Creating Visibility Restriction Policies
You can create Visibility Restriction policies to limit the ability of policy holders to view resources in EmpowerID. These policies are like RBAC delegations in that you can assign them to any EmpowerID Actor. Once assigned to an actor, any Person belonging to that actor receives the policy. For example, if your organization uses the services of contractors, you could create a Visibility Restriction policy that only allows contractors to see other contractors within the organization, and apply that policy to a group or Management Role designated for Contractors. Then, when a contractor logs in, they can only see other contractors.
Visibility restriction policies do not affect the EmpowerIDAdmin user.
This topic demonstrates how to create Visibility Restriction policies.
To create a Visibility Restriction policy
- In the Navigation Sidebar of the EmpowerID Web interface, expand Identities and click Manage Delegations.
- From the Delegations Management page, click the Visibility Restriction Policies tab.
This opens the Create a Visibility Restriction Policy form.
- From the Assign Policy To drop-down, select the Actor type to receive the policy. Actor types include the following:
- Person - Applies the policy to a specific person.
- Group - Applies the policy to a specific group. Each person who is a member of the group receives the policy.
- Business Role and Location - Applies the policy to a specific Business Role and Location. Each person who belongs to the Business Role and Location receives the policy.
- Management Role - Applies the policy to a specific Management Role. Each person who is a member of the role receives the policy.
- Management Role Definition - Applies the policy to a specific Management Role Definition. Each Management Role that is a child of the definition receives the policy.
- Query-Based Collection (SetGroup) - Applies the policy to a specific Query-Based Collection. Each person who is a member of the collection receives the policy.
This example assigns the policy to a group.
- Type the name of the specific actor to whom the policy is to be assigned in the Assignee field and click the tile that appears for that actor.
This field binds to the value of the Assign Policy To drop-down, so you can only input an actor matching the selected Actor type. For example, if you select Group from the Assign Policy To drop-down, then you can only search for and input a group in the Assignee field.
This example assigns the policy to the Contractors group.
- Select the Object Type To Restrict from the drop-down. For example, to restrict the ability to see people, select Person.
This example restricts the ability of group members to see people.
- From the Assignment Type drop-down, select from the following options to define the scope of the policy.
- Person Relative Resource - Policy holders can see only those objects relative to their own person.
For example, if you limit the visibility of computers with this assignment type and assign the policy to Bob in Boston, Bob can only see computers located in Boston.
- Direct - Policy holders can only see a specific resource object of a specific type, such as "Computer X" or "Person Y."
- Scoped At Location - Policy holders can only see resource objects of a specific type in a specific location, such as all computers or all people in Boston.
- Target Group - Policy holders can only see specified resource objects belonging to a specific group.
For example, if you limit the visibility of people with this assignment type and assign the policy to Bob in the Accounting group, Bob can only see people belonging to the Accounting group.
- Target Management Role - Policy holders can only see specified resource objects belonging to a specific Management Role.
For example, if you limit the visibility of people with this assignment type and assign the policy to Bob, Bob can only see people belonging to the target Management Role.
- Target Query-Based Collection - Policy holders can only see specified resource objects belonging to a specific Query-Based Collection.
For example, if you limit the visibility of people with this assignment type, people with the policy can only see people belonging to the target collection.
This example uses the Target Group assignment type.
- In whichever field appears based on the Assignment Type selected above, do the following:
- Enter a <Resource Object> Name to Search - Type the name of the specific resource object for which you are creating the policy and then click the tile for that object to select it.
- Person Relative Resource - Select the relative resource for the restricted resource object type, such as People in Person's Location or Accounts in Person's Location.
For example, if you limit the visibility of accounts and the Assignment Type is Person Relative Resource, selecting Accounts in Person's Location limits any person with the policy to only seeing accounts in their location.
- Can See All Below - Click the Select a Location link, and in the Location Selector that appears, search for and select a location and click Save to close the Location Selector.
This example uses the Target Group assignment type, so search for and select the specific group to target.
- In the Priority field, enter a numeric value from 1 to 100 to set the priority of this Visibility Restriction policy if a user has more than one policy. The lower the number, the higher the priority.
- Leave the Mode value set to Default.
At this point, the Create a Visibility Restriction Policy form looks like the following image (with variations for the selected options). In the image, the Visibility Restriction policy restricts the ability of anyone who is a member of the Contractors group to see only people inside of the group.
- Click Save.
To test the Visibility Restriction policy
- Log out of the EmpowerID Web application and log back in as a person assigned the policy. For example, if you created a Visibility Restriction policy and assigned it to a group, log in as a person who is a member of that group.
- From the Home page of the Web application, search for any resource object restricted by the policy. For example, if you created a Visibility Restriction policy that restricts the ability to see people, search for people. This example creates just such a policy and navigates to the White Pages.
You are only able to see those objects for which the policy was created. In this example, the logged-in person is a member of the Contractors group. Because the Visibility Restriction policy restricts the ability of anyone who is a member of the Contractors group to see anyone outside of that group, only those people in the organization who belong to the group appear.
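As an added illustration that is not EmpowerID's code, the following toy Python model shows how the Target Group, Scoped At Location and Person Relative Resource assignment types scope what a policy holder can see, using the Contractors example from the test above. The sample directory, the names, and the rule that only the applicable policy with the lowest priority number is enforced are assumptions made for the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    name: str
    location: str
    groups: frozenset


@dataclass(frozen=True)
class Policy:
    assign_to: str        # group the policy is assigned to (actor type Group)
    assignment_type: str  # "Target Group", "Scoped At Location" or "Person Relative Resource"
    target: str           # target group, location, or relative resource such as "People in Person's Location"
    priority: int = 50    # 1..100; the lower the number, the higher the priority


# Constructed sample directory for the model, not real data.
DIRECTORY = [
    Person("alice", "Boston", frozenset({"Contractors"})),
    Person("bob", "Boston", frozenset({"Employees"})),
    Person("carol", "Dallas", frozenset({"Contractors"})),
    Person("dave", "Dallas", frozenset({"Employees"})),
]


def visible_people(viewer, policies, directory=DIRECTORY):
    """Names of the people `viewer` can see under the given Person visibility policies.
    Assumption (not stated on the page): when several policies apply to the viewer,
    only the one with the lowest priority number is enforced."""
    everyone = [p.name for p in directory]
    if viewer.name == "EmpowerIDAdmin":   # the admin user is never restricted
        return everyone
    hits = sorted((p for p in policies if p.assign_to in viewer.groups), key=lambda p: p.priority)
    if not hits:                          # no policy assigned: unrestricted view
        return everyone
    pol = hits[0]
    if pol.assignment_type == "Target Group":
        allowed = lambda x: pol.target in x.groups
    elif pol.assignment_type == "Scoped At Location":
        allowed = lambda x: x.location == pol.target
    elif pol.assignment_type == "Person Relative Resource":
        if pol.target != "People in Person's Location":
            raise ValueError(f"unsupported relative resource: {pol.target}")
        allowed = lambda x: x.location == viewer.location   # relative to the viewer's own location
    else:
        raise ValueError(f"unknown assignment type: {pol.assignment_type}")
    return [x.name for x in directory if allowed(x)]


# The page's worked example: members of Contractors may only see other Contractors.
CONTRACTORS_ONLY = Policy("Contractors", "Target Group", "Contractors", priority=50)

if __name__ == "__main__":
    print(visible_people(DIRECTORY[0], [CONTRACTORS_ONLY]))  # ['alice', 'carol']
```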