ForgeRock Identity Cloud: Enabling the administration of specific user groups

Overview

Enabling the administration of specific user groups is a common requirement for both customer identity and access management (CIAM) and workforce IAM use cases. It allows partners, brands, subsidiaries, and business units to manage themselves autonomously and administer their own identity information.

Another common use case is allowing Help Desk or Support staff to perform tasks such as updating a password or authentication credentials without providing full administrative rights over a group of users.

ForgeRock Identity Cloud offers several capabilities for enabling the administration of specific user groups. These include:

NOTE: The most complete separation of users in Identity Cloud is through the use of realms. ForgeRock provides a helpful guide to planning for data object modeling, which includes information on how you might organize user communities.

Organization model

What is it?

With an organization model, you can arrange and manage users in a hierarchical tree structure. This allows you to give users fine-grained administrative privileges based on their location in that tree. For example, an administrator of one organization might have full access to the users within that organization, but no access to the users in an organization in an adjacent branch in the tree.

You can use an organization model to configure and enforce fine-grained authorization control over partner organizations, brands and business units. A unique set of user experiences and branding can be applied depending on which organizational tier a user belongs to.


Example organization model for different business units and brands

How is it achieved in Identity Cloud?

ForgeRock’s organization model capability provides a unique and simple way to create separate administrative hierarchies.

You create and manage organizations through the Identity Cloud admin UI. Organizations can be configured in both Alpha and Bravo realms.


Example organizations configured for Alpha and Bravo realms

An organization object (defined in the Identity Cloud managed object schema) has an owner and can have multiple administrators and members. These relationship properties enable the following hierarchical organization model:

  • An organization owner can add administrators to their organizations and create sub-organizations.
  • Organization administrators manage user identities within organizations and sub-organizations and can delegate administration to individual users through roles and assignments.
  • Organization members are users who belong to an organization.
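The hierarchy described in the list above, as an added example that is not ForgeRock's code or schema: a constructed, simplified model of owners, administrators and members in an organization tree, with an authorization check that reaches down into sub-organizations but never across to an adjacent branch. The organization names, user names and the assumption that a parent organization's owner also owns its sub-organizations are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Set


@dataclass
class Organization:
    """One node of the organization tree (constructed model, not the
    Identity Cloud managed-object schema itself)."""
    name: str
    owner: str
    parent: Optional[str] = None
    admins: Set[str] = field(default_factory=set)
    members: Set[str] = field(default_factory=set)


# Constructed sample hierarchy: a parent company "acme" with two brands
# in adjacent branches of the tree.
ORGS: Dict[str, Organization] = {
    "acme": Organization("acme", owner="alice"),
    "brand-a": Organization("brand-a", owner="bob", parent="acme",
                            admins={"carol"}, members={"dave"}),
    "brand-b": Organization("brand-b", owner="erin", parent="acme",
                            admins={"frank"}, members={"grace"}),
}


def ancestry(org_name: str, orgs: Dict[str, Organization]) -> Iterator[Organization]:
    """Yield the organization and every ancestor up to the root.

    A cycle in the parent links would otherwise loop forever, so it is
    treated as a configuration error."""
    seen: Set[str] = set()
    current: Optional[str] = org_name
    while current is not None:
        if current in seen:
            raise ValueError(f"cycle in organization tree at {current!r}")
        seen.add(current)
        org = orgs[current]
        yield org
        current = org.parent


def administers(actor: str, org_name: str, orgs: Dict[str, Organization]) -> bool:
    """True if actor owns or administers org_name or any of its ancestors.

    Rights flow down the tree into sub-organizations; nothing here grants
    access sideways into an adjacent branch."""
    return any(actor == org.owner or actor in org.admins
               for org in ancestry(org_name, orgs))


def can_administer_user(actor: str, target: str, orgs: Dict[str, Organization]) -> bool:
    """Deny by default: actor must administer some organization the target
    is a member of."""
    return any(administers(actor, org.name, orgs)
               for org in orgs.values() if target in org.members)


def can_add_administrator(actor: str, org_name: str, orgs: Dict[str, Organization]) -> bool:
    """Only an owner (of the org or, by this model's assumption, of an
    ancestor) may appoint administrators or create sub-organizations;
    administrators manage users, not the hierarchy."""
    return any(actor == org.owner for org in ancestry(org_name, orgs))


if __name__ == "__main__":
    # carol administers brand-a, so she can manage dave but not grace.
    print(can_administer_user("carol", "dave", ORGS))    # True
    print(can_administer_user("carol", "grace", ORGS))   # False
    # alice owns the root, so her rights reach both brands.
    print(can_administer_user("alice", "grace", ORGS))   # True
```

Membership alone confers nothing: a member who is neither owner nor admin of any organization fails every check, which is the property the model relies on when members are allowed to self-register into an organization.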

For further information on creating an organization model with Identity Cloud, see:

Business benefits

With ForgeRock’s organization model, enterprises can model and organize their identities to support business structures, such as B2B2C (business to business to consumer) and multi-brand experiences. More than just delegated administration, organizations allow for the establishment of tiers of identities, each with owners, admins, and members.

The organization model enables enterprises to easily create new organizations, assign administrative rights, and create user journeys unique to an organization, without requiring complex custom configuration, which adds professional-services cost and delays time to value.

Delegated administration

What is it?

With delegated administration, fine-grained administrative access is given to specific users, based on privileges assigned to a role. For example, you could use delegated administration to allow Help Desk users to reset passwords of other user accounts, but not delete user accounts or change system configuration.

How is it achieved in Identity Cloud?

Identity Cloud uses privileges to delegate specific administrative capabilities to non-administrative users, without exposing administration functions to those users.

For example, if a Help Desk user has been granted a privilege that lets them view a list of users and their details for the purpose of resetting passwords, they can access that list directly through the Identity Cloud end-user UI, without needing access to the Identity Cloud admin UI.


Identity Cloud end-user UI for a Help Desk user, showing a list of users

NOTE: Delegated administration is only available to Alpha realm users.

To enable delegated administration, you will need to set up internal roles with specific privileges. Internal role permissions can include view, create, update and delete actions, and attribute permissions, as well as optional conditional filters and time constraints.

You configure internal roles in the Identity Cloud admin UI using a simple wizard.
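To make concrete what an internal role with view/update permissions, attribute permissions, a conditional filter and a time constraint actually decides, here is an added example that is not ForgeRock's code: a constructed Help Desk role and a deny-by-default evaluator over it. The field names (`path`, `permissions`, `accessFlags`, `filter`, `timeConstraint`), the `managed/alpha_user` path and the sample accounts are this example's own simplified model, not Identity Cloud's privilege schema.

```python
from datetime import datetime, time
from typing import Any, Dict, List, Optional

# Constructed internal role: the Help Desk may look up users and change
# their password, nothing more. Field names are this example's assumption.
HELPDESK_ROLE: Dict[str, Any] = {
    "name": "helpdesk-password-reset",
    "privileges": [
        {
            "path": "managed/alpha_user",        # resource the privilege covers
            "permissions": ["VIEW", "UPDATE"],   # no CREATE, no DELETE
            "accessFlags": [                     # attribute-level permissions
                {"attribute": "userName", "readOnly": True},
                {"attribute": "mail", "readOnly": True},
                {"attribute": "password", "readOnly": False},
            ],
            # conditional filter: only accounts in this state are in scope
            "filter": {"accountStatus": "active"},
            # time constraint: privilege usable only during business hours
            "timeConstraint": {"start": "08:00", "end": "18:00"},
        }
    ],
}

ALL_PERMISSIONS = {"VIEW", "CREATE", "UPDATE", "DELETE"}

# Constructed sample accounts and clock values.
ACTIVE_USER = {"userName": "dave", "mail": "dave@example.test", "accountStatus": "active"}
LOCKED_USER = {"userName": "grace", "mail": "grace@example.test", "accountStatus": "inactive"}
BUSINESS_HOURS = datetime(2024, 1, 15, 10, 0)
AFTER_HOURS = datetime(2024, 1, 15, 22, 0)


def _within_window(constraint: Optional[Dict[str, str]], now: datetime) -> bool:
    """No constraint means always valid; otherwise the wall-clock time must
    fall inside [start, end]."""
    if constraint is None:
        return True
    start = time.fromisoformat(constraint["start"])
    end = time.fromisoformat(constraint["end"])
    return start <= now.time() <= end


def _matches_filter(flt: Optional[Dict[str, Any]], target: Dict[str, Any]) -> bool:
    """Every filter attribute must equal the target's value (simple equality
    filter; a real query filter language is out of scope here)."""
    return all(target.get(key) == value for key, value in (flt or {}).items())


def _attribute_allowed(flags: List[Dict[str, Any]], attribute: Optional[str],
                       permission: str) -> bool:
    """Attribute-level check. An UPDATE must name the attribute it changes so
    the readOnly flag can be enforced; attributes not listed are not visible
    to the role at all."""
    if attribute is None:
        return permission != "UPDATE"
    for flag in flags:
        if flag["attribute"] == attribute:
            return permission == "VIEW" or not flag["readOnly"]
    return False


def authorize(role: Dict[str, Any], permission: str, path: str,
              target: Dict[str, Any], attribute: Optional[str] = None,
              now: Optional[datetime] = None) -> bool:
    """Deny by default: the request is allowed only if some privilege of the
    role covers the path, grants the permission, is inside its time window,
    matches the target via its filter, and permits the attribute."""
    if permission not in ALL_PERMISSIONS:
        raise ValueError(f"unknown permission {permission!r}")
    now = now or datetime.now()
    for priv in role["privileges"]:
        if priv["path"] != path:
            continue
        if permission not in priv["permissions"]:
            continue
        if not _within_window(priv.get("timeConstraint"), now):
            continue
        if not _matches_filter(priv.get("filter"), target):
            continue
        if _attribute_allowed(priv.get("accessFlags", []), attribute, permission):
            return True
    return False


if __name__ == "__main__":
    print(authorize(HELPDESK_ROLE, "UPDATE", "managed/alpha_user",
                    ACTIVE_USER, "password", BUSINESS_HOURS))   # True
    print(authorize(HELPDESK_ROLE, "DELETE", "managed/alpha_user",
                    ACTIVE_USER, None, BUSINESS_HOURS))         # False
```

The order of the checks matters little for the result, but it does for auditing: a request rejected by the time window or the filter is a policy event worth logging separately from one rejected because the role simply never had the permission.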

Screens from the Internal role Permissions wizard

Once created, you can assign internal roles to users or organizations within the Alpha realm, granting them the authority to act as delegated administrators. These users can then perform the permitted actions on the specific set of attributes defined for their role.

For further information on setting up delegated admin in Identity Cloud, see

Business benefits

Delegated administration not only reduces the risk of accidental or intentional abuse of power but also allows organizations to split the work between different teams.

By delegating tasks to other departments or teams such as a Help Desk function, the central IT department can focus on strategic initiatives, innovation, and technology planning rather than routine administrative tasks.

The flexibility of ForgeRock’s object model means that organizations can delegate administration tasks that allow for tailored, fine-grained role management. Different teams or departments can have the necessary permissions and controls aligned with their specific requirements.
