In EmpowerID, a Business Role is a user-defined hierarchical container for a grouping of EmpowerID Person objects that can be used to delegate access to resources based on a particular job function; in its simplest form, an EmpowerID Location is a container for holding resources. These two objects combine in EmpowerID to determine a collection of people based on their job function and location within an organization, allowing for polyarchical RBAC resource assignments. This is implemented in EmpowerID via tree interfaces (with inheritance) that allow for the intersection of Business Roles with Locations to support the following:
Static assignments of people – You can directly assign individuals to a Business Role and Location combination based on their job function and location that allows them to access the resources granted to the Business Role and Location. For example, if you have a "Sales Manager" Business Role and for the a "London" location that has been assigned all the resources that a Sales Manager in London needs, you can then assign the "Sales Manager-London" Business Role and Location to a specific EmpowerID Person. This will give that person access to all the resources you assigned to the Business Role and Location.
RBAC mapping – Business Role and Location mappings allow existing physical directory locations and roles to be mapped to logical EmpowerID Locations for an easy resource management strategy that hides the complexity of the back-end directory structure from business users. For example, if you have multiple AD or LDAP directory containers for London, those containers can be visually mapped to a single, virtual EmpowerID "London" location. Once the mapping occurs, the resources in the physical directory containers "belong" to the corresponding EmpowerID Location. Then when you assign people to a Business Role and Location, they receive access to the resources in that location in the manner defined by the Access Level assignments granted to the Business Role and Location.
SetGroup mapping – SetGroups that contain collections of EmpowerID Person objects can be mapped to Business Roles and Locations to allow the people in that SetGroup to receive the Access Level assignments granted to the Business Role and Location. For example, if you have users in your organization with a Job Title of "Help Desk Technicians" and a City of "New York," you can use a SetGroup to contain users with those attributes dynamically and then map the SetGroup to a corresponding EmpowerID Business Role and Location (such as "Help Desk Technicians" Business Role in the New York “New York” location).
Locations
To assign resources to users, those resources must be located somewhere. In EmpowerID, the "somewhere" is an object known as the "EmpowerID Location." An EmpowerID Location is a container used to group resources for scoping access to those resources. This occurs through the use of two types of Location trees: The "External Locations" tree and the "EmpowerID Locations" tree. The External Locations tree represents the location of resources in the actual resource systems to which EmpowerID is connected. EmpowerID maintains a dynamic link with these resource system locations, reflecting any changes in the structure of an external location in this tree. The EmpowerID Locations tree is a user-defined logical representation of an enterprise's organizational and geographical structure that can be mapped to actual resource locations in the External Locations tree.
...