To enforce the principle of least privilege and assist with data privacy efforts, EmpowerID provides fine-grained control to limit the user interfaces, APIs, and workflows a user may see/use and the amount of data they may see.

User Interface Visibility Restrictions (aka “Security Trimming”)

  • Controls which pages and controls on pages a user may see

  • Can refer to controlling which data objects (i.e., groups, people, roles) a person may see

  • Control of access to view pages and controls is based on RBAC delegations to a person or their roles, groups, etc.

  • Control of data visibility is based on Visibility Restriction policies which are also assigned to people by role and location, group, query-based collection, etc.

  • The Noun, Verb, Action navigation system also leverages security trimming to filter which options are displayed.

How is Security Trimming implemented?

  • Each UI Action links to a specific page or workflow in the Noun, Verb, Action navigation system. The system will only return actions for which the person has the “use” (aka view) operation.

  • The left navbar has a special wrapper for each node that shows the node only if the person has access to it.

  • In specific pages security trimming can be implemented by:

    • Check access to page or control - if (EidAuthenticationHandler.HasAccessToPage(new Guid("22231fdf-cc2a-4e00-8a40-655be8af3fc1")))

    • Check access for an operation on the current object, such as a person:

      • if(Model.HasAccessToOperation("ViewAdvancedPersonAttributes"))

      • if (EidContext.HasAccessToOperation((int)Model.GetProperty("ResourceID"), "Edit Person Demographics"))
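The trimming pattern described above, as an added example that is not EmpowerID code: the navigation list is filtered by the "use" operation, and the per-object operation is checked again when the request is handled, so a hidden control is not the only barrier. All types here (UiAction, AccessStore, Trimming) and the sample ids are hypothetical stand-ins; only the method names echo the calls shown on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-ins for illustration; none of these types are EmpowerID's API.
record UiAction(string Noun, string Verb, string Name, Guid PageId);

class AccessStore
{
    // (person, page) pairs holding the "use" operation, as resolved from role/group delegations.
    private readonly HashSet<(int, Guid)> _use = new();
    // (person, resource, operation) grants on individual objects.
    private readonly HashSet<(int, int, string)> _ops = new();

    public void GrantUse(int person, Guid page) => _use.Add((person, page));
    public void GrantOperation(int person, int resource, string op) => _ops.Add((person, resource, op));

    // Deny by default: anything not explicitly granted is neither shown nor allowed.
    public bool HasAccessToPage(int person, Guid page) => _use.Contains((person, page));
    public bool HasAccessToOperation(int person, int resource, string op) => _ops.Contains((person, resource, op));
}

static class Trimming
{
    // Navigation trimming: return only the actions the person may "use".
    public static List<UiAction> VisibleActions(IEnumerable<UiAction> all, AccessStore store, int person) =>
        all.Where(a => store.HasAccessToPage(person, a.PageId)).ToList();

    // Handler-side check: the operation is verified again for the target object.
    public static string Authorize(AccessStore store, int person, int resource, string op) =>
        store.HasAccessToOperation(person, resource, op) ? "allowed" : "denied";
}

static class Program
{
    static void Main()
    {
        var view = new UiAction("Person", "View", "View Person", Guid.NewGuid());
        var edit = new UiAction("Person", "Edit", "Edit Person Demographics", Guid.NewGuid());
        var store = new AccessStore();
        const int helpdesk = 1001, resourceId = 42; // constructed sample ids
        store.GrantUse(helpdesk, view.PageId);
        store.GrantOperation(helpdesk, resourceId, "ViewAdvancedPersonAttributes");

        foreach (var a in Trimming.VisibleActions(new[] { view, edit }, store, helpdesk))
            Console.WriteLine($"{a.Noun} > {a.Verb} > {a.Name}");
        foreach (var op in new[] { "ViewAdvancedPersonAttributes", "Edit Person Demographics" })
            Console.WriteLine($"{op}: {Trimming.Authorize(store, helpdesk, resourceId, op)}");
    }
}
```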

Data Visibility Restrictions

EmpowerID provides the ability to control who may see which objects and which object attributes at the lowest level in the Identity Warehouse database. Three types of policies are available to limit and control this access:

  • Visibility Restriction policies are policies that you can create to limit the ability of people to view objects in EmpowerID in the user interface and via the API. These policies are similar to RBAC delegations in that you can assign them to any EmpowerID Actor, such as a Management Role, Group, Query-Based Collection (SetGroup), and so forth.

  • Data Visibility Filters are SQL-based filters written against the EmpowerID Identity Warehouse; they offer great flexibility and power, allowing you to show and hide objects based on any data in the Identity Warehouse.

  • Column Visibility Filters are SQL-based filters written against the EmpowerID Identity Warehouse; they offer great flexibility and power, allowing you to show and hide data in the Identity Warehouse at the column and attribute level.


Related Docs Topics:

Visibility Filters Overview

...