...
Access Levels also define Compliant Access within EmpowerID as bundles of low-level permissions knows as operations. User actions in EmpowerID’s web interfaces or APIs undergo real-time access checks to determine if they may perform the intended operation against the resource in the given context. These actions can range from requesting membership of an SAP Role in the IT Shop to assigning user accounts to Azure RBAC roles in a Microsoft Azure tenant. These same low-level checks govern the management of the EmpowerID RBAC model itself, with RBAC management activities represented as operations.
Users using the EmpowerID workflows or API may perform secure management of objects that exist in external systems as well as EmpowerID. Examples of external objects are Azure AD User Accounts, SAP Roles, File Shares, SharePoint sites, etc. Users may also manage objects that only exist in EmpowerID: people, management roles, Business Roles, etc. In both cases, a real-time authorization engine leveraging RBAC and ABAC security controls who may manage which objects and which actions or tasks they may perform against those objects. The system also handles logging, automatic approval routing, and workflow task generation in the event a user tries an action they are not authorized to perform.
...
| View file | ||
|---|---|---|
|
Access Levels are convenient bundles of Rights and Operations specific for a type of resource and are used for delegation. Rights are permissions used in an external system that can be managed by EmpowerID. Operations are code-based actions protected by EmpowerID (usually in workflows).
| View file | ||
|---|---|---|
|
Operations are “protected bits of code” that are executed to perform these tasks in EmpowerID workflows or via its API. Operations can also be arbitrary not performing any action just serving as a placeholder for applications to query and determine access.
Rights are representations of actual permissions used in an external system which can be granted in EmpowerID via Access Level assignments. The EmpowerID enforcement engine will “push” these permissions out into the external system on schedule for any user to which they have been granted. Examples of rights include NTFS permissions for shared folders and mailbox acls in Microsoft Exchange.
...
| View file | ||
|---|---|---|
|
The Persona Worksheet will help uncover all the unique combinations of operations and rights for various managed object types (aka Resource Types). These combinations may already exist in the shipping Access Levels management roles defined for each type of resource. If not, new Access Levels can be created or existing Access Levels modified.
...