role options I can select later on.

There are 3 types of roles: Access roles, Persona roles, and Self Service roles.

"Access" roles define to which external applications and resources a user gets access.

"Persona" roles define the entitlements a user gets within the Delegation Management solution itself.

"Self service" roles define which profile self-management capabilities are provided to the user.

Let's select the "Persona" role type.

I can now select a Persona role from the list.

Within InsureGroup, we recognize two personas: "regular" users, or "representatives"; and "Delegated Managers".

In our demo, "William" is a representative and "Jane" is a Delegated Manager.

Let's select the Delegated Manager role.

Perfect! This is all it takes to manage groups and appoint a delegated manager. It's all just a few clicks away.

This also concludes my part of the demo. Please select how you want to proceed.

Hello, I'm Isaac and I am the technical administrator at the InsureGroup company.

Let's click the "Employees" button, and log in to the Delegation Management solution.

As you can see on the left hand side of the screen, as administrator I have access to more features and capabilities than George and Jane. 

I can, for example, update the look and feel of the Delegation Management solution.

I can update the texts and translations in the application. I can organize both the platform and profile menu structures, and I can change the general styling.

Here, I can configure logos and the main colour scheme.

Let's change the "brand colour" to orange.

Done! The brand colour has changed from purple to orange.

Now, with the other personas we have already looked more closely at the management of users (with Jane) and the management of groups (with George).

Let's zoom in a bit on "Role" management now.

There are 3 types of roles: Access, Persona, and Self Service.

Access roles determine to which applications users have access.

Persona roles define what users can do within the Delegation Management application itself. Self Service roles determine the self-management capabilities of users.

Let's see if we can find out why Jane, as Delegated Manager, could manage users but not groups.

Please select the "Persona" tab.

Besides the "Admin" persona role, we also see the Delegated Manager, the Partner Manager, the Product Line Manager, and the Representative persona roles.

In our demo scenario, Isaac has the Admin role and George has the Partner Manager role.

Jane has the Delegated Manager role and William, together with 879 other users, has the Representative role.

Each persona is configured with different rights and entitlements.

Let's zoom in on the Delegated Manager persona role.

With feature toggles, I can enable or disable specific capabilities.

A simple click removes the Delegated Manager's ability to perform mass updates.

A similar configuration experience applies to "Platform access".

We see here why Jane, as Delegated Manager, only has access to "User Management", and nothing else.

If I wanted to, I can give all Delegated Manager personas the power to manage roles.

A simple feature toggle adds the Self Service role management capability.

On this "Platform Access" tab, we define what the persona can do within the Delegation Management application itself.

On the "Entitlements" tab, we can configure WHICH actions the persona can perform, on WHOM.

We see here that the Delegated Manager persona is entitled to operate within a particular "SCOPE".

In this case, the scope includes every user that has a group membership in common.

As concrete example, imagine the case of Jane. Jane is member of group "Brown Brokers". As Delegated Manager persona, she is therefore entitled to manage all other users that are ALSO member of the Brown Brokers group.

Besides a scope we also set capabilities. Under "CAPABILITIES" we specify WHAT can be done within the defined scope.

Let's click the 3-dot button to take a closer look at this.

We see that currently most capabilities are already enabled.

Again, with a simple feature toggle, we can add or revoke entitlements in a fine-grained manner.

Easy! Account deletion capability removed.

Without going into further detail, it is still good to mention that a similar fine-grained entitlement configuration applies on both attribute and role level.

And with this, we come to the end of my part of the demo. Please select how you want to proceed.