Access Assignment Types Overview
In EmpowerID, you grant access to resources by assigning Access Levels to an EmpowerID actor. An Access Level consists of one or more "EmpowerID Operations" and/or "native system rights" that are specific to a particular resource type. When you make the assignment, you give that actor the ability to execute the operations and rights of the Access Level against the resources covered by the assignment.
The exact number of resources affected by the Access Level assignment is determined by the scope of the assignment. Assignment scope in EmpowerID includes the following:
- Direct
- Scopes the Access Level assignment to a single resource of a specific resource type, giving the actor receiving the assignment the ability to perform the operations and rights of the Access Level against that resource and that resource alone. An example would be assigning the Help Desk Access Level for the user account owned by "Ruth" to an EmpowerID Person named "Bob." In this example, user account is the resource type, the user account owned by Ruth is the resource, and the EmpowerID Person Bob is the actor. With this type of Access Level assignment, Bob can perform Help Desk operations against Ruth's user account, but not against any other.
- By Location
- Scopes the Access Level assignment to all resources of a specific resource type in a designated location, giving the actor receiving the assignment the ability to perform the operations and rights of the Access Level against those particular resources. An example would be assigning the Help Desk Access Level for all user accounts in Toronto to the Toronto Help Desk group. In this example, user account is the resource type, the user accounts in Toronto are the resources, and the Toronto Help Desk group is the actor. With this type of Access Level assignment, all members of the group can perform Help Desk operations against all the user accounts in Toronto (as well as in any child locations for which Toronto is the parent), but not in any other locations. Because child locations are included, an assignment at a high-level location is correspondingly broad.
- Relative
- Scopes the Access Level assignment to all resources of a specific type that belong to the same location as the actor receiving the assignment. An example would be assigning the Help Desk Access Level for all user accounts in Bob's location to Bob. In this example, user account is the resource type, the user accounts in Bob's location are the resources, and the EmpowerID Person Bob is the actor. With this type of Access Level assignment, Bob can perform Help Desk operations against all the user accounts in his location (as well as in any locations for which his location is the parent), but not in any other locations.
- Target RBAC Containers
- Scopes the Access Level assignment to all resources of a specific type within the Target RBAC Container, independent of the location of those resources. (Target RBAC Containers act like locations.) Target RBAC Containers are particularly useful when delegating access to resources that are scattered across an enterprise. In situations like these, using any of the previously mentioned assignment scopes to grant an actor uniform access to those resources can be difficult. Target RBAC Containers remove this difficulty.
Note that these assignments affect the resources within the RBAC Containers (their properties or attributes), not the containers themselves.
Target RBAC Containers include the following:
Target Management Role
Scopes the Access Level assignment to all people who are members of the Target Management Role, giving the actor receiving the assignment the ability to perform the operations of the Access Level against those people.
An example would be assigning the Administrator Access Level for the Self-Service User Limited Access Management Role to the Enterprise IT Administrator Management Role. In this example, EmpowerID Person is the resource type, the people who are members of the Self-Service User Limited Access Management Role are the resources, and the Enterprise IT Administrator Management Role is the actor.
With this type of Access Level assignment, any person with the Enterprise IT Administrator Management Role can perform Administrator operations against any person with the Self-Service User Limited Access Management Role.
Target Group
Scopes the Access Level assignment to all user accounts or EmpowerID Persons who are members of the Target Group, giving the actor receiving the assignment the ability to perform the operations of the Access Level against those user accounts or people.
An example would be assigning the Password Manager Access Level for all user accounts in the NDM Sales group to an EmpowerID Person named "Anindya." In this example, user account is the resource type, the user accounts belonging to the group are the resources, and the EmpowerID Person Anindya is the actor.
With this type of Access Level assignment, Anindya can perform Password Manager operations against any of the user accounts in the NDM Sales group.
Target SetGroup
Scopes the Access Level assignment to all resources that belong to the Target SetGroup, giving the actor receiving the assignment the ability to perform the operations of the Access Level against those resources.
An example would be assigning the Administrator Access Level for all user accounts in the AD Accounts Never Logged In SetGroup to the Enterprise IT Administrator Management Role. In this example, user account is the resource type, the user accounts in the SetGroup are the resources, and the Enterprise IT Administrator Management Role is the actor.
With this type of Access Level assignment, any person with the Enterprise IT Administrator Management Role can perform Administrator operations against any of the user accounts belonging to the SetGroup.
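The following is an added worked example, not EmpowerID code or its API: a small Python model of how the six assignment scopes described above (Direct, By Location, Relative, and the three Target RBAC Container types) resolve to a concrete set of resources for a given actor. The location tree, resource names (ruth-acct, alice-acct, carl-acct), container names and the `Directory` structure are all constructed for illustration. The model captures the two points a practitioner most often gets wrong: location-scoped assignments include every child location under the named or relative root, and container-scoped assignments ignore location entirely but still filter on resource type.

```python
"""Model of EmpowerID-style Access Level assignment scopes.

Added illustration with constructed data; it is not EmpowerID's own
implementation or API. It resolves which resources an actor may act on
under an assignment, given the assignment's scope type.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Location:
    name: str
    parent: Optional[str] = None  # None marks a root location


@dataclass(frozen=True)
class Resource:
    resource_id: str
    resource_type: str  # e.g. "UserAccount" or "Person"
    location: str


@dataclass(frozen=True)
class Actor:
    actor_id: str
    location: str  # consulted only by the Relative scope


@dataclass(frozen=True)
class Assignment:
    access_level: str
    resource_type: str
    # Direct | ByLocation | Relative | TargetGroup | TargetManagementRole | TargetSetGroup
    scope: str
    # resource id (Direct), location name (ByLocation), container name
    # (Target* scopes); unused for Relative
    target: str


@dataclass
class Directory:
    locations: Dict[str, Location]
    resources: Dict[str, Resource]
    # container key -> member resource ids, e.g. "Group:NDM Sales"
    containers: Dict[str, Set[str]]


# Maps a Target RBAC Container scope to the container key prefix it reads.
CONTAINER_SCOPES = {
    "TargetGroup": "Group",
    "TargetManagementRole": "ManagementRole",
    "TargetSetGroup": "SetGroup",
}


def location_subtree(locations: Dict[str, Location], root: str) -> Set[str]:
    """Return root plus every location that has root as an ancestor."""
    members = {root}
    changed = True
    while changed:  # iterate until no new descendant is discovered
        changed = False
        for loc in locations.values():
            if loc.parent in members and loc.name not in members:
                members.add(loc.name)
                changed = True
    return members


def resolve_scope(directory: Directory, assignment: Assignment, actor: Actor) -> Set[str]:
    """Resource ids the actor may act on under this assignment."""
    # Every scope is first narrowed to the assignment's resource type.
    typed = {rid: r for rid, r in directory.resources.items()
             if r.resource_type == assignment.resource_type}
    if assignment.scope == "Direct":
        return {assignment.target} if assignment.target in typed else set()
    if assignment.scope in ("ByLocation", "Relative"):
        root = assignment.target if assignment.scope == "ByLocation" else actor.location
        in_scope = location_subtree(directory.locations, root)  # root plus children
        return {rid for rid, r in typed.items() if r.location in in_scope}
    if assignment.scope in CONTAINER_SCOPES:
        key = f"{CONTAINER_SCOPES[assignment.scope]}:{assignment.target}"
        members = directory.containers.get(key, set())
        return {rid for rid in members if rid in typed}  # location is ignored
    raise ValueError(f"unknown scope {assignment.scope!r}")


def can_act(directory: Directory, assignment: Assignment, actor: Actor, resource_id: str) -> bool:
    return resource_id in resolve_scope(directory, assignment, actor)


def sample_directory() -> Directory:
    """Constructed sample data mirroring the examples in the text."""
    locations = {l.name: l for l in [
        Location("Canada"), Location("Toronto", "Canada"),
        Location("Toronto Downtown", "Toronto"), Location("Montreal", "Canada")]}
    resources = {r.resource_id: r for r in [
        Resource("ruth-acct", "UserAccount", "Toronto"),
        Resource("alice-acct", "UserAccount", "Toronto Downtown"),
        Resource("carl-acct", "UserAccount", "Montreal"),
        Resource("ruth", "Person", "Toronto"),
        Resource("carl", "Person", "Montreal")]}
    containers = {
        "Group:NDM Sales": {"ruth-acct", "carl-acct"},
        "ManagementRole:Self-Service User Limited Access": {"ruth", "carl"},
        "SetGroup:AD Accounts Never Logged In": {"alice-acct"},
    }
    return Directory(locations, resources, containers)


if __name__ == "__main__":
    d = sample_directory()
    bob = Actor("bob", "Montreal")
    by_loc = Assignment("Help Desk", "UserAccount", "ByLocation", "Toronto")
    print(sorted(resolve_scope(d, by_loc, bob)))  # Toronto and its child location
    print(can_act(d, by_loc, bob, "carl-acct"))   # Montreal is outside the scope
```

Running the module prints the Toronto-scoped accounts (including the one in the child location Toronto Downtown) and `False` for the Montreal account; the same `resolve_scope` call is used for every scope type, so the only difference between scopes is how the candidate set is narrowed.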