Management of external accounts

In an organization there are different types of accounts that need to be managed in different ways depending on their purpose and use.

This page describes the management of external accounts that require access to internal resources. These accounts are often referred to as short-term workers, contractors, partners or GIG workers.

Book meeting

Lifecyclemanagement

Movies

Different types of accounts

Workforce Identity (IAM)
Workforce Identity refers to accounts used by people who need to access resources within the organization.

These are divided into:

Internal (permanent employees)
- Refers to permanent employment within the organization.
- Management of these accounts is often automated through provisioning and synchronization from HR systems to streamline the process.
External (short-term workers, contractors, partners or GIG workers.)
- Refers to temporary accounts for people who need access to the organization's internal resources.
- A challenge many organizations have is where these accounts should be located.

Customer Identity (CIAM)

Customer Identity refers to accounts for external customers or citizens.

They have no need to access internal systems.
These users may use external authentication solutions, such as social accounts such as Google, Microsoft or Facebook, for login.
To read more about CIAM

Lifecycle management of external accounts

Login for external accounts

Once an external account has been created, the user must be able to authenticate to access the organization's resources. Our products support a variety of login methods, allowing you to customize authentication to your organization's needs and security requirements.

BankID, Freja, Foreign eID: User-friendly and secure solutions for authentication.

One-Time Password generated via apps such as Microsoft Authenticator, Google Authenticator or similar.

Username + OTP

SMS and email (SMTP) for easy OTP delivery.
YubiKey and other hardware-based security keys.
Certificates for advanced security in specific environments.
Passkey, FIDO, smart cards for modern and secure authentication solutions.
Federation to use existing authentication solution in the organization, or use authentication solution in the external user's organization

Alternative methods

E-ID

Manage/change external account

This process, also known as mover or crossboarding, involves making changes and updates to existing external accounts. For example, it could involve adding information, updating contact details, or changing permissions for an account. Our products offer multiple ways to handle these needs depending on the scenario and division of responsibilities.

Methods for managing and modifying external accounts

Allow the user to update certain parts of their account information themselves through a user-friendly portal.
Examples of what the user can change:

Update contact information, such as email address or mobile number.
Request access to specific resources or applications.

Give responsible people in your organization the right to manage external accounts for which they are responsible.
Example scenario:

Account managers can change account information, assign new roles, or update permissions.
A line employee can manage accounts associated with their department or project.
Externally responsible accounts can manage accounts for their subordinates or teams.

Certification:

Annual confirmation process where account managers verify that the external accounts they are responsible for are still current and accurate.

2. Delegated administration

Automate the process to ensure account information is up-to-date and accounts are managed efficiently.
Examples of automated solutions:

Synchronization with external systems to automatically update account data.
Automated notifications to account managers when an account is close to being deactivated, providing the opportunity to extend the validity period.

3. Automation

1. Self-registration

Let external users sign in with their own accounts from their organization via federation. Updated credentials or account information is sent in the federation ticket and the receiving organization updates account data accordingly.

Summary
Efficiently manage and modify external accounts through a combination of self-administration, delegated administration, and automation. This ensures that account information is always up-to-date and that external accounts are managed in a secure and structured manner.

4. Federation

Create external account

The process of creating external accounts, also known as onboarding or joining, can vary depending on the needs and technical capabilities of the organization. Ideally, the process should be automated, but some form of manual handling is often required.
It is important that the responsible person in the organization who manages external accounts, such as a consultant or summer worker, can verify that the person is who they claim to be. Our products offer several solutions to meet these needs depending on the scenario.

Methods for creating external accounts

Use self-registration to allow external users to create their own accounts using a verification method, such as e-ID.
Example scenario:

A prospective consultant receives a link to a registration page.
The consultant authenticates with e-ID to confirm their identity.
The consultant fills in and verifies their email address and mobile number.
An email is sent with login details, or the consultant can directly access a portal with their applications.
A notification is sent to the person responsible in the organization that the account has been created.
Possibility of an approval process before the account is activated.

Let internal administrators handle the creation of external accounts through a delegated process.
Example scenario:

An employee, for example from the finance department, requests that a consultant account be created.
The finance person completes the consultant registration page.
An optional approval process can be implemented, where one or more people review and approve the creation of the account.

2. Delegated administration

If external accounts already exist in a data source, such as Entra, Google, or a text file, our products can automatically import and create accounts in the system the organization uses.

3. Automation

1. Self-registration

Allow external users to log in with their own accounts from their organization via federation.
Example scenario:

A partner organization establishes a federation with your organization.
The partner's users log in with their existing account credentials and gain access to specific resources.
Other
Set a default length for how long external accounts should be active before they are deactivated.
Notify the administrator if an account is about to expire, and allow for the option to extend.

4. Federation

Permission control for external accounts

After authentication, the user needs the right permissions to work in the assigned systems.

Our products offer support for:

Assign systems and applications: Specify which resources the user should have access to.
Application rights management: Define the user’s level of access within each application.
Self-administration for access requests: Let the user request access to resources, which may require approval from an account manager.
Role-based access: Assign a role that automatically grants the user access to predefined resources and permissions.

Terminate, deactivate, and extend external accounts

When an external account is no longer needed – for example, when a consulting assignment has ended – the account should be deactivated or deleted. In some cases, the account may need to be extended if the collaboration continues.

Support for deactivation and extension

Set end date upon creation: A deactivation date can be defined right from the account creation.
Notifications to account owners: The account owner is informed of the status and can deactivate or extend the account if necessary.

For example, when 30 days remain before the account is deactivated, an automatic notification is sent to the person responsible, who can choose to extend the account.

Account extension

If a master data system is connected, its rules can control the account lifecycle, including deactivation and deletion.

Integration with customer data source

Automated deactivation processes

Upon deactivation, all permissions may be automatically removed from the account.
The account may be moved to a dedicated inactive account location for secure management and archiving.

Inactive account management

Mer att tänka på

Register
Just as with employees, who are often initially registered in an HR system and then automatically provisioned to different systems, external accounts also need a register where they are first placed. Unlike internal accounts, however, it is unusual for this to happen in the organization's HR system.
To choose a register for external accounts, priority should be given to a solution that is both cost-effective and where the organization has relevant expertise.

Examples of registers:

LDAP: If the organization already works with LDAP, ADLDS may be a natural choice.

SQL: If SQL is an established solution internally, it may be appropriate to choose.

Cloud services: For organizations with experience with services such as Entra or Google, these options are preferred.

Our products can be integrated with all of these technologies, making it possible to choose the one that best suits your needs and skills.

Account owners and notifications
Each account created is linked to a responsible owner.
Notifications can be automated to notify the owner when an account is being deactivated. The owner can easily extend the validity of the account if necessary.

Certification
Automated certification processes where the account owner receives an annual reminder via email to confirm that the account should still be active and belong to them.