
Automating Business Role and Location Assignments

A pivotal concept in the automation of the initial assignment and ongoing maintenance of a person's Business Roles and Locations in EmpowerID is RBAC Mapping. EmpowerID provides the capability to catalog role and location hierarchies from external systems, including but not limited to HR systems, SaaS applications, Active Directory (AD), or LDAP directories. These external systems may already have established role and location structures, as commonly found in HR systems, or they can be structured using connector logic based on user attributes such as job title, department, and country.

These externally derived "external roles" and "external locations," along with the corresponding assignment of user accounts to these roles and locations, are systematically inventoried within the EmpowerID data model. The data model diagram below provides a visual representation of this concept:


In this diagram, you can see how EmpowerID integrates the external role and location structures into its own data model. This integration is the foundation for the automated processes that assign and maintain Business Roles and Locations for individuals based on their attributes and associations in external systems. RBAC Mapping lets an organization reuse the organizational structures and data sources it already maintains instead of building a separate role and location hierarchy for identity and access management.

Automated Assignment of Business Roles and Locations

EmpowerID facilitates the automatic assignment of Business Roles and Business Locations based on organizational data obtained from authoritative sources. This automation is achieved through two server jobs that run within the worker role container or server.

Role and Location Compiler

The Role and Location Compiler, hosted by the EmpowerID Worker Role Windows service, runs on a schedule, typically every 5 minutes. It determines the Business Roles and Locations to be assigned to an EmpowerID Person from data in external systems, such as an HR system. The Compiler considers only account stores where the "Allow Role and Location Recalculation" setting is enabled. When multiple account stores are monitored, those with a higher "Role and Location Re-Eval Order" value take precedence. This job relies on the following data sources:

  • Accounts linked to an EmpowerID Person

  • External Roles

  • External Locations

  • Associations between accounts, external roles, and external locations within an Account Store, taking into account whether the association is marked as "Primary" (only one association can be designated as "Primary" for a given account per Account Store)

Additionally, the Role and Location Compiler uses mappings managed in the EmpowerID Role and Location Mapper, including mappings between external roles and EmpowerID Roles and mappings between external locations and EmpowerID Locations. As it processes account records, it deposits transaction records into a queue table known as the "Role and Location Compiler Inbox," where they await processing by the Role and Location Processor job.

Figure: Business Role and Location Recompiler Inbox

Role and Location Processor

The Role and Location Processor, another job hosted by the EmpowerID Worker Role Windows service, runs every minute. It executes Business Role and Location changes as dictated by the Role and Location Compiler. This processor performs several critical actions:

  • Modifies a person's primary Business Role and Location (relevant for individuals whose primary roles and locations were not explicitly assigned)

  • Assigns secondary roles and locations to a person

  • Removes secondary roles and locations from a person

  • Addresses ambiguous assignments by reassigning individuals whose Business Role and Location is uncertain to the role and location specified in the EmpowerID Resource System's "Default User Creation Path." This occurs only when a person's primary Business Role and Location were previously determined by the Role and Location Compiler and set by the processor but can no longer be determined due to insufficient or inconclusive information.

By segregating these functions into two distinct jobs, you have the option to disable the processor temporarily, allowing you to review suggested changes in the Recompiler inbox before processing them.

Like the Role and Location Compiler, the Role and Location Processor considers only account stores where the "Allow Role and Location Recalculation" setting is enabled. When multiple account stores are under observation, those with a higher "Role and Location Re-Eval Order" value take precedence.
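The following Python model is an added illustration of the Compiler and Processor behaviour described in the two sections above; it is not EmpowerID code, and the class names, field names, sample stores, mappings and the `("Default Role", "Default Location")` stand-in for the "Default User Creation Path" are all constructed for the example. It shows the store filter, the Re-Eval Order precedence, the one-primary-per-account-per-store constraint, the inbox record handed from compiler to processor, the rule that an explicitly assigned primary is never overwritten, and the fallback to the default path when a compiler-set primary can no longer be determined. Where the guide leaves a detail open (how a tie between stores of equal order is treated, whether a losing primary candidate becomes a secondary), the model makes a stated assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the two jobs described in the guide. Names and fields are
# assumptions for illustration, not EmpowerID's schema or code.

@dataclass
class AccountStore:
    name: str
    allow_recalc: bool   # the "Allow Role and Location Recalculation" setting
    reeval_order: int    # the "Role and Location Re-Eval Order"; higher wins

@dataclass
class Association:
    account_store: str
    account: str               # account linked to the Person in this store
    external_role: str
    external_location: str
    primary: bool = False      # at most one primary per account per store

@dataclass
class PersonState:
    primary_role: Optional[str] = None
    primary_location: Optional[str] = None
    primary_set_by_compiler: bool = False   # False with a value set means an admin assigned it
    secondary: set = field(default_factory=set)  # (role, location) pairs


def compile_person(associations, stores, role_map, location_map):
    """Compiler step: derive one inbox record for a person from mapped associations."""
    eligible = {s.name: s for s in stores if s.allow_recalc}
    seen_primary, candidates, secondaries = set(), [], set()
    for a in associations:
        store = eligible.get(a.account_store)
        if store is None:
            continue       # store not enabled for recalculation: ignored entirely
        role = role_map.get(a.external_role)
        loc = location_map.get(a.external_location)
        if role is None or loc is None:
            continue       # unmapped external role or location contributes nothing
        if a.primary:
            key = (a.account_store, a.account)
            if key in seen_primary:
                raise ValueError(f"more than one primary association for {key}")
            seen_primary.add(key)
            candidates.append((store.reeval_order, role, loc))
        else:
            secondaries.add((role, loc))   # assumption: only non-primary links become secondaries
    primary = None
    if candidates:
        top = max(order for order, _, _ in candidates)
        winners = {(r, l) for order, r, l in candidates if order == top}
        if len(winners) == 1:   # assumption: equal-order stores disagreeing is "inconclusive"
            primary = winners.pop()
    return {"primary": primary, "secondaries": secondaries}


def process_record(state, record, default_path):
    """Processor step: apply an inbox record to a person; returns the actions taken."""
    actions = []
    current = (state.primary_role, state.primary_location)
    if record["primary"] is not None:
        # only change the primary if it was never set or was set by the compiler earlier
        if current != record["primary"] and (state.primary_role is None or state.primary_set_by_compiler):
            state.primary_role, state.primary_location = record["primary"]
            state.primary_set_by_compiler = True
            actions.append(("set_primary", record["primary"]))
    elif state.primary_set_by_compiler and current != default_path:
        # previously compiler-determined, now undeterminable: Default User Creation Path
        state.primary_role, state.primary_location = default_path
        actions.append(("fallback_primary", default_path))
    for pair in sorted(record["secondaries"] - state.secondary):
        state.secondary.add(pair)
        actions.append(("add_secondary", pair))
    for pair in sorted(state.secondary - record["secondaries"]):
        state.secondary.discard(pair)
        actions.append(("remove_secondary", pair))
    return actions


# Constructed sample data: store settings, mappings and one person's associations.
STORES = [AccountStore("HR", True, 2), AccountStore("AD", True, 1),
          AccountStore("Legacy", False, 9)]   # highest order, but recalculation disabled
ROLE_MAP = {"HR-ENG-MGR": "Engineering Manager", "AD-OU-Staff": "Staff",
            "AD-OU-Contractors": "Contractor", "LEG-Admin": "Administrator"}
LOCATION_MAP = {"HR-LOC-BERLIN": "Berlin", "AD-Site-Munich": "Munich", "LEG-HQ": "HQ"}
ASSOCIATIONS = [
    Association("HR", "hr-1001", "HR-ENG-MGR", "HR-LOC-BERLIN", primary=True),
    Association("AD", "CORP\\jdoe", "AD-OU-Staff", "AD-Site-Munich", primary=True),
    Association("AD", "CORP\\jdoe", "AD-OU-Contractors", "AD-Site-Munich"),
    Association("Legacy", "jdoe", "LEG-Admin", "LEG-HQ", primary=True),
]
DEFAULT_PATH = ("Default Role", "Default Location")  # stands in for the Resource System setting


def run_cycle(state, associations):
    """One compiler pass followed by one processor pass for a single person."""
    record = compile_person(associations, STORES, ROLE_MAP, LOCATION_MAP)
    return record, process_record(state, record, DEFAULT_PATH)


if __name__ == "__main__":
    person = PersonState()
    print(run_cycle(person, ASSOCIATIONS))
    print(run_cycle(person, []))   # all associations gone: primary falls back to the default path
```

Because the compiler only writes a record and the processor only applies one, the same split the guide describes lets you call `compile_person` alone to preview what would change, which is the point of leaving records in the Recompiler Inbox with the processor disabled.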