Access Assignment Types Overview
In EmpowerID, you grant access to resources by assigning Access Levels to an EmpowerID actor. An Access Level comprises one or more "EmpowerID Operations" and/or "native system rights" that are specific to a particular resource type. The assignment gives that actor the ability to execute the operations and rights of the Access Level against those resources.
The exact number of resources affected by the Access Level assignment is determined by the scope of the assignment. Assignment scope in EmpowerID includes the following:
Scopes the Access Level assignment to all resources of a specific type within the Target RBAC Container, independent of the location of those resources. (Target RBAC Containers act like locations.) Target RBAC Containers are particularly useful when delegating access to resources that are scattered across an enterprise. In situations like these, using any of the previously mentioned delegation methods to grant an actor uniform access to resources can be difficult. Target RBAC Containers remove this difficulty.
Target RBAC containers include the following:
These assignments affect the properties or attributes of the resources within the RBAC Containers, not the containers themselves.
Target Management Role
Scopes the Access Level assignment to all people who are members of the Target Management Role, giving the actor receiving the assignment the ability to perform the operations of the Access Level against those people.
An example would be assigning the Administrator Access Level for the Self-Service User Limited Access Management Role to the Enterprise IT Administrator Management Role. In this example, EmpowerID Person is the resource type, the people who are members of the Self-Service User Limited Access Management Role are the resources, and the Enterprise IT Administrator Management Role is the actor.
With this type of Access Level assignment, any person with the Enterprise IT Administrator Management Role can perform Administrator operations against any person with the Self-Service User Limited Access Management Role.
Target Group
Scopes the Access Level assignment to all user accounts or EmpowerID Persons who are members of the Target Group, giving the actor receiving the assignment the ability to perform the operations of the Access Level against those user accounts or people.
An example would be assigning the Password Manager Access Level for all user accounts in the NDM Sales group to an EmpowerID Person named "Anindya." In this example, user account is the resource type, the user accounts belonging to the group are the resources, and the EmpowerID Person Anindya is the actor.
With this type of Access Level assignment, Anindya can perform Password Manager operations against any of the user accounts in the NDM Sales group.
Target SetGroup
Scopes the Access Level assignment to all resources that belong to the Target SetGroup, giving the actor receiving the assignment the ability to perform the operations of the Access Level against those resources.
An example would be assigning the Administrator Access Level for all user accounts in the AD Accounts Never Logged In SetGroup to the Enterprise IT Administrator Management Role. In this example, user account is the resource type, the user accounts in the SetGroup are the resources, and the Enterprise IT Administrator Management Role is the actor.
With this type of Access Level assignment, any person with the Enterprise IT Administrator Management Role can perform Administrator operations against any of the user accounts belonging to the SetGroup.
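The scoping model described above, as an added example that is not EmpowerID code or its API: a simplified Python model that expands the Target Group and Target SetGroup assignments from this page into the individual (person, operation, resource) grants they imply. The operation names, the role members, and the account names are constructed assumptions; only the Access Level, group, SetGroup, role, and "Anindya" names come from the page.

```python
from dataclasses import dataclass

# Constructed sample data; operation, member and account names are assumptions.
ACCESS_LEVELS = {
    "Password Manager": {"ResetPassword", "UnlockAccount"},
    "Administrator": {"ResetPassword", "UnlockAccount", "Disable", "Delete"},
}
MEMBERS = {  # membership of actor-side roles and target-side scopes
    ("ManagementRole", "Enterprise IT Administrator"): {"person:dana", "person:lee"},
    ("Group", "NDM Sales"): {"account:sales01", "account:sales02"},
    ("SetGroup", "AD Accounts Never Logged In"): {"account:stale07", "account:sales02"},
}

@dataclass(frozen=True)
class Assignment:
    actor: tuple         # ("Person", name), or ("ManagementRole", name) = its members
    access_level: str
    scope: tuple         # ("Group" | "SetGroup" | "ManagementRole", name)

ASSIGNMENTS = [
    Assignment(("Person", "Anindya"), "Password Manager", ("Group", "NDM Sales")),
    Assignment(("ManagementRole", "Enterprise IT Administrator"), "Administrator",
               ("SetGroup", "AD Accounts Never Logged In")),
]

def actor_people(actor):
    kind, name = actor
    return {f"person:{name.lower()}"} if kind == "Person" else MEMBERS.get(actor, set())

def effective_access(assignments):
    """Expand scoped assignments into (person, operation, resource) grants."""
    grants = {}
    for a in assignments:
        for person in actor_people(a.actor):
            for resource in MEMBERS.get(a.scope, set()):
                for op in ACCESS_LEVELS[a.access_level]:
                    grants.setdefault((person, op, resource), []).append(a)
    return grants

def can(person, op, resource, assignments=ASSIGNMENTS):
    return (person, op, resource) in effective_access(assignments)

def multi_scope_resources(assignments=ASSIGNMENTS):
    """Resources reachable through more than one scope: candidates for review."""
    seen = {}
    for a in assignments:
        for r in MEMBERS.get(a.scope, set()):
            seen.setdefault(r, set()).add(a.scope)
    return {r: s for r, s in seen.items() if len(s) > 1}
```

In this model, `account:sales02` sits in both the group and the SetGroup, so it picks up grants from both assignments; two assignments expand to 20 individual grants.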