Step by step guide to delegating EmpowerID RBAC operations
This guide will assist an EmpowerID administrator in determining which RBAC permissions need to be delegated to prevent an operation from going for approval. In our example we are going to delegate the ability to edit the Expiration Date and Demographics information for Person records located within the Default Organization and below without the operation going for approval.
1. Open the EmpowerID web interface and log in as an EmpowerID person that is a member of the All Access Management Role. Navigate to the workflow that contains the task you wish to delegate. Make note of the URL in the address bar of your web browser once you have the workflow loaded. In our example this would be https://FQDN/EmpowerIDV5/#w/EditPerson, so the name of the workflow we are targeting is EditPerson.
2. Launch EmpowerID Workflow Studio. In the Solution Explorer pane on the left hand side, click on the Workspace tab, then expand EmpowerID Product Packages > EmpowerID > EmpowerID General > Workflows and Activities > Workflow Applications.
3. Locate the workflow from Step 1 (in our case, Edit Person). Double click on the workflow to open it in the Workflow Studio Toolbox.
NOTE: You can also search for the workflow by clicking the Search tab within the Solution Explorer pane and typing "EditPerson" without the quotes.
4. In the EmpowerID Workflow - Flow Chart screen that appears, locate the Approval Activity. The Approval Activity has a green box with a key and lock icon. Please note that the location of the Approval Activity will vary from workflow to workflow. In our case, the Approval Activity is called Edit Person operations - may go for approval.
5. Right click the Approval Activity and click Open/Edit Original Activity.
6. In the Activity Designer screen that appears, right click on Edit Person Multi-Operations and hover over the Edit Operation Executor flyout menu. This will show you a list of all of the operations associated with this Approval Activity.
7. Make note of the name of the operation you wish to delegate. For example, if you want to delegate the task of changing the Person Expiration date and changing the demographic information, make note of Person Expiration and Person Demographics.
8. Open the EmpowerID Management Console and open Configuration Manager.
9. Navigate to RBAC Definitions > Resource Role Definitions.
11. Click on the Add New button in the right hand pane.
12. In the Create Resource Type Role screen that appears, enter "Edit Person Delegation Test" without the quotes for the Name and Display Name fields. Click on the Resource Type drop-down and choose Person from the list. For the Description field, enter "Test Resource Role to show Edit Person Delegation" without the quotes. Click Submit when finished.
13. Search for "Edit Person Delegation Test" without the quotes using the search box on the right hand pane. Double click the Resource Role (or right click and choose Edit) to open it.
14. In the Resource Role Definition Details screen that appears, click on the Resource Role: Operations tab on the left hand side.
15. Search for "Edit Person Delegation Test" without the quotes using the search box on the right hand pane. Click on the Resource Role to select it. Click on the Unassigned tab across the bottom pane to bring up the unassigned operations list.
16. Using the Search box in the Unassigned tab, search for the name of the operations you wish to delegate from Step 7. For our example search for "Person Expiration" without the quotes. Right click the Edit Person Expiration operation and choose Assign.
17. Repeat this process for any other operations you wish to delegate. For our example, search for "Person Demographics" without the quotes. Right click the Edit Person Demographics operation and choose Assign.
18. To confirm the changes we have made, click on the Allowed tab across the bottom pane and then click the Refresh button.
19. We have now created a Resource Role named Edit Person Delegation Test. This Resource Role is a bundle of permissions that allows the Edit Person Demographics and Edit Person Expiration operations. However, we have not assigned the Resource Role to anyone (or anything) yet. To do this, click on the EmpowerID Configuration Manager breadcrumb at the top left to return to the Configuration Manager.
20. Navigate to RBAC Definitions > Management Roles.
21. Click the Search button next to the search box on the right hand pane. Double click the Management Role you wish to assign your delegation to. In our example we will be assigning the delegation to all users, so we will be opening the Self-Service User Management Role.
22. In the Management Role Details screen that appears, click on the Resource Role Assignments tab on the left hand side.
23. Click on the Add New button in the right hand pane.
24. In the Assign Resource Roles to Management Role screen that appears, click on the Assignment Type: drop-down and choose Person Relative Resource if you want to assign this based on the Person and their location or By Location (Advanced) if you want to give access against all EmpowerID Person objects within a specific Location and below. Click on the Which Resource Type: drop-down and choose Person from the list. Click on the Which Resource Role: drop-down and choose Edit Person Delegation Test from the list. Choose your desired delegation in the middle pane.
For Person Relative Resource this can be Self, Manager, Direct Reports or People In My Locations. This will allow anyone with the Self-Service User Management Role assigned (which is everyone) to Edit Person Demographics and Edit Person Expiration against themselves, their manager, their direct reports, or everyone in their Business Location and below, respectively.
For By Location (Advanced) this can be a Business Location and below of your choosing. This will allow anyone with the Self-Service User Management Role assigned (which is everyone) to Edit Person Demographics and Edit Person Expiration against anyone in the selected Business Location and below.
25. Click the Select button to send the assignment to the bottom pane for review. When satisfied, click Submit to commit the changes.
26. Please wait 10-15 minutes for Role-based Access Control permissions to compile, or force an RBAC Reconciliation if needed. Confirm that performing the task we have delegated no longer goes for approval when initiated by the delegated user.
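The reach of each assignment type in step 24 can be checked on paper before you click Submit. The following is an added example, not EmpowerID code: a simplified Python model that lists which actor/target pairs would skip approval under each scope when the Resource Role is assigned to a Management Role that everyone holds. The people, location paths and evaluation logic are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory; not EmpowerID's schema or RBAC engine.
@dataclass(frozen=True)
class Person:
    name: str
    location: str                  # path in a hypothetical location tree
    manager: Optional[str] = None

PEOPLE = {p.name: p for p in [
    Person("alice", "Default Organization/Sales"),
    Person("bob", "Default Organization/Sales/EMEA", manager="alice"),
    Person("carol", "Default Organization/IT", manager="alice"),
    Person("dave", "Contractors"),
]}

# Operations bundled into the "Edit Person Delegation Test" Resource Role.
RESOURCE_ROLE = {"Edit Person Expiration", "Edit Person Demographics"}

def in_or_below(location, root):
    return location == root or location.startswith(root + "/")

def in_scope(actor, target, assignment_type, scope):
    if assignment_type == "By Location (Advanced)":
        # Depends only on where the target sits, not on who the actor is.
        return in_or_below(target.location, scope)
    if scope == "Self":
        return actor.name == target.name
    if scope == "Manager":
        return actor.manager == target.name
    if scope == "Direct Reports":
        return target.manager == actor.name
    if scope == "People In My Locations":
        return in_or_below(target.location, actor.location)
    raise ValueError(f"unknown scope: {scope}")

def outcome(actor, target, operation, assignment_type, scope):
    """Return 'executes' if the operation is delegated, else 'goes for approval'."""
    a, t = PEOPLE[actor], PEOPLE[target]
    delegated = operation in RESOURCE_ROLE and in_scope(a, t, assignment_type, scope)
    return "executes" if delegated else "goes for approval"

def reach(assignment_type, scope, operation="Edit Person Expiration"):
    """Every (actor, target) pair that skips approval under this assignment."""
    return sorted((a, t) for a in PEOPLE for t in PEOPLE
                  if outcome(a, t, operation, assignment_type, scope) == "executes")
```

In this model `reach("Person Relative Resource", "Self")` pairs every person with themselves, so each role member could change their own expiration date without approval, and `reach("By Location (Advanced)", "Default Organization")` includes actors located outside that location.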
Please feel free to contact us by e-mail at support@empowerid.com or by phone at (877) 996-4276 (Option 2) if you have any questions or concerns regarding this guide.