You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Identity Administration Overview

Before implementing Identity Administration, administrators should understand how EmpowerID's security model simplifies resource management and enforces security policies across multiple systems. This overview introduces the core concepts and components of Identity Administration.

EmpowerID provides a centralized framework for managing identity-related objects, such as user accounts, person objects, groups, shared folders, and computers. Administrators and authorized users can interact with these resources through a secure web interface and workflows, eliminating the need to delegate native permissions in external systems. This approach ensures consistency, improves administrative efficiency, and enables comprehensive auditing of all activities.

At the heart of EmpowerID's framework is a hybrid security model that integrates Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC). This model governs which objects users can access and defines the specific actions they can perform, combining static roles with dynamic, policy-driven permissions.

Security Model Overview

EmpowerID’s hybrid security model combines complementary approaches to enforce precise, context-aware access control:

Role-Based Access Control (RBAC)

RBAC assigns permissions based on predefined roles, offering a predictable and structured system for managing access. This approach ensures that users gain access that is appropriate to their organizational responsibilities.

Attribute-Based Access Control (ABAC)

ABAC enhances RBAC by applying access rules based on user attributes like department, location, or employment status. These attributes make access control policies more adaptable to real-world scenarios.

Policy-Based Access Control (PBAC)

PBAC introduces further flexibility by enforcing policies that align with organizational rules and specific conditions. This approach enables EmpowerID to handle complex scenarios like time-based access or multi-step approval requirements.

Together, these mechanisms provide comprehensive coverage, ensuring that access decisions are consistent and responsive to contextual changes.
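The three tiers described above can be read as a single decision pipeline: a role must grant the action (RBAC), the subject's attributes must satisfy the attribute rules (ABAC), and organisational policies such as a business-hours window or an approval requirement decide the final outcome (PBAC). The following is an added illustrative model written for this page, not EmpowerID's implementation; the roles, attributes, policies and sample subjects are constructed assumptions, and the tier order is one reasonable way to combine the mechanisms, not the product's documented evaluation order.

```python
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, Tuple

# Hypothetical model of a hybrid RBAC / ABAC / PBAC decision.
# Constructed for illustration only; it is not EmpowerID code.


@dataclass(frozen=True)
class Subject:
    name: str
    roles: FrozenSet[str]       # RBAC: static role memberships
    attributes: Dict[str, str]  # ABAC: department, employment_status, ...


@dataclass(frozen=True)
class Request:
    subject: Subject
    action: str                 # e.g. "reset_password", "modify"
    resource_type: str          # e.g. "user_account", "person"
    local_time: time            # PBAC: time-of-day context


# RBAC tier: the (action, resource type) pairs each role grants (constructed).
ROLE_PERMISSIONS = {
    "HelpDesk": frozenset({("reset_password", "user_account")}),
    "HRAdmin": frozenset({("create", "person"), ("modify", "person")}),
}

# PBAC tier: organisational policies expressed as named rules (constructed).
BUSINESS_HOURS = (time(8, 0), time(18, 0))
APPROVAL_REQUIRED = frozenset({("create", "person")})


def rbac_check(req: Request) -> bool:
    """A role the subject holds must grant the requested action."""
    return any((req.action, req.resource_type) in ROLE_PERMISSIONS.get(role, frozenset())
               for role in req.subject.roles)


def abac_check(req: Request) -> Tuple[bool, str]:
    """Attribute rules narrow what a role grant actually covers."""
    attrs = req.subject.attributes
    if attrs.get("employment_status") != "active":
        return False, "subject is not an active employee"
    if req.resource_type == "person" and attrs.get("department") != "HR":
        return False, "person objects are managed only from the HR department"
    return True, ""


def pbac_check(req: Request) -> Tuple[str, str]:
    """Policy rules add context: time windows and approval routing."""
    start, end = BUSINESS_HOURS
    if not (start <= req.local_time <= end):
        return "deny", "request outside business hours"
    if (req.action, req.resource_type) in APPROVAL_REQUIRED:
        return "approval_required", "action routed to an approver"
    return "allow", ""


def evaluate(req: Request) -> Tuple[str, str]:
    """Combine the tiers: RBAC and ABAC must both pass, then PBAC decides."""
    if not rbac_check(req):
        return "deny", "no role grants this action"
    ok, reason = abac_check(req)
    if not ok:
        return "deny", reason
    return pbac_check(req)


# Constructed sample subjects and requests.
helpdesk = Subject("hd.agent", frozenset({"HelpDesk"}),
                   {"department": "IT", "employment_status": "active"})
hr_admin = Subject("hr.admin", frozenset({"HRAdmin"}),
                   {"department": "HR", "employment_status": "active"})
former_hr = Subject("ex.hr", frozenset({"HRAdmin"}),
                    {"department": "HR", "employment_status": "terminated"})

SAMPLES = {
    "helpdesk_reset": Request(helpdesk, "reset_password", "user_account", time(10, 0)),
    "helpdesk_person": Request(helpdesk, "modify", "person", time(10, 0)),
    "hr_create": Request(hr_admin, "create", "person", time(10, 0)),
    "hr_after_hours": Request(hr_admin, "modify", "person", time(22, 0)),
    "former_hr": Request(former_hr, "modify", "person", time(10, 0)),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name}: {evaluate(req)}")
```

The point of the ordering is that a role grant is necessary but never sufficient: the terminated HR administrator still holds the HRAdmin role, yet the attribute check denies the request, and the active administrator's create request is neither allowed nor denied outright but routed for approval. Each decision carries a reason string so the outcome can be logged and audited.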

Unified Management Across Systems

EmpowerID allows organizations to manage resources within their environment and in external systems, such as:

  • Azure AD user accounts

  • SAP roles

  • File shares

  • Shared folders

  • Groups and Person objects

By centralizing these management tasks, EmpowerID eliminates the need to delegate native permissions directly within external systems. Instead, its unified security model governs access and actions, automating workflows for approval routing and task generation as needed. Comprehensive logging ensures all actions are traceable, supporting compliance and auditing efforts.

Understanding the RBAC Framework

EmpowerID’s RBAC framework is structured into three tiers, offering scalability and precision:

Access Levels

Access Levels define specific actions users can perform, such as creating, modifying, or deleting objects. These actions map directly to native permissions in managed systems, serving as the foundation for permission assignments.

RBAC Actors

RBAC Actors include Business Roles and Locations, Management Roles, and query-based collections. These entities group users and apply Access Levels to define their permissions logically and consistently.

Rights

Rights represent the enforceable permissions within external systems, such as NTFS permissions on file shares or ACLs on mailboxes. EmpowerID translates Access Level assignments into Rights and periodically synchronizes them with the external systems, so that the native permissions stay aligned with the assignments made in EmpowerID.

Extending Functionality with Operations

Operations in EmpowerID are discrete, protected tasks executed within workflows or via APIs to manage resources securely. These operations also allow applications to query permissions dynamically, ensuring access decisions reflect current policies and conditions.

Next Steps

To manage user accounts, person objects, groups, and related resources effectively, consider exploring the following areas:

User Administration

App Role / Group Administration

Computer Administration

Mailbox Administration

Shared Folder Administration

Partner Access

Responsible Parties