Businesses today engage with a variety of partners to offer and consume products and services. As a business, you are under pressure to be technologically agile, decrease costs and focus on driving revenue. And partners (e.g., customers, suppliers and consultants) demand better experiences throughout the entire business relationship. Businesses are also looking to centralize and simplify access to products and services, reducing the risk of sharing data with the wrong audiences, lowering maintenance costs and offering great experiences to partners that engage and interact with your products and services.
CIAM for B2B is the offering from SAP Customer Data Cloud for businesses to manage their relationship with other businesses in a transparent way. It takes the capabilities of fine-grained authorization based on smart policies, and combines them with authentication and identity management, to provide you with a clear view of your partners, their members, and your relationships, easily managed in an intuitive, visual UI.
CIAM for B2B offers:
- Onboarding of partners to all digital properties through a governance process that will enable the business to be in compliance across all connected applications
- End-to-end partner lifecycle management (as opposed to complex, on-prem and cloud point-to-point integrations), allowing IT teams to focus on improvement and opportunity rather than maintenance.
- Centralized Policy Based Access Control (PBAC) solution with a governance process to secure applications and resources and help prevent data leaks and unauthorized access across the entire digital ecosystem.
- Self-service delegated administration of partner organisations and partner users, including identity, profile and preference management.
The solution leverages the Identity Management capabilities of Customer Data Cloud, such as authentication and profile update flows, a rich user database and pre-built integrations with downstream apps, and includes the following:
- Partner organization management – The ability to create, edit, update or delete partner organisations directly, or to support self-service registration or provisioned partners (for example, from the sales automation system).
- Self-Registration and Provisioning onboarding – Supporting the self-registration of new Partners which then follow a configurable approval process before being activated.
- Partner Admin and User onboarding – Business Admins will be able to create and manage Partner Admins as well as Partner Users, while Partner Admins will be able to initiate invitation flows for other Partner Admins and Partner Users.
- Delegated administration for Partner Admins includes performing the following for partner users: provisioning, activation, role assignment, password reset and revocation.
Policy-Based Access Management
- The ability to manage coarse-grained, fine-grained access to assets such as applications, site pages, and user actions
- Dynamic attribute-based authorization decision-making
- Full policy life cycle management
- Run-time authorization
- Pre-built flows for inviting new and existing users to access the organization's assets
- Assign members to organizations, departments and roles for coarse and fine-grained access management
- Easy access management for quick onboarding and offboarding of employees and third-party org members
- Use any of the Customer Data Cloud access points in an access management scenario
RBAC (Role-Based Access Control): The traditional authorization method, whereby access to an asset is based only on the roles assigned to the user. Implementing RBAC is relatively simple, but maintaining it over time becomes cumbersome as the system grows and permissions get more fine-grained. This is the type of access control typically used when implementing Active Directory / LDAP.
ABAC (Attribute-Based Access Control): ABAC is a model for fine-grained authorization where access is decided according to the attributes of the user, the attributes of the resource and the attributes of the environment. Implementation is more labor-intensive, but once complete, maintaining it is relatively simple and efficient.
PBAC (Policy-Based Access Control): PBAC is the harmonization and standardization of the ABAC and RBAC models. PBAC makes the underlying business logic of access decisions easy to understand and express. PBAC dramatically reduces the number of rules to govern, approve and manage, and enables an efficient and scalable access control process. PBAC supports both coarse-grained and fine-grained authorization.
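As an added illustration of the three models above (example code written for this page, not SAP's implementation or API; the member, asset, role and policy names are constructed), the following evaluates the same access request under RBAC, ABAC, and a deny-by-default PBAC policy set that combines role and attribute conditions:

```python
# Constructed sample model: names, roles, attributes and policies are illustrative only.
from dataclasses import dataclass

@dataclass(frozen=True)
class Member:
    org_id: str
    department: str
    roles: frozenset
    status: str = "active"

@dataclass(frozen=True)
class Asset:
    name: str
    owner_org: str
    sensitivity: str = "internal"

# RBAC: a static role -> permitted-asset map; the decision ignores every other attribute.
ROLE_PERMISSIONS = {"buyer": {"catalog"}, "manager": {"catalog", "invoices"}}

def rbac_allows(member, asset):
    return any(asset.name in ROLE_PERMISSIONS.get(r, set()) for r in member.roles)

# ABAC: the decision is computed from user, resource and environment attributes.
def abac_allows(member, asset, env):
    return (member.org_id == asset.owner_org
            and (asset.sensitivity != "confidential" or env.get("mfa", False)))

# PBAC: named policies mixing role and attribute conditions. Any matching deny wins;
# otherwise at least one allow is required; with no match the request is denied.
POLICIES = [
    {"name": "offboarded-members-denied", "effect": "deny",
     "when": lambda m, a, e: m.status != "active"},
    {"name": "catalog-for-buyers-and-managers", "effect": "allow",
     "when": lambda m, a, e: a.name == "catalog" and not m.roles.isdisjoint({"buyer", "manager"})},
    {"name": "procurement-managers-see-own-org-invoices", "effect": "allow",
     "when": lambda m, a, e: a.name == "invoices" and "manager" in m.roles
             and m.org_id == a.owner_org and m.department == "procurement"},
    {"name": "confidential-assets-require-mfa", "effect": "deny",
     "when": lambda m, a, e: a.sensitivity == "confidential" and not e.get("mfa", False)},
]

def pbac_decide(member, asset, env):
    """Return (allowed, names of the policies that determined the outcome)."""
    matched = [p for p in POLICIES if p["when"](member, asset, env)]
    denies = [p["name"] for p in matched if p["effect"] == "deny"]
    if denies:
        return False, denies
    allows = [p["name"] for p in matched if p["effect"] == "allow"]
    return bool(allows), allows
```

Note how a manager from a different organization passes the RBAC check for invoices but is denied by PBAC, and how an explicit deny (offboarded member, missing MFA) overrides any matching allow.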
| Term | Definition |
|---|---|
| Admin / IT Admin | An administrator working in your organization, with the authority to configure your site settings and business flows in Customer Data Cloud. A Customer Data Cloud Console user. |
| Organization | A partner organization with some degree of involvement with your business. An "organization" object in Customer Data Cloud, identified by an orgID. |
| Partner Admin | Administrator at the partner organization, also referred to as the "Delegated Admin". |
| Organization Member | Non-IT user at the partner organization who logs in to access one or more of your applications. Expressed as an "identity" or site account in Customer Data Cloud. |
| Role | An organizational role that is assigned to organization members (e.g. buyer, manager). One member can have several roles, and one role can belong to several members. |
| Department | The department to which an organization member belongs (e.g. procurement, IT, HR). |
| Application | An application where the Customer Data Cloud access control capabilities have been implemented for both authentication and authorization of users. It is in the application that policies (PBAC) translate into affirmation or denial of user actions and access. |
| Asset | Assets of the application, whose access rights are handled by policies. |
| Access Policies | Fine-grained definitions of the access rights of organization members to assets. |
Example Use Cases
Organization Use Cases
- Manual creation: An IT admin creates an organization.
- Self registration: An organization member enters the partner organization portal and submits a request to add their organization. After the organization is approved, they become the first member of that organization.
| Component | Description |
|---|---|
| Client | Usually a browser or app, on a desktop or mobile device |
| Server | Manages the website or endpoints used by the client |
| Customer Data Cloud | Provides user-facing authentication, profile management, and consent flows |
| CIAM for B2B | Decision engine based on definitions of roles, attributes, departments and authorization policies |
| Application | An application, IoT device or API gateway that needs to know a user's access permissions |
Frequently Asked Questions
No, we do not. It complicates implementation without giving enough benefit.
Yes, with different roles, departments etc.
No, the relationship attributes are fixed.
The solution is not a workforce IAM solution, so there is no need to map hierarchies. Hierarchical approval can be achieved using department and job function.