Identity Administration Overview
Before implementing Identity Administration, administrators should understand how EmpowerID's security model simplifies resource management and enforces security policies across multiple systems. This overview introduces the core concepts and components of Identity Administration.
EmpowerID provides a centralized framework for managing identity-related objects, such as user accounts, person objects, groups, shared folders, and computers. Administrators and authorized users can interact with these resources through a secure web interface and workflows, eliminating the need to delegate native permissions in external systems. This approach ensures consistency, improves administrative efficiency, and enables comprehensive auditing of all activities.
At the heart of EmpowerID's framework is a hybrid security model that integrates Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC). This model governs which objects users can access and defines the specific actions they are allowed to perform, combining static roles with dynamic, policy-driven permissions.
Security Model Overview
EmpowerID’s hybrid security model combines complementary approaches to enforce precise, context-aware access control:
Role-Based Access Control (RBAC)
RBAC assigns permissions based on predefined roles, offering a predictable and structured system for managing access. This approach ensures that users gain access appropriate to their organizational responsibilities.
Attribute-Based Access Control (ABAC)
ABAC enhances RBAC by applying access rules based on user attributes, such as department, location, or employment status. These attributes make access control policies more adaptable to real-world scenarios.
Policy-Based Access Control (PBAC)
PBAC introduces further flexibility by enforcing policies that align with organizational rules and specific conditions. This approach enables EmpowerID to handle complex scenarios like time-based access or multi-step approval requirements.
Together, these mechanisms provide comprehensive coverage, ensuring that access decisions are consistent and responsive to contextual changes.
Unified Management Across Systems
EmpowerID allows organizations to manage resources within their environment and in external systems, such as:
Azure AD user accounts
SAP roles
File shares
Shared folders
Groups and Person objects
By centralizing these management tasks, EmpowerID eliminates the need to delegate native permissions directly within external systems. Instead, its unified security model governs access and actions, automating workflows for approval routing and task generation as needed. Comprehensive logging ensures all actions are traceable, supporting compliance and auditing efforts.
Understanding the RBAC Framework
EmpowerID’s RBAC framework is structured into three tiers, offering scalability and precision:
Access Levels
Access Levels define specific actions users can perform, such as creating, modifying, or deleting objects. These actions map directly to native permissions in managed systems, serving as the foundation for permission assignments.
RBAC Actors
RBAC Actors include Business Roles and Locations, Management Roles, and query-based collections. These entities group users and apply Access Levels to define their permissions logically and consistently.
Rights
Rights represent enforceable permissions within external systems, such as NTFS permissions for file shares or ACLs for mailboxes. EmpowerID translates Access Level assignments into Rights, ensuring they are periodically synchronized with external systems to maintain alignment.
Extending Functionality with Operations
Operations in EmpowerID are discrete, protected tasks executed within workflows or via APIs to manage resources securely. These operations also allow applications to query permissions dynamically, ensuring access decisions reflect current policies and conditions.
Next Steps
To manage user accounts, person objects, groups, and related resources effectively, consider exploring the following areas:
User Administration
Group Administration
Computer Administration
Mailbox Administration
Shared Folder Administration
These resources will help administrators implement and maintain an effective Identity Administration strategy within EmpowerID.