User identity and access management

User identity and access management are vital parts of information security. You need to make sure that only authenticated and authorized users are able to access your system resources, and only in a defined manner. User management can become a daunting task as your organization and product adoption grow. User access management should differentiate between, and separately manage, access for an organization's employees, vendors, and customers.

Enterprise or corporate users could be the organization's employees, contractors, or vendors. These are specialist users who hold elevated privileges to develop, test, and deploy the application. In addition, they require access to other corporate systems to do their daily job—for example, an Enterprise Resource System (ERP), a payroll system, an HR system, a timesheet application, and so on. As your organization grows, the number of such users can grow from hundreds to thousands.

The end users are the customers who use your applications and have minimal access, enough to explore and use the desired features of the application—for example, players of a gaming application, users of social media applications, or customers of an e-commerce website. The count of these users could be from hundreds to thousands to millions (or even more) as the popularity of your product or application grows. The other factor is that this user count can grow exponentially, which adds its own challenges. You need to take special care of security when exposing the application to external-facing internet traffic, to protect it from various threats.

Let's talk about corporate user management first. You need to have a centralized repository where you can enforce security policies such as strong password creation, password rotation, and multi-factor authentication (MFA) for better user management. MFA provides another means of validating someone's identity in case a password has already been compromised. Popular MFA providers include Google Authenticator, Gemalto, YubiKey, RSA SecurID, Duo, and Microsoft Authenticator.

From a user-access perspective, role-based authentication (RBA) simplifies user management; you can create user groups according to the user's role and assign an appropriate access policy to each group. As illustrated in the following diagram, you have three groups—admin, developer, and tester—with the corresponding access policy applied to each individual group. Here, admin can access any system, including production, while developer access is limited to the dev environment, and the tester can only access the test environment:

User group organization

As shown in the preceding diagram, when any new user joins the team, they get assigned to the appropriate group according to their role. In this way, each user has a defined set of standard access. The user group also makes it easy to update access when, for example, a new development environment gets introduced to which all developers need access: the policy is changed once for the group rather than once per user.
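The group-based model above, as an added example (not code from the book): users map to exactly one group, groups map to the environments they may reach, every lookup denies by default, and introducing a new environment is a single policy update on the group. Group, user, and environment names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class AccessDirectory:
    """Group-based access: users map to one group, groups map to environments."""
    environments: set = field(default_factory=lambda: {"dev", "test", "prod"})
    group_policy: dict = field(default_factory=dict)   # group -> allowed envs
    user_group: dict = field(default_factory=dict)     # user id -> group

    def define_group(self, group: str, envs: set) -> None:
        unknown = set(envs) - self.environments
        if unknown:
            raise ValueError(f"unknown environments: {sorted(unknown)}")
        self.group_policy[group] = set(envs)

    def add_user(self, user: str, group: str) -> None:
        # A new joiner must land in a group that already has a policy.
        if group not in self.group_policy:
            raise KeyError(f"no policy defined for group {group!r}")
        self.user_group[user] = group

    def add_environment(self, env: str, grant_to: set) -> None:
        # The "new dev environment" case: one policy update covers every
        # member of each listed group, with no per-user changes.
        self.environments.add(env)
        for group in grant_to:
            if group not in self.group_policy:
                raise KeyError(f"no policy defined for group {group!r}")
            self.group_policy[group].add(env)

    def is_allowed(self, user: str, env: str) -> bool:
        # Deny by default: unknown user, unknown group, or env not in policy.
        group = self.user_group.get(user)
        if group is None:
            return False
        return env in self.group_policy.get(group, set())


def build_example_directory() -> AccessDirectory:
    # Constructed sample matching the three groups described in the text.
    d = AccessDirectory()
    d.define_group("admin", {"dev", "test", "prod"})
    d.define_group("developer", {"dev"})
    d.define_group("tester", {"test"})
    d.add_user("alice", "admin")
    d.add_user("bob", "developer")
    d.add_user("carol", "tester")
    return d
```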

Single Sign-On (SSO) is the standard process for reducing security lapses and helping to automate the system. SSO lets users log in to the different corporate systems with a single user ID and password. Federated Identity Management (FIM) allows users to access a system without entering a password there, using a pre-authenticated mechanism. Let's look at some more details.
