In today's IT landscape, security and risk management are pivotal. A fundamental aspect of this is understanding the concept of Functions within EmpowerID. These Functions act as a bridge, translating technical entitlements in IT systems into a language that resonates with the organization's everyday business operations. This comprehensive overview highlights the types of Functions in EmpowerID, the process of function mapping, and their critical role in risk management.

Functions in EmpowerID

Functions are defined as "business-defined activities that a person can perform within one or more applications." Functions represent user actions in IT systems using the organization's everyday business language. For instance, creating a purchase order in a business process could be defined as a function. In SAP, this right is marked with the TCode ME21N, but in user-friendly terms, it may be represented as "Create Purchase Order."

...

A practical example is the transformation of "TCode ME21N" in SAP to a more intuitive "Create Purchase Order." This translation is essential for achieving a common understanding across various business units. The image below underscores the transition from technical terminology to business-centric Functions, illustrating how Functions in EmpowerID simplify complex system entitlements.

...

Functions are utilized as foundational elements to define users' abilities within technical systems. Organizations create risk policies based on these functions, naming them in line with their business language. Functions are then linked with their respective entitlements in different applications by business process and technical application specialists. This enables the risk management engine to periodically review user privileges and functions.

Types of Functions in EmpowerID

There are two types of functions in EmpowerID: Global Functions and Local Functions.

Global Functions

Global Functions represent system-wide privileges that are applicable across multiple applications. Examples could be "Create Purchase Orders" or "Create Groups", depending on the company's operational terminology. They are "system agnostic," meaning their scope extends over various platforms like ServiceNow, AWS, SAP, Salesforce, and EmpowerID itself. For instance, a "Create Group" action in various applications can be represented by a single "Create Group" Global Function in EmpowerID, which applies uniformly across these applications.

...

Image 2: Global Function representing a user action applicable across multiple systems

...

Local Functions

...

Local Functions are specific instances of Global Functions and denote actions within particular entities, systems, or locations as per an organization's business framework. These functions are tied to Global Functions, associating generic actions with the precise contexts in which they occur, and provide a more granular level of detail. For instance, "Create Groups in Austria" or "Create Purchase Order in SAP Prod" are examples of Local Functions that fall under broader Global Functions. A Global Function can have multiple Local Functions, as necessary.

...

Image 3: The correlation between local and global functions

Function Mapping and Risk Management

Functions, in themselves, are mere placeholders representing potential user actions within the IT infrastructure. The effective use of Functions in risk management hinges on the process of function mapping, which links Functions to precise rights and roles sourced from your connected applications. In EmpowerID, this is termed adding "function mapping rules" to functions, which happens initially at the global function level, followed by the local function level.

Global Function Mapping

At the global function level, function mapping involves adding Function Mapping Rules to Global Functions. These rules denote the associated global rights, global roles and local functions that logically represent what users with the function could do. This mapping is essential to define what users can do with these functions. If you create a "Create Azure Groups" Global Function to monitor who can create groups in Azure, you should add only those function mapping rules related to this specific action. The screenshot below provides an example of function mapping for a "Create Azure Groups" Global Function.

...

Image 4: Function Mapping Rules at the global function level

...

Global Function Level

Three types of function mapping rules are visible:

  • Global Rights Granting Function (Mapped): Indicates the global rights, if any, associated with the function. In this example, the global rights would be those permitting someone to create groups in Azure.

  • Global Roles Granting Function (Mapped): Indicates the global roles, if any, associated with the function. Here, the global roles would be the Azure roles, allowing someone to create groups in Azure.

  • Local Functions: Specifies the local functions that will derive from the global function. All local functions should have a relationship to the parent global function. In this case, a local function might be "Create Azure Groups in Austria."

Local Function Mapping

Local functions are established by incorporating them into global functions as function mapping rules. For instance, using the "Create Azure Groups" global function, if you wish to identify who could potentially form groups in an Azure tenant in Austria, you could incorporate "Create Azure Groups in Austria" as a function mapping rule. Function mapping at this level is about incorporating these functions into the global framework and associating them with specific local rights or roles. This allows for a detailed view of user capabilities within a particular context.

...

Image 5: Representation of Local Functions as Function Mapping Rules

...

  • Local Rights Granting Function (Mapped): This outlines the local rights, if any, linked to the function. Local rights that can be associated with local functions depend on the global rights linked to the parent global function. Any right not initially mapped in the parent global function cannot be chosen for the local function.

  • Local Roles Granting Function (Mapped): This details the local roles, if any, connected to the function. Local roles that can be connected to local functions rely on the global roles linked to the parent global function. A role that is not initially mapped in the parent global function cannot be selected for the local function.

  • Assignees Granting Local Function (Mapped): This enables you to designate one or more EmpowerID actor types associated with the function. Actor types can comprise:

    • Business Role and Location: All people belonging to the Business Role and Location will be flagged as having the function

    • Group: All people belonging to the group will be flagged as having the function

    • Management Role: All people belonging to the Management Role will be flagged as having the function

    • Management Role Definition: All people belonging to the Management Roles derived from the definition will be flagged as having the function

    • Person: The specified person will be flagged as having the function

    • Query-Based Collection: All people belonging to the Query-Based Collection will be flagged as having the function

Risk Management and Functions

Each Function in EmpowerID is assigned a risk level, reflecting the potential impact of the associated activities:

  • Low: Risk score = 0

  • Medium: Risk score = 30

  • High: Risk score = 60

  • Critical: Risk score = 80

  • Very Critical: Risk score = 100

The EmpowerID Risk engine calculates the overall risk associated with each user based on the functions they are assigned to, whether directly or through an assignment to roles or groups with functions. The total risk score for each user is computed based on these risk scores.
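The rule that a local function may only use rights and roles mapped on its parent, the assignee types that flag people, and the risk levels listed above can be modelled together as follows. This is an added sketch, not EmpowerID code or its API; the class names, right and role identifiers, and sample people are hypothetical, and it lists each person's function risk scores without assuming how the engine totals them.

```python
from dataclasses import dataclass, field
# Risk levels and scores as listed on this page.
RISK_SCORES = {"Low": 0, "Medium": 30, "High": 60, "Critical": 80, "Very Critical": 100}

@dataclass
class GlobalFunction:
    name: str
    rights: set = field(default_factory=set)  # mapped global rights
    roles: set = field(default_factory=set)   # mapped global roles

@dataclass
class LocalFunction:
    name: str
    parent: GlobalFunction
    risk_level: str
    rights: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    assignees: set = field(default_factory=set)  # (actor type, actor name) pairs

def mapping_violations(local):
    """Rights or roles on a local function that its parent global function does not map."""
    return sorted((local.rights - local.parent.rights) | (local.roles - local.parent.roles))

def flagged_people(local, memberships):
    """People flagged as having the function; memberships maps an actor to its members."""
    people = set()
    for actor_type, actor_name in local.assignees:
        if actor_type == "Person":
            people.add(actor_name)  # a Person assignee is flagged directly
        else:
            people |= memberships.get((actor_type, actor_name), set())
    return people

def function_risk_by_person(local_functions, memberships):
    """Person -> sorted (function, risk score) pairs; invalid mappings are left out."""
    report = {}
    for lf in local_functions:
        if mapping_violations(lf):
            continue  # sketch assumption: a mapping that breaks the parent rule is rejected
        for person in flagged_people(lf, memberships):
            report.setdefault(person, []).append((lf.name, RISK_SCORES[lf.risk_level]))
    return {person: sorted(pairs) for person, pairs in report.items()}
# Constructed sample data; every right, role, group and person name is hypothetical.
AZURE = GlobalFunction("Create Azure Groups", {"right:create-group"}, {"role:group-admin"})
AUSTRIA = LocalFunction("Create Azure Groups in Austria", AZURE, "High", {"right:create-group"},
                        assignees={("Group", "AT-Admins"), ("Person", "dana")})
UNMAPPED = LocalFunction("Create Azure Groups in Spain", AZURE, "High",
                         rights={"right:delete-user"}, assignees={("Person", "eve")})
MEMBERSHIPS = {("Group", "AT-Admins"): {"alice", "bob"}}
```

Calling `function_risk_by_person([AUSTRIA, UNMAPPED], MEMBERSHIPS)` reports the Austria function for the group members and the directly assigned person, while the second function is excluded because its right is not mapped on the parent.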

Conclusion

Functions in EmpowerID are crucial in aligning business operations with IT security and risk management. By converting technical system entitlements into business-oriented Functions and assigning appropriate risk levels, EmpowerID enables organizations to effectively monitor and mitigate IT system risks. This structured approach ensures that user activities are in sync with the organization's risk tolerance, enhancing overall risk management strategies and maintaining robust control over IT environments.

Next Steps

Create Global Functions

Map Global Functions

Create Local Functions

Map Rights to Local Functions