
Resources and Resource Systems


One of EmpowerID’s primary functions is to present an accurate picture of security across an organization's on-premises and cloud-based IT systems. In addition to viewing and auditing these systems, EmpowerID provides Entitlement Management capabilities—defined as “cataloging and managing all the accesses an account may have, as part of the business process used to provision access.”¹

To support these capabilities, EmpowerID periodically inventories “protected resources”¹ from the systems you want to manage. EmpowerID calls this process “inventory”; other IAM products call the same operation “reconciliation.”

What Are Protected Resources?

Protected resources are defined as “a system, process, service, information object, or even a physical location that is subject to access control as defined by the resource owner and other stakeholders, such as a business process owner or risk manager.” EmpowerID can inventory and manage a wide variety of protected resources, including:

  • Accounts

  • Groups

  • Computers

  • Azure subscriptions

  • SharePoint Online site collections

  • Many other resource types

Resource Systems and Resource System Types

To specify which systems you want to inventory, the schedule for inventorying them, and where each protected resource resides, EmpowerID maintains a ResourceSystems table. Each table entry represents a system containing protected resources you want EmpowerID to manage. Every registered system receives a unique ResourceSystemID and ResourceSystemGUID.

Additionally, EmpowerID itself has protected resources (for its pages, roles, APIs, etc.), which are treated as being in the “EmpowerID Resource System.”

Resource System Type vs. Security Boundary Type

  • Resource System Type: Defines the connector used to inventory data from an external system.

  • Security Boundary Type: Defines the connector used for Create, Update, Delete operations, as well as the attribute schema for the native objects that are managed directly in the external system.

Resource Records

When EmpowerID inventories protected resources, each resource is inserted into the Resource table with a unique ResourceID and ResourceGUID. Wherever the external system exposes a GUID for the object, EmpowerID reuses it as the ResourceGUID, so the same object can be correlated across inventory runs rather than being re-created each time.

From here on, “protected resources” will simply be called “resources” to align with EmpowerID component terminology. Each resource in EmpowerID also carries a ResourceTypeID that identifies what kind of object it is. EmpowerID maintains a ResourceType record for each type of protected resource it can manage and secure. The ResourceTypeID becomes especially relevant when determining or modifying who can view or manage each resource, because access decisions are scoped by resource type.

Storing Resource Data

You might wonder how EmpowerID stores meaningful information about such diverse resource types in a single Resource table. It does not store all data in one place. As mentioned in a previous module, the Identity Warehouse has over 1,200 tables. For each ResourceType, a dedicated table holds the attributes specific to that type of resource (for example, the columns an account needs differ from those a SharePoint site collection needs). Each record in these specialized tables points back to the ResourceID and ResourceGUID in the Resource table.

By maintaining a separate table per resource type, EmpowerID offers a richer user experience when you view and manage the information associated with different types of resources.
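The following is an added example, not EmpowerID code, that models the Resource Records and Storing Resource Data sections above in a throwaway SQLite database: a Resource table keyed by ResourceID and ResourceGUID, a ResourceType table, a ResourceSystems row, and one per-type detail table (Account) whose rows point back to the Resource row. Only those table names and the ResourceSystemID/ResourceSystemGUID, ResourceID/ResourceGUID and ResourceTypeID columns come from the page; the Account table, the Deleted flag, the Name and LogonName columns and the inventory routine itself are assumptions made for illustration. The inventory routine shows the two behaviours a practitioner cares about in reconciliation: objects that expose a GUID are matched on ResourceGUID across runs (objects without one fall back to a name match before a new GUID is minted), and objects that disappear from the external system are soft-deleted rather than dropped, with an empty inventory pull refused outright so a failed connector cannot orphan everything.

```python
import sqlite3
import uuid

# Constructed schema (assumption for this example, not the EmpowerID Identity Warehouse).
SCHEMA = """
CREATE TABLE ResourceSystems (
    ResourceSystemID   INTEGER PRIMARY KEY,
    ResourceSystemGUID TEXT NOT NULL UNIQUE,
    Name               TEXT NOT NULL);
CREATE TABLE ResourceType (
    ResourceTypeID INTEGER PRIMARY KEY,
    Name           TEXT NOT NULL UNIQUE);
CREATE TABLE Resource (
    ResourceID       INTEGER PRIMARY KEY,
    ResourceGUID     TEXT NOT NULL UNIQUE,
    ResourceTypeID   INTEGER NOT NULL REFERENCES ResourceType,
    ResourceSystemID INTEGER NOT NULL REFERENCES ResourceSystems,
    Deleted          INTEGER NOT NULL DEFAULT 0);
-- Per-type detail table: each row points back to its Resource row.
CREATE TABLE Account (
    ResourceID   INTEGER PRIMARY KEY REFERENCES Resource,
    ResourceGUID TEXT NOT NULL UNIQUE,
    LogonName    TEXT NOT NULL,
    Disabled     INTEGER NOT NULL);
"""

ACCOUNT_TYPE_ID = 1  # assumed ResourceTypeID for the Account type


def new_warehouse():
    """Create an in-memory warehouse with one resource type and one registered system."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO ResourceType VALUES (?, ?)", (ACCOUNT_TYPE_ID, "Account"))
    conn.execute("INSERT INTO ResourceSystems VALUES (1, ?, 'corp.example directory')",
                 (str(uuid.uuid4()),))
    return conn


def inventory_accounts(conn, system_id, snapshot):
    """Reconcile one inventory pull of accounts for one resource system.

    snapshot: list of (external_guid_or_None, logon_name, disabled) tuples.
    Returns (inserted, updated, orphaned) counts.
    """
    if not snapshot:
        # An empty pull is far more likely a connector failure than a system
        # with no accounts; refusing it avoids soft-deleting every resource.
        raise ValueError("empty snapshot: refusing to orphan every resource")
    seen, inserted, updated = set(), 0, 0
    for ext_guid, logon, disabled in snapshot:
        row = None
        if ext_guid:  # preferred: match on the external system's own GUID
            row = conn.execute(
                "SELECT ResourceID FROM Resource WHERE ResourceGUID = ? AND ResourceSystemID = ?",
                (ext_guid, system_id)).fetchone()
        if row is None:  # fallback: match on logon name within the same system
            row = conn.execute(
                "SELECT r.ResourceID FROM Resource r JOIN Account a USING (ResourceID) "
                "WHERE r.ResourceSystemID = ? AND a.LogonName = ?", (system_id, logon)).fetchone()
        if row is None:  # genuinely new: mint a GUID only if the source gave none
            guid = ext_guid or str(uuid.uuid4())
            rid = conn.execute(
                "INSERT INTO Resource (ResourceGUID, ResourceTypeID, ResourceSystemID) VALUES (?, ?, ?)",
                (guid, ACCOUNT_TYPE_ID, system_id)).lastrowid
            conn.execute("INSERT INTO Account VALUES (?, ?, ?, ?)", (rid, guid, logon, int(disabled)))
            inserted += 1
        else:
            rid = row[0]
            conn.execute("UPDATE Account SET LogonName = ?, Disabled = ? WHERE ResourceID = ?",
                         (logon, int(disabled), rid))
            conn.execute("UPDATE Resource SET Deleted = 0 WHERE ResourceID = ?", (rid,))
            updated += 1
        seen.add(rid)
    # Anything previously inventoried for this system that was not seen this run
    # is soft-deleted so the audit trail (and any entitlements on it) survives.
    marks = ",".join("?" * len(seen))
    cur = conn.execute(
        f"UPDATE Resource SET Deleted = 1 WHERE ResourceSystemID = ? AND ResourceTypeID = ? "
        f"AND Deleted = 0 AND ResourceID NOT IN ({marks})",
        (system_id, ACCOUNT_TYPE_ID, *seen))
    return inserted, updated, cur.rowcount


def list_accounts(conn, system_id, include_deleted=False):
    """Join the generic Resource row to its type name and per-type detail row."""
    sql = ("SELECT r.ResourceID, r.ResourceGUID, t.Name, a.LogonName, a.Disabled, r.Deleted "
           "FROM Resource r JOIN ResourceType t USING (ResourceTypeID) "
           "JOIN Account a USING (ResourceID) WHERE r.ResourceSystemID = ?"
           + ("" if include_deleted else " AND r.Deleted = 0") + " ORDER BY a.LogonName")
    return conn.execute(sql, (system_id,)).fetchall()


def demo():
    """Two constructed inventory runs: bob vanishes, alice is disabled, svc_backup has no GUID."""
    conn = new_warehouse()
    first = [("guid-alice", "alice", False), ("guid-bob", "bob", False), (None, "svc_backup", False)]
    run1 = inventory_accounts(conn, 1, first)
    second = [("guid-alice", "alice", True), (None, "svc_backup", False)]
    run2 = inventory_accounts(conn, 1, second)
    return run1, run2, list_accounts(conn, 1, include_deleted=True)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Reviewing the Deleted = 1 rows after each run is where the security value sits: an account that silently disappears from a directory between two inventories is either legitimate deprovisioning or something worth investigating, and a soft delete keeps enough of the record to tell the difference.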

https://youtu.be/g86rqKy_mi0

1 Source: Bago (Editor) E. & Glazer I., (2021) “Introduction to Identity - Part 1: Admin-time (v2)”, IDPro Body of Knowledge 1(5).
