If your company or organization always sets up groups or management roles based on Person or user account attributes (e.g., state/city, org chart hierarchy), Dynamic Hierarchy policies provide a way to specify the conditions allowing EmpowerID to automatically provision and/or deprovision specific groups or Management Role Definitions and Management Roles based on one or more Person attributes. Dynamic Hierarchies also dynamically manage the membership of those groups or Management Roles. You can then assign resources to the generated groups and/or Management Roles as needed and EmpowerID will grant those assignments to the people in those groups and roles. The topics in this section show you how
Dynamic Group Automation
EmpowerID’s Group Management module provides self-service, delegated administration and role-based group membership for groups or application roles in all your systems. These tasks are performed using friendly web-based interfaces and workflows. For most organizations, there is another category of groups whose lifecycle is typically managed via scripts or time-consuming manual processes. These are your data-driven groups. Data-driven groups are groups that should be created automatically, whose membership should be updated automatically, and which should be retired or deleted automatically based upon attribute query policies leveraging enterprise data from HR or any of your other authoritative sources. EmpowerID’s Dynamic Group Management module entirely automates the lifecycle of these special groups.
Dynamic Group Hierarchies
EmpowerID’s Dynamic Hierarchies engine is like an autopilot for creating data-driven nested groups in systems like Active Directory and Azure Active Directory. The idea behind Dynamic Hierarchies is simple: organizations need collaboration or email groups for each location, company, division, department, and manager. Even more useful is generating nested groups based on the business hierarchy: for example, a group for each company and, nested inside it, a group for each department within that company. The information to power these rules can be found in HR, Active Directory, or another key system. Dynamic Hierarchy policies are easily defined and leverage this data to automatically create and maintain these valuable groups. Dynamic Hierarchy policies also support creating EmpowerID Management Roles in addition to external directory groups.
The power of Dynamic Hierarchies is their ability to run completely automated without any costly human intervention. As an example, when a new department is added in HR, it will automatically show up as a nested group. If Sarah gets promoted and has 5 new direct reports, her team gets its own distribution list. If your organization is undergoing a complete reorganization, the new structure is automatically created and will be accurate. Dynamic Group Hierarchies save organizations time and money and improve the ability of users to collaborate effectively.
Leverage Data from Any System
EmpowerID includes one of the largest libraries of IGA system connectors available. EmpowerID inventories user and HR record data from a wide variety of systems ranging from modern Cloud HR systems such as Workday, SuccessFactors, Ultipro, and others to traditional on-premises systems such as Active Directory, RACF, and SAP. These authoritative sources of user data empower flexible attribute-based policies to maintain up-to-date groups for collaboration and security.
Every implementation of a Dynamic Hierarchy policy has four steps.
- The first step is the Generation process, which finds what objects need to be created or deleted based on the settings applied to the policy. When an object is created, EmpowerID places that object in the Dynamic Hierarchy Provision Inbox queue.
- The second step is Membership Recalculation, where changes to group or management role memberships occurring as a result of a Dynamic Hierarchy policy are placed in the Dynamic Hierarchy Membership Inbox queue.
- The third step is the Provision process, which pulls the new objects from the Dynamic Hierarchy Membership Provision Inbox and provisions those objects in the appropriate system.
- The fourth step is the Set Membership process, which pulls the objects from the Dynamic Hierarchy Membership Inbox and pushes those changes to the external systems.
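A minimal model of the four steps above, as an added example that is not EmpowerID code. The attribute names (`company`, `department`), the in-memory `directory` dict standing in for the target system, and the sample records are assumptions constructed for illustration.

```python
from collections import deque

# Constructed sample HR records; the attribute names are assumptions.
PEOPLE = [
    {"id": "p1", "company": "Acme", "department": "Finance"},
    {"id": "p2", "company": "Acme", "department": "IT"},
    {"id": "p3", "company": "Globex", "department": "IT"},
]

def desired_state(people, levels=("company", "department")):
    """Map each hierarchy path (tuple of attribute values) to its member ids."""
    groups = {}
    for person in people:
        for depth in range(1, len(levels) + 1):
            path = tuple(person[attr] for attr in levels[:depth])
            groups.setdefault(path, set()).add(person["id"])
    return groups

def run_policy(people, directory):
    """Run the four steps once; `directory` maps path -> set of member ids."""
    desired = desired_state(people)
    provision_inbox, membership_inbox = deque(), deque()
    # Step 1, Generation: queue groups to create (parents first) or delete.
    for path in sorted(desired.keys() - directory.keys(), key=lambda p: (len(p), p)):
        provision_inbox.append(("create", path))
    for path in sorted(directory.keys() - desired.keys(), key=lambda p: (-len(p), p)):
        provision_inbox.append(("delete", path))
    # Step 2, Membership Recalculation: queue adds and removals per group.
    for path, members in desired.items():
        current = directory.get(path, set())
        membership_inbox.extend(("add", path, m) for m in sorted(members - current))
        membership_inbox.extend(("remove", path, m) for m in sorted(current - members))
    queued = list(provision_inbox) + list(membership_inbox)
    # Step 3, Provision: apply queued object changes to the target system.
    while provision_inbox:
        op, path = provision_inbox.popleft()
        if op == "create":
            directory[path] = set()
        else:
            del directory[path]
    # Step 4, Set Membership: push queued membership changes.
    while membership_inbox:
        op, path, member = membership_inbox.popleft()
        if op == "add":
            directory[path].add(member)
        else:
            directory[path].discard(member)
    return queued  # everything that was queued, useful as an audit trail
```

Running the policy a second time with unchanged data queues nothing, and a group whose attribute value no longer appears in the source data is deleted along with the access it carried.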