Tenant-aware admin portals: what it means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: As B2B SaaS platforms add self-service identity administration, they are shifting more access, role, and tenant control out of engineering workflows and into tenant-aware portals, according to Descope. That changes governance from custom build-and-maintain work to strict scoping, role enforcement, and delegated admin oversight.

NHIMG editorial — what this means for NHI practitioners

Questions worth separating out

Q: How should security teams govern delegated administration in multi-tenant SaaS?

A: Security teams should scope delegated administration by tenant first, then by role and action.

Q: Why do tenant-aware portals change IAM governance?

A: Tenant-aware portals move routine identity tasks from engineering into customer- or partner-facing administrative workflows.

Q: What do teams get wrong about self-service identity administration?

A: Teams often focus on interface design and overlook the security model behind it.

Practitioner guidance

  • Map tenant boundaries before enabling self-service: Define which tenant identities can view and change users, roles, applications, and access keys, then test for cross-tenant access leakage with negative-path checks.
  • Validate widget actions against backend authorization: Confirm that every visible widget still performs server-side authorization for the correct role and tenant, even when navigation or branding changes are made.
  • Add delegated admin to access reviews: Include partner and customer administrative accounts in the same access review cadence as internal privileged users, with explicit review of tenant scope and allowed functions.

What's in the full announcement

Descope's full blog post covers the operational detail this post intentionally leaves for the source:

  • Configuration choices for Descope Widgets, including user management, role management, access keys, and application access
  • Navigation, branding, and flow-selection options for building a tenant-aware admin experience
  • Use-case walkthroughs for B2B SaaS customer administration and partner delegated administration
  • How the portal can be enabled or disabled from the console without rebuilding internal tooling

👉 Read Descope's update on its tenant-aware Admin Portal for self-service identity management →

Quote
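An added example, not part of the post above and not Descope's code: a deny-by-default authorization check that scopes by tenant first, then role and action, plus the negative-path sweep for cross-tenant leakage that the practitioner guidance calls for. The role names, action names, resource ids and the `RESOURCE_TENANT` table are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical role -> allowed actions map (names are assumptions, not Descope's).
ROLE_ACTIONS = {
    "tenant_admin": {"user.view", "user.update", "role.assign", "access_key.create"},
    "user_manager": {"user.view", "user.update"},
    "auditor": {"user.view"},
}
# Constructed sample data: which tenant owns each managed object.
RESOURCE_TENANT = {"user:alice": "acme", "user:bob": "globex", "key:ci": "globex"}


@dataclass(frozen=True)
class Principal:
    subject: str
    tenant_roles: dict  # tenant id -> roles, taken from the verified session only


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(principal, action, resource_id):
    """Deny by default: resolve the owning tenant server-side, then role, then action."""
    owner = RESOURCE_TENANT.get(resource_id)
    if owner is None:
        return Decision(False, "unknown_resource")
    roles = principal.tenant_roles.get(owner)
    if not roles:
        return Decision(False, "tenant_mismatch")
    if not any(action in ROLE_ACTIONS.get(role, ()) for role in roles):
        return Decision(False, "action_not_permitted")
    return Decision(True, "ok")


def cross_tenant_leaks(principals):
    """Negative-path sweep: every action on every object outside the caller's tenants."""
    actions = sorted(set().union(*ROLE_ACTIONS.values()))
    return [
        (p.subject, action, resource_id)
        for p in principals
        for resource_id, owner in RESOURCE_TENANT.items()
        if owner not in p.tenant_roles
        for action in actions
        if authorize(p, action, resource_id).allowed
    ]
```

The owning tenant is looked up from the resource rather than read from the request, so a tenant id supplied by the widget cannot widen scope; a non-empty result from `cross_tenant_leaks` is a failed negative-path check.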
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Delegated administration is now an identity governance problem, not just a product feature. The article shows that B2B platforms are moving routine identity tasks into tenant-controlled portals because customers expect self-service. That changes the governance burden from internal engineering teams to the portal design itself. Practitioners should treat delegated admin as privileged access with tenant boundaries, not as a convenience layer.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: How do tenant admin portals affect access reviews and offboarding?

A: They make access reviews more important because administrative rights are now distributed closer to the customer or partner edge. Reviews need to confirm tenant scope, role scope, and whether access still matches the business relationship. Offboarding must revoke portal access alongside the underlying admin entitlements.

👉 Read our full editorial: Tenant-aware admin portals are reshaping delegated identity governance



   