What is Tiered Delegated Administration?

What is Tiered Delegated Administration?

One of the unique features of Ubisecure Identity Server is the mechanism for delegating application role management to the external customers, business or private, of an organisation in a controlled fashion. It is called the tiered delegated administration model. This blog post tries to explain the shortcomings of the pure LDAP directory based solutions when serving many applications to multiple external organisations, a typical use case when providing customer-facing services.

LDAP data structure

User management solutions in the past have been built on the LDAP (a subset of the X.500 standard) data structure. X.500 was designed as a global directory service to hold hundreds of millions of entries (e.g. user, organisations, roles) in a structure of a tree of entries.

In a LDAP directory, a user object is stored directly to an organisation unit and the user with admin rights to the organisation then can manage the appropriate roles for all users of the organisation.

Afterwards, all new users are always created as members of at least one organisation, having typically one or more roles. This means that while there can be organisations without any users, every user must be anchored to at least one organisation.  The roles define what the user is allowed to do within the context of each organisation.

This works well enough for well-defined roles within a single internal organisation unit such as HR or even multiple independent organisations, but application role and user management becomes complicated if there are federated users from external organisation domains such as customers and partners.

Let’s use an example. Application has a Member role. If a user would need to have access to this application, the user account would be added to the Member role (group or a nested group). As the access to the application is managed internally by the administrators, the administrators such as help desk staff can be allowed to manage all the users of the service and all the available application roles.

When extending the use of the service to external users of organisation, the need to selectively delegate the application role management to the customer organisation (instead of managing these internally thus creating cost, compliance issues and possible security holes), the ability to link the user roles to corresponding customer account information and enable third parties to act on behalf of the customer arise.

Tiered Delegated Administration model

Ubisecure’s user management data model builds on the standard LDAP data structure (as used by e.g. Microsoft AD) but introduces two vital extensions: Virtual Organisations and Mandates.

Virtual organisations function similarly to organisations but users are associated only through role memberships. These virtual organisations enable identity modelling where user’s association to multiple Non-Person Entities (NPE) or other temporary groups can be expressed. NPEs can be organisations, IoT devices or other kind of services.

As an example, when doing administration work for a client, I could be added to a virtual organisation (NPE) created specifically for that project, so my access would be automatically terminated after the project finishes. In some verticals such as finance, where a lot of work is outsourced to consulting agencies and dozens if not hundreds of projects are run in parallel, cleaning up the access privileges can be a major headache without this kind of functionality.

As control of access among loosely coupled parties requires more than just Web SSO protocols such as SAML 2.0 or OAuth 2.0, another critical feature of Ubisecure Identity Server, acting as a centralised authorisation server, are mandates which are like power of attorneys.

Mandates enable the access control between loosely coupled parties in C2C, C2B, B2C and B2B use cases and include associations to one or many application roles which are to be delegated. Utilising a person or organisation Mandate, a user or an organisation can authorise another user, or organisation, to act on their behalf in one or more roles.

Delegating user management to customer organisation

Let’s use an example. DiLaurio Inc. is a financial services company providing services to its customers.  When a customer, for example Kiska Group, has an active contract in the CRM which entitles the use of the services, they are given organisation mandate to manage their own users’ access rights using a self-service portal. As long as the given mandate is still active, the customer organisation is able to self-service manage the provided services to their users.

The lifecycle of these given mandates is typically linked to corresponding customer account and contracts in one or many CRM systems the service provider has in their business units. Once the customer contract ends, the corresponding mandate is removed and delegated application roles allowing access for all users is removed automatically. Users may have access to other services via other contracts.

Customers of DiLaurio Inc., could even delegate the use of provided services to 3rd parties. For example, Kiska Group could outsource certain tasks to a third-party company Snagari Consulting who can act on behalf of Kiska Group.


Ubisecure Identity Server and its advanced user management data model with mandates allows fine-grained delegated access control of external entities such as customers and partners. The benefits for an organisation using Ubisecure Identity Server:

  • Outsourced / delegated identity and authorisation (mandate) management increases accuracy of customer data and reduces cost through self-services
  • Closing of access privileges automatically decreases security risk of forgotten accounts and reduces administration burden
  • Flexible modelling of your own business ecosystem

Compared to the traditional LDAP data model where parts of the management of the users, organisations and its roles cannot be delegated outside the organisation domain in a controlled fashion, the virtual organisation and mandate mechanism Ubisecure Identity Server has, enable selected parts of the application role management to be delegated outside the organisation domain, to 3rd parties and use of services be tied to the customer lifecycle.

If your organisation would like to implement one of the most advanced Customer IAM solutions on the market, contact us now.