Authorization RBAC/ABAC

The EmpowerID RBAC/ABAC model, which is resource-centric, not role-centric, allows organizations to focus on what they are protecting — resources and the actions that can be performed against those resources. In EmpowerID, these "resource actions" are blocks of code known as "EmpowerID Operations." Each EmpowerID Operation is a protected code object that provides users with the ability to perform a task against a resource object, such as adding a user to a group, creating a mailbox, or viewing a report. Each of these actions must be delegated to users before they can do anything with a resource. This section explains how to use RBAC/ABAC to authorize resource actions in EmpowerID.

Access Levels help you to efficiently grant your users access to IT resources. They bundle EmpowerID Operations and native system rights for specific resource types such as Exchange mailboxes or user accounts.

Business Role and Location combinations let you assign resources to a specific Business Role and Location, such as All Employees in London.

Management Roles are collections of operational capabilities packaged as job-based bundles that let you make quick and easy bulk assignments of resources to users that match what they do in your organization. 

Query-Based Collections, also known as Set Groups, are logical bundles of Sets grouped together with a friendly name for resource management. Sets are queries made against the EmpowerID Identity Warehouse that result in collections of people or resources.

Visibility Restriction policies limit the ability of people to view resources in EmpowerID. They are SQL statements that give you power and flexibility in determining which users can view what objects. 
