
A pivotal concept in the automation of the initial assignment and ongoing maintenance of a person's Business Roles and Locations in EmpowerID is RBAC Mapping. EmpowerID provides the capability to catalog role and location hierarchies from external systems, including but not limited to HR systems, SaaS applications, Active Directory (AD), or LDAP directories. These external systems may already have established role and location structures, as commonly found in HR systems, or they can be structured using connector logic based on user attributes such as job title, department, and country.

These externally derived "external roles" and "external locations," along with the corresponding assignment of user accounts to these roles and locations, are systematically inventoried within the EmpowerID data model. The data model diagram below provides a visual representation of this concept:

...

In this diagram, you can observe how EmpowerID seamlessly integrates and manages the external role and location structures, making them part of the EmpowerID data model. This integration serves as the foundation for automated processes that assign and maintain Business Roles and Locations for individuals based on their attributes and associations within external systems. EmpowerID's RBAC Mapping empowers organizations to streamline identity and access management by leveraging existing organizational structures and data sources.

Automated Assignment of Business Roles and Locations

EmpowerID facilitates the automatic assignment of Business Roles and Business Locations based on organizational data obtained from authoritative sources. This automation is achieved through the use of two server jobs that run within the worker role container or server.

Role and Location Compiler

The Role and Location Compiler, hosted by the EmpowerID Worker Role Windows service, operates on a scheduled basis, typically every 5 minutes. It determines the Business Roles and Locations to be assigned to an EmpowerID Person by leveraging data from external systems, such as an HR system. The Compiler considers only account stores where "Allow Role and Location Recalculation" is enabled. In cases where multiple account stores are being monitored, those with a higher "Role and Location Re-Eval Order" value take precedence. This job relies on the following data sources:

  • Accounts linked to an EmpowerID Person

  • External Roles

  • External Locations

  • Associations between accounts, external roles, and external locations within an Account Store, taking into account whether the association is marked as "Primary" (only one association can be designated as "Primary" for a given account per Account Store)

Additionally, the Role and Location Compiler uses mappings managed in the EmpowerID Role and Location Mapper, including mappings between external roles and EmpowerID Roles and mappings between external locations and EmpowerID Locations. As it processes account records, it deposits transaction records into a queue table known as the "Role and Location Compiler Inbox," where they await processing by the Role and Location Processor job.


Role and Location Processor

The Role and Location Processor, another job hosted by the EmpowerID Worker Role Windows service, runs every 1 minute. It executes Business Role and Location changes as dictated by the Role and Location Compiler. This processor performs several critical actions:

  • Modifies a person's primary Business Role and Location (only relevant for individuals whose primary roles and locations were not explicitly assigned)

  • Assigns secondary roles and locations to a person

  • Removes secondary roles and locations from a person

  • Addresses ambiguous assignments by reassigning individuals whose Business Role and Location is uncertain to the role and location specified in the EmpowerID Resource System's "Default User Creation Path." This occurs only when a person's primary Business Role and Location were previously determined by the Role and Location Compiler and set by the processor but can no longer be determined due to insufficient or inconclusive information.

By segregating these functions into two distinct jobs, you have the option to disable the processor temporarily, allowing you to review suggested changes in the Recompiler inbox before processing them.

Similar to the Role and Location Compiler, the Role and Location Processor considers only account stores where "Allow Role and Location Recalculation" is enabled. In cases where multiple account stores are under observation, those with a higher "Role and Location Re-Eval Order" value take precedence.
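The following Python sketch models the compile-then-process flow described above so the access outcome of a mapping change can be reasoned about before it is applied. It is an added illustration, not EmpowerID code: the store names, mappings, default path values and the treatment of non-winning associations as secondary assignments are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assoc:  # one account-to-external-role/location association in a store
    store: str
    ext_role: str
    ext_loc: str
    primary: bool = False

# Constructed sample data; every name and value here is hypothetical.
STORES = {"HR": {"recalc": True, "order": 20},
          "AD": {"recalc": True, "order": 10},
          "LDAP": {"recalc": False, "order": 30}}  # recalculation disabled
ROLE_MAP = {("HR", "JOB-1001"): "Sales Rep", ("AD", "grp-sales"): "Sales Rep",
            ("AD", "grp-vpn"): "Remote Worker", ("LDAP", "admins"): "IT Admin"}
LOC_MAP = {("HR", "DE-BER"): "Berlin", ("AD", "OU=Berlin"): "Berlin",
           ("LDAP", "hq"): "HQ"}
DEFAULT_PATH = ("Temporary Role", "Default Organization")  # placeholder value

def compile_person(assocs):
    """Compiler step: build the inbox record for one person."""
    mapped = []
    for a in assocs:
        cfg = STORES.get(a.store)
        if not cfg or not cfg["recalc"]:
            continue  # only stores with recalculation enabled are considered
        role = ROLE_MAP.get((a.store, a.ext_role))
        loc = LOC_MAP.get((a.store, a.ext_loc))
        if role and loc:  # unmapped external values produce no assignment
            mapped.append((cfg["order"], a.primary, (role, loc)))
    primaries = sorted((m for m in mapped if m[1]), key=lambda m: -m[0])
    primary = primaries[0][2] if primaries else None  # higher order wins
    secondary = sorted({m[2] for m in mapped} - {primary})  # assumption
    return {"primary": primary, "secondary": secondary}

def process(person, record):
    """Processor step: apply an inbox record to a person (a dict)."""
    if not person["primary_explicit"]:  # explicit primaries are left alone
        if record["primary"]:
            person["primary"], person["set_by_compiler"] = record["primary"], True
        elif person["set_by_compiler"]:
            person["primary"] = DEFAULT_PATH  # ambiguous: fall back to default
    person["secondary"] = record["secondary"]
    return person
```

In this model the disabled LDAP store cannot grant "IT Admin" despite its higher order value, and a person whose mapping disappears drops to the default path instead of keeping a stale role.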
