Overview of Partner Delegations

Owned by Phillip Hanegan
Feb 29, 2024
4 min read

In the context of multi-partner enterprises, EmpowerID offers a sophisticated delegation model to manage IT resources effectively. This model involves creating distinct "Organization" locations for partners, assigning specific Management Roles, and leveraging Business Role and Location assignments. This system ensures partners can manage their domain independently without accessing or being aware of each other's resources or internal organizational infrastructure.

EmpowerID allows organizations to manage partner interactions effectively within their IT infrastructure. This is achieved through the creation of specialized EmpowerID locations known as "Organization" locations, which, in conjunction with specific Management and Business Roles, enable partners to manage their allocated IT resources independently.

Partner Management Roles

EmpowerID provides two key Management Roles for partners:

  1. Partner Admin Management Role: This role grants administrative capabilities, allowing the assignee to manage people and resources within their partner locations.

  2. Partner User Management Role: This role is focused on basic actions like searching for people, requesting resources, and initiating workflows.

Both roles are designed with specific Access Levels to suit the partner's needs, ensuring they can manage their domain effectively without access to the internal resources of the hosting organization.

For information on the specific access associated with each of these roles, please see

Organization Locations

Organization locations in EmpowerID are unique in their functionality. They are set apart from other locations due to their specific Access Levels, such as "People In My Organizations," which are effective only within the assigned Organization locations. The RBAC compiler in EmpowerID plays a crucial role here, determining the relative access based on the Organization tree hierarchy.

When people are assigned to an Organization location via a Business Role and Location assignment, the RBAC compiler determines their relative access and limits them as actors to those resources in their Organization location and any Organization locations below theirs in the Organization tree. They cannot act on resources above their location (see the below image and discussion). This limitation, however, does not apply to people as resources. As resources, people belong to all Organization locations in the tree, including the parent. This allows people in top-level Organization locations to act on those below them.

Visually, this can be represented as follows:

In the image, the triangle represents the partner organization in its entirety. Within the organization, there is a top-level parent Organization location and a person belonging to that location with the "User Admin" Business Role (depicted by the figure outlined in green). As this person belongs to the root location, the RBAC compilation of "People in her Organizations" includes the people in the root as well as all the people in the locations below the root. Thus, they can manage all users in the partner organization (represented by the green arrows).

In addition to the User Admin at the root or top-level Organization location, there is a person with the User Admin Business Role (depicted by the figure outlined in blue) at a sub-organization location. As this person belongs to a location below the parent, the RBAC compilation of "People in their Organizations" includes only those people in the person’s sub-organization location and below. Thus, the person can manage all users in those locations but not any of those in the locations above their organization (represented by the blue arrow). And because the user admin is also a resource, that person can be managed by the User Admin at the parent location. This structure allows partner organizations to have sub-organization locations with their own self-contained management capabilities that can be altered as needed by those in the top-level Organization.

EmpowerID includes a default Organization location under which all partner Organizations should be created. This Organization location is the Partner Organization location. We demonstrate this in the topic.

Partner Business Roles

As mentioned in the above discussion, managing your partners' access involves another component, the Business Role. In the EmpowerID RBAC model, Business Roles and Locations intersect to provide scope in access assignments. All people must have a Business Role, and all resources must belong to a location. In partner delegations, the EmpowerID RBAC compiler uses partner Business Role and Location assignments to determine the relative access to resources the people in those Business Roles and Locations have.

By default, EmpowerID includes two partner Business Role and Location combinations: Partner Admin in Partners and Partner in Partners. These Business Roles and Locations are assigned to the Partner Admin and Partner User Management Roles, respectively. This means that any person assigned to those Business Role and Location combinations receives the Access Levels granted to those Management Roles. We demonstrate how this works in the topic.