Organizations

The concept of an Organization, within the Business Location structure of EmpowerID, refers to a high-level parent location such as a business unit, geographic region, or operational collection point within the organizational structure of an enterprise. Organizations provide logical aggregation points within a location hierarchy to group lower-level locations together in a common sub-tree. Any objects that are assigned to the lower-level child locations are considered to belong to the upper-level organization and can be managed together through organization-based delegation. These organization locations are simply business locations that have been assigned the location type of “Organization – Security Container” in the configuration of the location. Below are some examples of organization nodes in a business location structure.

Organization Example 1

In this example, the Finance Division and the Sales Division have been configured as organization locations that represent business units. Each of these upper-level business units has department locations under it, which are considered to belong to the organization. In addition, any objects, such as people, groups, accounts, etc., which are assigned to these child locations are also considered to belong to the organization.

Organization Example 2

In this example, Europe and North America have been configured as Organization locations that represent geographic regions. Each of these upper-level regions has country and city locations under it, which are considered to belong to the organization. In addition, any objects, such as people, groups, accounts, etc., which are assigned to these child locations are also considered to belong to the regional organization.

Organization Example 3

In this example, the Messaging Migration and Infrastructure Upgrade projects have been configured as Organization locations that represent long-running enterprise projects. Each of these projects has project teams under it, which are considered to belong to the project organization. In addition, any objects, such as people, groups, accounts, etc., which are assigned to these child locations are also considered to belong to the organization.

How can Organizations be used for Delegation?

EmpowerID provides the ability to delegate permissions or visibility for objects within a person’s organization. For example, “People in Organizations I belong to” and “Security Groups in Organizations I Belong to” will include all people and security groups assigned to locations below the organization location that contains the location where the person is located. To determine what organization(s) a person belongs to, the EmpowerID RBAC engine finds the location that the person is assigned to and evaluates the location tree upward from that point until it finds a location designated as an organization type of location. The following image illustrates this process:

  1. A person is assigned to the Health location.

  2. The RBAC engine moves up the tree to see if Internal Sales location is an organization.

  3. Since the Internal Sales location is not an organization, it continues up to the next level to see if the Sales Division is an organization.

  4. Since the Sales Division is an organization, the RBAC engine determines that the person belongs to the Sales Division and then assigns the appropriate delegation to the objects in all locations below the Sales Division location.

Caution should be observed when configuring delegations by organization, since wrongly configuring a single location can cause unintended delegations, such as those described below.

  1. A person is assigned to the Health location.

  2. The RBAC engine moves up the tree to see if the Internal Sales location is an organization.

  3. Since the Internal Sales location is not an organization, it continues up to the next level to see if the Sales Division is an organization.

  4. Since the Sales Division was not configured correctly and is not an organization, it continues up to the next level to see if the Delegation Scopes location is an organization.

  5. Since the Delegation Scopes location is not an organization, it continues up to the next level to see if the RB Organization location is an organization.

  6. Since the RB Organization is an organization type location, and is the first organization location that was encountered, the RBAC engine determines that the person belongs to the RB Organization and then assigns the appropriate delegation to the objects in all locations below the RB Organization location, which grants permissions to many more objects than the administrator intended.

To correct this situation, the administrator only needs to edit the configuration of the Sales Division location and change its type to “Organization – Security Container”. The next time the RBAC engine evaluates the organization assignment, it will correctly resolve the person’s organization to the Sales Division.