If your organization has partners that need to access your system to manage the IT resources you have allocated to them (such as onboarding employees, adding people to groups, creating new user accounts, etc.), you can create special EmpowerID locations, known as "Organization" locations, for those partners and assign to the people within those locations one or more of the "Partner" Management Roles EmpowerID provides out of the box. Combining these locations and Management Roles with a Business Role and Location assignment allows you to give partners the ability to fully manage their own domain without exposing your IT infrastructure to them. In this way, you can have multiple partners conducting business within your enterprise without those partners having an awareness of one another or of the resources internal to your organization. We discuss below how each of these aspects of the partner relationship work together.

Partner Management Roles

As mentioned above, EmpowerID provides "Partner" Management Roles out of the box. These roles are the Partner Admin Management Role and the Partner User Management Role. Each is configured with Access Levels for a subset of resources commensurate with the role. The Partner Admin Management Role gives assignees administrative capabilities over aspects of their domain, while the Partner User Management Role gives assignees the ability to perform basic actions, such as searching for people, requesting access to resources and initiating several workflows.

Info

Partner Admins have both Management Roles. Additionally, all partners receive the Self-Service User Management Role.

Partner Admin Management Role

This Management Role gives assignees of the role the ability to manage the people and resources in their partner locations.

Assignment Type: Person Relative Resource

Resource Type | Access Level | Assignment Description | For Resources Below
Person | All Access (EmpowerID Admin) | Assignment to any Person as All Access (EmpowerID Admin) that matches this criteria: People in organizations I belong to. | EmpowerIDAdmininstrator PeopleInMyOrganization
User Account | All Access (EmpowerID Admin) | Assignment to any User Account as All Access (EmpowerID Admin) that matches this criteria: Accounts in organizations I belong to. | EmpowerIDAdmininstrator AccountsInMyOrganization
Group (Security) | All Access (EmpowerID Admin) | Assignment to any Group (Security) as All Access (EmpowerID Admin) that matches this criteria: Security Groups in organizations I belong to. | EmpowerIDAdmininstrator SecurityGroupsInMyOrganization
Group (Distribution) | All Access (EmpowerID Admin) | Assignment to any Group (Distribution) as All Access (EmpowerID Admin) that matches this criteria: Distribution Groups in organizations I belong to. | EmpowerIDAdmininstrator DistributionGroupsInMyOrganization
Group (Generic) | All Access (EmpowerID Admin) | Assignment to any Group (Generic) as All Access (EmpowerID Admin) that matches this criteria: Generic Groups in organizations I belong to. | EmpowerIDAdmininstrator GenericGroupsInMyOrganization

Assignment Type: Direct

Resource Type | Access Level | Resource | Assignment Description
Pages and Reports | Viewer | Edit Group Page | Direct assignment to the Edit Group page as Viewer
Pages and Reports | Viewer | View Person Page | Direct assignment to the View Person page as Viewer
Pages and Reports | Viewer | View Account Page | Direct assignment to the View Account page as Viewer
Pages and Reports | Viewer | View Group Page | Direct assignment to the View Group page as Viewer
Workflow | Initiator | TemporaryGroupMembership | Direct assignment to the TemporaryGroupMembership workflow as Initiator
Pages and Reports | Viewer | Create Person Simple | Direct assignment to the Create Person Simple page as Viewer
Pages and Reports | Viewer | Person Onboarding | Direct assignment to the Person Onboarding page as Viewer
Workflow | Initiator | UpdatePersonAssets | Direct assignment to the UpdatePersonAssets workflow as Initiator
Workflow | Initiator | UpdateAssignments | Direct assignment to the UpdateAssignments workflow as Initiator
Control (User Interface) | Viewer | Global Person Search Box | Direct assignment to the Global Person Search Box as Viewer
Pages and Reports | Viewer | Reset Password Page | Direct assignment to the Reset Password page as Viewer
Control (User Interface) | Viewer | Shopping Cart | Direct assignment to the Shopping Cart as Viewer
Pages and Reports | Viewer | Edit Person Page | Direct assignment to the Edit Person page as Viewer
Pages and Reports | Viewer | Edit Account Page | Direct assignment to the Edit Account page as Viewer
Pages and Reports | Viewer | Find Group Page | Direct assignment to the Find Group page as Viewer
Workflow | Initiator | UpdateResourceLocations | Direct assignment to the UpdateResourceLocations workflow as Initiator
Workflow | Initiator | UpdatePersonBusinessRoles | Direct assignment to the UpdatePersonBusinessRoles workflow as Initiator
Workflow | Initiator | UpdatePersonRelationships | Direct assignment to the UpdatePersonRelationships workflow as Initiator
Workflow | Initiator | UpdateGroupAccountMembership | Direct assignment to the UpdateGroupAccountMembership workflow as Initiator
Workflow | Initiator | PersonPhotoApproval | Direct assignment to the PersonPhotoApproval workflow as Initiator
Workflow | Initiator | UpdateResourceTags | Direct assignment to the UpdateResourceTags workflow as Initiator
Workflow | Initiator | CreatePerson | Direct assignment to the CreatePerson workflow as Initiator
Control (User Interface) | Viewer | Group Resource Type Drop-down Item | Direct assignment to the Group Resource Type drop-down item as Viewer
Workflow | Initiator | DeleteMultiplePeopleWF | Direct assignment to the DeleteMultiplePeopleWF workflow as Initiator
Workflow | Initiator | DisableMultiplePeopleWf | Direct assignment to the DisableMultiplePeopleWf workflow as Initiator
Workflow | Initiator | EditPersonPhotoApproval | Direct assignment to the EditPersonPhotoApproval workflow as Initiator
Pages and Reports | Viewer | SSO Applications Page | Direct assignment to the SSO Applications page as Viewer
Workflow | Initiator | UpdatePersonGroupMembership | Direct assignment to the UpdatePersonGroupMembership workflow as Initiator
Pages and Reports | Viewer | Find User Account Page | Direct assignment to the Find User Account page as Viewer
Workflow | Initiator | ChangePrimaryOrgRoleOrgZone | Direct assignment to the ChangePrimaryOrgRoleOrgZone workflow as Initiator
Workflow | Initiator | HelpdeskPasswordReset | Direct assignment to the HelpdeskPasswordReset workflow as Initiator
Workflow | Initiator | HelpdeskAccountUnlock | Direct assignment to the HelpdeskAccountUnlock workflow as Initiator
Workflow | Initiator | ResourceManagerEditGroup | Direct assignment to the ResourceManagerEditGroup workflow as Initiator
Workflow | Initiator | PersonEditNonResourceManager | Direct assignment to the PersonEditNonResourceManager workflow as Initiator
Control (User Interface) | Viewer | Account Resource Type Drop-down Item | Direct assignment to the Account Resource Type drop-down item as Viewer
Control (User Interface) | Viewer | Person Resource Type Drop-down Item | Direct assignment to the Person Resource Type drop-down item as Viewer

Partner User Management Role

This Management Role gives assignees of the role access to the resources in their partner locations.

Assignment Type: Direct

Resource Type | Access Level | Resource | Assignment Description
Workflow | Initiator | UnclaimBusinessProcessTask | Direct assignment to the UnclaimBusinessProcessTask workflow as Initiator
Workflow | Initiator | AddBusinessProcessTaskComment | Direct assignment to the AddBusinessProcessTaskComment workflow as Initiator
Pages and Reports | Viewer | View Self Page | Direct assignment to the View Self page as Viewer
Pages and Reports | Viewer | Request Center Tasks To Do | Direct assignment to Request Center Tasks To Do as Viewer
Pages and Reports | Viewer | Request Center Tasks Done | Direct assignment to Request Center Tasks Done as Viewer
Pages and Reports | Viewer | Request Center Requests My Open | Direct assignment to Request Center Requests My Open as Viewer
Pages and Reports | Viewer | Request Center Requests My Complete | Direct assignment to Request Center Requests My Complete as Viewer
Workflow | Initiator | TerminateWorkflow | Direct assignment to the TerminateWorkflow workflow as Initiator
Pages and Reports | Viewer | SSO Applications Page | Direct assignment to the SSO Applications page as Viewer
Workflow | Initiator | PersonPhotoApproval | Direct assignment to the PersonPhotoApproval workflow as Initiator
Pages and Reports | Viewer | Edit Self Page | Direct assignment to the Edit Self page as Viewer
Workflow | Initiator | RequestDecisions | Direct assignment to the RequestDecisions workflow as Initiator
Workflow | Initiator | SetBusinessProcessTaskDelegate | Direct assignment to the SetBusinessProcessTaskDelegate workflow as Initiator
Workflow | Initiator | RemoveBusinessProcessTaskDelegate | Direct assignment to the RemoveBusinessProcessTaskDelegate workflow as Initiator
Workflow | Initiator | ClaimBusinessProcessTask | Direct assignment to the ClaimBusinessProcessTask workflow as Initiator
Workflow | Initiator | PersonEditNonResourceManager | Direct assignment to the PersonEditNonResourceManager workflow as Initiator
Control (User Interface) | Viewer | Person Resource Type Drop-down Item | Direct assignment to the Person Resource Type drop-down item as Viewer

Organization Locations

Organization locations are a special location type. They differ from other EmpowerID locations in that the relative "In My Organizations" Access Levels, such as the "People In My Organizations" Access Level granted to the Partner Admin Management Role, are resolved only against Organization locations and have no effect if assigned to people in other location types.

Info

Technically speaking, the RBAC compiler performs a special calculation of each person's Organizations: the OrgZones the person belongs to that are in or below an OrgZone marked as type Organization. The relative "In My Organizations" Access Levels are evaluated against that set, which is why the Organization tree hierarchy determines the access each partner actually receives.

When people are assigned to an Organization location via a Business Role and Location assignment, the RBAC compiler determines their relative access and limits them as actors to the resources in their Organization location and any Organization locations below theirs in the Organization tree. They cannot act on resources above their location (see the image and discussion below). This limitation, however, does not apply to people as resources. As resources, people belong to every Organization location above them in their branch of the tree, including the parent. This is what allows people in top-level Organization locations to act on those below them.

Visually, this can be represented as follows:

[Image: a partner organization tree with a User Admin at the top-level Organization location (outlined in green) and a User Admin at a sub-organization location (outlined in blue)]

In the image, the triangle represents the partner organization in its entirety. Within the organization, there is a top-level parent Organization location and a person belonging to that location with the "User Admin" Business Role (depicted by the figure outlined in green). As this person belongs to the root location, the RBAC compilation of "People in their Organizations" includes the people in the root as well as all the people in the locations below the root. Thus, they can manage all users in the partner organization (represented by the green arrows).

In addition to the User Admin at the root or top-level Organization location, there is a person with the User Admin Business Role (depicted by the figure outlined in blue) at a sub-organization location. As this person belongs to a location below the parent, the RBAC compilation of "People in their Organizations" includes only those people in the person's sub-organization location and below. Thus, the person can manage all users in those locations, but not any of those in the locations above their organization (represented by the blue arrow). And because the user admin is also a resource, that person can be managed by the User Admin at the parent location. This structure allows partner organizations to have sub-organization locations with their own self-contained management capabilities that can be altered as needed by those in the top-level Organization.

Info

EmpowerID includes a default Organization location under which all partner Organizations should be created. This Organization location is the Partner Organization location. We demonstrate this in the Managing Partner Delegations topic.

Partner Business Roles

As mentioned in the above discussion, managing the access of your partners involves another component, the Business Role. In the EmpowerID RBAC model, Business Roles and locations intersect to provide scope in access assignments. All people must have a Business Role and all resources must belong to a location. In partner delegations, the EmpowerID RBAC compiler uses partner Business Role and Location assignments to determine the relative access to resources the people in those Business Roles and Locations have.

By default, EmpowerID includes two partner Business Role and Location combinations: Partner Admin in Partners and Partner in Partners. These Business Role and Location combinations are assigned to the Partner Admin and Partner User Management Roles, respectively. This means that any person placed in one of those Business Role and Location combinations receives the Access Levels granted to the corresponding Management Role. We demonstrate how this works in the Managing Partner Delegations topic.
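The following Python model is an added illustration written for this article; it is not EmpowerID code and does not call the EmpowerID API. It puts the two preceding ideas together in one runnable scenario: an OrgZone tree in which some zones are marked as type Organization, the default "Partner Admin in Partners" and "Partner in Partners" Business Role and Location assignments mapping to Management Roles, and the relative "People in organizations I belong to" Access Level that the Partner Admin Management Role carries. The zone names, person names and the rule that a Business Role and Location assignment applies to the assigned location and everything below it are assumptions made for the example. The actor/resource asymmetry from the image discussion is modelled explicitly: an actor's scope is the nearest Organization zone at or above them and everything beneath it, whereas as a resource a person belongs to every Organization zone above them, so the top-level admin can manage the sub-organization admin but not the other way round, and a Partner Admin role granted outside any Organization zone yields no relative access at all.

```python
"""Toy model of EmpowerID-style partner delegation scoping (constructed example, not EmpowerID code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class OrgZone:
    name: str
    parent: Optional[str]            # name of the parent zone; None for the root
    is_organization: bool = False    # zone is marked as type Organization


@dataclass(frozen=True)
class Person:
    name: str
    business_role: str
    location: str                                   # OrgZone the person is assigned to
    direct_roles: FrozenSet[str] = frozenset()      # Management Roles granted directly (hypothetical)


# Relative Access Levels carried by each Management Role (from the Partner Admin table above).
MANAGEMENT_ROLE_ACCESS: Dict[str, Set[str]] = {
    "Partner Admin": {"PeopleInMyOrganization"},
    "Partner User": set(),
}

# Default Business Role + Location pairs and the Management Roles they grant.
# Assumption for this model: an assignment covers the location and everything below it.
BR_LOCATION_ASSIGNMENTS: List[Tuple[str, str, Set[str]]] = [
    ("Partner Admin", "Partners", {"Partner Admin", "Partner User"}),
    ("Partner", "Partners", {"Partner User"}),
]


def ancestors_inclusive(zones: Dict[str, OrgZone], location: str) -> List[str]:
    """Zone names from the given zone up to the root, the zone itself first."""
    chain: List[str] = []
    current: Optional[str] = location
    while current is not None:
        chain.append(current)
        current = zones[current].parent
    return chain


def organizations_as_resource(zones: Dict[str, OrgZone], location: str) -> Set[str]:
    """Every Organization-typed zone a resource at this location belongs to (all the way up)."""
    return {z for z in ancestors_inclusive(zones, location) if zones[z].is_organization}


def organization_as_actor(zones: Dict[str, OrgZone], location: str) -> Optional[str]:
    """Nearest Organization-typed zone at or above an actor; None when there is none.
    The actor's relative scope is this zone plus everything beneath it."""
    for z in ancestors_inclusive(zones, location):
        if zones[z].is_organization:
            return z
    return None


def management_roles_for(person: Person, zones: Dict[str, OrgZone]) -> Set[str]:
    """Direct Management Roles plus those granted by matching Business Role + Location pairs."""
    roles = set(person.direct_roles)
    lineage = set(ancestors_inclusive(zones, person.location))
    for business_role, location, granted in BR_LOCATION_ASSIGNMENTS:
        if person.business_role == business_role and location in lineage:
            roles |= granted
    return roles


def people_in_my_organization(actor: Person, people: List[Person], zones: Dict[str, OrgZone]) -> Set[str]:
    """Names the actor may manage under the relative 'People in organizations I belong to' level."""
    access: Set[str] = set()
    for role in management_roles_for(actor, zones):
        access |= MANAGEMENT_ROLE_ACCESS.get(role, set())
    if "PeopleInMyOrganization" not in access:
        return set()
    scope = organization_as_actor(zones, actor.location)
    if scope is None:       # relative Access Level has no effect outside Organization locations
        return set()
    return {p.name for p in people if scope in organizations_as_resource(zones, p.location)}


# Constructed sample tree: "Partners" plays the default Partner Organization location.
ZONES: Dict[str, OrgZone] = {z.name: z for z in [
    OrgZone("Corporate", None),
    OrgZone("Corporate/IT", "Corporate"),
    OrgZone("Partners", "Corporate", is_organization=True),
    OrgZone("Partners/Acme", "Partners", is_organization=True),
    OrgZone("Partners/Acme/EMEA", "Partners/Acme", is_organization=True),
    OrgZone("Partners/Globex", "Partners", is_organization=True),
]}

PEOPLE: List[Person] = [
    Person("alice", "Partner Admin", "Partners/Acme"),            # User Admin at Acme's top-level Organization
    Person("bob", "Partner Admin", "Partners/Acme/EMEA"),         # User Admin at a sub-organization
    Person("carol", "Partner", "Partners/Acme/EMEA"),             # ordinary partner user
    Person("dave", "Partner Admin", "Partners/Globex"),           # admin of an unrelated partner
    Person("erin", "IT Admin", "Corporate/IT"),                   # internal employee, not a partner
    Person("frank", "IT Admin", "Corporate/IT", frozenset({"Partner Admin"})),  # role granted outside any Organization zone
]


def who_can_manage_whom() -> Dict[str, Set[str]]:
    return {p.name: people_in_my_organization(p, PEOPLE, ZONES) for p in PEOPLE}


if __name__ == "__main__":
    for actor, managed in who_can_manage_whom().items():
        print(f"{actor:6} -> {sorted(managed)}")
```

Running the block prints the managed set per actor: alice (top-level Acme admin) reaches alice, bob and carol; bob (sub-organization admin) reaches only bob and carol; dave sees nobody outside Globex; carol and erin, who hold no Partner Admin role, manage nobody; and frank, who has the role but sits outside any Organization zone, gets an empty set, which is the "no effect in other location types" rule from the Organization Locations section.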
