
In a multi-partner enterprise, EmpowerID provides a delegation model for letting each partner manage a limited slice of your IT resources. The model has three parts: a distinct "Organization" location for each partner, the predefined Partner Management Roles, and the Business Role and Location assignments that place people in those locations. Together they let each partner administer its own domain independently, without seeing or acting on other partners' resources or on your organization's internal infrastructure.

Key Features of Partner Access

Organization Locations

EmpowerID allows you to create "Organization" locations representing partner organizations within the system. These locations act as isolated containers, enabling partners to access and manage resources within their assigned boundaries.

  • Access Scope: Organization locations restrict each partner’s access to their specific domain. This isolation prevents partners from seeing or interacting with resources from other partners or your organization's internal areas.

  • Hierarchical Boundaries: EmpowerID uses a hierarchical model to define access. Users at higher levels in the Organization tree can manage resources in subordinate locations, while those at lower levels are limited to their assigned location and its sub-locations.

Management Roles

EmpowerID includes predefined Management Roles specifically designed for partner access:

  1. Partner Admin Management Role: Grants administrative permissions for managing people and resources within the partner's assigned Organization location.

  2. Partner User Management Role: Allows limited operations, such as searching for people, requesting resources, and initiating workflows.

Both roles are designed with specific Access Levels to suit the partner's needs, ensuring they can manage their domain effectively without access to the internal resources of the hosting organization.

Info

For information on the specific access associated with each of these roles, please see 23R3 - Partner Access Details

Access Levels in Organization Locations

Organization locations differ from other EmpowerID locations in that certain Access Levels, such as "People In My Organizations," are effective only within the assigned Organization locations. The RBAC compiler determines each person's relative access from that person's position in the Organization tree.

When a person is assigned to an Organization location via a Business Role and Location assignment, the RBAC compiler limits that person, as an actor, to the resources in their own Organization location and in any Organization locations below it in the tree. They cannot act on resources above their location (see the image and discussion below). This limitation does not apply to people as resources: as resources, people belong to their own Organization location and to all the Organization locations above it in the tree, including the parent. This is what allows people in top-level Organization locations to act on those below them.

Business Roles and Locations

EmpowerID's RBAC model combines Business Roles and Location assignments to define precise access boundaries. In the context of partner access:

  • Business Roles define what a user can do.

  • Locations define where a user can act.

For partner management:

  • Partner Admin in Partners: Assigned to individuals with administrative responsibilities.

  • Partner in Partners: Assigned to individuals with standard user responsibilities.

These predefined combinations simplify role assignments and ensure consistency across partner organizations.

How Access Control Works

RBAC Compiler

EmpowerID enforces access control through its Role-Based Access Control (RBAC) compiler. The compiler evaluates Business Role and Location assignments to determine what resources a user can access and manage.

  • Top-Level Administrators: Users at a top-level Organization location can manage all resources in their location and subordinate locations.

  • Sub-Organization Administrators: Users assigned to sub-organization locations are restricted to managing resources within their location and its sub-locations. They cannot access resources above their level or in peer locations.

This model ensures that administrative responsibilities are distributed appropriately while maintaining strict boundaries.

Resource Management Example

Consider a partner organization with the following structure:

  • A top-level administrator (assigned to the root Organization location) can manage all users and resources within the partner organization.

  • A department-level administrator (assigned to a sub-organization location) can only manage users and resources within their department and any subordinate departments.

Visually, this can be represented as follows:

In this image:

  • The triangle represents the partner organization in its entirety, with a top-level parent Organization location at the root and sub-organization locations below it.

  • The figure outlined in green is a person in the root location holding the "User Admin" Business Role. Because this person belongs to the root, the RBAC compilation of "People in My Organizations" includes the people in the root and all the people in the locations below it, so this person can manage every user in the partner organization (green arrows).

  • The figure outlined in blue is a person with the same "User Admin" Business Role in a sub-organization location. Because this person belongs to a location below the parent, the compilation of "People in My Organizations" includes only the people in that sub-organization location and below. This person can manage all users in those locations but none in the locations above their organization (blue arrow).

  • Because the blue User Admin is also a resource, that person can in turn be managed by the User Admin at the parent location. Parent-level users therefore have broader access, while child-level users remain restricted to their own branch of the hierarchy.

This structure lets partner organizations have sub-organization locations with their own self-contained management capabilities, which those in the top-level Organization location can alter as needed.

Access levels such as "People in My Organizations" are determined dynamically by the RBAC compiler based on the assigned Organization tree. For example:

  • Users in parent Organization locations can manage all users in subordinate locations.

  • Sub-organization users are restricted to managing resources within their branch of the hierarchy.
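The scoping rule described in the "Business Roles and Locations" and "How Access Control Works" sections can be modelled in a few dozen lines. The following is an illustrative model written for this article; it is not EmpowerID code and does not show how the RBAC compiler is implemented. The Organization tree, the people, and the role names ("User Admin", "Partner Admin", "Partner") are constructed sample data. The model computes the "People in My Organizations" scope two ways, from the actor side (the actor's location and everything below it) and from the resource side (a person, as a resource, belongs to their own location and every location above it), and checks that both give the same answer.

```python
"""Toy model of Organization-tree scoping for partner delegations.

Illustrative example for this article, not EmpowerID code or its RBAC compiler.
All locations, people, and role names below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed Organization tree: child -> parent (None marks the root).
# "Partner Organization" plays the role of the default location under which
# partner Organization locations are created; "Acme" and "Globex" are peers.
ORG_PARENT = {
    "Partner Organization": None,
    "Acme": "Partner Organization",
    "Acme/Engineering": "Acme",
    "Acme/Engineering/QA": "Acme/Engineering",
    "Acme/Sales": "Acme",
    "Globex": "Partner Organization",
}

# Business Roles that carry the "manage people" capability in this model
# (assumption for the example; real Access Levels come from the Management Roles).
ADMIN_ROLES = {"Partner Admin", "User Admin"}


@dataclass(frozen=True)
class Person:
    name: str
    business_role: str  # "what" the person can do
    location: str       # "where" they can act: their Organization location


# Constructed sample people, each with a Business Role and Location assignment.
PEOPLE = [
    Person("alice", "User Admin", "Acme"),
    Person("bob", "User Admin", "Acme/Engineering"),
    Person("carol", "Partner", "Acme/Engineering/QA"),
    Person("dave", "Partner", "Acme/Sales"),
    Person("erin", "Partner Admin", "Globex"),
]


def ancestors_or_self(location: str) -> list[str]:
    """The location itself, then its parent, and so on up to the root."""
    chain = []
    while location is not None:
        chain.append(location)
        location = ORG_PARENT[location]
    return chain


def descendants_or_self(location: str) -> set[str]:
    """Every location whose ancestor chain passes through `location`."""
    return {loc for loc in ORG_PARENT if location in ancestors_or_self(loc)}


def people_in_my_organizations(actor: Person) -> set[str]:
    """Actor-side compilation of "People in My Organizations":
    people located in the actor's own location or any location below it."""
    scope = descendants_or_self(actor.location)
    return {p.name for p in PEOPLE if p.location in scope}


def resource_locations(target: Person) -> set[str]:
    """Resource-side view: as a resource, a person belongs to their own
    Organization location and every location above it, including the parent."""
    return set(ancestors_or_self(target.location))


def can_manage(actor: Person, target: Person) -> bool:
    """An admin may act on a person only inside the actor's compiled scope."""
    if actor.business_role not in ADMIN_ROLES:
        return False
    return target.name in people_in_my_organizations(actor)


def can_manage_by_resource_membership(actor: Person, target: Person) -> bool:
    """Same decision computed from the resource side; must agree with can_manage."""
    if actor.business_role not in ADMIN_ROLES:
        return False
    return actor.location in resource_locations(target)


def manageable_by(actor_name: str) -> set[str]:
    """Names of the people `actor_name` is allowed to manage."""
    actor = next(p for p in PEOPLE if p.name == actor_name)
    return {t.name for t in PEOPLE if can_manage(actor, t)}


if __name__ == "__main__":
    for p in PEOPLE:
        print(f"{p.name:6} ({p.business_role} in {p.location}) manages: "
              f"{sorted(manageable_by(p.name))}")
```

Running the block shows the behaviour the figure above describes: alice, the admin at the partner's root, can manage everyone under Acme including bob; bob, the admin in Acme/Engineering, can manage only the people in his branch and cannot touch alice or dave; erin, the admin of the peer partner Globex, sees nobody in Acme at all. The two decision functions agree for every actor/target pair because "target is at or below the actor" and "actor is at or above the target" are the same relation viewed from opposite ends.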

Info

EmpowerID includes a default Organization location, the Partner Organization location, under which all partner Organization locations should be created. We demonstrate this in the Managing Partner Delegations topic.

Partner Business Roles

As noted above, managing partner access involves a second component, the Business Role. In the EmpowerID RBAC model, Business Roles and Locations intersect to provide the scope of an access assignment: every person must have a Business Role, and every resource must belong to a Location. In partner delegations, the RBAC compiler uses the partner Business Role and Location assignments to determine the relative access that the people in those Business Roles and Locations have to resources.

By default, EmpowerID includes two partner Business Role and Location combinations, Partner Admin in Partners and Partner in Partners. These are assigned to the Partner Admin and Partner User Management Roles, respectively, so any person placed in one of these Business Role and Location combinations receives the Access Levels granted to the corresponding Management Role. For a walkthrough, see Managing Partner Delegations.
