You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
What is an Organization?
In EmpowerID, the concept of an Organization refers to a top-level parent location within the Business Location structure, which can represent a business unit, geographical region, or functional grouping within a company's organizational hierarchy. Organizations serve as logical aggregation points in a location hierarchy, connecting lower-level locations together in a unified sub-tree.
Objects assigned to these lower-level child locations are considered to be part of the higher-level organization, allowing for efficient management through organization-based delegation. These organization locations are designated as "Organization – Security Container" location types during location configuration.
Here are a few examples of organization nodes within a business location structure. In these examples, we can see how organization locations within EmpowerID can represent various aspects of a business, such as business units, geographic regions, and long-running enterprise projects.
Organization Example 1: Business Units
In this scenario, the Finance Division and Sales Division are configured as organization locations representing business units. Each of these higher-level business units includes department locations under them, which are considered part of the organization. Furthermore, any objects assigned to these child locations, such as people, groups, or accounts, are also considered to belong to the organization.
Organization Example 2: Geographic Regions
In this case, Europe and North America are configured as organization locations representing geographic regions. Each of these higher-level regions includes country and city locations beneath them, which are considered part of the organization. Additionally, any objects assigned to these child locations, such as people, groups, or accounts, are also considered to belong to the regional organization.
Organization Example 3: Long-Running Enterprise Projects
In this example, the Messaging Migration and Infrastructure Upgrade projects are configured as organization locations representing long-running enterprise projects. Each of these projects includes project teams beneath them, which are considered part of the project organization. Moreover, any objects assigned to these child locations, such as people, groups, or accounts, are also considered to belong to the organization.
How can Organizations be used for Delegation?
Organizations in EmpowerID can be utilized for delegation, allowing permissions or visibility for objects within a person's organization. For example, “People in Organizations I belong to” and “Security Groups in Organizations I Belong to” will include all people and security groups assigned to locations below the organization location common to where the person is located. In order to determine what organization(s) a person belongs to, the EmpowerID RBAC engine will find the location that a person is assigned to and begin evaluating the location tree up from that point until it finds a location that is designated as an organization type of location. The following illustrates this process:
A person is assigned to a specific location (e.g., the Health location).
The RBAC engine moves up the location tree to determine if the parent location (e.g., Internal Sales) is an organization.
If the parent location is not an organization, the RBAC engine continues moving up the tree until it finds a location designated as an organization type (e.g., Sales Division).
Once the RBAC engine identifies an organization, it determines that the person belongs to that organization and assigns the appropriate delegation to the objects in all locations below the organization location.
However, caution should be taken when configuring delegations by organization, as incorrect configurations can lead to unintended delegations. If the RBAC engine cannot find an organization location, it will continue moving up the tree until it encounters an organization, potentially granting more permissions than intended.
To fix such issues, administrators should ensure that the correct location is configured as an "Organization – Security Container." Once this configuration is updated, the RBAC engine will properly evaluate the person's organization assignment during its next evaluation.
About Business Roles and Locations
Map EmpowerID Locations to External Locations
Create Business Role and Location Combinations
Assign Access Levels to Business Role and Location Combinations
Assign Management Roles to Business Role and Location Combinations
Map Groups to Business Role and Location Combinations
Add People to Business Role and Location Combinations
View Members of Business Role and Location Combinations