You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


Identity Administration Overview


EmpowerID's Identity Administration feature enables designated individuals to manage objects such as user accounts, shared folders, SharePoint sites, and computers through a controlled web interface and workflows. EmpowerID's real-time hybrid security model, which combines Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC), determines which objects an individual can see and which management tasks they can perform against them. Because authorization is enforced by EmpowerID, there is no need to delegate native permissions in the systems where the objects live, which simplifies Identity Administration to a single interface and a single security model. To create an effective Identity Administration strategy, it is crucial to identify the different "Personas" in your environment and classify them by the objects they can see and the actions they can perform.

EmpowerID allows users to securely manage objects that exist in external systems as well as in EmpowerID itself, including Azure AD user accounts, SAP roles, file shares, SharePoint sites, and more. The RBAC, ABAC, and PBAC security controls determine who can manage which objects and which actions they can perform against them. When a user attempts an action they are not authorized to perform, the system also handles logging, automatic approval routing, and workflow task generation.

EmpowerID's three-tiered RBAC model has the Access Levels tier at the bottom. An Access Level defines which actions and native system permissions a user can perform against any resource to which they have access. Access Levels are typically assigned to RBAC Actors in the higher tiers, such as Business Roles and Locations and Management Roles. Operations are units of code executed to perform tasks in EmpowerID workflows or through its API; they are protected by the security model and can also serve as placeholders that applications query to determine whether a user has access. Rights represent actual permissions used in external systems, such as NTFS permissions on shared folders and mailbox ACLs in Microsoft Exchange, which can be granted in EmpowerID through Access Level assignments. EmpowerID pushes these permissions out to the external system on a schedule for every user to whom they have been granted.

User Administration

App Role / Group Administration

Computer Administration

Mailbox Administration

Shared Folder Administration

Partner Access
