Overview of Functions

In today's IT landscape, security and risk management are pivotal. A fundamental aspect of this is understanding the concept of Functions within EmpowerID. These Functions act as a bridge, translating technical entitlements in IT systems into a language that resonates with the organization's everyday business operations. This comprehensive overview highlights the types of Functions in EmpowerID, the process of function mapping, and their critical role in risk management.

Functions in EmpowerID

Functions are defined as "business-defined activities that a person can perform within one or more applications." A practical example is the transformation of "TCode ME21N" in SAP to a more intuitive "Create Purchase Order." This translation is essential for achieving a common understanding across various business units. The image below shows the transition from technical terminology to business-centric Functions, illustrating how Functions in EmpowerID simplify complex system entitlements.

Image 1: Comparison between Native System Entitlements and Functions

 

Functions are utilized as foundational elements to define users' abilities within technical systems. Organizations create risk policies based on these functions, naming them in line with their business language. Functions are then linked with their respective entitlements in different applications by business process and technical application specialists. This enables the risk management engine to periodically review user privileges and functions.

 

Types of Functions in EmpowerID

There are two types of functions in EmpowerID: Global Functions and Local Functions.

Global Functions

Global Functions represent system-wide privileges applicable across multiple applications. They are 'system agnostic,' meaning their scope extends over various platforms like ServiceNow, AWS, SAP, Salesforce, and EmpowerID itself. An example of a Global Function could be "Create Group," which applies uniformly across these applications.

Image 2: Global Function representing a user action applicable across multiple systems

 

Local Functions

Local Functions are more specific and denote actions within particular entities, systems, or locations. These functions are tied to Global Functions but provide a more granular level of detail. For instance, "Create Groups in Austria" or "Create Purchase Order in SAP Prod" are examples of Local Functions that fall under broader Global Functions.

Image 3: The correlation between local and global functions

Function Mapping and Risk Management

The effective use of Functions in risk management hinges on the process of function mapping, which links Functions to precise rights and roles:

Global Function Mapping

At this level, function mapping involves adding Function Mapping Rules to Global Functions, which denote the associated global rights and roles. This mapping is essential to define what users can do with these functions. The screenshot below provides an example of function mapping for a “Create Azure Groups” Global Function.

Image 4: Function Mapping Rules at the Global Function Level

 

Three types of function mapping rules are visible:

  • Global Rights Granting Function (Mapped): Indicates the global rights, if any, associated with the function. In this example, the global rights would be those permitting someone to create groups in Azure.

  • Global Roles Granting Function (Mapped): Indicates the global roles, if any, associated with the function. Here, the global roles would be the Azure roles, allowing someone to create groups in Azure.

  • Local Functions: Specifies the local functions that will derive from the global function. All local functions should have a relationship to the parent global function. In this case, a local function might be "Create Azure Groups in Austria."

Local Function Mapping

Local Function mapping is about incorporating these functions into the global framework and associating them with specific local rights or roles. This allows for a detailed view of user capabilities within a particular context.

Image 5: Representation of Local Functions as Function Mapping Rules

After a local function is linked to a global function via a function mapping rule, you can then associate the local function with specific local rights or roles. Local function mappings encompass the following possibilities:

  • Local Rights Granting Function (Mapped): This outlines the local rights, if any, linked to the function. Local rights that can be associated with local functions depend on the global rights linked to the parent global function. Any right not initially mapped in the parent global function cannot be chosen for the local function.

  • Local Roles Granting Function (Mapped): This details the local roles, if any, connected to the function. Local roles that can be connected to local functions rely on the global roles linked to the parent global function. A role that is not initially mapped in the parent global function cannot be selected for the local function.

  • Assignees Granting Local Function (Mapped): This enables you to designate one or more EmpowerID actor types associated with the function. Actor types can comprise:

    • Business Role and Location: All people belonging to the Business Role and Location will be flagged as having the function

    • Group: All people belonging to the group will be flagged as having the function

    • Management Role: All people belonging to the Management Role will be flagged as having the function

    • Management Role Definition: All people belonging to the Management Roles derived from the definition will be flagged as having the function

    • Person: The specified person will be flagged as having the function

    • Query-Based Collection: All people belonging to the Query-Based Collection will be flagged as having the function

Risk Management and Functions

Each Function in EmpowerID is assigned a risk level, reflecting the potential impact of the associated activities:

  • Low: Risk score = 0

  • Medium: Risk score = 30

  • High: Risk score = 60

  • Critical: Risk score = 80

  • Very Critical: Risk score = 100

The EmpowerID Risk engine calculates the overall risk associated with each user based on the functions they are assigned to, whether directly or through an assignment to roles or groups with functions. The total risk score for each user is computed based on these risk scores.
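The local mapping constraint and the assignee expansion described above can be modelled as follows. This is an added example, not EmpowerID code or its API: the class names, the right, role, group and person names, and the placement of the risk level on the local function are assumptions. It reports per-function scores only, because this page does not state how the engine combines them into a total.

```python
from dataclasses import dataclass, field

# Risk level -> score, as listed on this page.
RISK_SCORES = {"Low": 0, "Medium": 30, "High": 60, "Critical": 80, "Very Critical": 100}

@dataclass
class GlobalFunction:                      # hypothetical model, not an EmpowerID type
    name: str
    rights: set = field(default_factory=set)     # global rights mapped to the function
    roles: set = field(default_factory=set)      # global roles mapped to the function

@dataclass
class LocalFunction:
    name: str
    parent: GlobalFunction
    risk_level: str                              # assumption: level stored per local function
    rights: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    assignees: set = field(default_factory=set)  # (actor_type, actor_name) pairs

def mapping_violations(local):
    """Rights and roles on a local function that its parent global function does not map."""
    return {"rights": sorted(local.rights - local.parent.rights),
            "roles": sorted(local.roles - local.parent.roles)}

def people_with_function(local, membership):
    """Expand assignee actors (group, role, collection, person) to the people flagged."""
    people = set()
    for actor_type, actor in local.assignees:
        if actor_type == "Person":
            people.add(actor)
        else:
            people |= membership.get((actor_type, actor), set())
    return people

def function_scores(person, local_functions, membership):
    """Risk score of every local function a person holds, directly or via an actor."""
    return {lf.name: RISK_SCORES[lf.risk_level] for lf in local_functions
            if person in people_with_function(lf, membership)}

# Constructed sample data; right, role, group and person names are placeholders.
GLOBAL = GlobalFunction("Create Azure Groups", {"right-create-group"}, {"role-group-admin"})
AUSTRIA = LocalFunction("Create Azure Groups in Austria", GLOBAL, "High",
                        rights={"right-create-group", "right-delete-group"},
                        roles={"role-group-admin"},
                        assignees={("Group", "AT-Helpdesk"), ("Person", "alice")})
MEMBERSHIP = {("Group", "AT-Helpdesk"): {"bob", "carol"}}

if __name__ == "__main__":
    print(mapping_violations(AUSTRIA))
    print(sorted(people_with_function(AUSTRIA, MEMBERSHIP)))
    print(function_scores("bob", [AUSTRIA], MEMBERSHIP))
```

The sample local function deliberately carries one right that the parent does not map, so `mapping_violations` flags it as a mapping the product's rule would not allow.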

Conclusion

Functions in EmpowerID are crucial in aligning business operations with IT security and risk management. By converting technical system entitlements into business-oriented Functions and assigning appropriate risk levels, EmpowerID enables organizations to effectively monitor and mitigate IT system risks. This structured approach ensures that user activities are in sync with the organization's risk tolerance, enhancing overall risk management strategies and maintaining robust control over IT environments.