Business Role and Location Assignments

RBAC Mapping in EmpowerID

Role-Based Access Control (RBAC) Mapping forms a fundamental part of EmpowerID's capacity to automate the assignment and management of an individual's Business Roles and Locations. This system inventories role and location hierarchies from various external systems, such as Human Resources databases, Software as a Service (SaaS) applications, Active Directory (AD), or Lightweight Directory Access Protocol (LDAP) directories, aiding in the automation process.

These external systems carry actual structures pertaining to roles and locations. However, if these structures are not present, a framework for roles and locations can be constructed using connector logic based on user attributes, including title, department, and country. These "external roles" and "external locations," along with the assignment of user accounts to these locations, are inventoried into the EmpowerID data model, as shown in the data model diagram below.



Business Role and Location Mappings

Business Role and Location mappings serve an essential purpose: they facilitate mapping existing physical directory structures to logical business roles and locations within the EmpowerID platform. This process is essential for managing an organization's identities and access control effectively. For example, multiple AD or LDAP directory OU containers for "London" can be visually mapped to a single virtual "London" Location for unified management and delegation of policies.

A key feature of the Identity Lifecycle is the initial and continuous assignment of the appropriate EmpowerID Business Role and Location combinations. These assignments can be driven from an authoritative source such as HR through the RBAC mappings.

The recalculation and maintenance of Business Role and Location assignments based on authoritative system data is handled by the Business Role and Location Recompiler Job. This job retrieves the external roles and locations associated with user accounts, along with the mappings of those external roles and locations to EmpowerID Business Roles and Locations, and compares them to compute a Person's appropriate current Business Role and Location assignments and any adjustments that should be made. Adjustments are handled by the Business Role and Location Processor job, which reads the proposed changes from a queue and implements them.
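
The recompile-then-process flow described above, modeled as a simplified added example (not EmpowerID code or its API). The mapping tables, account tuples, and the names `recompile` and `process` are assumptions made for illustration, as is the premise that each account carries one external role and one external location.

```python
from collections import deque

# Constructed mappings: (source system, external name) -> EmpowerID-side name.
ROLE_MAP = {
    ("AD", "CN=Sales"): "Sales Representative",
    ("LDAP", "cn=sales"): "Sales Representative",
    ("HR", "Temp"): "Contractor",
}
LOCATION_MAP = {
    ("AD", "OU=London,OU=UK,DC=corp"): "London",   # two physical containers...
    ("LDAP", "ou=london,o=emea"): "London",        # ...one logical Location
    ("HR", "NYC"): "New York",
}

def recompile(person, accounts, current):
    """Compare mapped external data with current assignments; return proposed changes."""
    desired = set()
    for system, ext_role, ext_location in accounts:
        role = ROLE_MAP.get((system, ext_role))
        location = LOCATION_MAP.get((system, ext_location))
        if role and location:  # unmapped external data grants nothing
            desired.add((role, location))
    adds = [("add", person, a) for a in sorted(desired - current)]
    removes = [("remove", person, a) for a in sorted(current - desired)]
    return adds + removes

def process(queue, assignments):
    """Drain the queue and apply each proposed change to the assignment store."""
    while queue:
        action, person, assignment = queue.popleft()
        held = assignments.setdefault(person, set())
        if action == "add":
            held.add(assignment)
        else:
            held.discard(assignment)
    return assignments

def demo():
    # Constructed sample: two directory accounts that both map to London,
    # and a stale assignment no longer backed by any external data.
    accounts = [
        ("AD", "CN=Sales", "OU=London,OU=UK,DC=corp"),
        ("LDAP", "cn=sales", "ou=london,o=emea"),
    ]
    assignments = {"jdoe": {("Contractor", "New York")}}
    queue = deque(recompile("jdoe", accounts, assignments["jdoe"]))
    return process(queue, assignments)
```

The removal branch is the part worth auditing in any such job: an assignment that the authoritative source no longer supports is queued for removal, so access does not outlive the data that justified it.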