EmpowerID uses the concept of "functions," which are "business-defined activities that a person can perform within one or more applications." Functions represent user actions in IT systems using the organization's everyday business language. For instance, creating a purchase order in a much larger purchasing business process could be defined as a function. In SAP, this right is marked with the TCode ME21N, but in user-friendly terms, it may be represented as "Create Purchase Order."

...

...

Using functions as the building blocks of what users can do in technical systems, organizations then build their risk policies around those functions using their own business language for those functions and policies. Once functions are named, business process specialists and technical application specialists map those functions to their representative entitlements in their respective applications. Once the mapping is complete, the risk management engine can be enabled to run on a scheduled basis to return users with functions.

Functions are utilized as foundational elements to define users' abilities within technical systems. Organizations create risk policies based on these functions, naming them in line with their business language. Functions are then linked with their respective entitlements in different applications by business process and technical application specialists. This enables the risk management engine to periodically review user privileges and functions.

There are two types of functions in EmpowerID: Global Functions and Local Functions.

Global Functions

Global functions are system-wide privileges that can be assigned to users across multiple applications. Examples could be "Create Purchase Orders" or "Create Groups", depending on the company's operational terminology. These are "system agnostic", meaning they can denote rights across various applications, such as ServiceNow, AWS, SAP, Salesforce, and EmpowerID. For instance, a "Create Group" action in various applications can be represented by a single "Create Group" global function in EmpowerID.

...

Image 2: Global Function representing a user action applicable across multiple systems

The first step in using Functions is to determine the user actions within an organization's applications and create corresponding global functions to represent those actions. Once set, these global functions can then accommodate local functions.

Local Functions

Local functions are specific instances of global functions, denoting actions within precise entities, systems, and locations as per an organization's business framework. Local functions are added to global functions, associating generic actions with the precise contexts in which they occur. For instance, "Create Groups in Austria" or "Create Purchase Order in SAP Prod" could be local functions under the respective global functions. A global function can have multiple local functions, as necessary.

...

Image 3: The correlation between local and global functions

Function Mapping

Functions, in themselves, are mere placeholders representing potential user actions within the IT infrastructure. To become operational, they must be linked to precise rights and roles sourced from your connected applications. In EmpowerID, this is termed as adding "function mapping rules" to functions, which happens initially at the global function level, followed by the local function level.

...

At the global function level, function mapping involves adding "rules" to the function, which are the global rights, global roles and local functions that logically represent what users with the function could do. If you create a "Create Azure Groups" global function to monitor who can create groups in Azure, you should only add function mapping rules related to this specific action.

...

Image 4: Function Mapping Rules at the global function level

From Image 4, three types of function mapping rules are visible:

  • Global Rights Granting Function (Mapped) – Indicates the global rights, if any, associated with the function. In this example, the global rights would be those rights permitting someone to create groups in Azure.

  • Global Roles Granting Function (Mapped) – Indicates the global roles, if any, associated with the function. Here, the global roles would be the Azure roles allowing someone to create groups in Azure.

  • Local Functions – Specifies the local functions that will derive from the global function. All local functions should have a relationship to the parent global function. In this case, a local function might be "Create Azure Groups in Austria."

Local Function Mapping

Local functions are established by incorporating them into global functions as function mapping rules. For instance, using the "Create Azure Groups" global function, if you wish to identify who could potentially form groups in an Azure tenant in Austria, you could incorporate "Create Azure Groups in Austria" as a function mapping rule.

...

Image 5: Representation of Local Functions as Function Mapping Rules

After a local function is linked to a global function via a function mapping rule, you can associate the local function with specific local rights or roles. Local function mappings encompass the following possibilities:

  • Local Rights Granting Function (Mapped) – This outlines the local rights, if any, linked to the function. Local rights that can be associated with local functions depend on the global rights linked to the parent global function. Any right that is not initially mapped in the parent global function cannot be chosen for the local function.

  • Local Roles Granting Function (Mapped) – This details the local roles, if any, connected to the function. Local roles that can be connected to local functions rely on the global roles linked to the parent global function. A role that is not initially mapped in the parent global function cannot be selected for the local function.

  • Assignees Granting Local Function (Mapped) – This enables you to designate one or more EmpowerID actor types associated with the function. Actor types comprise:

    • Business Role and Location – All people belonging to the Business Role and Location will be flagged as having the function

    • Group – All people belonging to the group will be flagged as having the function

    • Management Role – All people belonging to the Management Role will be flagged as having the function

    • Management Role Definition – All people belonging to the Management Roles derived from the definition will be flagged as having the function

    • Person – The specified person will be flagged as having the function

    • Query-Based Collection – All people belonging to the Query-Based Collection will be flagged as having the function
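The mapping rules above can be modeled in a few lines. The following is an added illustration, not EmpowerID code or its API: it enforces the rule that a local function may only use rights and roles already mapped on its parent global function, then expands rights, roles, and assignees into the set of people flagged as having the function. Modeling a local entitlement as a (global name, system) pair is an assumption, and all names and sample data are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class LocalFunction:
    name: str
    rights: set = field(default_factory=set)     # {(global_right, system)}
    roles: set = field(default_factory=set)      # {(global_role, system)}
    assignees: set = field(default_factory=set)  # {(actor_type, actor_name)}

@dataclass
class GlobalFunction:
    name: str
    rights: set = field(default_factory=set)     # global rights mapped to the function
    roles: set = field(default_factory=set)      # global roles mapped to the function
    local_functions: dict = field(default_factory=dict)

    def add_local(self, local):
        # A right or role must be mapped on the parent before a child can use it.
        unmapped = ({r for r, _ in local.rights} - self.rights) | (
            {r for r, _ in local.roles} - self.roles)
        if unmapped:
            raise ValueError(f"{local.name}: not mapped on parent: {sorted(unmapped)}")
        self.local_functions[local.name] = local

def people_with_function(local, holders, members):
    """holders: local entitlement -> people; members: (actor_type, name) -> people."""
    flagged = set()
    for entitlement in local.rights | local.roles:
        flagged |= holders.get(entitlement, set())
    for actor_type, actor in local.assignees:
        # A Person assignee is flagged directly; other actor types expand to members.
        flagged |= {actor} if actor_type == "Person" else members.get((actor_type, actor), set())
    return flagged

def demo():
    # Constructed sample data; every name below is hypothetical.
    parent = GlobalFunction("Create Azure Groups",
                            rights={"group.create"}, roles={"group-admin"})
    austria = LocalFunction("Create Azure Groups in Austria",
                            rights={("group.create", "azure-at")},
                            roles={("group-admin", "azure-at")},
                            assignees={("Group", "AT Helpdesk"), ("Person", "dana")})
    parent.add_local(austria)
    holders = {("group.create", "azure-at"): {"alice"},
               ("group-admin", "azure-at"): {"bob"},
               ("group.create", "azure-de"): {"erik"}}  # other tenant, not flagged
    members = {("Group", "AT Helpdesk"): {"carol", "alice"}}
    return sorted(people_with_function(austria, holders, members))

if __name__ == "__main__":
    print(demo())  # ['alice', 'bob', 'carol', 'dana']
```
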

Next Steps

Create Global Functions

Map Global Functions

...