Some situations require multiple Person objects for the same human being or non-human identity. A typical case is privileged access in an Account Store. Privileged access is often granted by creating an additional, personal privileged Account in the Account Store that the person uses only when performing admin activities. Using Active Directory as an example, the Person would then have two Accounts in the same AD domain (Account Store). If EmpowerID linked both Account objects to the same Person, two undesired consequences would follow:

  1. EmpowerID flows attributes between all Accounts owned by a Person, and the flow rules are defined per Account Store, not per attribute or per Account. The title, email, and other flowed attributes of the standard and privileged Accounts would therefore be made identical.

  2. All access assignments made by policy in EmpowerID are summed up per Person and are not account-specific. When a Person is granted membership in a group, directly or through one of their roles, every user Account they own in that Account Store is added to the group, so the privileged Account would receive every group membership granted to the standard Account, and vice versa.

In addition to the relationship where a Person owns an Account, EmpowerID also allows managing which Person is responsible for a technical Account or other resource object. The Person designated in this relationship with a resource is known as the responsible person. The illustration below shows these various types of Account relationships in practice.


https://youtu.be/1hp3ru6LnBs

Key Takeaways:

  1. Person is the user object for the EmpowerID application.

  2. Not all Accounts require a Person object.

  3. EmpowerID provides complete delegated administration of non-human technical Accounts.

  4. Person objects should be created for all active HR records.

  5. Two Accounts in the same Account Store require more than one Person object, unless the additional Account will be managed as a technical Account object and does not need the functionality available for Person object management.

  6. If two Accounts in the same Account Store are owned by the same Person, EmpowerID merges their attributes.

  7. If two Accounts in the same Account Store are owned by the same Person, EmpowerID merges their group memberships.

  8. The Core Identity is an optional object that relates multiple Person objects owned by the same human being or thing.

  9. Authentication to EmpowerID can be done by using a Person object username and password or through a trusted IdP such as Azure using an external Account owned by a Person. In all cases, authentication is as the Person object.
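The following is an added example, not EmpowerID code or its API: a small Python model of the rules described above and in takeaways 5 through 8. Policy entitlements are summed per Person and attribute flow is configured per Account Store, so both are fanned out to every Account the Person owns in that store. The model shows the privileged account picking up the standard account's group and mail attribute when both hang off one Person, and the same two accounts staying separate when the privileged one gets its own Person linked through a Core Identity. The Account Store name, role names, group names, flow rules and the `core:jdoe` identifier are all constructed for the example.

```python
# Added example (not EmpowerID's own code or API): a model of how access
# policy and attribute flow are applied per Person and fanned out to every
# Account that Person owns in a given Account Store, and why a privileged
# AD account therefore needs its own Person object.
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample Account Store (AD domain) name.
AD = "corp.example.com"

# Assumed policy data: which group a role grants in which Account Store,
# and which attributes flow from the Person to its Accounts in a store.
ROLE_GROUPS = {
    "Finance Analyst": {(AD, "Finance-Users")},
    "Domain Admin": {(AD, "Domain Admins")},
}
FLOW_RULES = {AD: {"title", "mail"}}  # rule is per store, not per attribute


@dataclass
class Account:
    store: str
    name: str
    attrs: dict = field(default_factory=dict)
    groups: set = field(default_factory=set)


@dataclass
class Person:
    login: str
    attrs: dict
    roles: set = field(default_factory=set)
    accounts: list = field(default_factory=list)
    core_identity: Optional[str] = None  # optional link between Person objects


def reconcile(person: Person) -> Person:
    """Sum entitlements per Person, then push flowed attributes and group
    memberships to every owned Account in the matching Account Store."""
    entitled = set()
    for role in person.roles:
        entitled |= ROLE_GROUPS.get(role, set())
    for acct in person.accounts:
        for attr in FLOW_RULES.get(acct.store, set()):
            if attr in person.attrs:
                acct.attrs[attr] = person.attrs[attr]
        acct.groups |= {grp for store, grp in entitled if store == acct.store}
    return person


def one_person_two_accounts() -> dict:
    """Anti-pattern: jdoe and adm-jdoe both owned by a single Person.
    Returns {account name: (groups, attrs)} after reconciliation."""
    p = Person("jdoe", {"title": "Analyst", "mail": "jdoe@example.com"},
               roles={"Finance Analyst", "Domain Admin"},
               accounts=[Account(AD, "jdoe"), Account(AD, "adm-jdoe")])
    reconcile(p)
    return {a.name: (a.groups, a.attrs) for a in p.accounts}


def two_persons_core_identity() -> dict:
    """Recommended: a second Person owns the privileged account; a Core
    Identity records that both Persons belong to the same human."""
    std = Person("jdoe", {"title": "Analyst", "mail": "jdoe@example.com"},
                 roles={"Finance Analyst"}, accounts=[Account(AD, "jdoe")],
                 core_identity="core:jdoe")
    adm = Person("adm-jdoe", {"title": "Analyst (admin)"},
                 roles={"Domain Admin"}, accounts=[Account(AD, "adm-jdoe")],
                 core_identity="core:jdoe")
    for p in (std, adm):
        reconcile(p)
    return {a.name: (a.groups, a.attrs)
            for p in (std, adm) for a in p.accounts}


if __name__ == "__main__":
    print("one Person:", one_person_two_accounts())
    print("two Persons:", two_persons_core_identity())
```

In the single-Person case the `adm-jdoe` account ends up in `Finance-Users` and carries the standard mailbox address, which is exactly the cross-contamination a separate privileged account is meant to avoid; with two Persons, each account receives only its own Person's entitlements and flowed attributes, and the Core Identity still records that one human owns both.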
