...
Some situations require multiple Person objects for the same human being or non-human identity. A typical case is where a Person has privileged access to IT systems. Privileged access is often granted by creating an additional personal privileged user account in the system for that person to use when performing admin activities. Using Active Directory as an example, this would mean that a Person would have two users in the same AD domain. If EmpowerID were to link these two Account objects to the same Person, some undesired consequences would occur:

1) EmpowerID flows attributes between all accounts owned by the Person, and the rules are per directory and not per attribute. This would mean that the title, email, and other attributes would be made the same.

2) All access assignments by policy in EmpowerID are summed up on a Person-by-Person basis and are not account specific. This means that if a Person is granted membership in a group directly or by one of their roles, all user accounts they own in that directory would be added to the group.
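A simplified model of the two consequences above, added here as an illustration; it is not EmpowerID code and does not use its API. The account names, Person IDs, directory, and group are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data: (account, directory, owning Person).
ACCOUNTS = [
    ("jdoe", "corp.example", "P-100"),
    ("adm-jdoe", "corp.example", "P-100"),    # privileged account linked to the same Person
    ("asmith", "corp.example", "P-200"),
    ("adm-asmith", "corp.example", "P-201"),  # privileged account owned by its own Person
]
PERSON_ATTRS = {
    "P-100": {"title": "Engineer", "email": "jdoe@corp.example"},
    "P-200": {"title": "Analyst", "email": "asmith@corp.example"},
    "P-201": {"title": "Admin identity", "email": None},
}
# Policy assignments target the Person, not an individual account.
PERSON_GROUPS = [
    ("P-100", "corp.example", "Server-Admins"),
    ("P-201", "corp.example", "Server-Admins"),
]

def shared_person_accounts(accounts):
    """Return {(person, directory): [accounts]} where one Person owns
    more than one account in the same directory."""
    owned = defaultdict(list)
    for account, directory, person in accounts:
        owned[(person, directory)].append(account)
    return {k: sorted(v) for k, v in owned.items() if len(v) > 1}

def effective_state(accounts, attrs, person_groups):
    """Project Person-level attributes and group assignments onto every
    account that Person owns, as the two consequences describe."""
    state = {}
    for account, directory, person in accounts:
        groups = sorted(g for p, d, g in person_groups
                        if p == person and d == directory)
        state[account] = {**attrs[person], "groups": groups}
    return state

if __name__ == "__main__":
    print("Persons with several accounts in one directory:")
    print(shared_person_accounts(ACCOUNTS))
    for account, s in effective_state(ACCOUNTS, PERSON_ATTRS, PERSON_GROUPS).items():
        print(account, s)
```

In the output, `jdoe` and `adm-jdoe` end up with identical attributes and both land in `Server-Admins`, while `asmith` stays out of the group because the privileged account `adm-asmith` belongs to a separate Person.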
...
Info |
---|
Key Takeaways:
|