Business Role and Location Assignments

A key concept in automating the initial assignment and ongoing maintenance of a Person’s Business Roles and Locations is RBAC Mapping. EmpowerID can inventory role and location hierarchies from external systems such as HR, SaaS applications, AD, or LDAP directories. These applications and directories may contain actual role and location structures—as do many HR systems—or a structure can be built using connector logic based on user attributes such as title, department, and country. These “external roles” and “external locations”, along with the assignment of user accounts to them, are inventoried into the EmpowerID data model as shown in the data model diagram below.

Business Role and Location mappings allow existing physical directory locations and roles to be mapped to a logical management structure. For example, multiple AD or LDAP directory OUs or containers for “London” can be visually mapped to a single virtual “London” Location for unified management and delegation of policies.

A key feature of the Identity Lifecycle is the initial and continuous assignment of the appropriate EmpowerID Business Role and Location combinations. These assignments can be driven from an authoritative source such as HR through the RBAC mappings.

The recalculation and maintenance of Business Role and Location assignments based on authoritative system data is handled by the Business Role and Location Recompiler Job. This job retrieves the external roles and locations associated with user accounts and the mappings of those external roles and locations to EmpowerID Business Roles and Locations, then compares them to compute a Person’s appropriate current Business Role and Location assignments and any adjustments that should be made. Adjustments are handled by the Business Role and Location Processor job, which reads the proposed changes from a queue and implements them.
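
A simplified model of the recompile-then-process flow described above, added here as an illustration; it is not EmpowerID code, and every function name, data shape and sample value is a constructed assumption. It also reports external values that have no mapping, since those silently produce no assignment and are worth reviewing.

```python
from collections import deque

# Constructed sample data (hypothetical names, not EmpowerID schema).
# Each tuple: (person, external role, external location) from an inventoried account.
ACCOUNTS = [
    ("alice", "HR:Accountant", "AD:OU=London,OU=UK"),
    ("alice", "HR:Accountant", "LDAP:ou=London"),
    ("bob", "HR:Contractor", "AD:OU=Paris"),
]
ROLE_MAP = {"HR:Accountant": "Accountant"}
LOCATION_MAP = {"AD:OU=London,OU=UK": "London", "LDAP:ou=London": "London",
                "AD:OU=Paris": "Paris"}
# Mapping-driven (Business Role, Location) assignments each person holds today.
CURRENT = {"alice": {("Accountant", "Paris")}, "bob": {("Sales", "Paris")}}

def recompile(accounts, role_map, location_map, current):
    """Recompiler step: return (queue of proposed changes, unmapped externals)."""
    desired, unmapped = {}, set()
    for person, ext_role, ext_loc in accounts:
        desired.setdefault(person, set())
        role, loc = role_map.get(ext_role), location_map.get(ext_loc)
        if role is None:
            unmapped.add(ext_role)
        if loc is None:
            unmapped.add(ext_loc)
        if role and loc:
            # Two directory OUs mapped to one logical Location collapse here.
            desired[person].add((role, loc))
    queue = deque()
    for person in sorted(set(desired) | set(current)):
        want, have = desired.get(person, set()), current.get(person, set())
        for brl in sorted(want - have):
            queue.append(("add", person, brl))
        for brl in sorted(have - want):
            queue.append(("remove", person, brl))
    return queue, unmapped

def process(queue, current):
    """Processor step: drain the queue and apply each proposed change."""
    while queue:
        action, person, brl = queue.popleft()
        assigned = current.setdefault(person, set())
        if action == "add":
            assigned.add(brl)
        else:
            assigned.discard(brl)
    return current
```

In this sample, bob's only external role is unmapped, so the model queues removal of his existing assignment and returns `HR:Contractor` in the unmapped set for follow-up.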
