Versions Compared

...

Some situations require multiple Person objects for the same human being or non-human identity. A typical case is where a Person has privileged access to IT systems. Privileged access is often granted by creating an additional personal privileged user account in the system for use by that person when performing admin activities. Using Active Directory as an example, this would mean that a Person would have two users in the same AD domain. If EmpowerID were to link these two Account objects to the same person, some undesired consequences would occur. 1) EmpowerID flows attributes between all accounts owned by the Person and the rules are per directory and not per attribute.

These include cases where the human

Compliant Access Delivery synthesizes multiple Identity and Access Management (IAM) technologies with a business modeling approach to automate and maintain each user with their appropriate Access to IT systems while continuously minimizing risk.

  • Core Identity – single entity per human or IoT

  • Person — core identity can be the owner of other person objects

  • OrgRole — Business Role always assigned in conjunction with an Organizational Location

  • OrgZone — Organizational Location / Business Context always assigned in conjunction with a Business Role

  • Polyarchical RBAC — Business Roles and Locations are both hierarchical trees. People are assigned to one or more Business Roles, each for a specific Location/Context. This polyarchy dramatically reduces the number of roles and eliminates role bloat

  • Company — people belong to companies via their Business Role and Location assignments

  • Personas — person core identity can be linked to multiple sub-person objects which are the professional identities — i.e. have the business information attached

...

AccountStore – represents a directory or user store

...

ProtectedApplicationResource – represents an application

...

Account – user or HR record in an external directory/application

...

Group – group or application role in an external directory/application

...

This would mean that the title, email, and other attributes would be made the same. 2) All access assignments by policy in EmpowerID are summed up on a Person-by-Person basis and are not account specific. This means that if a Person is granted membership in a group, either directly or through one of their roles, all user accounts they own in that directory would be added to the group.
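The two consequences above can be made concrete with a small model of per-directory attribute flow and Person-level access summation. The following is an added illustration written for this page, not EmpowerID code; the domain name, account names, group names and attribute values are constructed, and the persona split (a separate sub-Person owned by the core identity for the privileged account) is shown alongside the single-Person case to contrast the outcomes.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    store: str                                   # directory the account lives in
    name: str                                    # logon name in that directory
    attrs: dict = field(default_factory=dict)
    groups: set = field(default_factory=set)


@dataclass
class Person:
    name: str
    attrs: dict = field(default_factory=dict)
    accounts: list = field(default_factory=list)
    grants: set = field(default_factory=set)     # (store, group) pairs from roles/policy
    owner: "Person | None" = None                # set on a persona owned by a core identity


def flow_attributes(person):
    # Attribute flow is per directory, not per attribute: every account the
    # Person owns in a store receives the Person's attributes.
    for acct in person.accounts:
        acct.attrs.update(person.attrs)


def apply_grants(person):
    # Access is summed per Person: a grant in a store lands on every account
    # the Person owns in that store.
    for store, group in person.grants:
        for acct in person.accounts:
            if acct.store == store:
                acct.groups.add(group)


def provision(person):
    flow_attributes(person)
    apply_grants(person)
    return {a.name: {"mail": a.attrs.get("mail"), "groups": sorted(a.groups)}
            for a in person.accounts}


AD = "corp.example"   # constructed AD domain name


def linked_to_one_person():
    """Everyday account and admin account both linked to the same Person."""
    alice = Person("Alice", {"title": "Analyst", "mail": "alice@corp.example"})
    alice.accounts = [Account(AD, "alice"), Account(AD, "alice-adm")]
    alice.grants = {(AD, "Finance-Users"), (AD, "VPN-Users")}   # constructed groups
    return provision(alice)


def split_into_personas():
    """Admin account hangs off a separate persona owned by the core identity."""
    core = Person("Alice", {"title": "Analyst", "mail": "alice@corp.example"})
    core.accounts = [Account(AD, "alice")]
    core.grants = {(AD, "Finance-Users"), (AD, "VPN-Users")}
    admin = Person("Alice (admin)",
                   {"title": "Analyst", "mail": "alice-adm@corp.example"},
                   owner=core)
    admin.accounts = [Account(AD, "alice-adm")]
    admin.grants = {(AD, "Tier1-Admins")}                        # constructed group
    result = provision(core)
    result.update(provision(admin))
    return result


if __name__ == "__main__":
    print("one Person:", linked_to_one_person())
    print("personas:  ", split_into_personas())
```

In the single-Person case the admin account ends up with the same mail attribute as the everyday account and inherits every group the Person's roles grant in that domain; in the persona case each account carries only the attributes and grants of the Person it is linked to, while the ownership link still ties the persona back to the one core identity.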

...