• Active Directory,
• LDAP directories, and
• SQL or Oracle databases as well as
• external systems, such as an HR system.

EmpowerID provides live access to this data using Query-Based Collections, formerly known as Set Groups. Sets are SQL-based or code-based queries that result in collections of people or resources, while Set Groups (Query-Based Collections) are logical bundles of Sets grouped together with a friendly name for resource management.

You can use Query-Based Collections of EmpowerID person objects as an RBAC Actor type (like Groups or Management Roles) to assign any type of access, policies for provisioning, attribute assignment, password policies, etc. Think of Query-Based Collections as a type of RBAC-protected resource for which you can delegate creation and management permissions.

Sets

SQL-Based Sets are SQL queries that you can base on any information in the Identity Warehouse. Like code-based Sets, you can use SQL-based Sets to create collections of People or any other type of resource. SQL-based Sets are created within the EmpowerID user interface.

Code-Based Sets have greater reach than their SQL counterparts because you can also use them in connected account stores and external systems to return collections of people and of resources, such as

• Shared Folders,
• Workflows, and
• EmpowerID Protected Controls.

As their name implies, code-based Sets use code for their query mechanism. Thus, to add a code-based Set to EmpowerID, development staff must first created it in Workflow Studio and publish it to the Enterprise Workflow Server.

An example of a code-based Set is one that returns

• a list of customers from an external database with
• a unique identifier, such as a Customer ID, that matches the identifier to EmpowerID Person objects with
• a specific status, such as "gold-level customers,"
• for the purpose of granting resources based on that status.

Set Groups

Set Groups are logical groupings of Sets bundled together with a friendly name for resource management, such as "Engineers in Basel" or "High Security SharePoint Documents."

Membership within a Set Group is dynamic. Each compilation of the Set Compiler Job adds and removes objects from each Set Group, based on the query results of the Sets.

For example, if you have an "All Engineers in Basel" Set Group and hire a new engineer in the Basel location named "Dominic," at the next compilation of the Set Compiler Job, Dominic is added to that Set Group. If, however, Dominic later relocates to Sydney, his Person object is removed from the Set Group at the next compilation of the Set Compiler Job after his relocation.

Set Groups are both an EmpowerID Actor type and a resource type, depending on the objects they contain. You can map them to Business Roles and Locations for dynamic assignments of people, or to EmpowerID Locations for dynamic assignments of resources.

Set Groups that contain collections of EmpowerID Person objects, such as the "Engineers in Basel" Set Group, are EmpowerID actors capable of receiving Resource Role assignments like any other EmpowerID actor type.

Set Groups that return resources other than people, such as the SharePoint documents in the "High Security SharePoint Documents" Set Group, cannot be the recipients of resources. As collections of non-actors, this type of Set Group is always the object of Resource Role assignments.

Using these two Set Groups as an example, to allow all engineers in Basil to see all SharePoint documents marked as high security, make a Resource Role assignment against the "High Security SharePoint Documents" Set Group, and grant the Viewer Resource Role for that Set Group to the "Engineers in Basel" Set Group. Then, when an engineer in Basel logs into EmpowerID, she can see each SharePoint document classified as a high security object.