Overview of Identity Administration

Identity Administration is the ability for designated individuals to perform user, group, shared folder, SharePoint, computer and other object management tasks in a controlled manner using the Web interface and workflows of EmpowerID. Which objects a person may see, and what management tasks they may perform against those objects, is controlled by EmpowerID's real-time RBAC / ABAC hybrid security model. EmpowerID allows controlled Identity Administration through a single interface and security model without requiring delegation of native permissions in the various systems in which the managed objects reside. Key to developing an effective Identity Administration strategy is uncovering the different types of "Personas" in your environment and classifying each by the objects they can see and the actions they can perform against them.

Users using the EmpowerID workflows or API may perform secure management of objects that exist in external systems as well as in EmpowerID. Examples of external objects are Azure AD User Accounts, SAP Roles, File Shares, SharePoint sites, etc. Users may also manage objects that only exist in EmpowerID: people, Management Roles, Business Roles, etc. In both cases, a real-time authorization engine leveraging RBAC and ABAC security controls who may manage which objects and which actions or tasks they may perform against those objects. The system also handles logging, automatic approval routing, and workflow task generation in the event a user tries an action they are not authorized to perform.

The bottom tier of the 3-tiered EmpowerID RBAC model is the Access Levels, which are EmpowerID's Technical Roles. Access Levels define which actions (operations) and which native system permissions (rights) the recipient of the Access Level is authorized to perform for any resources for which they hold that Access Level. Access Levels can be directly assigned to people, but most often are assigned to RBAC Actors in one of the higher tiers (i.e. Business Roles and Locations, Management Roles, etc.).

Operations are protected bits of code that are executed to perform these tasks in EmpowerID workflows or via its API. Operations can also be arbitrary, not performing any action, just serving as a placeholder for applications to query and determine access.

Rights are representations of actual permissions used in an external system which can be granted in EmpowerID via Access Level assignments. The EmpowerID enforcement engine pushes these permissions out into the external system on a schedule for any user to whom they have been granted. Examples of rights include NTFS permissions for shared folders and mailbox ACLs in Microsoft Exchange.
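The following toy model, added here as an illustration and not EmpowerID's own code or API, ties together the concepts from the preceding paragraphs: an Access Level bundles operations and rights, it is assigned directly to a person or to a higher-tier RBAC actor for a given resource, the real-time check resolves a person's effective Access Levels through their memberships, an unauthorized attempt is routed for approval rather than silently denied, and the rights the enforcement engine would push out are the union over the effective Access Levels. All actor, resource and Access Level names are constructed.

```python
# Added illustration of the Access Level / operation / right concepts above;
# this is a constructed toy model, not EmpowerID code or its API.
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessLevel:
    """Technical Role: bundles the operations (protected code paths) and the
    native rights (external-system permissions) it grants on a resource."""
    name: str
    operations: frozenset
    rights: frozenset

# Constructed sample Access Levels for a shared folder.
SHARE_MANAGER = AccessLevel("Share Manager",
                            frozenset({"AddMember", "RemoveMember", "ViewMembers"}),
                            frozenset({"NTFS:Modify"}))
SHARE_READER = AccessLevel("Share Reader",
                           frozenset({"ViewMembers"}), frozenset({"NTFS:Read"}))

# Constructed assignments: (actor, resource) -> Access Levels. An actor is a
# person or a higher-tier RBAC actor (Business Role + Location, Management Role).
ASSIGNMENTS = {
    ("BusinessRole:Finance@London", r"\\fs1\finance"): {SHARE_MANAGER},
    ("bob", r"\\fs1\finance"): {SHARE_READER},          # direct assignment
}
# Constructed memberships: person -> RBAC actors they belong to.
MEMBERSHIPS = {"alice": {"BusinessRole:Finance@London"}, "bob": set()}

def effective_access_levels(person, resource, assignments=ASSIGNMENTS,
                            memberships=MEMBERSHIPS):
    """Union of Access Levels held directly or through any RBAC actor."""
    actors = {person, *memberships.get(person, set())}
    levels = set()
    for actor in actors:
        levels |= assignments.get((actor, resource), set())
    return levels

def authorize(person, operation, resource):
    """Real-time check. The page says an unauthorized attempt is logged and
    routed for approval / turned into a workflow task, so that outcome is
    returned instead of a silent deny."""
    for level in effective_access_levels(person, resource):
        if operation in level.operations:
            return "allowed"
    return "approval_required"

def rights_to_push(person, resource):
    """Native rights the enforcement engine would push to the external system."""
    return frozenset().union(*(lvl.rights for lvl in effective_access_levels(person, resource)))
```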
