Organizations have always had identities that hold a variety of roles within the corporate structure, but one thing that is increasingly frustrating security and risk management leaders is the need to manage and govern people who have multiple affiliations within the organization. This could be a higher education institution whose faculty members are also alumni, or a financial institution where a banking executive is also a customer. While the person behind the identity is the same, they are affiliated with the organization in different ways, and each affiliation can carry its own job title, team, seniority, department, location or organizational unit. Typically, an identity has a single affiliation with a single function in an organization, along with a single job title, team, department, and so on, and roles are assigned based on those attributes and that context. Multi-affiliation is the situation where an identity is affiliated with more than one function within an organization.
These additional affiliations are sometimes referred to as “secondments.” The term can cover one individual with multiple employments, such as someone who works with several business units, or one individual with multiple profiles, like the professor mentioned above who is also an alumnus of the university where they teach. Other common examples are temporary secondments, where organizations move workers into other departments to absorb the extra workload during periods of heavy demand, such as the recently passed Amazon Prime Day or the annual holiday shopping season. Depending on how an organization implements this model, staff may need to keep their previous access and gain the access required for the new responsibilities at the same time, for the duration of the assignment. Additionally, organizations with franchisees or cooperatives may have identities that require employments or profiles in multiple franchises or cooperatives.
As organizations try to manage identities with multiple affiliations, they commonly face a few challenges.
- One-dimensional data models are limiting: the data model for identity objects may not support identities that have multiple profiles or employments. Some solutions only provide a single, linear line of management in which one person has one affiliation with the organization; any additional affiliation throws the solution off and results in extra identities being created that are difficult to monitor and keep aligned. Returning to the university example, if a professor employed by the university is also taking online courses, she would need two separate identities, each of which the team has to manage and assign the proper access to. This creates confusion and additional identities that must be created and maintained.
- Lack of contextual information can be crippling for organizations whose identities have multiple affiliations. A key criterion of identity governance is knowing which users are granted permissions to do things, and why. In a multi-affiliation scenario, when access rights change within one of the affiliations it can be difficult to be sure which of the identities needs to be changed, and equally difficult to manage if it is done manually. This eventually leads to violations of the principle of least privilege, as people inevitably end up with more access than they need to do their jobs or perform their tasks.
- Maintaining data from multiple identity sources is challenging when employments, profiles and identities are created in, and come from, different systems. For instance, an organization may manage employee data in its HR system while third-party identities are managed in AD or elsewhere. It is hard to join these access rights together and maintain a single identity for a person whose access rights are stored across several identity sources.
These challenges coalesce around the need for a modern identity governance and administration (IGA) solution. Omada helps our customers address them with a rich identity data model that makes it easy to affiliate an identity with multiple contexts, such as multiple employments or associations with the organization. Next, with context-driven access, Omada customers can grant access either via assignment policy or by having users request access under a specific context, where, for example, each employment is a context affiliated with that identity’s specific projects. Finally, through contextual ownership, the owner of an employment can be used in IGA processes, for instance to handle approvals and reviews for that employment, which may be different from the identity’s actual line manager.
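To make the three ideas above concrete (one identity with several contexts, access justified per context, and a contextual owner who approves instead of the line manager), here is an added illustration in Python. It is not Omada's code or data model; the identity, context names, owners, entitlements and dates are all constructed for the example, and the expiring secondment shows why an ended context must not silently leave its access behind.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import FrozenSet, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Affiliation:
    """One employment or profile of an identity (a 'context'), with its own owner and access."""
    context: str
    owner: str                   # contextual owner: approves and reviews access in this context
    entitlements: FrozenSet[str]
    ends: Optional[date] = None  # temporary secondments carry an end date

@dataclass
class Identity:
    identity_id: str
    line_manager: str
    affiliations: List[Affiliation] = field(default_factory=list)

    def active(self, today: date) -> List[Affiliation]:
        return [a for a in self.affiliations if a.ends is None or a.ends >= today]

    def effective_access(self, today: date) -> Set[Tuple[str, str]]:
        """Every entitlement paired with the context that justifies it (the 'why')."""
        return {(e, a.context) for a in self.active(today) for e in a.entitlements}

    def approver_for(self, context: str) -> str:
        """Route a request to the owner of the employment it is made under, else the line manager."""
        for a in self.affiliations:
            if a.context == context:
                return a.owner
        return self.line_manager

    def stale_access(self, today: date) -> Set[str]:
        """Entitlements justified only by an ended affiliation: revoke these to keep least privilege."""
        still_justified = {e for a in self.active(today) for e in a.entitlements}
        ended = {e for a in self.affiliations if a.ends is not None and a.ends < today
                 for e in a.entitlements}
        return ended - still_justified

AS_OF = date(2024, 8, 15)  # constructed review date, after the secondment below has ended

def sample_identity() -> Identity:
    """Constructed example: a professor who is also a student and on a temporary secondment."""
    return Identity("jdoe", line_manager="dean-eng", affiliations=[
        Affiliation("faculty", "dean-eng", frozenset({"lms-instructor", "grade-submit"})),
        Affiliation("student", "registrar", frozenset({"lms-learner", "library"})),
        Affiliation("it-project", "it-pm", frozenset({"ticket-queue", "library"}), ends=date(2024, 7, 31)),
    ])
```

Note that "library" is not flagged as stale after the secondment ends because the student context still justifies it; only "ticket-queue" loses its justification.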
It is natural that many organizations struggle with managing the access and identities of people who have multiple affiliations with the organization, but Omada enables customers to manage these contexts and enact processes to effectively govern this type of access. For more information, check out our Product Brief on Business Alignment, within the broader framework for identity governance, Omada IdentityPROCESS+.