Versions Compared

Old Version 1

changes.mady.by.user Phillip Hanegan

Saved on

compared with

New Version Current

changes.mady.by.user Dhiraj Kumar (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

theme{"label":"solarized_dark","value":"solarized_dark"}
contentByMode{"html":"<!Doctype html>\r\n<link href=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/bootstrap.min.css\" rel=\"stylesheet\" integrity=\"sha384-EVSTQN3/azprG1Anm3QDgpJLIm9Nao0Yz1ztcQTwFspd3yD65VohhpuuCOmLASjC\" crossorigin=\"anonymous\">\r\n<p>In EmpowerID, you delegate access to resources through the assignment of <a href=\"#\" id=\"tooltip\" data-bs-toggle=\"tooltip\" data-bs-placement=\"top\" \r\ntitle=\"Access Levels are composed of one or more 'EmpowerID Operations' and/or 'native system rights' that are specific to a particular resource type like user accounts or mailboxes\">Access \r\nLevels</a> to an EmpowerID actor. When you do so, you give that actor the ability to execute the operations and rights of the Access Level against those resources.</p>\r\n<p>Generally this is accomplished through assigning Access Levels to 'container' actor \r\nobjects like Management Roles or Business Roles and Locations, and then either assigning users to those roles via some policy or making them eligible for them via the IT Shop.</p>\r\n\r\n<p>The number of resources affected by Access Level assignments is determined by the scope of the assignment. Assignment scope in EmpowerID includes the following:</p>\r\n<script src=\"https://cdn.jsdelivr.net/npm/@popperjs/core@2.9.2/dist/umd/popper.min.js\" integrity=\"sha384-IQsoLXl5PILFhosVNubq5LC7Qb9DXgDA9i+tQ8Zj3iwWAwPtgFTxbJ8NT4GN1R8p\" crossorigin=\"anonymous\"></script>\r\n<script src=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/bootstrap.min.js\" integrity=\"sha384-cVKIPhGWiC2Al4u+LWgxfKTRIcfu0JTxR+EQDz/bgldoEyl4H0zUF0QKbrJ0EcQF\" crossorigin=\"anonymous\"></script>\r\n","javascript":"var exampleTriggerEl = document.getElementById('tooltip')\r\nvar tooltip = bootstrap.Tooltip.getOrCreateInstance(exampleTriggerEl) // Returns a Bootstrap tooltip instance","css":".tooltip-inner\r\n{\r\n max-width:300px !important;\r\n}"}

Direct

Direct assignments scope access to a single resource of a specific resource type, giving the actor receiving the assignment the ability to perform the operations and rights of the Access Level against that resource. An example would be assigning the Help Desk Access Level for the user account owned by "Ruth" to an EmpowerID Person named "Bob." In this example, user account is the resource type, the user account owned by Ruth is the resource, and the EmpowerID Person Bob is the actor. With this type of Access Level assignment, Bob can perform Help Desk operations against Ruth's user account, but not another.

By Location

By-Location assignments scope access to all resources of a specific resource type in a designated location, giving the actor receiving the assignment the ability to perform the operations and rights of the Access Level against those particular resources. An example would be assigning the Help Desk Access Level for all user accounts in Toronto to the Toronto Help Desk group. In this example, user account is the resource type, the user accounts in Toronto are the resources, and the Toronto Help Desk group is the actor. With this type of Access Level assignment, all members of the group can perform Help Desk operations against all the user accounts in Toronto (as well as in any locations for which Toronto is the parent), but not in any other locations.

Relative

Relative assignments scope access to all resources of a specific type that belong to the same location as the actor receiving the assignment. An example would be assigning the Help Desk Access Level for all user accounts in Bob's location to Bob. In this example, user account is the resource type, the user accounts in Bob's location are the resources, and the EmpowerID Person Bob is the actor. With this type of Access Level assignment, Bob can perform Help Desk operations against all the user accounts in his location (as well as in any locations for which his location is the parent), but not in any other locations.

Design Considerations

When designing a delegation model, it is important to consider the projection and enforcement process that EmpowerID uses to manage the security of your resources. As mentioned above, these delegations can be done by selecting one or more EmpowerID actor types and granting them access directly, by location, or via a role assignment. The access type chosen in the delegation will impact the number of domain local groups created later for the Access Levels that get enforced. Here are few things to consider when deciding your course of action:

  • As a best practice, you should use roles whenever possible. Roles are more generic and can group a large number of delegations to protected resources, creating only one EmpowerID Access Level Group in each domain for all members of the role as opposed to the creation of a domain local group (EmpowerID Access Level Group) that occurs for each direct assignment. In addition, using roles provides an extra layer of abstraction between the actor and the delegation, making management easier, and reporting and auditing more clear.

  • Location delegations are also a good choice and they will also result in a single group per domain; however, you can potentially have more groups than you would by using Management Roles.

  • The least recommended method for delegating access to resources is using direct assignments. Direct assignments should only be used to cover the delegation "exceptions" that cannot be met by using roles or location delegations. The reason this approach should be used sparingly is that it can become cumbersome if you are managing a large number of Access Levels because each direct assignment results in the creation of a separate domain local group for enforcement to the external system.

