...

Some situations require multiple Person objects for the same human being or non-human identity. A typical case is a Person who has privileged access to IT systems. Privileged access is often granted by creating an additional, personal privileged user account in the system, which that person uses only when performing admin activities. Using Active Directory as an example, this means that one Person would have two users in the same AD domain. If EmpowerID were to link these two Account objects to the same Person, two undesired consequences would follow. 1) EmpowerID flows attributes between all accounts owned by the Person, and the flow rules are per directory, not per attribute. The title, email, and other attributes of the two accounts would therefore be made the same. 2) All access assignments by policy in EmpowerID are summed up on a Person-by-Person basis and are not account specific. This means that if a Person is granted membership in a group, directly or through one of their roles, every user account they own in that directory would be added to the group, including the privileged one.
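The following is an added toy model of the two consequences just described; it is not EmpowerID code, and all class, directory, account and group names (corp.local, jdoe, jdoe-adm, Finance-Users, Tier0-Admins) are constructed for the illustration. It contrasts linking the admin account to the same Person with giving it a Person of its own.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    directory: str
    name: str
    attrs: dict = field(default_factory=dict)
    groups: set = field(default_factory=set)


@dataclass
class Person:
    name: str
    attrs: dict
    accounts: list = field(default_factory=list)
    # Constructed stand-in for policy/role assignments: directory -> groups.
    role_groups: dict = field(default_factory=dict)


def flow_attributes(person):
    # Flow rule is per directory, not per attribute: every owned account in
    # the directory receives the Person's values.
    for acct in person.accounts:
        acct.attrs.update(person.attrs)


def apply_group_policy(person):
    # Assignments are summed per Person, not per account: every owned account
    # in that directory is added to each group the Person was granted.
    for acct in person.accounts:
        acct.groups |= person.role_groups.get(acct.directory, set())


def provision(link_admin_to_same_person):
    # Constructed sample: one human with a daily-use and a privileged account.
    user = Account("corp.local", "jdoe", {"title": "Analyst"})
    admin = Account("corp.local", "jdoe-adm", {"title": "Admin account"})
    jane = Person("Jane Doe", {"title": "Analyst", "mail": "jane@example.com"},
                  [user], {"corp.local": {"Finance-Users", "VPN-Users"}})
    if link_admin_to_same_person:
        jane.accounts.append(admin)
        people = [jane]
    else:
        # Separate Person for the privileged account: its own attributes and
        # only the group its own policy grants, so nothing bleeds across.
        jane_adm = Person("Jane Doe (admin)", {"title": "Admin account"},
                          [admin], {"corp.local": {"Tier0-Admins"}})
        people = [jane, jane_adm]
    for p in people:
        flow_attributes(p)
        apply_group_policy(p)
    return user, admin
```

Running `provision(True)` shows the admin account receiving the Analyst title, the mailbox address and the Finance-Users membership; `provision(False)` keeps the two accounts' attributes and groups independent.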

...

Key Takeaways:

  1. Person is the user account for the EmpowerID application.

  2. Not all accounts require a Person object.

  3. EmpowerID provides complete delegated administration of non-human technical accounts.

  4. Person objects should be created for all active HR records.

  5. Having two user accounts in the same directory requires more than one Person object, unless the additional accounts are managed as technical account objects and do not need the functionality available for Person object management.

  6. EmpowerID will merge the attributes for two accounts in the same directory belonging to the same Person.

  7. EmpowerID will merge the group memberships for two accounts in the same directory belonging to the same Person.

  8. The Core Identity is an optional object that relates multiple Person objects owned by the same human being or thing.

  9. Users can authenticate to EmpowerID using their Person object username and password or through a trusted IdP such as Azure. In all cases, they are authenticating as the Person object.