Resources and Resource Systems

As we discussed previously, one of EmpowerID’s primary use cases is to present an accurate picture of the security within each IT system in an organization's on-premise and Cloud landscape. In addition to viewing and auditing this information, EmpowerID is used for Entitlement Management. Entitlement Management is defined as ”Cataloging and managing all the accesses an account may have. This is the business process to provision access.”¹

To perform these capabilities, EmpowerID periodically inventories “Protected Resources”¹ from the systems a customer desires to manage. The process of synchronizing accounts and supporting data to the Identity Warehouse of an IAM system is often referred to as “Reconciliation” but is more commonly referred to as “inventory” in EmpowerID terminology.

Protected Resources are defined as “A system, a process, a service, an information object, or even a physical location that is subject to access control as defined by the owner of the resource and by other stakeholders, such as a business process owner or Risk manager.” EmpowerID is capable of inventorying and managing a wide variety of different types of protected resources. To configure which systems you wish to inventory and manage, on what schedule, and keep track of in which system a protected resource exists, EmpowerID maintains a table named “ResourceSystems”. The Resource System Type is the definition of the connector for inventorying data from an external system. This differs from Security Boundary Types, which contains the connector definition for Create, Update, Delete, and the attribute schema of the native objects directly managed in an external system.

EmpowerID itself contains protected resources for its pages, roles, APIs, etc., which are assigned as being in the EmpowerID Resource System. Each system that contains protected resources you wish to manage must be registered as a Resource System in the EmpowerID Identity Warehouse and is assigned a unique ResourceSystemID and ResourceSystemGUID.

The protected resources themselves can be a wide variety of different types of objects ranging from accounts, groups, and computers to Azure subscriptions, SharePoint Online Site Collections, and many other types. Each of these protected resources is inserted as a record into the Resource table in the Identity Warehouse and assigned a unique value for its ResourceID and ResourceGUID. The ResourceGUID is most often the actual unique identifier of the object in its external system if available in GUID format. From now on, we’ll refer to protected resources simply as resources to align with EmpowerID component terminology. Also, important to note is that each resource record is assigned a ResourceTypeID, which defines the type of resource or object. EmpowerID maintains a ResourceType record to define the types of protected resources it can manage and secure. The Resource Type of a resource becomes important later when discussing the inventory of permissions for resources and managing who has what level of access to view and manage these resources using EmpowerID.

One question some of you might be asking yourself is, “how does EmpowerID store any useful data about such a wide variety of different types of resources in a single Resource table.” The answer is that it doesn’t. As we mentioned in a previous module, the Identity Warehouse contains over 1,200 tables. A table exists for each resource type to hold valuable information about that type of resource. Entries in these tables will always have a pointer back to the ResourceID and ResourceGUID of their resource record. Having a unique table per resource type allows a richer user experience when viewing the information about these resources and managing them.

¹ Source: Bago (Editor) E. & Glazer I., (2021) “Introduction to Identity - Part 1: Admin-time (v2)”, IDPro Body of Knowledge 1(5).