In today's IT landscape, security and risk management are pivotal. A fundamental part of this is understanding the concept of functions within EmpowerID. Functions act as a bridge, translating technical entitlements in IT systems into a language that matches the organization's everyday business operations. This overview covers the types of functions in EmpowerID, the process of function mapping, and the critical role functions play in risk management.

Functions in EmpowerID

Functions are defined as “business-defined activities that a person can perform within one or more applications.” They are objects that organizations create to represent what users can do in their IT systems, using the everyday business language of the organization. An example of a function within an organization could be the act of creating a purchase order within a much larger purchasing business process. In SAP, this right is denoted by the TCode ME21N. To represent the right in a more user-friendly way, an organization could create a function named “Create Purchase Order.”


Figure 1: Native System Entitlements VS Functions

Using functions as the building blocks of what users can do in technical systems, organizations build their risk policies around those functions, using their own business language for both the functions and the policies. Once functions are named, business process specialists and technical application specialists map those functions to their representative entitlements in the respective applications. Once the mapping is complete, the risk management engine can be enabled to run on a schedule and report which users have which functions.

You have two types of functions in EmpowerID, global functions and local functions.

Global Functions

Global functions are objects that organizations create to represent the native system rights that delegated users can be granted to perform actions within one or more applications. Depending on the business language of the organization, examples of global functions could include “Create Purchase Orders” or “Create Groups.” Global functions are “system agnostic” because they can represent rights in more than one application. For example, “Create Group” is an action that users can perform in numerous applications, such as ServiceNow, AWS, SAP, Salesforce, and EmpowerID itself; this action can be represented in EmpowerID with a single “Create Group” global function. A practical example of the translation is turning SAP's “TCode ME21N” into the more intuitive “Create Purchase Order,” which is essential for a common understanding across business units. Figure 2 below illustrates how a single global function represents an action that a user could perform in multiple systems.


Figure 2: A global function representing an action that a user could perform across multiple systems


Local Functions


Local functions are children of global functions and represent an action that users can perform in the actual entities, systems, and locations scoped within an organization’s business structure. You add local functions to global functions to logically link the generic actions that users can perform in applications to the specific entities, systems, and locations where they can perform them; local functions are tied to their global function but provide a more granular level of detail. In this model, “Create Groups in Austria” could be a local function belonging to the “Create Groups” global function, and “Create Purchase Order in SAP Prod” could be a local function belonging to the “Create Purchase Orders” global function. As shown in Figure 3 below, you can add as many local functions to a global function as makes sense.


Figure 3: The relationship between local and global functions

Function Mapping and Risk Management

The effective use of Functions in risk management hinges on the process of function mapping, which links Functions to precise rights and roles:

Global Function Mapping

At the global function level, function mapping involves adding function mapping rules to the global function. These rules denote the associated global rights, global roles, and local functions that logically represent what users with the function could do, and they are essential to defining what users holding the function can do. For example, if you create a global function named “Create Azure Groups” that you want to use to see who can create groups in Azure, you should add to the function only those function mapping rules that relate to creating groups in Azure. Figure 4 below shows some of the function mapping rules for the “Create Azure Groups” global function in the EmpowerID web interface.

Figure 4: Function mapping rules at the global function level

In Figure 4, three types of function mapping rules are visible:

  • Global Rights Granting Function (Mapped) – Specifies the global rights, if any, associated with the function. In this example, the global rights would be those that give someone the ability to create groups in Azure.

  • Global Roles Granting Function (Mapped) – Specifies the global roles, if any, associated with the function. In this example, the global roles would be the Azure roles that give someone the ability to create groups in Azure.

  • Local Functions – Specifies the local functions that will derive from the global function. All local functions should have a relationship to the parent global function. In this case, a local function might be “Create Azure Groups in Austria.”

Local Function Mapping

Local functions are created by adding them to global functions as function mapping rules. Returning to the “Create Azure Groups” global function as an example, if you want to know who could potentially create groups in an Azure tenant in Austria, you could add “Create Azure Groups in Austria” to the function as a function mapping rule. Mapping local functions in this way associates them with specific local rights or roles, giving a detailed view of user capabilities within a particular context, as shown in Figure 5.

Figure 5: Local functions represented as function mapping rules

After a local function is linked to a global function via a function mapping rule, you can map the local function to the local rights or roles specific to it. Local function mappings include the following possibilities:

  • Local Rights Granting Function (Mapped) – Specifies the local rights, if any, linked to the function. The local rights that can be mapped to a local function depend on the global rights mapped to the parent global function: a right that is not first mapped in the parent global function cannot be selected for the local function.

  • Local Roles Granting Function (Mapped) – Specifies the local roles, if any, linked to the function. The local roles that can be mapped to a local function depend on the global roles mapped to the parent global function: a role that is not first mapped in the parent global function cannot be selected for the local function.

  • Assignees Granting Local Function (Mapped) – Allows you to designate one or more EmpowerID actor types associated with the function. Actor types can include:

    • Business Role and Location – All people belonging to the Business Role and Location are flagged as having the function.

    • Group – All people belonging to the group are flagged as having the function.

    • Management Role – All people belonging to the Management Role are flagged as having the function.

    • Management Role Definition – All people belonging to the Management Roles derived from the definition are flagged as having the function.

    • Person – The specified person is flagged as having the function.

    • Query-Based Collection – All people belonging to the Query-Based Collection are flagged as having the function.

Risk Management and Functions

Each Function in EmpowerID is assigned a risk level, reflecting the potential impact of the associated activities:

  • Low: Risk score = 0

  • Medium: Risk score = 30

  • High: Risk score = 60

  • Critical: Risk score = 80

  • Very Critical: Risk score = 100

The EmpowerID Risk engine calculates the overall risk associated with each user based on the functions they are assigned to, whether directly or through an assignment to roles or groups with functions. The total risk score for each user is computed based on these risk scores.
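As an added illustration (not EmpowerID's own code), the following Python models the mapping rules and the risk rollup described above: a local function may only select rights or roles already mapped on its parent global function, people are flagged through Assignees rules, and a per-user score is built from the risk levels listed above. The class names, the membership lookup and the summing of scores are assumptions; the page does not state how EmpowerID combines per-function scores, and the sample data is constructed.

```python
"""Added illustration of EmpowerID-style function mapping and risk rollup. Not
EmpowerID code: classes, membership lookup, summing and sample data are assumptions."""
from dataclasses import dataclass, field
RISK_SCORES = {"Low": 0, "Medium": 30, "High": 60, "Critical": 80, "Very Critical": 100}

@dataclass
class GlobalFunction:
    name: str
    risk_level: str
    rights: set = field(default_factory=set)   # Global Rights Granting Function
    roles: set = field(default_factory=set)    # Global Roles Granting Function
    local_functions: list = field(default_factory=list)

@dataclass
class LocalFunction:
    name: str
    rights: set = field(default_factory=set)   # Local Rights Granting Function
    roles: set = field(default_factory=set)    # Local Roles Granting Function
    assignees: list = field(default_factory=list)  # (actor type, actor name)

def add_local_function(parent, local):
    """Map a local function; rights/roles not mapped on the parent first cannot be selected."""
    unmapped = (local.rights - parent.rights) | (local.roles - parent.roles)
    if unmapped:
        raise ValueError(f"not mapped on {parent.name!r}: {sorted(unmapped)}")
    parent.local_functions.append(local)

def flagged_people(local, membership):
    """People flagged with the function via its Assignees rules; membership maps actor -> people."""
    people = set()
    for actor_type, actor_name in local.assignees:
        if actor_type == "Person":
            people.add(actor_name)
        else:
            people |= membership.get((actor_type, actor_name), set())
    return people

def user_risk(person, global_functions, membership):
    """Sum (assumption) the score of each global function held via any of its local functions."""
    return sum(RISK_SCORES[gf.risk_level] for gf in global_functions
               if any(person in flagged_people(lf, membership) for lf in gf.local_functions))

# Constructed sample data modelled on the page's own examples.
CREATE_AZURE_GROUPS = GlobalFunction("Create Azure Groups", "High", rights={"Azure: create group"})
add_local_function(CREATE_AZURE_GROUPS, LocalFunction("Create Azure Groups in Austria",
    rights={"Azure: create group"}, assignees=[("Group", "AT Identity Admins"), ("Person", "bob")]))
CREATE_POS = GlobalFunction("Create Purchase Orders", "Medium", rights={"SAP: TCode ME21N"})
add_local_function(CREATE_POS, LocalFunction("Create Purchase Order in SAP Prod",
    rights={"SAP: TCode ME21N"}, assignees=[("Management Role", "Purchasing Clerk")]))
FUNCTIONS = [CREATE_AZURE_GROUPS, CREATE_POS]
MEMBERSHIP = {("Group", "AT Identity Admins"): {"alice", "carol"},
              ("Management Role", "Purchasing Clerk"): {"alice", "dave"}}
```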

Conclusion

Functions in EmpowerID are crucial in aligning business operations with IT security and risk management. By converting technical system entitlements into business-oriented Functions and assigning appropriate risk levels, EmpowerID enables organizations to effectively monitor and mitigate IT system risks. This structured approach ensures that user activities are in sync with the organization's risk tolerance, enhancing overall risk management strategies and maintaining robust control over IT environments.

Next Steps

Create Global Functions

Map Global Functions