The goal for self-service access requests in EmpowerID is to deliver compliant access and reduce the need for end-users to request additional access beyond what is granted by their roles. Access requested by a person that is not granted by that person’s roles should be considered an exception and go through a controlled yet easy-to-use approval process before being granted. Exceptions represent an additional risk and create extra work to be processed and approved, as well as audited during compliance recertifications. EmpowerID’s best practice approach to exceptions management ensures that exceptions are always based on proper justification, traceable and auditable, manageable, and temporary whenever possible. To help organizations achieve the best possible outcome delivering compliant access, EmpowerID includes the following components:

  • IT Shop

  • Eligibility

  • Approvals and Approval Routing

IT Shop

The "IT Shop" is a microservice from which users can search for and request access to IT resources your organization makes available to them. To do so, users navigate to the IT Shop, where they can see their current resources and shop for more. Depending on their job function, users may also request resources for other users. To shop for a role or other resource, they simply select the resource type and search for the specific resource item belonging to that type. Once they have found the desired item, they request access, which opens a drawer. From the drawer, users can optionally place time constraints on the request and add it to their carts or simply close the drawer to discontinue. Once a resource is added to a user’s cart, it stays there until the user either checks out (submits the cart) or removes it. By keeping resources in the cart, users can navigate away from the IT Shop as needed without losing the contents of their carts. When ready to submit their requests, users review the items in their cart and when ready submit them to the Identity and Access Management platform (EmpowerID). If they decide they don’t want to request an item that is in their cart, they can simply remove it.

Figure 1 below shows the main flow that occurs for users shopping for roles in the IT Shop, as well as the IT Shop user interface.

...

 

Eligibility Policies

EmpowerID offers a powerful policy engine to control which users may see and request which resources in the IT Shop. These policies are known as “Eligibility.” Eligibility policies may apply to users by attribute query, role, group, or other criteria, making it easy to target who receives which policies and have the assignment automated and maintained throughout their lifecycle.

Eligibility policies can be defined as either inclusion rules or exclusion rules. Inclusion rules define the items a user is authorized to see and request in the IT Shop and ensure these are only the ones that would make sense for them to request. An example could be eligibility policies with rules that filter resources available for Field Sales employees and developers. The catalog of requestable roles and resources available to each of those employees should be different to ensure that unwarranted access requests and unnecessary approval tasks are not generated. Additionally, inclusion and exclusion rules help organizations provide employees a more pleasant user shopping experience as they are shielded from viewing the organization's entire catalog of IT resources.

Inclusion rules include the following:

  • Eligible – Users can request items in the IT Shop, and the request will go for approval unless the requesting person has the RBAC delegations needed to grant the access being requested.

  • Pre-Approved – Users assigned the policies are pre-approved for the items to which the policy is applicable. When the IT Shop user later requests access, it will not require an approval step before being fulfilled. 

  • Suggested – The IT Shop item will show a “Suggested” additional item they may request because of their existing roles or in the context of a role they are currently requesting. The item will still follow standard approval routing rules. 

 

...

Figure 2: Eligibility Policy applied to a person

 

Approvals and Approval Routing

EmpowerID includes a powerful approval routing engine and friendly end-user interfaces for task tracking and decisions. As discussed above, Eligibility policies are considered when calculating whether a user’s request requires approval and if so, how many approval steps are required and to whom should the approval tasks be assigned. Determination of the approval process is dynamic and considers the roles of the requestor, the sensitivity of the items being requested, and an organization’s risk and Segregation of Duties (SoD) policies. Based on these factors, approval for a requested item may not be required or it could require multiple levels of approval and an additional SoD approval by a risk owner.

Approvers are notified via configurable and localized email notifications with reminder emails configured based on flexible policies. All decisions at each step in the process are logged and traceable up to and including the final fulfillment of access.

Info

Related Docs Topics:

Self Service

Easy html macro
theme{"label":"solarized_dark","value":"solarized_dark"}
contentByMode{"html":"<!doctype html>\r\n<head>\r\n<link href=\"https://cdn.jsdelivr.net/npm/bootstrap@5.1.0/dist/css/bootstrap.min.css\" rel=\"stylesheet\" integrity=\"sha384-KyZXEAg3QhqLMpG8r+8fhAXLRk2vvoC2f3B09zVXn8CA5QIVfZOJ3BCsw2P0p/We\" crossorigin=\"anonymous\">\r\n</head>\r\n<nav aria-label=\"...\">\r\n <ul class=\"pagination justify-content-center\">\r\n <li class=\"page-item disabled\">\r\n <a class=\"page-link\" href=\"https://dotnetworkflow.jira.com/wiki/spaces/EIDIGACore/pages/2387742539/Web+Security+Settings\" target=\"_top\"> &laquo; &nbsp;&nbsp;Previous</a>\r\n </li>\r\n <li class=\"page-item active\" aria-current=\"page\">\r\n <span class=\"page-link\">Current</span>\r\n </li>\r\n <li class=\"page-item\">\r\n <a class=\"page-link\" href=\"https://dotnetworkflow.jira.com/wiki/spaces/EIDIGACoreacessselfservice/pages/2387742577/Eligibility2459172913/Overview+of+the+IT+Shop\" target=\"_top\"> Next&nbsp;&nbsp; &raquo;</a>\r\n </li>\r\n </ul>\r\n</nav>","javascript":"","css":""}
 Insert excerpt
IL:External Stylesheet
IL:External Stylesheet
nopaneltrue