What are Resources and Resource Types?
EmpowerID inventories, manages, and protects resources in what are called resource systems. Resource systems define the specific system within which a resource resides and can include Active Directory domains, LDAP directories, HR systems, Microsoft Exchange Organizations, SharePoint Farms, custom applications, and even the EmpowerID system itself.
Resources are the lowest level secured base objects in EmpowerID for which management tasks can be performed. All objects of any type that are managed by EmpowerID in a secure fashion have a resource entry in the EmpowerID Identity Warehouse. EmpowerID supports many types of resources out of the box and can be extended to support any type of custom resource that an organization wishes to manage. Resource types exist for all secure EmpowerID objects such as people, pages, workflows, etc., as well as resource types for external systems such as Exchange Mailboxes or SharePoint web sites.
EmpowerID catalogs each of these resource objects by resource type so that they can support different properties, management operations, rights, and Access Level Definitions. Classifying resources by resource type provides a consistent interface for ease of resource management.
Among the resource types in EmpowerID, the following two are worth noting:
Asset Types
Asset Types are special categories of resources that are not automatically provisioned through Resource Entitlements policies, but must always be requested. Asset Types can be calls to EmpowerID dlls or other custom .NET assemblies that provision/de-provision actual resources that exist in other systems like Active Directory or they can be simple creations of objects added to the EmpowerID Identity Warehouse for approval routing and tracking purposes only. Asset Types can be thought of as buckets of resources categorized by type you create for special circumstances or needs, such as creating user accounts for specific teams of users. Examples of the former include Exchange mailboxes, user accounts, and Windows shared folders, while examples of the latter include mobile phones, laptops, or any other user-defined objects. Each Asset Type by necessity belongs to an account store, resource system, and resource type inherent to its type and may require a "dependency," such as having an account in the domain. For example, a mailbox Asset Type belongs to an Active Directory account store, a Microsoft Exchange resource system, and an Exchange Mailbox resource type and depends on a user account existing first because users must have an Active Directory account before they can have a mailbox. Asset Types not inherent to another system, but simply being tracked by EmpowerID, such as the aforementioned laptops or mobile phones, must belong to EmpowerID as the account store, Asset Pool as the resource system, and Generic Asset as the resource type.
Asset Types can be of the following resource types:
Exchange Mailbox
Generic Asset
Generic Asset (AD Protected)
User Account
Windows Shared Folder
Once an Asset Type is created, specific Asset Request catalog items can be created from that type and placed in the Service Catalog to allow users to submit a "request for an asset," either for themselves or on behalf of another user. For example, a manager who is hiring a contractor, can submit an Asset Request asking that an Exchange Mailbox be created select and submit an Asset Request from the catalog to create a mailbox for that contractor. Each Asset Request catalog item in the Service Catalog is a type of protected EmpowerID resource that can be managed like any other resource type in Resource Manager or other EmpowerID user interfaces. In order for an Asset Catalog item to be visible and initiated by an end user, they must be granted the "Requestor" Access Level for the Asset catalog item in question as well as the "Initiator" Access Level for the request workflow specified in the Asset Request catalog item. Having both of these Access Levels will allow the end user to see the Asset Request catalog item when it is published in the Service Catalog. Each request is tied to a Request Workflow that always routes to an approver. Having this Access Level will allow the end user to see the Asset Request request item when it is published in the Service Catalog. To ensure that security policies are enforced, all Asset Requests are routed for approval when necessary.
Request Workflows
One special type of EmpowerID resource that should be mentioned is the Request Workflow. For each workflow used in EmpowerID there exists at least one request workflow resource. The request workflow resource is used to secure the workflow and control who may initiate it.