Query-Based Collections in EmpowerID offer a powerful way to unify connected account stores such as Active Directory, LDAP directories, SQL or Oracle databases, and external systems like HR systems. By providing live access to data from these sources, Query-Based Collections (also known as Set Groups) enable you to create dynamic groupings of people or resources based on SQL-based or code-based queries, known as “Sets.” SQL-Based Sets are created within the EmpowerID user interface and can be used to create collections based on information in the Identity Warehouse. Code-Based Sets, however, require development staff to create them in Workflow Studio and publish them to the Enterprise Workflow Server. These Sets can be used in connected account stores and external systems to return collections of people and resources, such as Shared Folders, Workflows, and EmpowerID Protected Controls.

Query-Based Collections can be used as an RBAC Actor type, similar to groups or Management Roles, to assign various types of access, provisioning policies, attribute assignments, password policies, and more. Essentially, Query-Based Collections serve as a type of RBAC-protected resource, allowing you to delegate creation and management permissions.

Sets

SQL-Based Sets are SQL queries that you can base on any information in the Identity Warehouse. Like code-based Sets, you can use SQL-based Sets to create collections of People or any other type of resource. SQL-based Sets are created within the EmpowerID user interface.

Code-Based Sets have greater reach than their SQL counterparts because you can also use them in connected account stores and external systems to return collections of people and of resources, such as

  • Shared Folders,

  • Workflows, and

  • EmpowerID Protected Controls.

As their name implies, code-based Sets use code for their query mechanism. Thus, to add a code-based Set to EmpowerID, development staff must first create it in Workflow Studio and publish it to the Enterprise Workflow Server.

An example of a code-based Set is one that returns

  • a list of customers from an external database with

  • a unique identifier, such as a Customer ID, that matches the identifier to EmpowerID Person objects with

  • a specific status, such as "gold-level customers,"

  • for the purpose of granting resources based on that status.

Set Groups

Set Groups (Query-Based Collections) are logical bundles of Sets grouped together with a friendly name for enhanced access control and resource management.

Some key benefits of using Query-Based Collections in EmpowerID include:

  1. Dynamic groupings: Query-Based Collections enable you to create dynamic groups of people or resources based on specific criteria, ensuring that your collections stay up-to-date as your organization evolves.

  2. Efficient resource management: By bundling Sets into Query-Based Collections, you can manage resources more efficiently and maintain a clear overview of your resource assignments.

  3. Flexible access control: Query-Based Collections allow you to grant various types of access and permissions to different Actor types, providing flexible and granular control over your resources.

  4. Delegated permissions: You can delegate the creation and management of Query-Based Collections to specific users or groups, empowering them to maintain collections relevant to their job functions.

By leveraging the power of Query-Based Collections in EmpowerID, you can create a unified, dynamic, and efficient access control system that adapts to your organization's needs and simplifies resource management.

What to read next

Create SQL Sets

SQL Sets are SQL queries that return a collection of resource objects from the EmpowerID Identity Warehouse, such as all people who have been hired in the last week. You can add these Sets to Query-Based Collections (SetGroups) and use them to make dynamic RBAC delegation assignments. [Read More]

Create Code-Based Sets

Code-based Sets are queries that can result in collections of people or collections of other resource types protected by EmpowerID. Each code-based Set requires a Set Runtime, which is a custom implementation of the EmpowerID API that allows C# code to be used to return a collection of EmpowerID object types. You create code-based Sets in Workflow Studio. [Read More]

Create Query-Based Collections

Query-Based Collections (SetGroups) are logical groupings of Sets bundled together with a friendly name for resource management, such as "Engineers in Basel" or "High Security SharePoint Documents." Membership within a Query-Based Collection is dynamic. Each compilation of the Set Compiler Job adds and removes objects from each Query-Based Collection based on the query results of the Sets.

For example, if you have an "All Engineers in Basel" Set Group and hire a new engineer in the Basel location named "Dominic," at the next compilation of the Set Compiler Job, Dominic is added to that Set Group. If, however, Dominic later relocates to Sydney, his Person object is removed from the Set Group at the next compilation of the Set Compiler Job after his relocation.

Set Groups are both an EmpowerID Actor type and a resource type, depending on the objects they contain. You can map them to Business Roles and Locations for dynamic assignments of people, or to EmpowerID Locations for dynamic assignments of resources.

Set Groups that contain collections of EmpowerID Person objects, such as the "Engineers in Basel" Set Group, are EmpowerID actors capable of receiving Resource Role assignments like any other EmpowerID actor type.

Set Groups that return resources other than people, such as the SharePoint documents in the "High Security SharePoint Documents" Set Group, cannot be the recipients of resources. As collections of non-actors, this type of Set Group is always the object of Resource Role assignments.

Using these two Set Groups as an example, to allow all engineers in Basel to see all SharePoint documents marked as high security, make a Resource Role assignment against the "High Security SharePoint Documents" Set Group, and grant the Viewer Resource Role for that Set Group to the "Engineers in Basel" Set Group. Then, when an engineer in Basel logs into EmpowerID, she can see each SharePoint document classified as a high security object.
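The Basel example above, modelled as an added sketch (not EmpowerID code, API or schema): the `person` table, the query text and all function names are assumptions. It shows that membership, and the Viewer access derived from it, changes only when a compile pass runs.

```python
import sqlite3

# Hypothetical identity store; constructed sample rows, not EmpowerID's schema.
def make_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT, title TEXT, city TEXT)")
    db.executemany("INSERT INTO person VALUES (?, ?, ?, ?)", [
        (1, "Dominic", "Engineer", "Basel"),
        (2, "Aiko", "Engineer", "Sydney"),
        (3, "Lena", "Accountant", "Basel"),
    ])
    return db

# A collection is a named bundle of Sets; each Set is a query returning ids.
COLLECTIONS = {
    "Engineers in Basel": [
        "SELECT id FROM person WHERE title = 'Engineer' AND city = 'Basel'",
    ],
}
# Resource Role assignment: (actor collection, role, resource collection).
ASSIGNMENTS = [("Engineers in Basel", "Viewer", "High Security SharePoint Documents")]

def compile_collection(db, name, members):
    """One compile pass: run every Set, union the results, diff against stored membership."""
    current = set()
    for query in COLLECTIONS[name]:
        current |= {row[0] for row in db.execute(query)}
    previous = members.get(name, set())
    members[name] = current
    return sorted(current - previous), sorted(previous - current)  # (added, removed)

def has_role(person_id, role, resource_collection, members):
    """Access is decided from the stored membership, not from a live query."""
    return any(person_id in members.get(actor, set())
               for actor, r, res in ASSIGNMENTS
               if r == role and res == resource_collection)

def demo():
    db, members = make_store(), {}
    docs = "High Security SharePoint Documents"
    first = compile_collection(db, "Engineers in Basel", members)   # Dominic added
    db.execute("UPDATE person SET city = 'Sydney' WHERE name = 'Dominic'")
    before = has_role(1, "Viewer", docs, members)                   # not yet recompiled
    second = compile_collection(db, "Engineers in Basel", members)  # Dominic removed
    after = has_role(1, "Viewer", docs, members)
    return first, before, second, after

if __name__ == "__main__":
    print(demo())
```

In this model the interval between the attribute change and the next compile pass is a window in which the old access still applies, so the compile schedule is part of the access-control design.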

[Read More]

Assign Access Levels to Query-Based Collections

Access Levels are bundles of EmpowerID operations and/or native system rights specific to a resource type that, when assigned to users, grant those users the ability to access IT resources in the manner specified by the Access Level. When you assign Access Levels to Query-Based Collections, each member of the Query-Based Collection will receive those Access Levels and be able to perform the tasks associated with them. For example, if you assign the Member Access Level for a generic group to a Query-Based Collection, each person in the collection will be granted group membership. [Read More]

Assign Query-Based Collections to Roles

Assigning Query-Based Collections to EmpowerID Roles gives everyone in the Query-Based Collection (QBC) access to any resources defined for those roles. [Read More]

Evaluate Query-Based Collections

Evaluating a Query-Based Collection executes the query in each of the Sets belonging to the Collection. These evaluations are dynamic, adding and removing objects from the Collection as determined by the Sets. For example, if you have a Query-Based Collection with a Set that returns all people hired within the last week, the people in the Collection vary from week to week. [Read More]