
Business Roles and Locations


Business Roles are the top tier in the EmpowerID 3-tiered RBAC model.

EmpowerID’s unique approach to Business Roles addresses a fundamental weakness of RBAC known as the “role explosion” problem. Organizations often end up with large numbers of roles to accommodate people who perform the same job function but in different geographies or areas of the company. To capture the slight differences between “organizational locations” for a position, they are forced to create and manage many very similar Business Roles. This role duplication is known as “role explosion.” Organizations with an inflexible RBAC system often end up managing thousands of roles and building a separate role for each simple access case.

To solve the role explosion challenge, EmpowerID provides a two-tree or “polyarchical” RBAC approach. The top tier, the Business Role tier, describes a user’s position in the organization in combination with a hierarchical Organizational Location that represents where within the organization, or in which context, the user performs that Business Role. This is visualized as two trees, with people assigned to one or more Business Roles, each combined with an Organizational Location. A person’s Business Roles bundle direct technical entitlements and, more commonly, Task- or Activity-based roles.


As an example, consider how both models handle resource access for an employee familiar to banking institutions: the Teller. Most bank tellers perform roughly the same functions and access similar systems in their daily duties, so using RBAC to manage their access sounds straightforward: create a “Teller” role, assign all tellers to it, and assign the needed access to the role. At this point everything appears fine; only one role is needed. However, what if the banking institution has branches in multiple cities, regions, and even countries? Although each Teller needs access to a shared pool of resources, each also needs location-specific access outside that pool. Tellers in New York require access specific to New York, but not London or Sydney. Tellers in London need access to resources in London, but not New York or Sydney. And Tellers in Sydney need access to resources in Sydney, but not New York or London. In this case, using the same Teller role for all tellers is problematic because doing so creates a “super role” that gives each teller access to resources beyond their scope, violating the organization’s risk policies and the concept of Compliant Access.
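The Teller scenario as an added, runnable model of the two-tree approach (example code written for this page, not EmpowerID's own implementation): access is anchored at a (Business Role, Organizational Location) pair and inherited down both trees, so a New York teller gets the shared pool plus New York resources and nothing from London or Sydney. The tree shapes, role names and entitlement names are constructed for illustration.

```python
# Added example: a minimal model of the two-tree ("polyarchical") RBAC
# described above. Trees, names and entitlements are constructed, not real.

# Each tree is a child -> parent map; None marks the root of the tree.
ROLE_TREE = {
    "Employee": None,
    "Teller": "Employee",
    "Senior Teller": "Teller",
}
LOCATION_TREE = {
    "Global": None,
    "Americas": "Global", "EMEA": "Global", "APAC": "Global",
    "New York": "Americas", "London": "EMEA", "Sydney": "APAC",
}

# Access is anchored once at a (role, location) pair and inherited by every
# descendant role and every descendant location, so nothing is duplicated.
ASSIGNMENTS = {
    ("Employee", "Global"): {"email"},
    ("Teller", "Global"): {"core-banking-app"},   # shared pool for all tellers
    ("Teller", "New York"): {"ny-cash-vault"},
    ("Teller", "London"): {"london-cash-vault"},
    ("Teller", "Sydney"): {"sydney-cash-vault"},
    ("Senior Teller", "EMEA"): {"emea-override-approvals"},
}

def lineage(tree, node):
    """Yield node and its ancestors up to the root (KeyError on unknown node)."""
    while node is not None:
        yield node
        node = tree[node]

def effective_access(role, location):
    """Union of everything anchored at any (ancestor role, ancestor location)."""
    access = set()
    for r in lineage(ROLE_TREE, role):
        for loc in lineage(LOCATION_TREE, location):
            access |= ASSIGNMENTS.get((r, loc), set())
    return access

def flat_roles_needed(role_tree, location_tree):
    """Roles a single-tree RBAC needs to avoid a 'super role': one per
    (role, location) combination, which is the role explosion."""
    return len(role_tree) * len(location_tree)

def polyarchical_nodes(role_tree, location_tree):
    """Nodes the two-tree model needs for the same scoping."""
    return len(role_tree) + len(location_tree)

if __name__ == "__main__":
    print(sorted(effective_access("Teller", "New York")))
    print(sorted(effective_access("Senior Teller", "London")))
    print(flat_roles_needed(ROLE_TREE, LOCATION_TREE),
          polyarchical_nodes(ROLE_TREE, LOCATION_TREE))
```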


Benefits of Business Roles and Locations:

  • Business Roles and Locations provide a familiar and commonly accepted grouping mechanism that non-technical users of the system can recognize and easily navigate. The structure can be mapped to the organizational structure of the business.

  • They provide an anchor point for mapping external roles and locations from connected systems, so that master person identities can be provisioned into a business structure.

  • They can be architected to leverage powerful inheritance relationships, letting you anchor common access and policy assignments efficiently at varying inheritance levels. Inheritance eliminates the need to create duplicate assignments.

  • They provide a structure for rolling up multiple and varied assignments to a common anchor point, allowing the administrator to accumulate widely varying types of assignments and policies on an easily recognized business structure.
