
Access Levels — Access Levels are bundles of EmpowerID operations and/or native system rights specific to a resource type (such as Exchange mailboxes or user accounts) that when assigned to users give those users the ability to access IT resources in the manner specified by the Access Level. Each resource type has its own set of Access Levels defined with different combinations of EmpowerID operations and rights (where applicable) to ensure that the level of access to the resources remains consistent for the type and the assignment.

Account Store

Authorization Object — A group that represents a specific access assignment in an application or directory system. The group can either be a security group in Active Directory or a generic group in EmpowerID that represents a group or role in a target application.

Authorization Package/Business Function — Management Roles are used to represent Authorization Packages (AKA Business Functions) in EmpowerID. An Authorization Package is a business-designed bundle of access required to complete a Business Function or for participation in a team or working group. Authorization packages bundle access across multiple systems and present a single non-technical assignable unit of access. The Management Role allows this flexibility and enables the business owners to create friendly non-technical descriptions and manage the governance cycle of these packages.

Business Role

Company — People belong to companies via their Business Role and Location assignments.

Core Identity — A single entity per human or IoT device. A core identity can be the owner of multiple Person objects.

Person — A Person is an object in EmpowerID that represents a human being. A Person typically owns multiple user accounts in external systems such as Active Directory, Azure AD, Facebook, SAP, etc. 


EmpowerID RBAC Actor Types — Objects representing collections of people to which policies can be assigned. These include: Person, Group, Management Role Definition, Management Role, Query-Based Collection, Business Role and Location.

  • Accounts — Accounts are users that are inventoried from external systems and may or may not have a single person assigned as the owner. Accounts such as service identities can be managed but do not always require a person object for management. Often a person object will be created anyway to leverage the ease of assigning RBAC policies for group membership and other access. Accounts in social media systems or web applications are linked to a person to facilitate single sign-on between systems.

  • Person — See the Person entry above.

  • Business Role and Location — See OrgRole, OrgZone and Polyarchical RBAC below.

  • Group

  • Management Role — Management Roles are user-defined containers holding collections of Access Levels that have been packaged together into responsibility or job-based bundles to allow for the quick and easy bulk assignment of access to resources from across multiple systems. They are like groups in EmpowerID that are not limited to granting access to only the resources in a single system. Management Roles have a single level hierarchy, inheriting access from their Management Role Definition.


  • Query-Based Collections — Query-based Collections, also known as Set Groups, are logical bundles of Sets (queries made against the EmpowerID Identity Warehouse that result in collections of people or resources) grouped together with a friendly name for resource management. Set Groups offer advantages over groups and roles in that they can contain any type of resources, are continuously evaluated to ensure they contain the appropriate resources, and can be used as actors as well as be the recipients of EmpowerID policies for provisioning, deprovisioning, attribute assignment, password policies, etc.

EmpowerID Operations — Each EmpowerID Operation is a protected code object that, when executed within an EmpowerID workflow, allows a resource within EmpowerID or a custom application to be accessed in a way that is consistent with the operation and the type of resource being accessed. Some examples include adding users to groups, creating mailboxes, updating user attributes, or even viewing certain objects such as EmpowerID pages and reports.

Location

OrgRole — An OrgRole is an object in EmpowerID that represents a person's Business Role. Business Roles are always assigned to people in conjunction with an Organizational Location.

OrgZone — An OrgZone is an Organizational Location / Business Context always assigned in conjunction with a Business Role. For resources that are not Person objects, Locations are used to organize them into hierarchies for management of inherited access policies.

Personas — A person's core identity can be linked to multiple sub-person objects which are the professional identities (i.e. have the business information attached).

Polyarchical RBAC — Business Roles and Locations are both hierarchical trees. People are assigned to one or more Business Roles each for a specific Location/Context. This polyarchy dramatically reduces the number of roles and eliminates role bloat.
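As an added illustration of the polyarchy described above (example code written for this page, not EmpowerID's own implementation), the following Python models Business Roles and Locations as two separate trees, attaches an Access Level policy to a (role, location) pair, and resolves a person's effective access by inheritance down both trees. All role, location, person and access-level names are constructed sample data, and the inheritance rule used here (a policy at role R in location L applies to every assignment at or below R and at or below L) is an assumption of the example rather than a documented EmpowerID behaviour.

```python
"""Added example (not EmpowerID's code): a minimal model of polyarchical RBAC.

Business Roles and Locations are separate trees. A person is assigned to a
Business Role *in* a Location; an access policy is attached to a
(role, location) pair and is inherited by every assignment at or below that
role in the role tree and at or below that location in the location tree.
All names below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed sample trees: child -> parent (None marks the root).
ROLE_PARENT = {
    "Employee": None,
    "Engineer": "Employee",
    "SRE": "Engineer",
    "Finance": "Employee",
}
LOCATION_PARENT = {
    "Global": None,
    "EMEA": "Global",
    "Germany": "EMEA",
    "Berlin": "Germany",
    "APAC": "Global",
}


def ancestors_or_self(node, parent_map):
    """Walk up a tree from node to its root, yielding node itself first."""
    while node is not None:
        yield node
        node = parent_map[node]


@dataclass(frozen=True)
class Assignment:
    """A person's membership in one Business Role for one Location/Context."""
    role: str
    location: str


@dataclass(frozen=True)
class Policy:
    """An Access Level granted to everyone holding `role` (or a descendant
    role) in `location` (or a descendant location)."""
    role: str
    location: str
    access_level: str


@dataclass
class Person:
    name: str
    assignments: set = field(default_factory=set)


# Constructed sample policies, each bound to a (role, location) pair.
POLICIES = [
    Policy("Employee", "Global", "Intranet:Reader"),
    Policy("Engineer", "EMEA", "GitLab-EMEA:Developer"),
    Policy("SRE", "Germany", "ProdCluster-DE:Operator"),
    Policy("Finance", "Global", "SAP:PostInvoice"),
]


def policy_applies(policy, assignment):
    """True when the assignment sits at or below the policy in BOTH trees."""
    return (policy.role in ancestors_or_self(assignment.role, ROLE_PARENT)
            and policy.location in ancestors_or_self(assignment.location, LOCATION_PARENT))


def effective_access(person, policies=POLICIES):
    """Return {access_level: assignment that granted it} for a person.

    Keeping the granting assignment is what lets an auditor answer
    "why does this person have this access?" rather than just "what do they have?".
    """
    granted = {}
    for assignment in person.assignments:
        for policy in policies:
            if policy_applies(policy, assignment) and policy.access_level not in granted:
                granted[policy.access_level] = assignment
    return granted


def role_count_without_polyarchy(role_parent, location_parent):
    """Flat roles needed if every role x location pair had to be its own role."""
    return len(role_parent) * len(location_parent)


if __name__ == "__main__":
    alice = Person("Alice", {Assignment("SRE", "Berlin")})
    for level, via in sorted(effective_access(alice).items()):
        print(f"{alice.name}: {level} via {via.role}@{via.location}")
    print("flat roles needed:", role_count_without_polyarchy(ROLE_PARENT, LOCATION_PARENT))
```

With the sample trees, an SRE in Berlin inherits the Employee/Global and Engineer/EMEA policies as well as the SRE/Germany one, while an Engineer in APAC gets only the Employee/Global policy; the flat alternative would need 4 × 5 = 20 roles to express the same assignments with 4 roles and 5 locations.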

Risk Management — Risk management is the process of managing risks associated with an organization’s IT resources. It involves identifying, assessing, and treating risks to those resources in a manner that best reflects the organization’s risk tolerance. EmpowerID Risk management has the following components:

  • Global Function — A business-specific activity, usually named in the form Verb Noun; e.g., Create Purchase Order. It defines the business activity, its risk level and its mitigating controls.

  • Local Function — The local version of a Global Function, used in risk policies. Localized means that it specifies the "where" for the function; e.g., Create Purchase Orders in the Widgets subcompany.

  • Global Risk — Policies that define functions that are critical or sensitive, or those where a combination of two functions produces a toxic combination or SOD (segregation of duties) violation.

  • Local Risk — The local version of a Global Risk. Local risks are scoped to a specific instance of an application.

  • Risk Owner — Risk owners are the business users responsible for risks; they have the ability to approve, mitigate or remediate violations.

  • Rules — Rules are the functions added to local risk policies.

  • Mitigating Controls — Checks and balances assigned to global risks that can be linked to violations if the risk owner decides that the violation should be allowed (mitigated). For example, “Bob” checks the record of purchase orders monthly to mitigate the risk that he might engage in unethical behavior.

  • Violation — A violation occurs when the rules that comprise a local risk are broken. Violations only occur for local risks. EmpowerID distils all violations down to the person violating the rule, regardless of how they received the violating functions. For example, if numerous people belong to a role that has the function, EmpowerID will flag each person in the role as a violator to give you a full picture of the magnitude of the risk. Risk owners can view the exact assignment point that caused the person to be in violation.
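The following Python is an added example (written for this page, not EmpowerID's own risk engine) of how the terms above fit together when a Local Risk is evaluated: a Global Risk names a toxic pair of Global Functions, a Local Risk scopes that pair to one application instance, and every person who holds both rules is flagged individually, with the assignment point (role or direct grant) that gave them each function, and with a mitigating control recorded where a risk owner has accepted the violation. All function, role, person and application names are constructed sample data, and the data layout (role-to-function and person-to-role dictionaries) is an assumption of the example.

```python
"""Added example (not EmpowerID's code): evaluating a Local Risk and distilling
violations down to each person, together with the assignment point that caused it.
All function, role, person and application names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class GlobalFunction:
    name: str          # Verb Noun, e.g. "Create Purchase Order"
    risk_level: str


@dataclass(frozen=True)
class LocalFunction:
    """A Global Function scoped to a 'where' (an application instance)."""
    function: GlobalFunction
    scope: str


@dataclass(frozen=True)
class GlobalRisk:
    """Two functions that together form a toxic combination (an SOD rule)."""
    name: str
    function_a: GlobalFunction
    function_b: GlobalFunction


@dataclass(frozen=True)
class LocalRisk:
    """A Global Risk instantiated for one application instance; its rules are
    the two Local Functions in that scope."""
    risk: GlobalRisk
    scope: str

    @property
    def rules(self):
        return (LocalFunction(self.risk.function_a, self.scope),
                LocalFunction(self.risk.function_b, self.scope))


@dataclass(frozen=True)
class Violation:
    person: str
    local_risk: str
    evidence: tuple     # (local function, assignment point) pairs
    mitigated: bool = False


# Constructed sample data.
CREATE_PO = GlobalFunction("Create Purchase Order", "high")
APPROVE_PO = GlobalFunction("Approve Purchase Order", "high")
VIEW_PO = GlobalFunction("View Purchase Order", "low")
RISK = GlobalRisk("Create and approve own purchase orders", CREATE_PO, APPROVE_PO)
LOCAL_RISK = LocalRisk(RISK, "SAP-Widgets")

# Roles grant local functions; people hold roles and/or direct grants.
ROLE_FUNCTIONS = {
    "Buyer": {LocalFunction(CREATE_PO, "SAP-Widgets"), LocalFunction(VIEW_PO, "SAP-Widgets")},
    "Purchasing Manager": {LocalFunction(APPROVE_PO, "SAP-Widgets")},
}
PERSON_ROLES = {"bob": {"Buyer", "Purchasing Manager"}, "carol": {"Buyer"}, "dave": {"Purchasing Manager"}}
# Carol's approval right is in a different instance, so it is outside the local risk's scope.
DIRECT_GRANTS = {"carol": {LocalFunction(APPROVE_PO, "SAP-Gadgets")}}
# A risk owner accepted Bob's violation and linked a mitigating control to it.
MITIGATED = {("bob", RISK.name)}


def assignment_points(person):
    """Every (local function, where it came from) a person holds, whatever the path."""
    points = []
    for role in sorted(PERSON_ROLES.get(person, ())):
        for lf in ROLE_FUNCTIONS.get(role, ()):
            points.append((lf, f"role:{role}"))
    for lf in DIRECT_GRANTS.get(person, ()):
        points.append((lf, "direct"))
    return points


def evaluate(local_risk, people):
    """Flag every person holding both rules of the local risk within its scope."""
    rule_a, rule_b = local_risk.rules
    violations = []
    for person in sorted(people):
        points = assignment_points(person)
        hits_a = [p for p in points if p[0] == rule_a]
        hits_b = [p for p in points if p[0] == rule_b]
        if hits_a and hits_b:
            violations.append(Violation(person, local_risk.risk.name, tuple(hits_a + hits_b),
                                        mitigated=(person, local_risk.risk.name) in MITIGATED))
    return violations


if __name__ == "__main__":
    for v in evaluate(LOCAL_RISK, PERSON_ROLES):
        status = "mitigated" if v.mitigated else "OPEN"
        print(f"{v.person}: {v.local_risk} [{status}]")
        for lf, point in v.evidence:
            print(f"    {lf.function.name} in {lf.scope} via {point}")
```

Only Bob is flagged: he receives the two functions through two different roles, and the evidence lists each role as the assignment point. Carol holds Create in SAP-Widgets but Approve only in SAP-Gadgets, which is a different application instance and therefore outside the local risk's scope, so she is not a violator.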