In previous versions of EmpowerID, users could not see resources within their own organizations without an RBAC assignment. For example, a user could not look up information about users within their office until they were granted the Viewer Access Level for each of those users. This is no longer the case as RBAC control over the visibility of resources has been replaced by three types of policies:

  • Visibility Restriction policies,
  • Column Visibility Filter policies, and
  • Data Visibility Filter policies.

Visibility Restriction policies most resemble RBAC and are easy to implement. EmpowerID recommends using these policies in most cases. 

Note

Visibility restriction policies do not affect the EmpowerIDAdmin user. 


Column Visibility Filters and Data Visibility Filters are SQL-based filters that you write against the EmpowerID Identity Warehouse to show and hide data at the column and attribute level. They offer more flexibility and power than Visibility Restriction policies, but they are also harder to implement, so use them only when Visibility Restriction policies cannot cover your use case.

Each of these policy types is discussed in greater detail below.


...


EmpowerID includes the following Data Filter Policies that you can use out of the box. 


| Data Filter Policy | EmpowerID Component | Purpose | Assignee Type |
|---|---|---|---|
| Anonymous user cannot see anyone | Person | Anonymous users cannot see anyone in EmpowerID | Person |
| Sample filter for Account (see only accounts in or below my locations) | Account | Filters the accounts that can be viewed in EmpowerID to include only those in the assignee's location or below | Empty |
| Sample filter for Account (see only own accounts) | Account | Assignees cannot view any accounts in EmpowerID beyond their own | Empty |
| Sample filter for Business Roles (see only business roles in a list) | OrgRole | Filters the business roles that can be viewed in EmpowerID to include only those specified | Empty |
| Sample filter for Computer (see only computers in or below my locations) | Computer | Filters the computers that can be viewed in EmpowerID to include only those in the assignee's location or below | Empty |
| Sample filter for Groups (see only groups in a list) | Group | Filters the groups that can be viewed in EmpowerID to include only those specified | Empty |
| Sample filter for Groups (see only groups in a specific OU) | Group | Filters the groups that can be viewed in EmpowerID to include only those in a specified OU | Empty |
| Sample filter for Groups (see only groups in or below my locations) | Group | Filters the groups that can be viewed in EmpowerID to include only those in the assignee's location or below | Empty |
| Sample filter for Groups (see only groups I belong to) | Group | Filters the groups that can be viewed in EmpowerID to include only those to which the assignee belongs | Empty |
| Sample filter for Locations (see only locations below my locations) | Location | Filters the locations that can be viewed in EmpowerID to include only those below the assignee's locations | Empty |
| Sample filter for Management Role (see only management roles in a list) | Management Role | Filters the management roles that can be viewed in EmpowerID to include only those specified | Empty |
| Sample filter for Management Role (see only management roles in a location) | Management Role | Filters the management roles that can be viewed in EmpowerID to include only those in the location specified | Empty |
| Sample filter for Management Role (see only management roles in or below my locations) | Management Role | Filters the management roles that can be viewed in EmpowerID to include only those in or below the assignee's locations | Empty |
| Sample filter for Management Role Definition (see only management role definitions in a list) | Management Role Definition | Filters the management role definitions that can be viewed in EmpowerID to include only those specified | Empty |
| Sample filter for Person (see only self) | Person | Assignees cannot view anyone in EmpowerID beyond their own person | Empty |

Filter Precedence

Users can have more than one Visibility Filter policy, and you can combine both types to create policies that are as granular as needed. For example, you can use the above-mentioned Data Filter policy to allow users to see only people in their location, and then assign a subset of those same users a Column Filter policy that replaces the PersonID attribute with "N/A." Users with both policies can see the same number of people; the difference is that users with just the Data Filter policy can see email addresses, while users with both policies cannot.
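The combination described above, as an added example that is not EmpowerID's own code: a row-level Data Filter ("people in my location or below") and a column-level mask applied as SQL against a constructed in-memory stand-in for the Identity Warehouse. The table and column names (Location, Person, ParentLocationID, and so on) are hypothetical; the real warehouse schema and filter syntax are not shown on this page. The mask is applied to the Email column here so the outcome matches the one stated above (same rows, email addresses hidden).

```python
import sqlite3

# Constructed sample data, not from EmpowerID. Table and column names are
# hypothetical stand-ins for the Identity Warehouse schema.
LOCATIONS = [  # (LocationID, ParentLocationID, Name)
    (1, None, "Global"),
    (2, 1, "EMEA"),
    (3, 2, "London"),
    (4, 1, "Americas"),
]
PEOPLE = [  # (PersonID, Name, Email, LocationID)
    (100, "Ada", "ada@example.test", 3),
    (101, "Bob", "bob@example.test", 2),
    (102, "Cy", "cy@example.test", 4),
]
PERSON_COLUMNS = ("PersonID", "Name", "Email", "LocationID")


def build_warehouse():
    """Create an in-memory stand-in for the warehouse tables."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Location (LocationID INTEGER PRIMARY KEY, "
                "ParentLocationID INTEGER, Name TEXT)")
    con.execute("CREATE TABLE Person (PersonID INTEGER PRIMARY KEY, Name TEXT, "
                "Email TEXT, LocationID INTEGER)")
    con.executemany("INSERT INTO Location VALUES (?, ?, ?)", LOCATIONS)
    con.executemany("INSERT INTO Person VALUES (?, ?, ?, ?)", PEOPLE)
    return con


def visible_people(con, assignee_location_id, masked_columns=()):
    """Rows an assignee may see. The Data Filter keeps only people in the
    assignee's location or below it; the Column Filter replaces the listed
    columns with 'N/A' rather than removing the row."""
    unknown = set(masked_columns) - set(PERSON_COLUMNS)
    if unknown:
        raise ValueError(f"unknown columns: {sorted(unknown)}")
    # Column Filter: the select list is built only from the whitelist above,
    # so no caller-supplied text is ever interpolated into the SQL string.
    select_list = ", ".join(
        f"'N/A' AS {col}" if col in masked_columns else f"p.{col}"
        for col in PERSON_COLUMNS
    )
    # Data Filter: walk the location tree downward from the assignee's location.
    sql = f"""
        WITH RECURSIVE sub(LocationID) AS (
            SELECT :loc
            UNION ALL
            SELECT l.LocationID FROM Location l
            JOIN sub s ON l.ParentLocationID = s.LocationID
        )
        SELECT {select_list} FROM Person p
        WHERE p.LocationID IN (SELECT LocationID FROM sub)
        ORDER BY p.PersonID
    """
    cur = con.execute(sql, {"loc": assignee_location_id})
    return [dict(zip(PERSON_COLUMNS, row)) for row in cur.fetchall()]


if __name__ == "__main__":
    con = build_warehouse()
    print(visible_people(con, 2))                             # Ada and Bob
    print(visible_people(con, 2, masked_columns=("Email",)))  # same two, emails hidden
```

An assignee in EMEA sees Ada (London, below EMEA) and Bob (EMEA) but not Cy (Americas); adding the column mask leaves the row count unchanged and blanks only the masked attribute, which is the behaviour the paragraph above describes.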

When assigning multiple Visibility Filter policies like these to users, EmpowerID uses the following rules to determine filter precedence:

  1. Filters assigned directly to a person take priority over any filter assignments that person receives via RBAC, such as through membership in a Management Role with different filter criteria. For example, suppose you have a global Visibility Filter that allows someone to view all fields in all HR records for every employee in the organization, and you assign that filter directly to a person who also holds a Management Role carrying a Visibility Filter that limits the fields viewable in a given location. The global Visibility Filter takes precedence because it was assigned directly to the person, and that person can view all fields on all HR records in any location.
  2. Filters with a lower priority value (such as a filter with a priority of 1) take precedence over similar filters with a higher priority value (such as a filter with a priority of 50). Thus, if you want filters to have a cumulative effect, that is, if you want all filters assigned to an actor to have the same level of precedence, those filters must all have the same priority value.
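The two precedence rules modelled as a small resolver, as an added example rather than EmpowerID's own implementation. It assumes rule 1 is applied first (direct assignments, if any, exclude everything inherited via RBAC) and rule 2 is then applied to whatever remains (only filters sharing the lowest priority value stay in effect, so equal values accumulate). The FilterAssignment class and the two scenarios are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FilterAssignment:
    """One Visibility Filter assignment reaching an actor (constructed model)."""
    name: str
    priority: int   # lower value wins (rule 2)
    direct: bool    # True if assigned to the person directly, False if via RBAC


def effective_filters(assignments):
    """Return the names of the filters that actually apply, in input order.

    Rule 1: direct assignments take priority over filters inherited via RBAC
    (for example through a Management Role). Rule 2: among the remaining
    candidates only those sharing the lowest priority value apply, so equal
    values accumulate and any higher value is ignored.
    """
    direct = [a for a in assignments if a.direct]
    pool = direct if direct else list(assignments)
    if not pool:
        return []
    lowest = min(a.priority for a in pool)
    return [a.name for a in pool if a.priority == lowest]


# Constructed scenario for rule 1: a global "all HR fields" filter assigned
# directly beats a narrower filter inherited through a Management Role, even
# though the role's filter carries the better (lower) priority value.
HR_CASE = [
    FilterAssignment("Global HR fields", priority=10, direct=True),
    FilterAssignment("Limited fields in one location (via Management Role)",
                     priority=1, direct=False),
]

# Constructed scenario for rule 2: three RBAC-inherited filters; the two that
# share the lowest value accumulate, the priority-50 filter is dropped.
RBAC_CASE = [
    FilterAssignment("See only people in my location", priority=5, direct=False),
    FilterAssignment("Mask PersonID", priority=5, direct=False),
    FilterAssignment("See only self", priority=50, direct=False),
]

if __name__ == "__main__":
    print(effective_filters(HR_CASE))    # ['Global HR fields']
    print(effective_filters(RBAC_CASE))  # ['See only people in my location', 'Mask PersonID']
```

The practical check this makes visible: a filter meant to tighten visibility is silently ignored if it carries a higher priority value than a sibling, or if it arrives through RBAC while a broader filter is assigned directly, so when reviewing an actor's effective visibility, inspect both the assignment path and the priority values rather than the list of assigned filters alone.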

...