Defining and maintaining compliant access for a large organization can be a daunting task. Some types of applications and use cases are better suited to a more structured role-based approach, whereas others require real-time contextual decisions. Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC) are three approaches to managing authorization policies. While each has its strengths (and weaknesses), no one single method can cover all the necessary aspects of access control. That's why EmpowerID employs a hybrid access control model that supports RBAC relational modeling as the structure for defining an organization and its overall policies, while leveraging the flexibility and real-time contextual nature of ABAC and PBAC to offer the best comprehensive solution.

This hybrid approach allows organizations to focus on what they are protecting — resources and the actions that can be performed against them. In EmpowerID, these "resource actions" are blocks of code known as "EmpowerID Operations." Each EmpowerID Operation is a protected code object that when executed, performs a specific action against a specific resource object, such as adding a user to a group, creating a mailbox, or viewing a report. In order to perform resource actions, users must have the operations that allow them to do so. In order to facilitate this, EmpowerID bundles operations—as well as native system rights, where applicable—into Access Levels, which are then grouped together into Management Roles. You can think of Management Roles as collections of operational capabilities packaged together as job-based bundles for quick and easy bulk assignments of resources to users based on what they do in your organization. These assignments can be fine-tuned by user attributes, such as the time of day, IP addresses, device used, and more.