Multi-Brand is the New Requirement for the Expansive Digital Enterprise

Does your organization look like this: a complex, layered enterprise with many different business units (BUs)? Inside these BUs are different departments, and inside some of these departments are different brands or products that need to be discretely managed so as to present unique digital experiences for customers.

If so, you are part of a growing cadre of organizations managing multi-brand experiences.

Traditional approaches to Identity and Access Management (IAM) tend to break down when faced with these types of advanced multi-brand identity hierarchies. Here’s why that is and what you can do to prepare your organization for next-level success.

Managing Identity in a Multi-Brand Environment

The term “multi-brand experience” fits neatly at the intersection of IAM and customer success.

On the IAM side, the challenge here is getting the right users (internal workforce users and end-user customers) access to the right digital properties or assets needed to do their job or to complete their purchases, and in a timely manner.

Take internal users. If too much access is given (for example, you grant users in Brand 4 access to resources in Brand 1), you can unnecessarily and unwittingly expose part of the business to employees who do not need those resources to do their job. Worse yet, you can potentially open up a greater footprint of your business to hackers or malicious insiders.

On the customer success side, knowing a user is a consumer of Brand 5 leads to all sorts of interesting possibilities of going deeper on that interaction and user experience. You can, for example, present a highly personalized shopping experience on that particular brand or introduce a loyalty program impacting users of a particular brand. You can even strategically micro-target products and services that that consumer may be interested in. Or do both, why choose? The key here, though, is all about having that elegant, frictionless experience that all starts with identity.

‘Customers’ can also be internal workforce users requiring access to new applications and services. Being responsive to their needs in a timely fashion is critical for maintaining a productive and satisfied workforce.

Why Delegated Administration Has Failed to Address the Multi-Brand Challenge

The traditional way organizations attempt to handle multi-brand experiences is through the use of groups.

The logic goes like this. When you onboard internal users, the admin assigns them to one or more groups. For example, one user gets assigned to human resources, another to marketing, and another to finance.

Groups can run the gamut, including location, projects, specialties, and geography, so, for example, one user can be a member of the ‘Cleveland Plant’ and another employee a member of the ‘Manchester Office.’ Almost everyone is a member of multiple groups. Various admins (through delegated administration) then manage access to the groups, which allows or disallows the members of those groups access to various resources.

But then things get complicated. Companies grow, reorg, and go through all manner of changes over time, which throws the whole task of managing by groups and delegated admin into total chaos. Groups are suddenly left admin-less. From personal experience, I have talked with customers who are managing up to 30,000 groups within their organization! Of course, this is a chimera. Nobody can actually manage 30,000 groups or do it well in any kind of fashion. What you end up with is the illusion of control without having any capability to drive the business forward using this powerful tool. It’s a total mess.

The B2B2C business model (business-to-business-to-customer) has moved to the fore. This means multi-brand requirements now extend to business partners or vendors (intermediaries) who have contact with the ultimate end-user customers. Being able to control access to applications and services down through this model, through the partner right on down to the end customer, is imperative, and cannot be done effectively with groups and delegated admin.

Addressing the Multi-Brand Challenge with Organizational Model

A better way of managing the complex hierarchical identity requirements, including B2B2C, is through the use of an Organizational Model.

An organizational model is first and foremost a data model. It is a structure that mirrors the actual organization itself (hence the term ‘organizational model’). Rather than dive right into the typical IAM minutiae of what groups, roles, and entitlements an individual user should be assigned to (all very important, by the way), an organizational model starts at the business level. By mirroring the way your business looks and operates, identity can more effectively and strategically be used to help the organization meet its business objectives.

An organizational model starts out with a single organization, the top tier of the hierarchy. Then other organizational units (locations, brands, sub-groups, business units) can be flexibly built, assigned, and re-assigned across the organization as circumstances change. An almost infinite number of sub-organizations can be defined. Administrators are then assigned to each organizational unit, with the admins above having total visibility and control of other admins and members in the sub-orgs.

How does an organizational model differ from delegated administration? Here are a few differences (a non-exhaustive list):

  • Utilization of non-technical admins – Typically administrators need to have some IT and identity chops, or at least need to be part of the IT org. But with an organizational model, admins are presented with a simple portal to support access requests within their particular organization. This makes it very convenient to assign to a department owner who needs to make quick access decisions for their direct reports. It also makes it possible to assign admin rights for onboarding users within a vendor, partner, or supplier.
  • Supports full inheritance and visibility – Changes made to the top-level org, such as new access policies or authentication requirements, can automatically get pushed down to the sub-orgs below without requiring admin intervention. This ensures no group gets left behind, including B2B2C partners and vendors, when security decisions get made at the top. All access decisions are logged for visibility and assistance in passing audits and meeting compliance requirements.
  • Greater span of control – Who better knows the access needs of users than the application owner, business owner, or department head? Organizations put control into the hands of these users, while at the same time keeping IT in the driver’s seat. It can also speed decision making and empower users.
  • Better enforcement of Least Privilege – Rather than broad access rights being sprayed across the organization, members of each group are confined to just what is in their particular organizational area. In complex organizations with many BUs, this means lowering the surface area of a potential attack.
  • Better support of a B2B2C model – In the past, extending access to partners and your partner’s customers was usually a one-off operation, with the necessary application sitting unmanaged within a department. With organizations, these projects are folded into the overall identity framework, are fully supported, and are secured within the same identity stack as the other users and applications.
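
To make the data model concrete, here is a minimal sketch of an organization hierarchy with inherited requirements, downward-only admin scope, member confinement, and a decision log. It is an added example, not ForgeRock code or its API; the class, function, org, and user names are hypothetical, and it assumes that sub-orgs may add requirements but never drop inherited ones.

```python
from dataclasses import dataclass, field
from typing import Optional

AUDIT_LOG = []  # every decision is recorded for later audit

@dataclass
class Org:
    name: str
    parent: Optional["Org"] = None
    required: set = field(default_factory=set)  # requirements set at this level
    admins: set = field(default_factory=set)
    members: set = field(default_factory=set)

    def lineage(self):
        """Yield this org, then each ancestor up to the top-level org."""
        node = self
        while node is not None:
            yield node
            node = node.parent

    def effective_requirements(self):
        """Union of requirements from the top down (assumption: add-only)."""
        reqs = set()
        for org in self.lineage():
            reqs |= org.required
        return reqs

def _log(kind, user, org, allowed):
    AUDIT_LOG.append({"kind": kind, "user": user, "org": org.name, "allowed": allowed})
    return allowed

def can_administer(user, org):
    """Admins control their own org and every sub-org beneath it, never above."""
    return _log("admin", user, org, any(user in o.admins for o in org.lineage()))

def can_access(user, org, presented):
    """Members reach only their own org area, and only after satisfying
    every requirement inherited from the orgs above."""
    in_scope = any(user in o.members for o in org.lineage())
    ok = in_scope and org.effective_requirements() <= set(presented)
    return _log("access", user, org, ok)

# Constructed sample hierarchy (illustrative names only).
root = Org("Enterprise", required={"mfa"}, admins={"it-admin"})
bu = Org("Consumer BU", parent=root, admins={"bu-owner"})
brand1 = Org("Brand 1", parent=bu, members={"alice"})
brand4 = Org("Brand 4", parent=bu, members={"bob"}, required={"device-check"})
```

Because requirements are resolved by walking up the tree at decision time, a change at the top-level org takes effect in every sub-org without any per-group update.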

ForgeRock Delivers on the Multi-Brand Experience

Increasingly, through acquisition and mergers, business restructuring, or even by legal and regulatory requirements, organizations are finding it necessary to manage different parts of their businesses like free-standing entities. ForgeRock Organization supports your business by making your IAM mirror your organization, supporting complex B2B2C multi-brand initiatives, and covering both customers and internal workforce users from a single IAM platform. For more information, check out how we do this with ForgeRock Organizations.

*** This is a Security Bloggers Network syndicated blog from Forgerock Blog authored by Jeff Carpenter. Read the original post at: https://www.forgerock.com/blog/multi-brand-new-requirement-expansive-digital-enterprise