
The EmpowerID RBAC/ABAC model is resource-centric, not role-centric, which allows organizations to focus on what they are protecting: resources and the actions that can be performed against those resources. In EmpowerID, these "resource actions" are blocks of code known as "EmpowerID Operations." Each EmpowerID Operation is a protected code object that, when executed, lets a user perform a task: a specific action against a specific resource object, such as adding a user to a group, creating a mailbox, or viewing a report. Each of these actions must be delegated to users before they can do anything with a resource. This section explains how to use RBAC/ABAC to authorize resource actions in EmpowerID.

Access Levels help you to efficiently grant your users access to IT resources. They bundle EmpowerID Operations and native system rights for specific resource types such as Exchange mailboxes or user accounts.

Business Role and Location combinations let you assign resources to a specific Business Role and Location, such as All Employees in London.

In order to perform resource actions, users must have the operations that allow them to do so. To facilitate this, EmpowerID bundles operations (as well as native system rights, where applicable) into Access Levels, which are then grouped together into Management Roles. You can think of Management Roles as collections of operational capabilities packaged together as job-based bundles that let you make quick and easy bulk assignments of resources to users based on what they do in your organization.

Query-Based Collections, also known as Set Groups, are logical bundles of Sets grouped together with a friendly name for resource management. Sets are queries made against the EmpowerID Identity Warehouse that result in collections of people or resources.

Visibility Restriction policies limit the ability of people to view resources in EmpowerID. They are SQL statements that give you power and flexibility in determining which users can view what objects. These assignments can be fine-tuned by user attributes, such as the time of day, IP addresses, device used, and more.


Info

Access Levels and Management Roles can be assigned to any EmpowerID actor type, including individual people. However, to ease audits and recertifications, EmpowerID recommends assigning these to Business Roles and Locations or Query-Based Collections. In this way, each person assigned to a target Business Role and Location or meeting the criteria of a Query-Based Collection will receive the access associated with those actors.





Getting Started






Key Concepts


Defining Access Levels


Management Roles


Business Roles and Locations


Query Based Collections


Visibility
