The EmpowerID RBAC/ABAC model, which is resource-centric, not role-centric, allows organizations to focus on what they are protecting — resources and the actions that can be performed against those resources. In EmpowerID, these "resource actions" are blocks of code known as "EmpowerID Operations." Each EmpowerID Operation is a protected code object that when executed, performs a specific action against a specific resource object, such as adding a user to a group, creating a mailbox, or viewing a report. In order to perform resource actions, users must have the operations that allow them to do so. In order to facilitate this, EmpowerID bundles operations—as well as native system rights, where applicable—into Access Levels, which are then grouped together into Management Roles. You can think of Management Roles as collections of operational capabilities packaged together as job-based bundles for quick and easy bulk assignments of resources to users based on what they do in your organization. These assignments can be fine-tuned by user attributes, such as the time of day, IP addresses, device used, and more.
Access Levels and Management Roles can be assigned to any EmpowerID actor type, including individual people. However, to ease audits and recertifications, EmpowerID recommends assigning these to Business Roles and Locations or Query Based Collections. In this way, each person assigned to a target Business Role and Location or meeting the criteria of a Query Based Collection will receive the Access associated with those actors.