...

Access Levels are bundles of EmpowerID operations and/or native system rights specific to a resource type (such as Exchange mailboxes or user accounts) that, when assigned to users, give those users the ability to access IT resources in the manner specified by the Access Level. Each resource type has its own set of Access Levels defined with different combinations of EmpowerID operations and rights (where applicable) to ensure that the level of access to the resources remains consistent for the type and the assignment.

...

Management Roles are used to represent Authorization Packages (AKA Business Functions) in EmpowerID. An Authorization Package is a business-designed bundle of access required to complete a Business Function or for participation in a team or working group. Authorization packages bundle access across multiple systems and present a single non-technical assignable unit of access. The Management Role allows this flexibility and enables the business owners to create friendly, non-technical descriptions and manage the governance cycle of these packages.

...

Birthright access is a term used to define a Person’s initial access to IT systems based on their role in the organization. It is the access they automatically receive by policy without generating any requests for access. EmpowerID divides this access into two types: Provisioning Policies, which define the new objects that should be automatically created for a Person, and access assignments, which are the policies that add the Person’s user accounts to groups, application roles, or permissions.

Business Role

A Business Role is a user-defined hierarchical container for grouping EmpowerID Person objects that can be used to delegate access to resources based on a particular job function.

Company

People belong to companies via their Business Role and Location assignments.

Compliant Access Delivery

Compliant access delivery refers to the provision of secure and controlled access to information or resources in accordance with relevant laws, regulations, and policies. This type of access ensures that sensitive information is protected and that access to it is granted only to authorized individuals who have a legitimate need for it. The goal of compliant access delivery is to balance the need for information access with the need to protect against security risks, such as unauthorized access, theft, or misuse of information.

Core Identity

A single entity per human or IoT device. A core identity can be the owner of multiple Person objects.

...

Accounts – Accounts are users that are inventoried from external systems and may or may not have a single person assigned as the owner. Accounts such as service identities can be managed but do not always require a Person object for management. Often a person object will be created anyway to leverage the ease of assigning RBAC policies for group membership and other access. Accounts in social media systems or web applications are linked to a person to facilitate single sign-on between systems.

...

Business Role and Location – In EmpowerID, a Business Role is a user-defined hierarchical container for a grouping of EmpowerID Person objects that can be used for delegating access to resources based on a particular job function; in its simplest form, an EmpowerID Location is a container for holding resources. These two objects combine in EmpowerID to determine a collection of people based on their job function and location within an organization.

...

Management Role – Management Roles are user-defined containers holding collections of Access Levels that have been packaged together into responsibility or job-based bundles to allow for the quick and easy bulk assignment of access to resources from across multiple systems. They are like groups in EmpowerID that are not limited to granting access to only the resources in a single system. Management Roles have a single-level hierarchy, inheriting access from their Management Role Definition.

Query-Based Collections – Query-based Collections, also known as Set Groups, are logical bundles of Sets (queries made against the EmpowerID Identity Warehouse that result in collections of people or resources) grouped together with a friendly name for resource management. Set Groups offer advantages over groups and roles in that they can contain any type of resources, are continuously evaluated to ensure they contain the appropriate resources, and can be used as actors as well as be the recipients of EmpowerID policies for provisioning, deprovisioning, attribute assignment, password policies, etc.

Jobs

EmpowerID functionality is broken down into a large number of granular "jobs," which are hosted and run in Windows services that communicate back to the EmpowerID Identity Warehouse over REST Web services. Jobs are either specific tasks that run on a scheduled basis (such as Inventory), or they are REST Web Services used in workflow processes.

Location

An EmpowerID Location is a container for holding resources.

Operations

Each EmpowerID Operation is a protected code object that, when executed within an EmpowerID workflow, allows a resource within EmpowerID or a custom application to be accessed in a way that is consistent with the operation and the type of resource being accessed. Some examples include adding users to groups, creating mailboxes, updating user attributes, and viewing certain objects such as EmpowerID pages and reports.

...

A Person is an object in EmpowerID that represents a human being. A Person typically owns multiple user accounts in external systems such as Active Directory, Azure AD, Facebook, SAP, etc. The EmpowerID Person is the base identity in the EmpowerID RBAC model, without which a user cannot access any resources or perform any tasks.

...

A person's core identity can be linked to multiple sub-person objects, which are the professional identities (i.e., the ones with business information attached).

...

Business Roles and Locations are both hierarchical trees. People are assigned to one or more Business Roles each for a specific Location/Context. This polyarchy dramatically reduces the number of roles and eliminates role bloat.
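As an added illustration (not EmpowerID's own code or API) of how the Business Role and Location polyarchy lets one policy cover many people, the following Python model assumes that an assignment made on an ancestor Business Role and Location applies to every descendant pair; the trees, Access Levels, Management Role and policy are constructed sample data.

```python
# Illustrative model of the Business Role x Location polyarchy described above.
# Assumption (not stated on the page): a policy on an ancestor (role, location)
# pair applies to every descendant pair, and a Management Role simply unions
# the operations of the Access Levels it bundles.

# Constructed sample trees: child -> parent (the root's parent is None)
BUSINESS_ROLES = {"All Staff": None, "Finance": "All Staff", "AP Clerk": "Finance"}
LOCATIONS = {"Global": None, "EMEA": "Global", "Berlin": "EMEA"}

# Constructed Access Levels: (resource type, level name) -> operations granted
ACCESS_LEVELS = {
    ("Group", "Member"): {"Add Self to Group"},
    ("Mailbox", "Full Access"): {"Open Mailbox", "Send As"},
}
# Constructed Management Role bundling Access Levels from two systems
MANAGEMENT_ROLES = {
    "AP Processing": [("Group", "Member"), ("Mailbox", "Full Access")],
}
# Constructed policy: (Business Role, Location) -> Management Roles granted there
POLICIES = {
    ("Finance", "EMEA"): ["AP Processing"],
}

def ancestors_or_self(node, tree):
    """Walk up a child->parent map, yielding the node and every ancestor."""
    while node is not None:
        yield node
        node = tree.get(node)

def effective_management_roles(person_role, person_location):
    """Management Roles reaching a Person via any ancestor (role, location) pair."""
    roles = set()
    for role in ancestors_or_self(person_role, BUSINESS_ROLES):
        for loc in ancestors_or_self(person_location, LOCATIONS):
            roles.update(POLICIES.get((role, loc), []))
    return roles

def effective_operations(assignments):
    """Flatten Management Roles -> Access Levels -> operations across all of a
    Person's (Business Role, Location) assignments."""
    ops = set()
    for person_role, person_location in assignments:
        for mr in effective_management_roles(person_role, person_location):
            for level in MANAGEMENT_ROLES[mr]:
                ops.update(ACCESS_LEVELS[level])
    return ops

if __name__ == "__main__":
    # One policy on (Finance, EMEA) reaches an AP Clerk in Berlin but not one
    # assigned at Global scope, with no per-combination role defined anywhere.
    print(sorted(effective_operations([("AP Clerk", "Berlin")])))
    print(sorted(effective_operations([("AP Clerk", "Global")])))
```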

...

Resources are the lowest level secured base objects in EmpowerID for which management tasks can be performed. All objects of any type that are managed by EmpowerID in a secure fashion have a resource entry in the EmpowerID Identity Warehouse.

...

Resource systems define the specific system within which a resource resides. They can include Active Directory domains, LDAP directories, HR systems, Microsoft Exchange Organizations, SharePoint Farms, custom applications, and even the EmpowerID system itself.

Risk Management

Risk management is the process of managing risks associated with an organization’s IT resources. It involves identifying, assessing, and treating risks to those resources in a manner that best reflects the organization’s risk tolerance. EmpowerID risk management has the following components:

...

Business-specific activity, usually in the form Verb Noun, e.g., Create Purchase Order. Defines the business activity, risk level, and mitigating controls.

...

Local version of a function used in risk policies. Localized means that it can specify the “where” for the function; e.g., Create Purchase Orders in the Widgets sub-company.

...