In EmpowerID, a Business Role is a user-defined hierarchical container for a grouping of EmpowerID Person objects that can be used to delegate access to resources based on a particular job function; in its simplest form, an EmpowerID Location is a container for holding resources. These two objects combine in EmpowerID to determine a collection of people based on their job function and location within an organization, allowing for polyarchical RBAC resource assignments. This is implemented in EmpowerID via tree interfaces (with inheritance) that allow for the intersection of Business Roles with Locations to support the following:
Static assignments of people – You can directly assign individuals to a Business Role and Location combination based on their job function and location, which allows them to have access to the resources granted to the Business Role and Location. For example, if you have a "Sales Manager" Business Role and a "London" location that has been assigned all the resources that a Sales Manager in London needs, you can then assign the "Sales Manager-London" Business Role and Location to a specific EmpowerID Person. This will give that person access to all the resources you assigned to the Business Role and Location.
RBAC mapping – Business Role and Location mappings allow existing physical directory locations and roles to be mapped to logical EmpowerID Locations for an easy resource management strategy that hides the complexity of the back-end directory structure from business users. For example, if you have multiple AD or LDAP directory containers for London, those containers can be visually mapped to a single, virtual EmpowerID "London" location. Once the mapping occurs, the resources in the physical directory containers "belong" to the corresponding EmpowerID Location. Then when you assign people to a Business Role and Location, they receive access to the resources in that location in the manner defined by the Access Level assignments granted to the Business Role and Location.
SetGroup mapping – SetGroups that contain collections of EmpowerID Person objects can be mapped to Business Roles and Locations to allow the people in that SetGroup to receive the Access Level assignments granted to the Business Role and Location. For example, if you have users in your organization with a Job Title of "Help Desk Technicians" and a City of "New York," you can use a SetGroup to dynamically contain users with those attributes and then map the SetGroup to a corresponding EmpowerID Business Role and Location (such as "Help Desk Technicians" Business Role in the "New York" location).
Locations
To assign resources to users, those resources must be located somewhere. In EmpowerID, the "somewhere" is an object known as the "EmpowerID Location." An EmpowerID Location is a container used to group resources for scoping access to those resources. This occurs through the use of two types of Location trees: the "External Locations" tree and the "EmpowerID Locations" tree. The External Locations tree represents the location of resources in the actual resource systems to which EmpowerID is connected. EmpowerID maintains a dynamic link with these resource system locations, reflecting any changes that occur in the structure of an actual external location in this tree. The EmpowerID Locations tree is a user-defined logical representation of an enterprise's organizational and geographical structure that can be mapped to actual resource locations in the External Locations tree.
When EmpowerID connects to a resource system, it copies the structure of that resource system into the External Locations tree, maintaining a dynamic link through it to the actual locations of the resources in the resource system. Once the External Locations tree is populated, you can create EmpowerID Locations, map them to the External Locations and then use those EmpowerID Locations for assigning the resources in your resource systems to the users in your organization.
Direct Static Assignment – Resources can be manually assigned to one or more EmpowerID Locations.
Implicit Assignment – Resources automatically belong to their resource system and their actual "location" in that system. For example, Active Directory objects belong to their OUs, and SharePoint objects belong to their site in the site tree.
RBAC Mapping – EmpowerID "logical" Locations can be created that map to one or more "physical" resource system locations. Once a mapping occurs, resources will automatically belong to any EmpowerID Location that is mapped to the actual resource system location of those resources.
Relative Location Assignment – Resources automatically belong to "relative" assignments that can be used with relative Access Levels.
...
Logical Locations
Logical locations are those locations in EmpowerID that represent an enterprise's organizational and geographical structure in a way that mirrors its operational model. Logical locations are optional, user-defined tools that can be used to create intuitive, business-friendly nodes on a hierarchical locations tree that offers delegated users the ability to interact more easily with system resources. These logical locations map to the physical locations of your resource systems and always reflect the resources inclusive to that location. When mapping occurs, all the resources or objects located in the directory are assigned to their corresponding logical location and can be used when delegating user rights. If a resource is removed from the external location, then it is removed from the corresponding logical location; if a resource is added to the external location, then it is added to the corresponding logical location.
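The following is an added sketch, not EmpowerID code or its data model, of how a Business Role and Location combination resolves to resources through the mapping described above, which is useful when reviewing who can reach what. The OU names, resource names, Access Level names, and the inheritance direction (a grant applies at or below its role and its location) are assumptions of the example.

```python
# Constructed sample data; names and tree shapes are illustrative, not EmpowerID's schema.
ROLE_PARENT = {"Sales": None, "Sales Manager": "Sales", "Help Desk Technician": None}
LOCATION_PARENT = {"Europe": None, "London": "Europe", "New York": None}

# External Locations: directory containers and the resources inventoried in them.
EXTERNAL = {
    "OU=London,OU=UK,DC=corp": {"grp-london-sales", "mbx-london-team"},
    "OU=LON,OU=Legacy,DC=corp": {"share-london-archive"},
    "OU=NewYork,DC=corp": {"grp-ny-helpdesk"},
}
# RBAC mapping: one logical location can front several physical containers.
LOCATION_MAP = {
    "London": ["OU=London,OU=UK,DC=corp", "OU=LON,OU=Legacy,DC=corp"],
    "New York": ["OU=NewYork,DC=corp"],
}
# Access Level assignments granted to Business Role and Location combinations.
GRANTS = {
    ("Sales", "Europe"): "Viewer",
    ("Sales Manager", "London"): "Editor",
    ("Help Desk Technician", "New York"): "Viewer",
}
# Static assignment of people to a combination.
PEOPLE = {"alice": ("Sales Manager", "London"), "bob": ("Help Desk Technician", "New York")}

def ancestors(node, parent):
    """Yield node, then each ancestor up to the root."""
    while node is not None:
        yield node
        node = parent[node]

def location_resources(loc, external):
    """Resources in loc or any child location, read through the mapping at call time."""
    covered = [n for n in LOCATION_PARENT if loc in ancestors(n, LOCATION_PARENT)]
    return {r for n in covered for c in LOCATION_MAP.get(n, []) for r in external.get(c, set())}

def effective_access(person, external=EXTERNAL):
    """Map each reachable resource to the set of Access Levels the person holds on it."""
    role, loc = PEOPLE[person]
    access = {}
    for (g_role, g_loc), level in GRANTS.items():
        # Assumed inheritance: a grant applies at or below its role and its location.
        if g_role in ancestors(role, ROLE_PARENT) and g_loc in ancestors(loc, LOCATION_PARENT):
            for res in location_resources(g_loc, external):
                access.setdefault(res, set()).add(level)
    return access
```

Because membership is computed from the external containers on each call, adding or removing a resource in a mapped container changes the result without touching any grant.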
...
The All IT Systems location is a default EmpowerID location below which reside the locations for all the IT systems that EmpowerID protects, including the EmpowerID system itself. Within this location, EmpowerID creates and dynamically maintains the locations that represent the various resource systems, such as Active Directory, Microsoft Exchange, and Microsoft SharePoint, that EmpowerID connects to and manages via the inventory process. Resources inventoried from the managed resource system automatically exist in their corresponding EmpowerID location. Their EmpowerID location updates if it changes in the external system. Because these locations map to actual resources, the internal structure of these locations should not be reorganized or modified.
...
Due to the dynamic nature of these locations, the All IT Systems locations are hidden from the role and location selectors that are used to assign Business Roles and locations to Person objects and are not intended to be used for those purposes. An exception is when you want to use the actual structure of Active Directory as a business location rather than recreating it in a logical representation. In this case, it is necessary to map your directory.
These locations are maintained automatically via inventory. They move when moved in the external system and are deleted when deleted in the external system.
These locations are not mapped to external locations with the RBAC Mapper as they automatically map one-to-one to an actual external location.
Resources are not assigned to these locations as the resources belonging to these locations reflect what exists in the external location.
Resource Systems Locations
These are special locations in EmpowerID that represent the structure of the various resource systems to which EmpowerID is connected. These locations are contained under the All IT Systems node of the EmpowerID Locations tree.
Tip: EmpowerID provides several ways by which resources can belong to a location.
...
Related
Map EmpowerID Locations to External Locations
Create Business Role and Location Combinations
Assign Access Levels to Business Role and Location Combinations
Assign Management Roles to Business Role and Location Combinations
Map Groups to Business Role and Location Combinations
Add People to Business Role and Location Combinations
View Members of Business Role and Location Combinations
Manage Members of