Resources and Resource Types Overview
Resources are the lowest-level secured objects in EmpowerID, the objects on which management tasks are performed. Every object of any type that EmpowerID manages securely has a resource entry in the EmpowerID Identity Warehouse. EmpowerID supports many resource types out of the box and can be extended to support any custom resource type an organization wishes to manage. Resource types exist for all secured EmpowerID objects, such as people, pages, and workflows, as well as for objects in external systems, such as Exchange mailboxes or SharePoint web sites.
EmpowerID catalogs each resource object by resource type so that each type can carry its own properties, management operations, rights, and Access Level Definitions. Classifying resources by resource type also gives administrators a consistent interface for managing them.
Among the resource types in EmpowerID, the following two are worth noting:
Asset Types
Asset Types are special categories of resources that are never provisioned automatically through Resource Entitlements policies; they must always be requested. An Asset Type can invoke EmpowerID DLLs or other custom .NET assemblies that provision and de-provision real resources in other systems, such as Active Directory, or it can simply create objects in the EmpowerID Identity Warehouse for approval routing and tracking purposes only. Examples of the former include Exchange mailboxes, user accounts, and Windows shared folders; examples of the latter include mobile phones, laptops, or any other user-defined objects. Asset Types can be thought of as buckets of resources, categorized by type, that you create for special circumstances or needs, such as creating user accounts for a specific team of users.
Each Asset Type necessarily belongs to an account store, a resource system, and a resource type inherent to its kind, and it may require a "dependency," such as the target person already having an account in the domain. For example, a mailbox Asset Type belongs to an Active Directory account store, a Microsoft Exchange resource system, and the Exchange Mailbox resource type, and it depends on a user account existing first, because a user must have an Active Directory account before they can have a mailbox. Asset Types that are not inherent to another system but are simply tracked by EmpowerID, such as the laptops or mobile phones mentioned above, must use EmpowerID as the account store, Asset Pool as the resource system, and Generic Asset as the resource type.
Asset Types can be of the following resource types:
- Exchange Mailbox
- Generic Asset
- Generic Asset (AD Protected)
- User Account
- Windows Shared Folder
Once an Asset Type is created, specific Asset Request catalog items can be created from that type and placed in the Service Catalog to allow users to submit a "request for an asset," either for themselves or on behalf of another user. For example, a manager who is hiring a contractor can select and submit an Asset Request from the catalog to create an Exchange mailbox for that contractor. Each Asset Request catalog item in the Service Catalog is itself a protected EmpowerID resource and can be managed like any other resource in Resource Manager or the other EmpowerID user interfaces. For an Asset Request catalog item to be visible to, and initiated by, an end user, that user must hold the "Requestor" Access Level on the catalog item in question as well as the "Initiator" Access Level on the request workflow specified in the catalog item. Only a user holding both Access Levels will see the catalog item when it is published in the Service Catalog; lacking either one hides it. Each request is tied to a Request Workflow that routes the request for approval; this approval step is how security policies on asset provisioning are enforced.
Request Workflows
One special type of EmpowerID resource that deserves mention is the Request Workflow. For each workflow used in EmpowerID there exists at least one request workflow resource. The request workflow resource secures the workflow and controls who may initiate it. Workflows can be initiated in a variety of ways, including web services, URLs, ribbon menu buttons, and the Service Catalog. Regardless of the method, a person cannot initiate the workflow unless they hold an Access Level on that request workflow that grants them the Initiate operation.
If added to the Service Catalog, request workflows can be accessed in the EmpowerID Management Console or the web interface through My Workspace. The Service Catalog allows you to categorize request workflows into logical groupings defined by an administrative boundary, making it easy for users to locate the appropriate workflow for a task. Whether a user reaches workflows from ribbon menus or from the catalog, they will not see any workflow for which they have not been granted the Initiate operation.
Note also that the request workflow resource controls only who may start a workflow process. Each workflow typically consists of one or more operation activities, each with its own embedded authorization logic. The ability to initiate a request workflow therefore does not grant the right to see any of the objects displayed within the workflow or to execute any of the operation activities it contains; each of those is authorized separately.
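The layering described in the Asset Types and Request Workflows sections (an Asset Type bound to an account store, resource system, resource type and dependency; Requestor on the catalog item plus Initiator on the request workflow to see and start a request; separate authorization on every operation activity) is easy to get wrong when an access check collapses the layers. The following is an added illustrative model in plain Python, not EmpowerID code and not its API: the class names, the `Execute` access level, the `operation:`/`catalog:`/`workflow:` resource naming, and the sample people and grants are all assumptions made up for this example. It shows a deny-by-default evaluation in which each layer is checked on its own and no layer implies another.

```python
"""Illustrative model of layered, deny-by-default authorization (added example).

NOT EmpowerID code or its API. Class names, the "Execute" access level, the
resource naming scheme and all sample grants are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Grant:
    """One Access Level granted to a person on one secured resource."""
    person: str
    resource: str       # e.g. "catalog:ContractorMailbox", "workflow:CreateMailbox"
    access_level: str   # "Requestor", "Initiator", or the assumed "Execute"


@dataclass(frozen=True)
class AssetType:
    name: str
    account_store: str
    resource_system: str
    resource_type: str
    depends_on: Optional[str] = None   # resource type the target person must already own


@dataclass(frozen=True)
class AssetRequestCatalogItem:
    name: str
    asset_type: AssetType
    request_workflow: str   # Request Workflow resource that secures initiation


def has_access_level(grants: Iterable[Grant], person: str, resource: str, level: str) -> bool:
    """Deny by default: only an explicit, exactly matching grant returns True."""
    return any(g.person == person and g.resource == resource and g.access_level == level
               for g in grants)


def can_see_and_initiate(grants: Iterable[Grant], person: str,
                         item: AssetRequestCatalogItem) -> bool:
    """A catalog item is visible and startable only with BOTH Requestor on the
    item AND Initiator on its request workflow; either one alone is not enough."""
    return (has_access_level(grants, person, f"catalog:{item.name}", "Requestor")
            and has_access_level(grants, person, f"workflow:{item.request_workflow}", "Initiator"))


def can_execute_operation(grants: Iterable[Grant], person: str, operation: str) -> bool:
    """Each operation activity carries its own authorization; the ability to
    initiate the surrounding workflow is deliberately not consulted here."""
    return has_access_level(grants, person, f"operation:{operation}", "Execute")


def missing_dependencies(asset_type: AssetType, owned_resource_types: Set[str]) -> List[str]:
    """Dependency resource types the target person does not yet have,
    e.g. a mailbox requires a User Account to exist first."""
    if asset_type.depends_on and asset_type.depends_on not in owned_resource_types:
        return [asset_type.depends_on]
    return []


def is_valid_tracked_only_asset_type(asset_type: AssetType) -> bool:
    """Asset Types that only track objects (laptops, phones) must use the
    EmpowerID account store, Asset Pool resource system and Generic Asset type."""
    return (asset_type.account_store == "EmpowerID"
            and asset_type.resource_system == "Asset Pool"
            and asset_type.resource_type == "Generic Asset")


# --- constructed sample data (assumptions, not a real tenant configuration) ---
MAILBOX = AssetType("ContractorMailbox", "Active Directory", "Microsoft Exchange",
                    "Exchange Mailbox", depends_on="User Account")
LAPTOP = AssetType("Laptop", "EmpowerID", "Asset Pool", "Generic Asset")
BAD_LAPTOP = AssetType("Laptop", "Active Directory", "Asset Pool", "Generic Asset")
MAILBOX_ITEM = AssetRequestCatalogItem("ContractorMailbox", MAILBOX, "CreateMailbox")

GRANTS = [
    Grant("alice", "catalog:ContractorMailbox", "Requestor"),   # hiring manager: both levels
    Grant("alice", "workflow:CreateMailbox", "Initiator"),
    Grant("bob", "catalog:ContractorMailbox", "Requestor"),     # Requestor only: item stays hidden
    Grant("carol", "operation:CreateMailbox", "Execute"),       # operator: may execute, not initiate
]


if __name__ == "__main__":
    print("alice sees/initiates:", can_see_and_initiate(GRANTS, "alice", MAILBOX_ITEM))   # True
    print("bob sees/initiates:  ", can_see_and_initiate(GRANTS, "bob", MAILBOX_ITEM))     # False
    print("alice executes op:   ", can_execute_operation(GRANTS, "alice", "CreateMailbox"))  # False
    print("contractor lacks:    ", missing_dependencies(MAILBOX, set()))                  # ['User Account']
    print("laptop types valid:  ", is_valid_tracked_only_asset_type(LAPTOP),
          is_valid_tracked_only_asset_type(BAD_LAPTOP))                                  # True False
```

The point to carry over to a real deployment is the shape of the checks, not the names: the catalog visibility test is a conjunction of two independent grants, the operation test ignores initiation rights entirely, and an Asset Type whose dependency is unmet is reported before any provisioning call would be made.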