Enterprises allow users to access their computer systems for many reasons. In a typical scenario, a business will create a user account for an employee, which allows the employee to log into the business's computer system. Creating a user account generally involves issuing an identity for the user that is recognizable by the computer system. The login process authenticates the user (i.e., verifies the identity of the user) and allows the authenticated user to access resources and services in the system, in accordance with an appropriate authorization level.
In other scenarios, an enterprise may wish to allow users from external enterprises to access its computer system. For example, a business may allow customers to access some portion of its computer system in order to use specific resources and services (e.g., to place orders or to obtain support). When the number of such external users is small enough, individual accounts with limited authorization can reasonably be created and maintained for them.
However, a large enterprise may desire to provide access to a large number of diverse and continuously changing external users. For example, a manufacturing company may allow some external access to its computer system by employees of its vendors and customers (e.g., for invoicing and order placement purposes). In this scenario, the external users can change continuously as employees of the external companies come and go. Managing this access by granting and maintaining individual accounts for a substantial number of external users can seriously tax the enterprise's information technology department.