Delegated Management
If you have any questions or concerns about delegated management, please contact the eIAM platform team:
eIAM-Operations@bit.admin.ch.
eIAM offers delegation of user administration to internal or external parties. In other IAM systems, this functionality is called delegated rights assignment, delegated user administration or delegated administration.
Goal of delegated management
The aim of delegated management is to decentralise the management of authorisation allocation and to place that management where the knowledge about changes is available. Delegated management is divided into three main aspects, which can be managed and authorised individually.
- Units
  - Structuring element on the basis of which the users to be authorised can be grouped
  - Element through which delegated management can be divided
- Users
  - Correspond to the subjects to be authorised in the Access Client
  - Can be prepared via delegated management (the subject and its need are already known)
  - Receive an onboarding invitation
  - Can have different unit-specific profiles
- Authorisations
  - Allocated in the form of IDM roles (e.g. DelegAdmin) and business roles
  - Can have attributes
  - Are distinguished as
    - Use permissions (using roles in a business application)
    - Management permissions (managing/assigning roles)
Delegated management does not necessarily mean that management has to be completely decentralised. This only makes sense if a corresponding structure can be used on the client side (e.g. companies or cantons as clients).
Advantages of delegated management
- Management of units, users and authorisations can be made more efficient and effective
  - Management is located where the knowledge of changes is
  - No unnecessary coordination and verification
  - Decentralised management reduces the workload for the individual manager, as tasks are delegated to a larger circle of responsibility
- Greater autonomy and flexibility of the decentralised administrative units (e.g. companies, cantons)
- Pre-provisioning of users by means of Bulk-Onboarding, with optional assignment of IDM roles
  - Faster onboarding of the user possible
  - No waiting time for end users
  - IDM DelegAdmin role assignment at Bulk-Onboarding
- Decentralisation to the end user (third parties, such as companies and cantons)
  - Changes (new entrants, withdrawals and mutations) are mapped more quickly because responsibility is delegated (no more notification procedure)
  - Eliminates form-based communication regarding mutations
- Specific, cleanly restricted management of units, users and authorisations
  - Authorisation management and unit and user administration can be assigned individually and specifically thanks to the DelegAdmin IDM roles (DelegatedManager_User, DelegatedManager_Subunit, DelegatedManager_Permission, DelegatedManager_DelegMgmt_Permission)
  - It is also possible to define the mobile phone number of the user in the Access Client as a mandatory field (Strict-Onboarding)
Disadvantages of delegated management
- Initial extra work for implementation of control mechanisms
- Responsibility remains with the Office. -> Recommendation: Contractual arrangement between Office and third party (indemnification)
The organisational aspect is the more important aspect of delegated management. The technical functionality is almost self-evident, but setting up the necessary organisational structures needs careful planning and preparation, in particular for the initial provision of the unit and role structures. These structures must be analysed during the rollout and, based on the defined concept, either defined initially and/or adjusted as necessary.
Recommendation
We recommend starting a small project for the introduction of delegated management or treating it as a separate aspect in an ongoing project.
Suitability and Needs Assessment
Before starting with delegated management activities, it makes sense to verify its suitability and the need for it. Some points that speak for or against delegated management are listed below. Based on these criteria, the need can be verified within the framework of a preliminary consultation between the service recipient (office) and the service provider (FOITT).
Suitable for delegated management
- Decentralised management structure for users and authorisations
  - Users can be divided into different unit structures (e.g. companies, cantons, etc.)
  - The knowledge about changes (new entries, exits and mutations) is available in these decentralised administration structures
  - The knowledge about required authorisations is available in these decentralised administration structures
- Decentralised technical responsibility for applications
  - The various functional responsibilities for applications and their data spaces lie in decentralised administration structures (e.g. in specialised services)
  - The knowledge about required authorisations (role requirements) lies in these decentralised administration structures
- High need for verification when allocating authorisations
  - Restrictive authorisation allocation with a verification process
  - Specific user knowledge required for granting authorisations
- Separation of duties between user registration and authorisation allocation
  - Users are administered by HR or third parties (e.g. companies, cantons)
  - Authorisations are assigned by those responsible for the subject
Speaks against delegated management
- Quantity structure is too small for decentralised management
  - The quantity of either users to be managed or roles to be assigned is too small
  - The combination is crucial and must be assessed situationally. There is no absolute truth and clarity here
- No decentralised authorisation structures
  - There is a lack of organisational (units) and/or functional (multiple applications and/or data rooms) authorisation structures
  - The combination is crucial and must be assessed situationally. There is no absolute truth and clarity here
How do I have the delegated management switched on?
To use eIAM's delegated user management, contact your account manager at FOITT.
- The eIAM client (Access Client) to which the application requiring delegated management is connected must be adapted once. The applications already connected there continue to work as before, even if they do not use delegated management.
- The BIT sets up a so-called master unit for the application that is to use delegated management.
- The FOITT arranges a training session with the client, in which the creation of units, delegated managers, etc. is taught and supports the conception of the unit structure and the concrete implementation (recording).
For applications that already work with eIAM and want to use delegated management subsequently, this is to be commissioned via Remedy.
For new integrations, delegated management is ordered in the eIAM dossier; the 10 days are recorded in the service contract.
Delegated Management Insights (Video)
- eIAM's delegated management was used as part of the Covid certificate. This video on the Covid certificate gives you an insight into eIAM's delegated management.