The most important type of entitlement managed by EmpowerID is group membership. Most applications and directories use groups, or collections of users by any other name (application roles, profiles, etc.), as the primary means of granting permissions to accounts. EmpowerID has provided robust group management and self-service capabilities since its first release. To achieve this, EmpowerID normalizes any collection of users in an external Account Store into the same set of tables and components for groups and their members. EmpowerID does not segregate groups by system type or group type into different tables or components, which allows it to offer a consistent set of functionality for all currently connected system types and any future ones. All user interfaces, workflows, and APIs are designed to work for all groups in all systems.

EmpowerID inventories all groups from connected Account Stores into the Group table on a 10-minute interval by default. Inventory detects new groups as well as any deleted groups. It also retrieves the membership of each group and stores this information in the GroupAccount table. Any membership changes discovered are also logged in the GroupAccountHistory table for reporting purposes. For systems that support nesting of groups, EmpowerID stores this information in the GroupMemberGroup table.
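The inventory behaviour described above can be sketched as follows. This is an added example, not EmpowerID code: the dictionaries stand in for the GroupAccount, GroupAccountHistory and GroupMemberGroup tables, and all field names, change labels and sample data are assumptions constructed for illustration. It shows how two inventory snapshots yield history rows, and why nested groups must be expanded to see who actually holds a group's permissions.

```python
# Added illustration: in-memory stand-ins for the GroupAccount,
# GroupAccountHistory and GroupMemberGroup tables. Field names, change
# labels and sample data are constructed, not EmpowerID's schema.
from datetime import datetime, timezone


def diff_membership(previous, current, when=None):
    """Compare two inventory snapshots {group: set(accounts)} and return
    one history row per added or removed membership. A group missing from
    `current` (deleted in the Account Store) yields removals for all members."""
    when = when or datetime.now(timezone.utc)
    rows = []
    for group in sorted(set(previous) | set(current)):
        old = previous.get(group, set())
        new = current.get(group, set())
        rows += [(when, group, acct, "Added") for acct in sorted(new - old)]
        rows += [(when, group, acct, "Removed") for acct in sorted(old - new)]
    return rows


def effective_members(group, direct, nested):
    """Expand nested groups (parent -> set of member groups) into the full
    set of accounts that inherit the parent's permissions."""
    seen, stack, accounts = set(), [group], set()
    while stack:
        g = stack.pop()
        if g in seen:
            continue  # already visited: guards against A -> B -> A nesting
        seen.add(g)
        accounts |= direct.get(g, set())
        stack.extend(nested.get(g, ()))
    return accounts


# Constructed sample data: two inventory runs of the same Account Store.
RUN_1 = {"VPN-Access": {"alice"}, "Helpdesk": {"bob", "carol"}}
RUN_2 = {"VPN-Access": {"alice", "dave"}, "Helpdesk": {"bob"}}
# Helpdesk is a member of VPN-Access and, through a misconfiguration, vice versa.
NESTING = {"VPN-Access": {"Helpdesk"}, "Helpdesk": {"VPN-Access"}}

if __name__ == "__main__":
    for row in diff_membership(RUN_1, RUN_2):
        print(row)
    print(sorted(effective_members("VPN-Access", RUN_2, NESTING)))
```

Reviewing only direct membership would miss `bob`, who reaches `VPN-Access` through the nested `Helpdesk` group.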

Some systems, such as Microsoft Azure AD and Teams, support the assignment of Accounts as Owners of the group within the Account Store. EmpowerID inventories this information and records changes in the GroupOwnerAccount and GroupOwnerAccountHistory tables, respectively.

...

In addition to reporting on this information and tracking changes, EmpowerID includes a full set of workflows that allow delegated admins and end users to manage members and owners and to request access. These are a single set of workflows and user interfaces that work with all Account Store connectors that support group membership functionality, providing a unified user experience. As mentioned previously, the workflows operate on the Group and GroupAccount component API objects and make live changes based on the connector implementation of the Account Store Identity entry for that Security Boundary Type. The same connector code is used for both interactive workflows and the background processes and jobs that enforce calculated policy-based access.

...
