Role and Location Mapping

Within EmpowerID, Role and Location Mapping refers to the association of external roles and locations, which come from external authoritative sources, with the internal RBAC Business Roles and Locations that are used to determine identity provisioning and access assignments. As accounts are received from an authoritative source such as an HR system, they are associated with an external role and location assignment based on the attributes and data of the external system. As these accounts are joined to a person identity, the external role and location are translated to an RBAC Business Role and Location based on the mapping between the external and internal assignments. The image below depicts this concept. In the image, the source directory contains an employee record, a job code, and a location code. With role and location mappings, the job code can be mapped to an EmpowerID Business Role and the location code can be mapped to an EmpowerID Location. This internal role and location are then assigned to the person object that is joined to the account.

External roles and locations are most commonly identified through the connector mappings of organizational information. However, if an external system does not have a clear representation of an organizational structure that is suitable for creating the external roles and locations, a dynamic hierarchy policy can be created that automatically combines up to 3 attributes to create the external roles and 3 attributes to create the external locations. These dynamic hierarchy policies can be easily created in the EmpowerID Web UI.

Mapping between job and location codes in an HR system to EmpowerID Business Roles and Locations

Key Terms to know

• RBAC Mapping – the ability to inventory role and location hierarchies from external systems and use the assignment of users to these hierarchies to automate and drive Business Role and Location assignments in EmpowerID

• ExternalOrgRole – job codes or roles inventoried from a connected system

• ExternalOrgZone – organizational structure inventoried from a connected system

• AccountExternalOrgRoleExternalOrgZone – assignments of users or HR records to roles and locations in a connected system

• OrgRoleExternalOrgRole – mapping of EmpowerID Business Role to external system roles

• OrgZoneExternalOrgZone – mapping of EmpowerID Business Location to external system locations

Data model showing the relationship between external roles and locations, EmpowerID roles and locations, inventoried accounts, and EmpowerID Person objects.
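
The translation described above, as an added conceptual example that is not EmpowerID code or its schema: the dictionary names borrow the key terms, while the fields, the `resolve` function, and every code and name in the sample data are constructed assumptions. It resolves each joined account to an internal role and location and reports unmapped external codes as gaps to review, since a missing mapping leaves nothing to base an access assignment on.

```python
# Conceptual model only: names borrow the page's key terms, but the fields and
# all sample values are constructed and do not reflect EmpowerID's schema.

# OrgRoleExternalOrgRole: external job code -> Business Role
ORG_ROLE_EXTERNAL_ORG_ROLE = {"JC-1001": "Accountant", "JC-2040": "Help Desk Technician"}
# OrgZoneExternalOrgZone: external location code -> Business Location
ORG_ZONE_EXTERNAL_ORG_ZONE = {"LOC-NYC": "New York", "LOC-LON": "London"}

# AccountExternalOrgRoleExternalOrgZone: (account, external role, external location)
ACCOUNT_ASSIGNMENTS = [
    ("hr:10001", "JC-1001", "LOC-NYC"),
    ("hr:10002", "JC-2040", "LOC-BER"),  # location code has no mapping
    ("hr:10003", "JC-9999", "LOC-LON"),  # job code has no mapping
]

# Account-to-person join (constructed)
ACCOUNT_PERSON = {"hr:10001": "person-1", "hr:10002": "person-2", "hr:10003": "person-3"}


def resolve(assignments, role_map, zone_map, joins):
    """Translate each joined account's external role/location to internal ones.

    Returns (resolved, gaps). An assignment is resolved only when both halves
    map; everything else is listed as a gap for review rather than guessed.
    """
    resolved, gaps = {}, []
    for account, ext_role, ext_zone in assignments:
        person = joins.get(account)
        if person is None:
            gaps.append((account, "account not joined to a person"))
            continue
        role = role_map.get(ext_role)
        zone = zone_map.get(ext_zone)
        if role is None:
            gaps.append((account, f"unmapped external role {ext_role}"))
        if zone is None:
            gaps.append((account, f"unmapped external location {ext_zone}"))
        if role is not None and zone is not None:
            resolved[person] = (role, zone)
    return resolved, gaps


if __name__ == "__main__":
    done, todo = resolve(ACCOUNT_ASSIGNMENTS, ORG_ROLE_EXTERNAL_ORG_ROLE,
                         ORG_ZONE_EXTERNAL_ORG_ZONE, ACCOUNT_PERSON)
    for person, (role, zone) in done.items():
        print(f"{person}: {role} in {zone}")
    for account, reason in todo:
        print(f"REVIEW {account}: {reason}")
```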