A key concept in automating the initial assignment and ongoing maintenance of a Person's Business Roles and Locations is RBAC Mapping. EmpowerID can inventory role and location hierarchies from external systems such as HR, SaaS applications, AD, or LDAP directories. These applications and directories may contain actual role and location structures (as many HR systems do), or a structure can be built using connector logic based on user attributes such as title, department, and country. These "external roles" and "external locations", along with the assignment of user accounts to them, are inventoried into the EmpowerID data model, as shown in the data model diagram below.
Business Role and Location mappings allow existing physical directory locations and roles to be mapped to a logical management structure. For example, multiple AD or LDAP directory OU containers for "London" can be visually mapped to a single virtual "London" Location for unified management and delegation of policies.
A key feature of the Identity Lifecycle is the initial and continuous assignment of the appropriate EmpowerID Business Role and Location combinations. These assignments can be driven from an authoritative source such as HR through the RBAC mappings.
The recalculation and maintenance of Business Role and Location assignments based on authoritative system data is handled by the Business Role and Location Recompiler Job. This job retrieves the external roles and locations associated with user accounts, together with the mappings of those external roles and locations to EmpowerID Business Roles and Locations, and compares them to compute a Person's appropriate current Business Role and Location assignments and any adjustments that should be made. Adjustments are handled by the Business Role and Location Processor job, which reads the proposed changes from a queue and implements them.
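The recompile-then-process flow described above can be modeled as a small reconciliation routine. This is an added conceptual example, not EmpowerID code or schema: every name, DN, and data structure in it is hypothetical, and the sample accounts are constructed.

```python
from collections import namedtuple

# Hypothetical model for illustration only; none of these names are EmpowerID schema.
Change = namedtuple("Change", "person action role location")

# RBAC mappings: external role / external location -> logical Business Role / Location.
ROLE_MAP = {"HR:Title=Accountant": "Accountant", "HR:Title=Sr Accountant": "Accountant"}
LOCATION_MAP = {
    "OU=London,OU=EMEA,DC=corp,DC=example": "London",
    "OU=London,OU=Users,DC=legacy,DC=example": "London",  # second physical OU, same Location
    "OU=Berlin,OU=EMEA,DC=corp,DC=example": "Berlin",
}

# Constructed sample: one person with accounts in two directories plus an unmapped one.
SAMPLE_ACCOUNTS = [
    {"ext_role": "HR:Title=Sr Accountant", "ext_location": "OU=London,OU=EMEA,DC=corp,DC=example"},
    {"ext_role": "HR:Title=Sr Accountant", "ext_location": "OU=London,OU=Users,DC=legacy,DC=example"},
    {"ext_role": "SaaS:Group=Unknown", "ext_location": "OU=London,OU=EMEA,DC=corp,DC=example"},
]
SAMPLE_CURRENT = {("Accountant", "Berlin")}  # stale assignment from before a transfer

def desired_assignments(accounts):
    """Translate each account's external role/location into a logical pair."""
    desired, unmapped = set(), []
    for acct in accounts:
        role = ROLE_MAP.get(acct["ext_role"])
        loc = LOCATION_MAP.get(acct["ext_location"])
        if role is None or loc is None:
            unmapped.append(acct)  # report for review instead of guessing a role
        else:
            desired.add((role, loc))
    return desired, unmapped

def recompile(person, accounts, current):
    """Recompiler step: diff desired against current and queue proposed changes."""
    desired, unmapped = desired_assignments(accounts)
    queue = [Change(person, "add", r, l) for r, l in sorted(desired - current)]
    queue += [Change(person, "remove", r, l) for r, l in sorted(current - desired)]
    return queue, unmapped

def process(queue, current):
    """Processor step: apply queued changes separately from computing them."""
    result = set(current)
    for ch in queue:
        pair = (ch.role, ch.location)
        result.add(pair) if ch.action == "add" else result.discard(pair)
    return result

if __name__ == "__main__":
    queue, unmapped = recompile("jdoe", SAMPLE_ACCOUNTS, SAMPLE_CURRENT)
    print(queue, unmapped, process(queue, SAMPLE_CURRENT), sep="\n")
```

Both London OUs collapse into a single logical assignment, and the account with no mapping is reported rather than silently given a role, which is the case worth reviewing when the authoritative source and the mappings drift apart.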