In EmpowerID, a Business Role is a user-defined hierarchical container for grouping EmpowerID Person objects that can be used to delegate access to resources based on a particular job function. An EmpowerID Location, in its simplest form, is a container for holding resources. These two objects combine in EmpowerID to determine a collection of people based on their job function and location within an organization.

Keys to Business Roles and Locations

🗝 Business Roles are the top tier in the EmpowerID 3-tiered RBAC model.


🗝 EmpowerID’s unique approach to Business Roles solves RBAC's fundamental weakness, known as the “role explosion” problem. Organizations often end up with large numbers of roles to accommodate people performing the same job function within an organization but in different geographies or areas of the company. To accommodate the slight differences between “organizational locations” for a position, they are forced to create and manage many very similar Business Roles. This role duplication is known as “role explosion.” Often organizations with an inflexible RBAC system will end up managing thousands of roles and be forced to build roles for each simple access case. 


🗝 To solve the role explosion challenge, EmpowerID provides a unique two-trees or “polyarchical” RBAC approach. The top tier or Business Role tier describes a user’s position in the organization in combination with a hierarchical Organizational Location representing where within the organization or in which context the user performs their Business Role. This position is visualized as two trees with people assigned to one or more Business Roles combined with an Organizational Location. A person’s Business Roles bundle up direct technical entitlements and, more commonly, Task or Activity-Based roles.

🗝 Combining Business Roles and Locations in Delegations

  • In EmpowerID, access is never assigned to just a business role or a business location.  All organizational assignments must have both a role and a location assignment.

  • By leveraging inheritance, you can essentially create a one-sided assignment by specifying a granular target on one of the trees and a broadly inherited assignment on the other tree.
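
The two-tree model and the one-sided assignment described above can be sketched as follows. This is an added example, not EmpowerID code or its API: the trees, entitlement names and function names are constructed, and it assumes an assignment applies to a person when its role node and its location node are each the person's own node or an ancestor of it.

```python
# Simplified model of two-tree ("polyarchical") RBAC.
# Constructed sample data; not EmpowerID's data model or API.

# Each tree maps node -> parent (None marks the root).
ROLE_TREE = {"Any Role": None, "Employee": "Any Role", "Nurse": "Employee",
             "Accountant": "Employee"}
LOCATION_TREE = {"Anywhere": None, "Europe": "Anywhere", "Berlin": "Europe",
                 "Americas": "Anywhere", "Boston": "Americas"}

# Every assignment names BOTH a role node and a location node.
ASSIGNMENTS = [
    ("Employee", "Anywhere", "email-mailbox"),      # broad on both trees
    ("Nurse", "Anywhere", "patient-records-read"),  # one-sided: role only
    ("Any Role", "Berlin", "berlin-door-badge"),    # one-sided: location only
    ("Accountant", "Europe", "eu-ledger-write"),    # granular on both trees
]


def ancestors(tree, node):
    """Return the node plus all of its ancestors up to the root."""
    if node not in tree:
        raise KeyError(f"unknown node: {node}")
    chain = set()
    while node is not None:
        chain.add(node)
        node = tree[node]
    return chain


def effective_access(role, location):
    """Entitlements for a person holding the (role, location) pair.

    Assumption: an assignment applies when its role node is the person's role
    or an ancestor of it AND its location node is the person's location or an
    ancestor of it.
    """
    roles = ancestors(ROLE_TREE, role)
    locations = ancestors(LOCATION_TREE, location)
    return {ent for r, loc, ent in ASSIGNMENTS if r in roles and loc in locations}


def flat_role_count():
    """Worst case for a single flat role list: one role per (role, location) pair."""
    return len(ROLE_TREE) * len(LOCATION_TREE)


def two_tree_node_count():
    """Nodes to manage when roles and locations are kept as separate trees."""
    return len(ROLE_TREE) + len(LOCATION_TREE)
```

Reviewing the output of `effective_access` for a few (role, location) pairs is a quick way to confirm that a broad assignment placed near a root does not grant more than intended to every descendant.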


🗝 Business Roles vs. Other RBAC Actors

  • The Business Role and Location structure should be used for common assignments that apply to a large group of people who have a basic organizational commonality, such as a business unit, department, job function, or geographic relationship.

  • Business Roles and Locations should be used when there is an opportunity to leverage inheritance on either the Business Role or the Location hierarchy to provide common assignments.

  • Direct assignment of Management Roles to individuals is recommended when the assignments are less organizational and more request-based, team-based, or project-based, or apply to a narrower set of people within an organizational or job-related grouping.

  • Direct management role or group assignment is also preferred if assignments need to be based on a dynamic attribute or another aspect of a person’s identity.  These assignments can be applied using EmpowerID’s Dynamic Hierarchy Assignment Policies.


Benefits of Business Roles and Locations:

  • Business Roles and Locations provide a familiar and commonly accepted grouping mechanism that non-technical users of the system can recognize and easily navigate.  The structure can be mapped to the organizational structure of the business.

  • They provide an anchor point for mapping external roles and locations from connected systems so that the master person identities can be provisioned into a business structure.

  • Business Roles and Locations can be architected to leverage powerful and complex inheritance relationships to allow you to anchor common access and policy assignments very efficiently at varying inheritance levels.  Inheritance eliminates the need to create unnecessary duplicate assignments.

  • They provide a structure for rolling up multiple and varied assignments to a common anchor point, allowing the administrator to accumulate widely varying types of assignments and policies under an easily recognized business structure.

Design Strategies and Considerations

When designing your Business Role and Location structure, there are a few key questions that you should ask yourself:

  • Will the system be used by non-technical, business-oriented employees or only by centralized, technical, IT staff?

  • What is the architecture of the target back-end resource systems that EmpowerID needs to automatically provision to or provide access to?

  • What entitlements (accounts, mailboxes, home folders) will need to be automatically provisioned?

  • What other access assignments will need to be automatically provisioned?


General Tips and Advice

  • Don’t try to boil the ocean!  Start out by identifying the critical assignment points and mappings to your back-end systems and establish a base architecture that will support the direction you want to go.  Then configure the base structure and begin assigning the global assignments and entitlements.  You can always get more granular and grow the configuration as you become more comfortable with the system and with your understanding of the patterns within your organization.

  • Not all job titles represent unique technology assignments.  Look for areas where you can consolidate job roles and location structures.  If a secretary, janitor, receptionist, and file clerk do not need special access outside of the department they are in, then consider rolling all of these job titles into a single role called “Employee”.  Create unique roles only for job functions that have distinct access requirements or entitlements.



Related Docs Topics:

Business Roles and Locations
