
Managing Partner Delegations

If your organization has partners that access your system to manage their allocated IT resources, you can quickly set up your environment using the built-in partner roles and locations. This guide demonstrates the complete process using a fictitious partner named "Henrik Hardware" to create test partner admins and users for validation.

When correctly configured, partner admins can only see their own locations—not your IT infrastructure or other partners' resources. Partner admins can manage their partner users independently without your intervention.

Prerequisites

To manage partner delegations, you need appropriate permissions to:

  • Create and manage Locations in EmpowerID
  • Create and manage Person objects
  • Reset passwords for test users

Create Partner Locations

  1. On the navbar, expand Role Management and click Business Roles and Locations.

  2. Select the Actions tab and click Create Location. The Location Details form opens.

  3. Fill in the following fields:

    • Name – Name of the partner location (matching the partner organization name is recommended)
    • Display Name – Name users see in the EmpowerID UI
    • Description – Short characterization of the location
    • Is Assignable – Select to enable this option
  4. Under Parent ID, click the X to delete the EmpowerID System location.

  5. Click the Select a Location link to open the Location Selector.

  6. Search for and select Partners.

  7. Select Organization - Security Container as the Location Type.

  8. Click Save to create the Location.

  9. Repeat steps 2-8 to create locations for each additional partner.

Create Test Partner Admins

  1. On the navbar, expand Identity Administration and click People.

  2. Click the Onboard Person action to initiate the Onboard Person workflow.

  3. Select Simple Mode as the Person Creation Mode and click Next.

  4. Enter a First Name and Last Name for the partner admin.

  5. Enter Email and Personal Email addresses for the partner admin.

  6. Under Primary Business Role and Location, click the Select a Role and Location link.

  7. In the Business Role and Location (BRL) Selector:

    • From the Business Role pane, search for and select Partner Admin
    • Click Location to show the Location pane
    • Search for and select one of the partner locations you created earlier
    • Click Select
  8. Click Next to proceed to the Additional Information section.

  9. Review the summary information and click Submit.

  10. Repeat steps 2-9 to create additional test partner admins as needed.

  11. Reset the passwords for each test partner admin so they can log in.

Create Test Partner Users

  1. On the navbar, expand Identity Administration and click People.

  2. Click the Create Identity action. The Create Identity form opens.

  3. Fill in the following required fields:

    | Field | Description | Instructions |
    |---|---|---|
    | First Name | First name of the user | Enter the user's first name |
    | Last Name | Last name of the user | Enter the user's last name |
    | Login | EmpowerID login for the user | Enter a unique login identifier |
    | Primary Role and Location | Business Role and Location for the user | 1. Click Select a Role and Location. 2. From the Business Role pane, search for and select Partner. 3. Click Location to show the Location pane. 4. Search for and select one of the partner locations you created. 5. Click Select. |

  4. Click Save.

  5. Repeat steps 2-4 to create additional test partner users as needed.

  6. Reset the passwords for each test partner user so they can log in.

Test Partner User Delegations

  1. Log out of the EmpowerID Web application.
  2. Log in as a partner user.
  3. If prompted to protect access to your identity, select None.
  4. Click the Global Search dropdown at the top of the page. You should only see search options for People.
  5. Click in the Global Search field and press ENTER to search for people. You should only see people in the partner organization.
  6. Review the navbar. You should see the following navigation items:

    | Navigation Item | Purpose |
    |---|---|
    | Dashboards | View personal home dashboard |
    | Password Management | Access personal profile, manage identity workflow (delete MFA authenticator, enroll for Q&A password reset, manage account recovery contacts, change password, edit profile, register MFA authenticator) |
    | My Identity | Access the My Identity app |
    | IAM Shop | Access the IAM Shop app |
    | Business Requests and Tasks | Access the My Tasks app |
    | Identity Administration | Access the Resource Admin app |

Test Partner Admin Delegations

  1. Log out of the EmpowerID Web application.
  2. Log in as a partner admin.
  3. If prompted to protect access to your identity, select None.
  4. Verify you see the same navigation and search options as the partner user, with the addition that you can access the Find People page from the navbar.
  5. On the navbar, expand Identity Administration and click People. You should see the actions available to partner admins on the Find People page.
  6. Test creating, editing, and managing people within your partner location to verify administrative capabilities.

Results

After completing this setup:

  • Partner locations exist under the Partners Organization location
  • Partner admins can only view and manage resources within their partner locations
  • Partner admins cannot see your internal IT infrastructure or other partners' resources
  • Partner users have self-service capabilities within their partner context
  • Partner admins can manage their users independently
  • Access is properly scoped based on the Organization location hierarchy

Optional Exercises

To further validate the partner delegation model:

Exercise 1: Create Multiple Partners

Repeat the steps above to create additional partner users and partner admins. Test results should be consistent—each partner admin can only see and manage their own partner location.
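
When several partners are under test, the isolation check can be run over the recorded search results instead of by eye. The following is an added example, not EmpowerID code or an EmpowerID API: the logins, the second partner "Contoso Cabling", the "IT" location and the observation format are all constructed assumptions.

```python
# Added example: all logins, locations and observations are constructed test data.
PARTNERS_ROOT = ("Partners",)

# Login -> location path (root first), as recorded by the host administrator.
DIRECTORY = {
    "hh.admin": ("Partners", "Henrik Hardware"),
    "hh.user1": ("Partners", "Henrik Hardware"),
    "cc.admin": ("Partners", "Contoso Cabling"),
    "cc.user1": ("Partners", "Contoso Cabling"),
    "it.ops": ("EmpowerID System", "IT"),
}

# Test login -> logins that Global Search returned in that session.
OBSERVED = {
    "hh.admin": {"hh.admin", "hh.user1"},
    "cc.admin": {"cc.admin", "cc.user1", "hh.user1"},  # sees another partner
    "cc.user1": {"cc.admin", "cc.user1", "it.ops"},    # sees internal staff
}


def is_within(path, ancestor):
    """True if 'path' is 'ancestor' itself or lies below it in the tree."""
    return path[:len(ancestor)] == ancestor


def find_leaks(directory, observed):
    """Return (viewer, visible_login, reason) for every out-of-scope result."""
    leaks = []
    for viewer, seen in sorted(observed.items()):
        scope = directory[viewer]
        if len(scope) < 2 or not is_within(scope, PARTNERS_ROOT):
            raise ValueError(f"{viewer} is not placed in a partner location")
        partner_scope = scope[:2]  # ("Partners", "<partner name>")
        for login in sorted(seen):
            location = directory.get(login)
            if location is None:
                leaks.append((viewer, login, "unknown person"))
            elif not is_within(location, partner_scope):
                inside = is_within(location, PARTNERS_ROOT)
                leaks.append((viewer, login,
                              "other partner" if inside else "internal"))
    return leaks


if __name__ == "__main__":
    for viewer, login, reason in find_leaks(DIRECTORY, OBSERVED):
        print(f"LEAK: {viewer} can see {login} ({reason})")
```

An empty result means every recorded search stayed inside the viewer's own partner location; any row returned points at a person whose placement or delegation should be reviewed.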

Exercise 2: Test Account Provisioning (Non-Production Environment)

  1. Create test OUs for the partner locations you created
  2. Map those locations to the appropriate OUs
  3. Create a Provisioning Policy that provisions an Active Directory user account in the appropriate OU for each person assigned to the Partner in Partners Business Role and Location
  4. Log in as a partner admin and search for user accounts—you should see one user account for each partner you created