Business Roles vs. Other RBAC Actors

  • The Business Role and Location structure should be used for common assignments that apply to a large group of people who share a basic organizational commonality, such as a business unit, department, job function, or geographic relationship.

  • Business roles and locations should be used when there is an opportunity to leverage inheritance on either the business role or the business location hierarchy to provide common assignments.

  • Direct assignment of Management Roles to individuals is recommended when the assignments are less organizational and more request-based, team-based, or project-based, or when they apply to a narrower set of people within an organizational or job-related grouping.

  • Direct management role or group assignment is also preferred if assignments need to be based on a dynamic attribute or another aspect of a person’s identity.  These assignments can be applied using EmpowerID’s Dynamic Hierarchy Assignment Policies.


Combining Business Roles and Locations in Delegations

  • In EmpowerID, access is never assigned to just a business role or a business location.  All organizational assignments must have both a role and a location assignment.

  • By leveraging inheritance, you can essentially create a one-sided assignment by specifying a granular target on one of the trees and a broadly inherited assignment on the other tree.
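
The following sketch is an added illustration of the role-plus-location pairing and of one-sided assignments; it is not EmpowerID code and does not use its API. The tree contents, access names and function names are hypothetical, and it assumes that an assignment made at a node flows down to that node's descendants on both trees.

```python
# Constructed sample trees: child -> parent (None marks the root).
ROLE_PARENT = {
    "Any Role": None,
    "Employee": "Any Role",
    "Finance Analyst": "Employee",
    "Contractor": "Any Role",
}
LOCATION_PARENT = {
    "Anywhere": None,
    "Europe": "Anywhere",
    "Berlin": "Europe",
    "Boston": "Anywhere",
}

def ancestors_and_self(node, parent_of):
    """Return the node plus every ancestor up to the root."""
    chain = []
    while node is not None:
        chain.append(node)
        node = parent_of[node]
    return chain

def make_assignment(role, location, access):
    """Reject an assignment that omits either half of the role/location pair."""
    if role not in ROLE_PARENT or location not in LOCATION_PARENT:
        raise ValueError("an assignment needs both a known role and a known location")
    return (role, location, access)

def effective_access(person_role, person_location, assignments):
    """Access a person receives (assumption: assignments flow down both trees)."""
    roles = set(ancestors_and_self(person_role, ROLE_PARENT))
    locations = set(ancestors_and_self(person_location, LOCATION_PARENT))
    return {a for r, l, a in assignments if r in roles and l in locations}

ASSIGNMENTS = [
    # One-sided by location: root of the role tree, granular location.
    make_assignment("Any Role", "Berlin", "berlin-office-wifi"),
    # One-sided by role: granular role, root of the location tree.
    make_assignment("Finance Analyst", "Anywhere", "ledger-read"),
    # Two-sided: both halves narrow the audience.
    make_assignment("Employee", "Europe", "eu-hr-portal"),
]

if __name__ == "__main__":
    for who in [("Finance Analyst", "Berlin"), ("Contractor", "Berlin"),
                ("Finance Analyst", "Boston"), ("Contractor", "Boston")]:
        print(who, sorted(effective_access(*who, ASSIGNMENTS)))
```

Running it shows how wide each one-sided assignment reaches, which is the thing to review before placing access on a root node of either tree.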

Design Strategies and Considerations

  • When designing your business role and location structure, there are a few key questions that you should ask yourself:

    • Will the system be used by non-technical, business-oriented employees or only by centralized, technical, IT staff?

    • What is the architecture of the target back-end resource systems that EmpowerID needs to automatically provision to or provide access to?

    • What entitlements (accounts, mailboxes, home folders) will need to be automatically provisioned?

    • What other access assignments will need to be automatically provisioned?


General Tips and Advice

  • Don’t try to boil the ocean!  Start out by identifying the critical assignment points and mappings to your back-end systems and establish a base architecture that will support the direction you want to go.  Then configure the base structure and begin assigning the global assignments and entitlements.  You can always get more granular and grow the configuration as you become more comfortable with the system and with your understanding of the patterns within your organization.

  • Not all job titles represent unique technology assignments.  Look for areas where you can consolidate job roles and location structures.  If a secretary, janitor, receptionist, and file clerk do not need to have special access outside of the department they are in, then consider rolling all of these job titles into a single role called “Employee”.  Create unique roles only for job functions that have distinct access requirements or entitlements.


Best Practice Design for RBAC Levels

...

Related Docs Topics:

Business Roles and Locations