One of EmpowerID’s primary functions is to present an accurate picture of the security across an organization’s on-premises and cloud-based IT systems. In addition to viewing and auditing these systems, EmpowerID provides Entitlement Management capabilities, defined as “cataloging and managing all the accesses an account may have, as part of the business process used to provision access.”¹

To support these capabilities, EmpowerID periodically inventories “protected resources”¹ from the systems you want to manage. Within EmpowerID, this process of synchronizing accounts and supporting data into the Identity Warehouse is called “inventory,” although it may be known in other IAM systems as “reconciliation.”

What Are Protected Resources?

Protected resources are defined as “a system, process, service, information object, or even a physical location that is subject to access control as defined by the resource owner and by other stakeholders, such as a business process owner or risk manager.” EmpowerID can inventory and manage a wide variety of protected resources, including:

  • Accounts

  • Groups

  • Computers

  • Azure subscriptions

  • SharePoint Online site collections

  • Many other resource types

Resource Systems and Resource System Types

To specify which systems you want to inventory, the schedule for inventorying them, and where each protected resource resides, EmpowerID maintains a table named “ResourceSystems”. Each table entry represents a system containing protected resources you want EmpowerID to manage. Every registered system receives a unique ResourceSystemID and ResourceSystemGUID.

Additionally, EmpowerID itself has protected resources (for its pages, roles, APIs, etc.), which are treated as belonging to the “EmpowerID Resource System.”

Resource System Type vs. Security Boundary Type

  • Resource System Type: Defines the connector used to inventory data from an external system.

  • Security Boundary Type: Defines the connector used for Create, Update, Delete operations, as well as the attribute schema for the native objects that are managed directly in the external system.

Resource Records

When EmpowerID inventories protected resources, each resource is inserted into the Resource table with a unique ResourceID and ResourceGUID. The ResourceGUID matches the external system’s unique identifier (GUID) wherever that identifier is available in GUID format.

From here on, “protected resources” will simply be called “resources” to align with EmpowerID component terminology. It is important to note that each resource record in EmpowerID has a ResourceTypeID, specifying the type of resource or object. EmpowerID maintains a ResourceType record for each type of protected resource it can manage and secure. The ResourceTypeID becomes especially relevant later, when inventorying permissions for resources and when determining or modifying who can view or manage each resource.

Storing Resource Data

You might wonder how EmpowerID stores meaningful information about such diverse resource types in a single Resource table. It does not store all data in one place. As we mentioned in a previous module, the Identity Warehouse has over 1,200 tables. For each ResourceType, a dedicated table holds detailed information specific to that type of resource. Each record in these specialized tables points back to the ResourceID and ResourceGUID in the Resource table.

By maintaining a separate table per resource type, EmpowerID offers a richer user experience when you view and manage the information associated with different types of resources.
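To make the relationships described under Resource Records and Storing Resource Data concrete, here is an added example (not EmpowerID’s own schema or code) that models the ResourceSystems, ResourceType and Resource tables plus one per-type detail table in SQLite. The “Account” table, the Name and LogonName columns and all sample rows are assumptions for illustration; the point it demonstrates is that every detail row points back to a Resource row keyed by the external system’s GUID.

```python
import sqlite3

# Simplified model of the tables the page describes (ResourceSystems, Resource,
# ResourceType, one per-type detail table). The "Account" table, the Name and
# LogonName columns and all sample rows are assumptions, not EmpowerID's schema.
SCHEMA = """
CREATE TABLE ResourceSystems (
    ResourceSystemID   INTEGER PRIMARY KEY,
    ResourceSystemGUID TEXT NOT NULL UNIQUE,
    Name               TEXT NOT NULL);
CREATE TABLE ResourceType (
    ResourceTypeID INTEGER PRIMARY KEY,
    Name           TEXT NOT NULL);
CREATE TABLE Resource (
    ResourceID       INTEGER PRIMARY KEY,
    ResourceGUID     TEXT NOT NULL UNIQUE,   -- the external object's GUID
    ResourceTypeID   INTEGER NOT NULL REFERENCES ResourceType(ResourceTypeID),
    ResourceSystemID INTEGER NOT NULL REFERENCES ResourceSystems(ResourceSystemID));
CREATE TABLE Account (                       -- per-type detail table
    ResourceID INTEGER PRIMARY KEY REFERENCES Resource(ResourceID),  -- pointer back
    LogonName  TEXT NOT NULL);
"""

def build_warehouse():
    """In-memory warehouse seeded with constructed resource systems and types."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # enforce the pointers back to Resource
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO ResourceSystems VALUES (?, ?, ?)", [
        (1, "00000000-0000-0000-0000-000000000001", "EmpowerID Resource System"),
        (2, "00000000-0000-0000-0000-000000000002", "Corp AD (constructed)")])
    db.executemany("INSERT INTO ResourceType VALUES (?, ?)", [(1, "Account"), (2, "Group")])
    return db

def inventory_account(db, system_id, external_guid, logon_name):
    """Store one inventoried account: a Resource row keyed by the external GUID,
    then the Account detail row pointing back to it. Returns the new ResourceID."""
    cur = db.execute("INSERT INTO Resource (ResourceGUID, ResourceTypeID, ResourceSystemID) "
                     "VALUES (?, 1, ?)", (external_guid, system_id))
    db.execute("INSERT INTO Account VALUES (?, ?)", (cur.lastrowid, logon_name))
    return cur.lastrowid

def accounts_by_system(db):
    """Join each account's Resource row to its system, type and detail row."""
    return db.execute("""
        SELECT s.Name, t.Name, r.ResourceGUID, a.LogonName FROM Resource r
        JOIN ResourceSystems s ON s.ResourceSystemID = r.ResourceSystemID
        JOIN ResourceType t ON t.ResourceTypeID = r.ResourceTypeID
        JOIN Account a ON a.ResourceID = r.ResourceID
        ORDER BY r.ResourceID""").fetchall()
```

Because ResourceGUID is unique and foreign keys are enforced, re-inventorying the same external object or inserting a detail row without a Resource row is rejected by the database itself.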

...

¹ Source: Bago, E. (Ed.) & Glazer, I. (2021). “Introduction to Identity - Part 1: Admin-time (v2)”. IDPro Body of Knowledge, 1(5).

...