...

Access Levels are bundles of EmpowerID operations and/or native system rights specific to a resource type (such as Exchange mailboxes or user accounts) that, when assigned to users, give those users the ability to access IT resources in the manner specified by the Access Level. Each resource type has its own set of Access Levels defined with different combinations of EmpowerID operations and rights (where applicable) to ensure that the level of access to the resources remains consistent for the type and the assignment.

Account Store

EmpowerID inventories, manages, and protects resources within what are known as resource systems. Account Stores represent a special type of resource system managed by EmpowerID. What makes account stores different from other types of resource systems is their function as directories containing user account objects that can perform their own authentication, such as Active Directory.

Approval Flow Policies

Approval Flow Policies automate the approval process in EmpowerID. They manage the approval steps required when users submit "Business Requests" for resource items, ensuring access is granted only after approval. Policies can be tailored to an organization's needs, for example by directing requests to the requestor's manager for approval, and they allow approval steps, decisions, and item-level actions to be configured.

Approval Flow Step

An Approval Flow Step is a sequential stage in the Approval Flow policies that requires approval before progressing. It defines the number of approvals needed for fulfillment and can be configured for "step-level" fulfillment. Each step can have its own approval flow, and can be set for Item Level approval.

Approver Resolver Rules

Approver Resolver Rules specify to whom an Approval Flow Step needs to route for approval in the event a default approver does not exist. These rules can be routed to various actors in EmpowerID, including the Initiator Manager, Target Person Manager, Resource Owner, RBAC Approver, Static Approver, and Fallback Approver.
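The two entries above describe a mechanism rather than a single definition: a step that needs a given number of approvals, and an ordered set of resolver rules tried when the default approver is missing. The following Python is an added example, not EmpowerID's own code, and models that routing with a constructed directory; the data shapes, the rule names used as strings, the sample identities, and the choice to skip an approver who is also the initiator are assumptions for illustration only.

```python
"""Added example (not EmpowerID code): resolve approvers for an Approval Flow Step.

Models an Approval Flow Step (a stage that needs N approvals) and Approver
Resolver Rules (an ordered list of actor types tried in sequence). Everything
below, including the directory data, is a constructed assumption.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample identity data: who manages whom, who owns which resource,
# and who holds the RBAC approver role for a resource type.
MANAGER_OF = {"alice": "carol", "bob": None, "carol": "dave"}
RESOURCE_OWNER = {"finance-app-admins": "erin"}
RBAC_APPROVER = {"group": "frank"}
STATIC_APPROVER = "grace"
FALLBACK_APPROVER = "iam-admins"


@dataclass
class BusinessRequest:
    initiator: str
    target_person: str
    resource: str
    resource_type: str


@dataclass
class ApprovalFlowStep:
    name: str
    approvals_required: int
    resolver_rules: List[str]  # ordered actor types, tried in sequence


def resolve_actor(rule, req):
    """Return the approver a single resolver rule yields, or None if it does not resolve."""
    if rule == "Initiator Manager":
        return MANAGER_OF.get(req.initiator)
    if rule == "Target Person Manager":
        return MANAGER_OF.get(req.target_person)
    if rule == "Resource Owner":
        return RESOURCE_OWNER.get(req.resource)
    if rule == "RBAC Approver":
        return RBAC_APPROVER.get(req.resource_type)
    if rule == "Static Approver":
        return STATIC_APPROVER
    if rule == "Fallback Approver":
        return FALLBACK_APPROVER
    raise ValueError(f"unknown resolver rule: {rule}")


def route_step(step, req):
    """Pick the first rule that resolves to someone other than the initiator.

    Excluding self-approval is an assumption about sound policy (a step should
    not be satisfiable by the person who raised the request), not a documented
    EmpowerID rule. Returns (rule_used, approver).
    """
    for rule in step.resolver_rules:
        approver = resolve_actor(rule, req)
        if approver and approver != req.initiator:
            return rule, approver
    raise LookupError(f"no approver resolved for step {step.name!r}")


def step_outcome(step, decisions):
    """Evaluate a step from the decisions collected so far.

    `decisions` maps approver -> "approve" | "reject". Any rejection ends the
    step; otherwise it is fulfilled once approvals_required is reached.
    """
    if "reject" in decisions.values():
        return "rejected"
    approvals = sum(1 for d in decisions.values() if d == "approve")
    return "fulfilled" if approvals >= step.approvals_required else "pending"


if __name__ == "__main__":
    step = ApprovalFlowStep("Manager approval", 1, ["Initiator Manager", "Resource Owner", "Fallback Approver"])
    req = BusinessRequest("bob", "bob", "finance-app-admins", "group")
    print(route_step(step, req))  # bob has no manager, so the Resource Owner rule applies
```

Walking a request through `route_step` with a few different initiators shows the fallback chain in action: a requester without a manager is routed to the resource owner, and a manager raising a request for their own report is not allowed to approve it themselves.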

Authorization Object

A group that represents a specific access assignment in an application or directory system. The group can either be a security group in Active Directory or a generic group in EmpowerID that represents a group or role in a target application.

Authorization Package/Business Function

Management Roles are used to represent Authorization Packages (AKA Business Functions) in EmpowerID. An Authorization Package is a business-designed bundle of access required to complete a Business Function or to participate in a team or working group. Authorization packages bundle access across multiple systems and present it as a single, non-technical, assignable unit of access. The Management Role allows this flexibility and enables the business owners to create friendly, non-technical descriptions and manage the governance cycle of these packages.

...

Birthright access is a term used to define a Person's initial access to IT systems based on their role in the organization. It is the access they automatically receive by policy without generating any requests for access. EmpowerID divides this access into two types: Provisioning Policies, which define the new objects that should be automatically created for a Person, and access assignments, which are the policies that add the Person's user accounts to groups, application roles, or permissions.

Business Role

A Business Role is a user-defined hierarchical container for grouping EmpowerID Person objects that can be used to delegate access to resources based on a particular job function.

Business Requests

Business Requests are requests submitted by users for access to resources in the IAM Shop. These requests are directed to managers or delegated individuals, who can approve, reject, or delegate them. EmpowerID presents the details of each request to the approver and supports a streamlined, efficient approval process.

Business Request Flow Event Inbox

The BusinessRequestFlowEventInbox is a table used to record events triggered by the Mover Detection Engine. It stores entries related to the Mover event, including details such as TimeGenerated, Table_Name, PersonID, Department, Previous_Department, and more. The table is used to track and manage Mover events and subsequently trigger workflows and notifications as required.

Business Request Expiration

Business Request Expiration refers to the time limit within which a Business Request must be fulfilled before it expires. It is crucial for managing user access within an organization, ensuring timely decisions on access requests. The expiration period is typically defined based on the organization's policies and compliance requirements. Once a Business Request expires, it may need to be reinitiated or reviewed to maintain effective access management.

Business Request JSON Inbox Processor

The Business Request JSON Inbox Processor is a job in EmpowerID responsible for identifying expired business requests and updating their status to "Expired." This ensures that these requests no longer appear for approval, preventing further actions on invalid requests. The processor checks for specific conditions, including the request's status and expiration dates, to determine if a request is expired.
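The Business Request Expiration and JSON Inbox Processor entries together describe a small procedure: find requests whose expiration date has passed, check their status, and mark them "Expired" so they drop out of approvers' queues. The Python below is an added example of that procedure, not EmpowerID's job code; the record layout, the status names, the rule that only still-open requests expire, and the sample records are constructed assumptions.

```python
"""Added example (not EmpowerID code): mark overdue Business Requests as Expired.

Models the expiration check described for the Business Request JSON Inbox
Processor. Record layout, status names and the "only open requests expire"
rule are assumptions for illustration.
"""
import copy
from datetime import datetime, timedelta, timezone

# Statuses that are still awaiting a decision and therefore eligible to expire (assumption).
OPEN_STATUSES = {"Pending", "AwaitingApproval"}


def is_expired(request, now):
    """True when the request is still open and its expiration date has passed.

    Naive timestamps are rejected outright: comparing a naive ExpirationDate to
    an aware `now` raises at runtime, and silently treating it as local time
    could expire requests hours early or late.
    """
    expires_at = request.get("ExpirationDate")
    if expires_at is None:
        return False  # no deadline configured for this request
    if expires_at.tzinfo is None:
        raise ValueError(f"request {request['BusinessRequestID']}: ExpirationDate must be timezone-aware")
    return request["Status"] in OPEN_STATUSES and expires_at <= now


def process_expirations(requests, now=None):
    """Update expired requests in place and return the IDs that changed.

    Requests that already have a decision (Approved, Rejected, Fulfilled) are
    left untouched even if their expiration date has passed: expiring them
    would overwrite a decision that was already made and recorded.
    """
    now = now or datetime.now(timezone.utc)
    expired_ids = []
    for req in requests:
        if is_expired(req, now):
            req["Status"] = "Expired"
            req["ExpiredAt"] = now
            expired_ids.append(req["BusinessRequestID"])
    return expired_ids


# Constructed sample data in the shape the processor expects.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
_SAMPLE = [
    {"BusinessRequestID": 1, "Status": "Pending", "ExpirationDate": NOW - timedelta(days=1)},
    {"BusinessRequestID": 2, "Status": "Pending", "ExpirationDate": NOW + timedelta(days=1)},
    {"BusinessRequestID": 3, "Status": "Approved", "ExpirationDate": NOW - timedelta(days=5)},
    {"BusinessRequestID": 4, "Status": "AwaitingApproval", "ExpirationDate": None},
    {"BusinessRequestID": 5, "Status": "AwaitingApproval", "ExpirationDate": NOW},
]


def sample_requests():
    """Fresh copy of the constructed sample so repeated runs start from the same state."""
    return copy.deepcopy(_SAMPLE)


if __name__ == "__main__":
    print(process_expirations(sample_requests(), NOW))  # [1, 5]
```

Running the processor a second time over the same records changes nothing, because an "Expired" request is no longer in an open status; that idempotence matters for a job that runs on a schedule.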

Company

People belong to companies via their Business Role and Location assignments.

Compliant Access Delivery

Compliant access delivery refers to providing secure and controlled access to information or resources in accordance with relevant laws, regulations, and policies. This type of access ensures that sensitive information is protected and that access to it is granted only to authorized individuals with a legitimate need for it. The goal of compliant access delivery is to balance the need for information access with the need to protect against security risks, such as unauthorized access, theft, or misuse of information.

...

Query-Based Collections

Query-based Collections, also known as Set Groups, are logical bundles of Sets (queries made against the EmpowerID Identity Warehouse that result in collections of people or resources) grouped together with a friendly name for resource management. Set Groups offer advantages over groups and roles in that they can contain any type of resource, are continuously evaluated to ensure they contain the appropriate resources, and can be used both as actors and as recipients of EmpowerID policies for provisioning, deprovisioning, attribute assignment, password policies, etc.

IAM Shop

The IAM Shop is a centralized and user-friendly application designed to manage users' access to roles, groups, applications, licenses, and other resources within an organization. It provides an intuitive shopping cart system for users to request and activate resources, with features such as risk management controls and access to workflows. Users must be assigned relevant Management Roles to access the IAM Shop and shop for eligible resources.

Jobs

EmpowerID functionality is broken down into many granular "jobs," which are hosted and run in Windows services that communicate back to the EmpowerID Identity Warehouse over REST Web services. Jobs are either specific tasks that run on a scheduled basis (such as Inventory), or they are REST Web Services used in workflow processes.

...

An EmpowerID Location is a container for holding resources.

Notification Policies

Notification Policies refer to the configuration of the quantity and variety of notifications sent by EmpowerID to Business Request participants. These policies can be managed at the organizational level, allowing the enablement or disablement of specific notifications. Additionally, users can be granted the ability to configure their own preferences for a more personalized experience.

Operations

Each EmpowerID Operation is a protected code object that, when executed within an EmpowerID workflow, allows a resource within EmpowerID or a custom application to be accessed in a way that is consistent with the operation and the type of resource being accessed. Some examples include adding users to groups, creating mailboxes, updating user attributes, and viewing certain objects such as EmpowerID pages and reports.

...

An OrgZone is an Organizational Location / Business Context that is always assigned in conjunction with a Business Role. For resources that are not Person objects, Locations are used to organize them into hierarchies for managing inherited access policies.

...

A person's core identity can be linked to multiple sub-person objects, which are professional identities (i.e., identities that have the business information attached).

...

Resources are the lowest-level secured base objects in EmpowerID on which management tasks can be performed. All objects of any type securely managed by EmpowerID have a resource entry in the EmpowerID Identity Warehouse.

...

Resource systems define the specific system within which a resource resides. They can include Active Directory domains, LDAP directories, HR systems, Microsoft Exchange Organizations, SharePoint Farms, custom applications, and even the EmpowerID system.

Risk Management

...

Business-specific activity, usually in the form of Verb Noun, e.g., Create Purchase Order. Defines the business activity, risk level, and mitigating controls.

Local Function

The local version of a function used in risk policies. Localized means that it can specify the "where" for the function, e.g., Create Purchase Orders in the Widgets sub-company.

Global Risk

...

Risk owners are business users responsible for risks and have the ability to approve, mitigate, or remediate violations.

Rules

...

Mitigating Controls

Checks and balances assigned to global risks that can be linked to violations if the risk owner decides that the violation should be allowed (mitigated). For example, "Bob" checks the record of purchase orders monthly to mitigate the risk that he might engage in unethical behavior.
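The Risk Management entries (Function, Local Function, Risk Owner and Mitigating Controls) describe how a violation is detected and then either mitigated or left for the risk owner. The Python below is an added example, not EmpowerID's risk engine, that ties those terms together: it scopes functions by their "where", reports people who hold conflicting functions in overlapping scope, and marks a violation as mitigated only when the linked control is actually assigned to that risk. Representing a risk as a pair of conflicting functions is the usual segregation-of-duties pattern and is an assumption here, as are all class names and sample data; the page does not describe how Global Risks are stored.

```python
"""Added example (not EmpowerID code): detect risk violations and apply mitigating controls.

Assumptions: a risk is a pair of conflicting functions; a Local Function's
"where" of "*" means every location; a mitigation is only valid if the named
control is assigned to the violated risk.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class LocalFunction:
    function: str   # Verb Noun, e.g. "Create Purchase Order"
    where: str      # scope, e.g. "Widgets"; "*" means every location


@dataclass(frozen=True)
class Risk:
    name: str
    level: str                    # e.g. "High"
    conflicting: Tuple[str, str]  # two functions that must not be held together
    owner: str                    # the Risk Owner


@dataclass(frozen=True)
class Violation:
    person: str
    risk: str
    where: str
    mitigated_by: Optional[str] = None


def scopes_overlap(a, b):
    """Two scopes overlap when either is global or both name the same location."""
    return a == "*" or b == "*" or a == b


def find_violations(assignments: Dict[str, Set[LocalFunction]], risks: List[Risk],
                    mitigations: Dict[Tuple[str, str], str], controls: Dict[str, str]):
    """Return one Violation per (person, risk, location) with conflicting functions held together.

    `mitigations` maps (person, risk name) -> control name chosen by the Risk Owner.
    `controls` maps control name -> the risk it is assigned to; a control linked to
    the wrong risk is rejected rather than silently accepted as mitigation.
    """
    violations = []
    for person, funcs in sorted(assignments.items()):
        for risk in risks:
            first, second = risk.conflicting
            for f1 in (f for f in funcs if f.function == first):
                for f2 in (f for f in funcs if f.function == second):
                    if not scopes_overlap(f1.where, f2.where):
                        continue
                    where = f1.where if f1.where != "*" else f2.where
                    control = mitigations.get((person, risk.name))
                    if control is not None and controls.get(control) != risk.name:
                        raise ValueError(f"control {control!r} is not assigned to risk {risk.name!r}")
                    violations.append(Violation(person, risk.name, where, control))
    return violations


def unmitigated(violations):
    """Violations still awaiting a Risk Owner decision (approve, mitigate or remediate)."""
    return [v for v in violations if v.mitigated_by is None]


# Constructed sample data.
RISKS = [Risk("PO create/approve", "High",
              ("Create Purchase Order", "Approve Purchase Order"), owner="finance-risk-owner")]
CONTROLS = {"Monthly purchase order review": "PO create/approve"}
ASSIGNMENTS = {
    "bob":   {LocalFunction("Create Purchase Order", "Widgets"), LocalFunction("Approve Purchase Order", "Widgets")},
    "alice": {LocalFunction("Create Purchase Order", "Widgets"), LocalFunction("Approve Purchase Order", "Gadgets")},
    "carol": {LocalFunction("Create Purchase Order", "*"), LocalFunction("Approve Purchase Order", "Gadgets")},
}
MITIGATIONS = {("bob", "PO create/approve"): "Monthly purchase order review"}

if __name__ == "__main__":
    for v in find_violations(ASSIGNMENTS, RISKS, MITIGATIONS, CONTROLS):
        print(v)
```

In the sample, Alice holds the two functions in different sub-companies and so has no violation, Bob's violation is mitigated by the monthly review the risk owner linked to it, and Carol's global create right overlaps her Gadgets approve right, leaving an unmitigated violation for the risk owner to act on.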

...