You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
In previous versions of EmpowerID, users could not see resources within their own organizations without an RBAC assignment. For example, a user could not look up information about users within their office until they were granted the Viewer Access Level for each of those users. This is no longer the case as RBAC control over the visibility of resources has been replaced by three types of policies:
Visibility Restriction policies,
Column Visibility Filter policies, and
Data Visibility Filter policies.
Visibility Restriction policies most resemble RBAC and are easy to implement. EmpowerID recommends using these policies in most cases.
Visibility restriction policies do not affect the EmpowerIDAdmin user.
Column Visibility Filters and Data Visibility Filters are SQL-based filters that you write against the EmpowerID Identity Warehouse to show and hide data at the column and attribute level. These offer flexibility and power, allowing you to show and hide data at the column and attribute level. However, as they are more difficult to implement, only use them when Visibility Restriction policies cannot cover your use case.
Each of these policy types are discussed in greater detail below.
Visibility Restriction Policies
You can create Visibility Restriction policies to limit the ability of people to view resources in EmpowerID. These policies are similar to RBAC delegations in that you can assign them to any EmpowerID Actor, such as a Management Role, group, Query-Based Collection (SetGroup), and so forth. Once the policy is assigned to an actor, any person belonging to that actor (e.g. members of the IT Manager Management Role) receives the policy.
For example, if your organization uses the services of contractors, you could create a Visibility Restriction policy that allows contractors to see only other contractors within the organization, and apply that policy to a group or Management Role designated for Contractors. Then, when a contractor who belongs to that group or role logs in, they will only be able to see other contractors.
For help in applying Visibility Restriction policies, see Creating Visibility Restriction Policies.
Visibility Filter Policies
Visibility Filter policies are SQL statements written against the EmpowerID Identity Warehouse that give you power and flexibility in determining which users can view what objects. They even allow you to specify the visibility of individual attributes, without concern for the complexities of location-based delegations. You can assign Visibility Filter policies to any EmpowerID Actor type, such as a Management Role, Business Role and Location, group, or Set Group, and to individual accounts and people.
Visibility Filter Policies come in two types, the Column Visibility Filter policy and the Data Visibility Filter policy.
Column Filter Policy
The Column Filter Policy is a SQL Select Clause written against an EmpowerID component or object type, such as an account. It specifies what attributes of the component someone with the policy can view.
For example, one of the Column Filter Policies included with EmpowerID is the "Sample AccountView removing visibility on email" policy. This policy hides the true value of each user account's Email attribute, replacing it with "N/A" so that assignees of the policy will see "N/A" as the Email address for any user accounts they view.
The following code snippet shows how to write the substitution for the email in the filter.
'N/A' AS Email, [TABLEALIAS].*
EmpowerID includes the following Column Filter Policy that you can use out of the box.
Column Filter Policy | EmpowerID Component | Purpose | Assignee Type |
|---|---|---|---|
Sample AccountView removing visibility on email | Account | Substitutes the actual value of the email attribute on an account with "N/A" for anyone assigned the filter. | Empty |
Data Filter Policy
The Data Filter Policy is a SQL Select Statement written against an EmpowerID component or object type, such as a Person, that places limits on the number of objects of that type that can be viewed by someone with the policy. For example, one of the sample Data Filter Policies included with EmpowerID is a Data Filter for the Person object that only allows a person to view people in or below their location. This means that if a person is located in Boston and has this filter through some type of assignment, the person only sees people in the Boston location (or locations below Boston).
EmpowerID includes the following Data Filter Policies that you can use out of the box.
Data Filter Policy | EmpowerID Component | Purpose | Assignee Type |
|---|---|---|---|
Anonymous user cannot see anyone | Person | Anonymous users cannot see anyone in EmpowerID | Person |
Sample filter for Account (see only accounts in or below my locations) | Account | Filters the accounts that can be viewed in EmpowerID to include only those in the assignee's location or below | Empty |
Sample filter for Account (see only own accounts) | Account | Assignees cannot view any accounts in EmpowerID beyond their own | Empty |
Sample filter for Business Roles (see only business roles in a list) | OrgRole | Filters the business roles that can be viewed in EmpowerID to include only those specified | Empty |
Sample filter for Computer (see only computers in or below my locations) | Computer | Filters the computers that can be viewed in EmpowerID to include only those in the assignee's location or below | Empty |
Sample filter for Groups (see only groups in a list) | Group | Filters the groups that can be viewed in EmpowerID to include only those specified | Empty |
Sample filter for Groups (see only groups in a specific OU) | Group | Filters the groups that can be viewed in EmpowerID to include only those in a specified OU | Empty |
Sample filter for Groups (see only groups in or below my locations) | Group | Filters the groups that can be viewed in EmpowerID to include only those in the assignee's location or below | Empty |
Sample filter for Groups (see only groups I belong to) | Group | Filters the groups that can be viewed in EmpowerID to include only those to which the assignee belongs | Empty |
Sample filter for Locations (see only locations below my locations) | Location | Filters the locations that can be viewed in EmpowerID to include only those below the assignee's locations | Empty |
Sample filter for Management Role (see only management roles in a list) | Management Role | Filters the management roles that can be viewed in EmpowerID to include only those specified | Empty |
Sample filter for Management Role (see only management roles in a location) | Management Role | Filters the management roles that can be viewed in EmpowerID to include only those in the location specified | Empty |
Sample filter for Management Role (see only management roles in or below my locations) | Management Role | Filters the management roles that can be viewed in EmpowerID to include only those in or below the assignee's locations | Empty |
Sample filter for Management Role Definition (see only management role definitions in a list) | Management Role Definition | Filters the management role definitions that can be viewed in EmpowerID to include only those specified | Empty |
Sample filter for Person (see only self) | Person | Assignees cannot view anyone in EmpowerID beyond their own person | Empty |