Before implementing Identity Administration, administrators should understand how EmpowerID's Identity Administration feature allows authorized individuals to manage a variety of objects, including user accounts, shared folders, SharePoint sites, and computers, through a controlled web interface and workflows. EmpowerID's real-time hybrid security model simplifies resource management and enforces security policies across multiple systems. This overview introduces the core concepts and components of Identity Administration.
EmpowerID provides a centralized framework for managing identity-related objects, such as user accounts, person objects, groups, shared folders, and computers. Administrators and authorized users can interact with these resources through a secure web interface and workflows, eliminating the need to delegate native permissions in external systems. This approach ensures consistency, improves administrative efficiency, and enables comprehensive auditing of all activities.
At the heart of EmpowerID's framework is a hybrid security model that integrates Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC). This model governs which objects an individual user can view and which management tasks they can perform. It eliminates the need to delegate native permissions in the systems where the objects are managed, streamlining Identity Administration behind a single interface and security model. To implement an effective Identity Administration strategy, it is essential to identify the various "Personas" in your environment and categorize them by the objects they can access and the actions they can perform.
EmpowerID enables users to securely manage objects in both external systems and within EmpowerID itself, such as Azure AD User Accounts, SAP Roles, File Shares, SharePoint sites, and more. The combined RBAC, ABAC, and PBAC security controls dictate which users can manage specific objects and the actions they can perform. Additionally, the system handles logging, automatic approval routing, and workflow task generation for unauthorized actions.
The 3-tiered RBAC model in EmpowerID has an Access Levels tier at the bottom, defining the actions and native system permissions a user can perform on accessible resources. Access Levels are assigned to RBAC Actors in the higher tiers; that assignment determines who has access and the specific actions they are allowed to perform, combining static roles with dynamic, policy-driven permissions.
Security Model Overview
EmpowerID’s hybrid security model combines complementary approaches to enforce precise, context-aware access control:
Role-Based Access Control (RBAC)
RBAC assigns permissions based on predefined roles, offering a predictable and structured system for managing access. This approach ensures that users gain access appropriate to their organizational responsibilities.
Attribute-Based Access Control (ABAC)
ABAC enhances RBAC by applying access rules based on user attributes, such as department, location, or employment status. These attributes make access control policies more adaptable to real-world scenarios.
Policy-Based Access Control (PBAC)
PBAC introduces further flexibility by enforcing policies that align with organizational rules and specific conditions. This approach enables EmpowerID to handle complex scenarios like time-based access or multi-step approval requirements.
Together, these mechanisms provide comprehensive coverage, ensuring that access decisions are consistent and responsive to contextual changes.
Unified Management Across Systems
EmpowerID allows organizations to manage resources within their environment and in external systems, such as:
Azure AD user accounts
SAP roles
File shares
Shared folders
Groups and Person objects
By centralizing these management tasks, EmpowerID eliminates the need to delegate native permissions directly within external systems. Instead, its unified security model governs access and actions, automating workflows for approval routing and task generation as needed. Comprehensive logging ensures all actions are traceable, supporting compliance and auditing efforts.
Understanding the RBAC Framework
EmpowerID’s RBAC framework is structured into three tiers, offering scalability and precision:
Access Levels
Access Levels define specific actions users can perform, such as creating, modifying, or deleting objects. These actions map directly to native permissions in managed systems, serving as the foundation for permission assignments.
RBAC Actors
RBAC Actors include Business Roles and Locations, Management Roles, App Role / query-based collections, and others. These entities group users and apply Access Levels to define their permissions logically and consistently.
Operations, which are code snippets executed to perform tasks in EmpowerID workflows or via its API, are protected and can also serve as placeholders for applications to query access. Rights represent actual permissions used in external systems that can be granted in EmpowerID through Access Level assignments, such as NTFS permissions for shared folders and mailbox ACLs in Microsoft Exchange. EmpowerID periodically pushes these permissions to the external system for any user granted access.
Rights
Rights represent enforceable permissions within external systems, such as NTFS permissions for file shares or ACLs for mailboxes. EmpowerID translates Access Level assignments into Rights, ensuring they are periodically synchronized with external systems to maintain alignment.
Extending Functionality with Operations
Operations in EmpowerID are discrete, protected tasks executed within workflows or via APIs to manage resources securely. These operations also allow applications to query permissions dynamically, ensuring access decisions reflect current policies and conditions.
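To make the hybrid model and the three RBAC tiers concrete, here is an added illustrative decision function (constructed for this overview; it is not EmpowerID code or its API, and every name, role, attribute and policy in it is hypothetical). It combines an ABAC attribute rule, Access Levels assigned to RBAC Actors, and PBAC time and approval policies, and it returns RequiresApproval rather than a flat denial for an unauthorized action, mirroring the approval routing and workflow task generation described above.

```python
from dataclasses import dataclass

# Illustrative model constructed for this overview; the names are hypothetical, not EmpowerID's API.

@dataclass(frozen=True)
class Person:
    name: str
    attributes: dict       # ABAC inputs, e.g. department, location, employmentStatus
    actors: frozenset      # RBAC Actors the person belongs to (Business Role@Location, etc.)

# Tier 1, Access Levels: named bundles of protected Operations.
ACCESS_LEVELS = {
    "Modify": frozenset({"ResetPassword", "EditAttributes"}),
    "Manage": frozenset({"ResetPassword", "EditAttributes", "Delete"}),
}
# Tier 2, RBAC Actor assignments: (actor, resource type) -> Access Level name.
ASSIGNMENTS = {
    ("HelpDesk@Berlin", "UserAccount"): "Modify",
    ("ITAdmin@Berlin", "UserAccount"): "Manage",
}

def abac_allows(person: Person) -> bool:
    """ABAC rule: only people whose employment status is Active may administer anything."""
    return person.attributes.get("employmentStatus") == "Active"

def rbac_operations(person: Person, resource_type: str) -> frozenset:
    """RBAC: union of the Operations granted through every Actor the person holds."""
    ops = set()
    for actor in person.actors:
        level = ASSIGNMENTS.get((actor, resource_type))
        if level:
            ops |= ACCESS_LEVELS[level]
    return frozenset(ops)

def pbac_check(operation: str, hour: int) -> str:
    """PBAC rules: Delete only between 08:00 and 17:59, and always through an approval step."""
    if operation != "Delete":
        return "Allow"
    if not 8 <= hour < 18:
        return "Deny"
    return "RequiresApproval"

def decide(person: Person, operation: str, resource_type: str, hour: int) -> str:
    """Allow, Deny, or RequiresApproval (the last becomes a workflow task for an approver)."""
    if not abac_allows(person):
        return "Deny"
    if operation not in rbac_operations(person, resource_type):
        return "RequiresApproval"  # unauthorized action is routed for approval, not silently dropped
    return pbac_check(operation, hour)
```

Evaluation order matters: the ABAC status check runs first so a terminated identity is denied even if its role memberships have not yet been cleaned up.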
Next Steps
To manage user accounts, person objects, groups, and related resources effectively, consider exploring the following areas:
User Administration
Group Administration
Computer Administration
Mailbox Administration
Shared Folder Administration