Groups and Membership

One of the most crucial entitlements that EmpowerID manages is group membership. In most applications and directories, groups or user collections are the primary methods of granting permissions to user accounts. EmpowerID has been providing powerful group management and self-service features since its inception. To achieve this, EmpowerID normalizes any collection of users in an external Account Store into the same set of tables and components for groups and their members. Unlike other systems, EmpowerID does not segregate groups by system types or group types into different tables or components. This allows EmpowerID to offer a consistent set of functionalities for all currently connected system types and any future ones. All user interfaces, workflows, and APIs are designed to work for all groups in all systems, ensuring a seamless experience for users.

EmpowerID inventories all groups from connected Account Stores into the Group table on a default 10-minute interval. This process detects any new groups as well as any deleted groups. EmpowerID also retrieves the membership of each group and stores this information in the GroupAccount table. Any changes made to the membership are logged in the GroupAccountHistory table for reporting purposes. For systems that support the nesting of groups, EmpowerID stores this information on the GroupMemberGroup table.

Some systems, such as Microsoft Azure AD and Teams, allow user accounts to be assigned as Owners of a group within the Account Store. EmpowerID inventories this information into the GroupOwnerAccount table and records any changes to it in the GroupOwnerAccountHistory table. This ensures that group owners have accurate and up-to-date information to manage their groups effectively.
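The following is an added illustration, not EmpowerID code, of how the inventory cycle described above can be modelled: a connector snapshot is diffed against the stored Group and GroupAccount data, every membership add or remove is written to GroupAccountHistory, and nesting recorded in GroupMemberGroup is flattened into effective membership. Table names come from the page; the column shapes, the `inventory` and `effective_members` methods and the sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class GroupStore:
    """Normalized group tables named after the ones described on the page.
    Column shapes are assumed for illustration; they are not EmpowerID's schema."""
    groups: set[str] = field(default_factory=set)                                # Group
    group_account: dict[str, set[str]] = field(default_factory=dict)             # GroupAccount
    group_member_group: dict[str, set[str]] = field(default_factory=dict)        # GroupMemberGroup
    group_account_history: list[tuple[str, str, str]] = field(default_factory=list)  # GroupAccountHistory

    def inventory(self, snapshot: dict[str, set[str]], nested: dict[str, set[str]]) -> dict:
        """One inventory pass: diff what the connector reports against what is stored.
        Returns group-level deltas; membership deltas are appended to the history table."""
        seen_groups = set(snapshot)
        new_groups = seen_groups - self.groups
        deleted_groups = self.groups - seen_groups
        for gid in seen_groups | self.groups:
            old = self.group_account.get(gid, set())
            new = snapshot.get(gid, set())
            # Every add/remove becomes a history row so membership changes stay reportable,
            # including members of a group that disappeared from the Account Store.
            self.group_account_history += [(gid, a, "Added") for a in sorted(new - old)]
            self.group_account_history += [(gid, a, "Removed") for a in sorted(old - new)]
        self.groups = set(seen_groups)
        self.group_account = {g: set(m) for g, m in snapshot.items()}
        self.group_member_group = {g: set(m) for g, m in nested.items()}
        return {"new": new_groups, "deleted": deleted_groups}

    def effective_members(self, gid: str) -> set[str]:
        """Flatten nesting from GroupMemberGroup; the visited set guards against cycles."""
        members, seen, stack = set(), set(), [gid]
        while stack:
            g = stack.pop()
            if g in seen:
                continue
            seen.add(g)
            members |= self.group_account.get(g, set())
            stack.extend(self.group_member_group.get(g, set()))
        return members


def demo() -> GroupStore:
    """Two constructed inventory cycles: a member added, one removed, a group deleted, one nested."""
    store = GroupStore()
    store.inventory({"admins": {"alice"}, "staff": {"bob", "carol"}, "temp": {"dave"}},
                    {"staff": {"admins"}})
    store.inventory({"admins": {"alice", "erin"}, "staff": {"bob"}},
                    {"staff": {"admins"}})
    return store
```

After the second cycle the history holds seven rows, and `effective_members("staff")` includes the nested admins, which is the view a reviewer needs when checking who really holds the group's permissions.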

Data Model for Groups and Related Components

As an all-in-one solution for managing groups across different systems, EmpowerID offers a range of capabilities, including reporting, change-tracking, and workflows for managing group membership and access requests. These workflows are designed to work seamlessly with all Account Store connectors that support group functionality, providing a unified user experience.

EmpowerID's workflows operate on the Group and GroupAccount API objects, which enable live changes based on the connector implementation of the Account Store Identity entry for that Security Boundary Type. The same connector code is used for both interactive workflows and background processes and jobs that enforce policy-based access. This ensures that your group management is streamlined and effective, no matter what type of access control you're dealing with.


https://youtu.be/7OKc81_V7FU