In EmpowerID, the concept of an Organization refers to a top-level parent location within the Business Location structure, which can represent a business unit, geographical region, or functional grouping within a company's organizational hierarchy. Organizations serve as logical aggregation points in a location hierarchy, connecting lower-level locations together in a unified sub-tree. Objects assigned to these lower-level child locations are considered to be part of the higher-level organization, allowing for efficient management through organization-based delegation. These organization locations are designated as "Organization – Security Container" location types during location configuration.

Here are a few examples of organization nodes within a business location structure. In these examples, we can see how organization locations within EmpowerID can represent various aspects of a business, such as business units, geographic regions, and long-running enterprise projects.

Organization Example 1: Business Units

In this scenario, the Finance Division and Sales Division are configured as organization locations representing business units. Each of these higher-level business units includes department locations under them, which are considered part of the organization. Furthermore, any objects assigned to these child locations, such as people, groups, or accounts, are also considered to belong to the organization.

Organization Example 2: Geographic Regions

In this case, Europe and North America are configured as organization locations representing geographic regions. Each of these higher-level regions includes country and city locations beneath them, which are considered part of the organization. Additionally, any objects assigned to these child locations, such as people, groups, or accounts, are also considered to belong to the regional organization.

Organization Example 3: Long-Running Enterprise Projects

In this example, the Messaging Migration and Infrastructure Upgrade projects are configured as organization locations representing long-running enterprise projects. Each of these projects includes project teams beneath them, which are considered part of the project organization. Moreover, any objects assigned to these child locations, such as people, groups, or accounts, are also considered to belong to the organization.

How can Organizations be used for Delegation?

Organizations in EmpowerID can be utilized for delegation, allowing permissions or visibility for objects within a person's organization. For example, “People in Organizations I belong to” and “Security Groups in Organizations I Belong to” will include all people and security groups assigned to locations below the organization location common to where the person is located. In order to determine what organization(s) a person belongs to, the EmpowerID RBAC engine will find the location that a person is assigned to and begin evaluating the location tree up from that point until it finds a location that is designated as an organization type of location. The following illustrates this process:

  1. A person is assigned to a specific location (e.g., the Health location).

  2. The RBAC engine moves up the location tree to determine if the parent location (e.g., Internal Sales) is an organization. If the parent location is not an organization, the RBAC engine continues moving up the tree until it finds a location designated as an organization type (e.g., Sales Division).

  3. Once the RBAC engine identifies an organization, it determines that the person belongs to that organization and assigns the appropriate delegation to the objects in all locations below the organization location.

...

However, caution should be taken when configuring delegations by organization, as incorrect configurations can lead to unintended delegations. If the RBAC engine cannot find an organization location, it will continue moving up the tree until it encounters an organization, potentially granting more permissions than intended. The following steps show what happens when the Sales Division location is not configured as an organization:

  1. A person is assigned to the Health location.

  2. The RBAC engine moves up the tree to see if the Internal Sales location is an organization.

  3. Since the Internal Sales location is not an organization, it continues up to the next level to see if the Sales Division is an organization.

  4. Since the Sales Division was not configured correctly and is not an organization, it continues up to the next level to see if the Delegation Scopes location is an organization.

  5. Since the Delegation Scopes location is not an organization, it continues up to the next level to see if the RB Organization location is an organization.

  6. Since the RB Organization is an organization type location and is the first organization location encountered, the RBAC engine determines that the person belongs to the RB Organization and then assigns the appropriate delegation to the objects in all locations below the RB Organization location, which grants permissions to many more objects than the administrator intended.

Tip

To correct this situation, the administrator only needs to edit the configuration of the Sales Division location and change the type to “Organization – Security Container”. The next time the RBAC engine evaluates the organization assignment, it will properly resolve the person's organization to the Sales Division.

To fix such issues, administrators should ensure that the correct location is configured as an "Organization – Security Container." Once this configuration is updated, the RBAC engine will properly evaluate the person's organization assignment during its next evaluation.
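The walk-up evaluation and the misconfiguration described above, modelled as an added Python example; this is not EmpowerID code. The dictionary representation, the `Location` type label, the function names and the placement of Finance Division and Accounting in the tree are assumptions made for illustration. `audit` reports where a resolved organization differs from the intended one and which extra locations fall into scope as a result.

```python
ORG = "Organization – Security Container"  # location type named on the page
PLAIN = "Location"  # assumed label for any non-organization location type

# Constructed sample tree, name -> (parent, type). The Health branch follows the
# page's example; the placement of Finance Division and Accounting is assumed.
TREE = {
    "RB Organization": (None, ORG),
    "Delegation Scopes": ("RB Organization", PLAIN),
    "Sales Division": ("Delegation Scopes", PLAIN),  # misconfigured: not an organization
    "Internal Sales": ("Sales Division", PLAIN),
    "Health": ("Internal Sales", PLAIN),
    "Finance Division": ("Delegation Scopes", ORG),
    "Accounting": ("Finance Division", PLAIN),
}
FIXED = {**TREE, "Sales Division": ("Delegation Scopes", ORG)}  # the Tip's correction

def chain(tree, location):
    """Return the location and all of its ancestors, bottom-up."""
    out = []
    while location is not None:
        if location in out:
            raise ValueError(f"cycle in location tree at {location!r}")
        out.append(location)
        location = tree[location][0]
    return out

def resolve_org(tree, location):
    """First organization-type location walking up from `location`, or None.
    Assumption: the assigned location itself is checked before its parents."""
    return next((n for n in chain(tree, location) if tree[n][1] == ORG), None)

def delegation_scope(tree, org):
    """Every location at or below `org`; objects there receive the delegation."""
    return {loc for loc in tree if org in chain(tree, loc)}

def audit(tree, intended):
    """For each entry in `intended` (person location -> intended organization),
    report (location, intended, resolved, extra locations pulled into scope)."""
    findings = []
    for loc, want in intended.items():
        got = resolve_org(tree, loc)
        if got != want:
            extra = delegation_scope(tree, got) - delegation_scope(tree, want) if got else set()
            findings.append((loc, want, got, sorted(extra)))
    return findings

if __name__ == "__main__":
    print(audit(TREE, {"Health": "Sales Division"}))   # over-broad scope reported
    print(audit(FIXED, {"Health": "Sales Division"}))  # no findings after the fix
```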

Related Content

About Business Roles and Locations

Create Business Roles

Create Locations

Map EmpowerID Locations to External Locations

Create Business Role and Location Combinations

Assign Access Levels to Business Role and Location Combinations

Assign Management Roles to Business Role and Location Combinations

Map Groups to Business Role and Location Combinations

Add People to Business Role and Location Combinations

View Members of Business Role and Location Combinations

Remove People from Business Role and Location Combinations

Delete Business Roles

Delete Locations