Delegated Administration - Authorization Challenges for B2B Companies

Gal Helemski
May 2, 2019

According to recent figures published by Forrester, B2B e-Commerce sales in America will reach approximately 11 trillion dollars by 2023, up from an estimated $9 trillion today. Interestingly, the 2018 breakdown of spend is distributed as follows: “Employees on suppliers’ websites, $954 billion, 7.9% CAGR; SaaS e-procurement systems, outside of a network, $834 billion, 37.7% CAGR; E-procurement of services, outside of a network, $185 billion, 15.6% CAGR…”

From an IAM perspective, this means more people within and outside the organization requiring access and authorizations to online apps and resources. Access Delegation becomes a painful challenge when determining who can access what, and when that access is valid for use.

An efficient supply chain, in which B2B companies can grant access to other businesses without being able to see who their authorized users are, is essential for modern enterprises. Fulfilling this need requires a fully featured Authorization solution working in the background.

Consider the following case: a global pharmaceutical manufacturer wants to allow its partners and/or resellers (drug stores, etc.) to be able to view and order the manufacturer's products. Specifically, the company wants a solution that will provide delegated administration controls to the drug stores in order to:

  • Enable the manufacturer to give controlled access to its assets (allow its partners/resellers to view and order products)

  • Enable the manufacturer to create and manage the entities in its supply chain (i.e. its partners/resellers)

  • Enable its partners/resellers to determine what their employees can do (order all products, view all products but order none, etc.)


How Policy-Based Access Control Can Help

Policy-Based Access Control (PBAC) is a natural solution to this problem. PBAC supports creating policy statements to build a fine-grained Authorization solution that’s right for any business, especially an enterprise. PBAC is designed to determine at run-time who can access what and under which circumstances. PBAC is unique because it works in natural language, meaning its policies can be created and modified without writing a line of code.

In our case, PBAC, when implemented with a user-friendly interface, supports:

  • Allowing partners/resellers controlled access to assets (products)

  • The manufacturer managing its partners/resellers

  • Allowing partners/resellers to manage their employees

  • Auditing, investigating, and analyzing all data related to authorization


A PBAC solution gives the manufacturer complete control over access to its assets and it also lets the manufacturer define and manage its customers and their delegated access rights to the products. This means the manufacturer could allow one pharmacy to order one set of products and another pharmacy another. And, if needed, the manufacturer could change policies instantly, for example, authorizing a preferred partner to have access to a new product before other partners.

To give a few examples of what PBAC supports in the day-to-day world: the manufacturer can decide that no reseller is able to order products with a certain prescription security code (perhaps a highly restricted, still-in-testing product), or that only certain partners can order products under this restricted code if they meet specific criteria, such as certification requirements. The manufacturer is able to define roles, such as physician, pharmacist and pharmacy chemist, and limit ordering to pharmacists only. These roles are set in place by the manufacturer’s Authorization policies, and not editable by anyone outside of the partner/reseller.

While the manufacturer is in charge of defining its partners/resellers and setting policies for them, the latter are in charge of defining and managing their employees. The manufacturer doesn’t want to be responsible for managing and storing the identities of whomever the pharmacies employ or what position they hold: the access policies the manufacturer set are enough because they limit which type of user does the ordering. The manufacturer can even allow a partner to set some policies, as long as they don’t override the manufacturer's rules. That partner would receive a different interface than the others in order to support their additional functionality.

The entire set of rules and entities that govern authorization for the partners and their employees can be defined using an easy-to-use interface that controls which entities can be managed by whom. That way, a pharmacy owner can create new records for new pharmacists but cannot create new job types. Note that all of the specifics discussed here can be configured according to business needs.
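To make the two-level delegation concrete, here is an added Python example (not PlainID's code or policy language) that evaluates each request against the manufacturer-owned rules first and then against partner-authored rules, combining them deny-overrides so a partner can narrow but never widen what the manufacturer allows. Partner names, product codes, the certification attribute and the per-partner catalog are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict

# Partner records are created and managed by the manufacturer (constructed data).
@dataclass(frozen=True)
class Partner:
    name: str
    certified: bool          # meets the manufacturer's certification criteria
    catalog: frozenset       # products the manufacturer has granted to this partner

# A request mixes attributes from both sides: the partner asserts the employee's
# role from its own user store; the manufacturer supplies partner and product data.
@dataclass(frozen=True)
class Request:
    partner: Partner
    role: str
    action: str              # "view" or "order"
    product: str
    restricted: bool         # product carries a restricted prescription code

def manufacturer_policy(r: Request) -> str:
    """Rules owned by the manufacturer; a deny here is final."""
    if r.product not in r.partner.catalog:
        return "deny"                      # product never granted to this partner
    if r.action == "view":
        return "permit"
    if r.action == "order":
        if r.role != "pharmacist":
            return "deny"                  # only pharmacists may order
        if r.restricted and not r.partner.certified:
            return "deny"                  # restricted code requires certification
        return "permit"
    return "deny"                          # unknown action: default deny

# Partner-authored rules (constructed): a partner may restrict its own employees
# further. A partner with no entry adds no rules of its own.
PARTNER_POLICIES: Dict[str, Callable[[Request], str]] = {
    # pharmacy-a lets staff view everything but order only from its "A-" product line
    "pharmacy-a": lambda r: "permit" if r.action == "view" or r.product.startswith("A-") else "deny",
}

def evaluate(r: Request) -> str:
    """Deny-overrides combination: a partner rule can only narrow the manufacturer's decision."""
    if manufacturer_policy(r) == "deny":
        return "deny"
    partner_rule = PARTNER_POLICIES.get(r.partner.name, lambda _: "permit")
    return "permit" if partner_rule(r) == "permit" else "deny"

# Constructed sample partners
PHARMACY_A = Partner("pharmacy-a", certified=True, catalog=frozenset({"A-100", "B-200", "X-900"}))
PHARMACY_B = Partner("pharmacy-b", certified=False, catalog=frozenset({"A-100", "X-900"}))
```

Because the partner layer is consulted only after the manufacturer layer has permitted, a partner-authored rule returning "permit" for a product outside its catalog or for a non-pharmacist has no effect.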

The solution also supports auditing, investigating, and analyzing data. In addition to basic features such as keeping records of every action taken using the application (creating a policy, creating a new reseller, deleting an employee, etc.), the platform supports checking the permissions of an individual employee and performing data analysis to ensure that the desired Authorization policies are actually being implemented.


Seeing The Policy Management Platform In Action

Gal Helemski, PlainID’s Chief Innovation and Product Officer, recently gave a Webinar on the subject in which she discussed how PlainID solved this use case, a global pharmaceutical manufacturer that wanted to allow its partners/resellers (drug stores, etc.) to view and order its products, using the PlainID Policy Management Platform. The platform enables a business to create a multi-level authorization solution that:

  • Allows the business full control over what its partners/resellers can access

  • Enables the business to manage its partners/resellers

  • Enables partners/resellers to manage themselves, especially in areas that are irrelevant to the main business

  • Enables auditing, investigating, and analyzing all data

To learn more, please watch the Webinar: Delegating Administrative Rights for B2B, or schedule a demo.
