...
Some situations require multiple Person objects for the same human being or non-human identity. A typical case is a Person who has privileged access in an Account Store. Privileged access is often granted by creating an additional, personal privileged Account in the Account Store, which that person uses only when performing admin activities. Using Active Directory as an example, the Person would then have two Accounts in the same AD domain (Account Store). If EmpowerID linked both of these Account objects to the same Person, two undesired consequences would follow:

1. EmpowerID flows attributes between all Accounts owned by a Person, and the flow rules are defined per Account Store, not per attribute. The title, email, and other flowed attributes of the privileged Account would therefore be made identical to those of the regular Account.
2. All policy-based access assignments in EmpowerID are summed up per Person and are not account-specific. When a Person is granted membership in a group, either directly or through one of their roles, every Account they own in that Account Store is added to the group, so the privileged Account would receive all of the regular Account's group memberships.

In addition to the relationship where a Person owns an Account, EmpowerID also lets you manage which Person is responsible for a technical account or other resource object. The Person designated in this relationship with a resource is known as the responsible person. The illustration below shows these various types of Account relationships in practice.
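To make the two consequences concrete, here is an added simulation that is not EmpowerID code and does not use its API: it models the two rules the text describes (attribute flow between all Accounts a Person owns in an Account Store, and policy group assignments summed per Person) and compares linking a daily and an admin AD account to one Person against giving the admin account its own Person. The `Person`/`Account` classes, the `policy_groups` dictionary, the choice of the first Account in a store as the attribute-flow source, and the names `CORP`, `jdoe`, `jdoe-admin` and the group names are all assumptions made for the illustration.

```python
"""Hypothetical model of the Person/Account behaviour described above.

Added illustration, not EmpowerID code. It simulates two rules:
  1. attribute flow runs between all Accounts a Person owns in a store,
     with rules per Account Store rather than per attribute;
  2. policy group assignments are summed per Person, not per Account.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    store: str                                  # Account Store, e.g. an AD domain
    name: str                                   # login name (sAMAccountName-style)
    attrs: dict = field(default_factory=dict)   # directory attributes
    groups: set = field(default_factory=set)    # group memberships


@dataclass
class Person:
    name: str
    accounts: list = field(default_factory=list)
    # Assumed shape: groups granted to this Person (directly or via roles),
    # keyed by Account Store. Not an EmpowerID data structure.
    policy_groups: dict = field(default_factory=dict)


def flow_attributes(person, store, flowed=("title", "mail")):
    """Copy the flowed attributes onto every Account the Person owns in `store`.

    Flow rules are per Account Store, so all attributes in `flowed` move
    together. Assumption for this model: the Person's first Account in the
    store is the source of truth for the others.
    """
    owned = [a for a in person.accounts if a.store == store]
    if not owned:
        return []
    src = owned[0]
    for acct in owned[1:]:
        for key in flowed:
            if key in src.attrs:
                acct.attrs[key] = src.attrs[key]
    return owned


def apply_policy_groups(person):
    """Add every Account the Person owns in a store to that store's policy groups.

    Assignments are summed per Person, so nothing here is account-specific.
    """
    for acct in person.accounts:
        acct.groups |= person.policy_groups.get(acct.store, set())
    return person.accounts


def provision(persons):
    """Run attribute flow and policy assignment for each Person."""
    stores = {a.store for p in persons for a in p.accounts}
    for person in persons:
        for store in stores:
            flow_attributes(person, store)
        apply_policy_groups(person)
    return persons


def one_person_model():
    """Undesired: daily and admin AD accounts linked to the same Person."""
    user = Account("CORP", "jdoe", {"title": "Engineer", "mail": "jdoe@example.com"})
    admin = Account("CORP", "jdoe-admin", {"title": "Admin account"})
    person = Person("Jane Doe", [user, admin], {"CORP": {"VPN-Users", "All-Staff"}})
    provision([person])
    return user, admin


def two_person_model():
    """Recommended: the privileged account hangs off its own Person object."""
    user = Account("CORP", "jdoe", {"title": "Engineer", "mail": "jdoe@example.com"})
    admin = Account("CORP", "jdoe-admin", {"title": "Admin account"})
    p_user = Person("Jane Doe", [user], {"CORP": {"VPN-Users", "All-Staff"}})
    p_admin = Person("Jane Doe (admin)", [admin], {"CORP": {"Tier0-Admins"}})
    provision([p_user, p_admin])
    return user, admin


if __name__ == "__main__":
    _, admin = one_person_model()
    print("one Person :", admin.name, admin.attrs, sorted(admin.groups))
    _, admin = two_person_model()
    print("two Persons:", admin.name, admin.attrs, sorted(admin.groups))
```

In the single-Person case the admin account ends up with the daily account's title and mail and with its VPN and staff group memberships, which is exactly the leakage the text warns about; with a separate Person, each account keeps its own attributes and only the groups its own Person's policies grant.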
Info

Key Takeaways:
...