Establishing Business Roles and Organizational Locations is usually the starting point for many EmpowerID projects. The best sources for this data are usually an organization’s HR or Human Capital Management (HCM) system and Active Directory. HR systems such as Workday, SuccessFactors, or SAP HCM maintain a rough organization structure and the positions occupied by all employees. Even when only available as user attribute data, these systems provide an invaluable source for the initial Business Roles and Organizational Locations to get the analysis rolling. EmpowerID can also include additional sources such as the “Sensitive Attributes” file maintained by the customer. EmpowerID’s out-of-the-box connector model supports inventorying this data into what is known as “External Roles” and “External Locations.” At any point in time, EmpowerID knows the organization's external roles and locations and which users are assigned to each. Active Directory is often a rich source for the Organizational Locations as some portions of the AD OU tree represent a hierarchical view of the company.

Once this external data resides within the EmpowerID system, it can be used to generate an initial Business Role and Organizational Location tree. A one-to-one match between external and internal roles and locations is not required or desired. EmpowerID’s role and location mapping technology, “RBAC Mapping,” allows the internal trees to be designed independently of the actual external structures, which may be more rigid and not optimally designed for managing access.

...

Another powerful policy engine included in EmpowerID is known as Dynamic Hierarchies. EmpowerID’s Dynamic Hierarchies engine is like an autopilot for creating attribute-driven roles. The idea behind Dynamic Hierarchies is simple: organizations require self-maintaining roles based on attribute combinations such as location, company, division, department, and title. Any attribute within the EmpowerID Identity and Entitlement Warehouse can be used in a policy. A customer’s “sensitive attributes” file could be brought in for management within EmpowerID and be a source for Dynamic Hierarchy Policies. These policies define the attribute rules used to generate the internal or external roles and locations from the distinct combinations of attributes found in an organization’s data, and to maintain the matching members. The lifecycle of these dynamic roles is handled automatically: new roles are created as new combinations of attributes appear, and older roles are retired when they no longer have members. Dynamic Hierarchies save organizations time and money and improve the ability of users to collaborate effectively.
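
The role lifecycle described above, sketched as an added example; it is not EmpowerID code or its API. The `reconcile` helper, the role-naming scheme, the choice to skip users with incomplete attributes, and the sample users are assumptions made for illustration.

```python
from collections import defaultdict

def role_name(policy, combo):
    # Deterministic name, so the same combination always maps to the same role.
    return "|".join(f"{attr}={val}" for attr, val in zip(policy, combo))

def reconcile(policy, users, roles):
    """One policy run (hypothetical helper, not an EmpowerID API).
    policy: attribute names that define a role
    users:  {user_id: {attribute: value}}
    roles:  {name: {"members": set, "active": bool}} from the previous run
    """
    wanted, skipped = defaultdict(set), []
    for uid, attrs in users.items():
        combo = tuple(attrs.get(a) for a in policy)
        if any(v in (None, "") for v in combo):
            skipped.append(uid)  # incomplete record: grant no role, not a guessed one
            continue
        wanted[role_name(policy, combo)].add(uid)

    changes = {"created": [], "reactivated": [], "retired": []}
    new_roles = {}
    for name, members in wanted.items():
        prev = roles.get(name)
        if prev is None:
            changes["created"].append(name)
        elif not prev["active"]:
            changes["reactivated"].append(name)
        new_roles[name] = {"members": members, "active": True}
    for name, prev in roles.items():
        if name not in wanted:  # no members left: retire, keep the record for audit
            if prev["active"]:
                changes["retired"].append(name)
            new_roles[name] = {"members": set(), "active": False}
    changes = {k: sorted(v) for k, v in changes.items()}
    changes["skipped"] = sorted(skipped)
    return new_roles, changes

# Constructed sample data: two runs over the same four users.
POLICY = ("location", "department")
RUN1 = {"u1": {"location": "Austin", "department": "Finance"},
        "u2": {"location": "Austin", "department": "Finance"},
        "u3": {"location": "Denver", "department": "IT"},
        "u4": {"location": "Denver"}}
RUN2 = {**RUN1, "u3": RUN1["u1"], "u4": {"location": "Denver", "department": "HR"}}

if __name__ == "__main__":
    roles, log = reconcile(POLICY, RUN1, {})
    print(log)
    roles, log = reconcile(POLICY, RUN2, roles)
    print(log)
```

The change log from each run is the part worth reviewing: a created or reactivated role is new access that nobody requested by hand, and a skipped user points at a data-quality gap in the source system.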

...