About Business Roles and Locations

In EmpowerID, the combination of Business Roles and Locations allows for efficient and flexible management of access to resources based on job functions and locations within an organization. This polyarchical RBAC resource assignment approach is facilitated through tree interfaces that support:

  1. Static assignments of people: Individuals can be directly assigned to a Business Role and Location combination based on their job function and location. This grants them access to the resources associated with the Business Role and Location.

  2. RBAC mapping: Existing physical directory locations and roles can be mapped to logical EmpowerID Locations to simplify resource management and hide the complexity of back-end directory structures from business users. This allows resources in physical directory containers to "belong" to the corresponding EmpowerID Location, granting users access to resources when assigned to a Business Role and Location.

  3. SetGroup mapping: SetGroups containing collections of EmpowerID Person objects can be mapped to Business Roles and Locations, enabling people in the SetGroup to receive Access Level assignments associated with the Business Role and Location. This helps in organizing users based on specific attributes and granting them access accordingly.

By leveraging Business Roles and Locations, EmpowerID allows organizations to easily manage access to resources based on an individual's job function and location within the organization, enhancing security and streamlining resource management.


EmpowerID provides several ways by which resources can belong to a location:

  • If a resource has been manually assigned to a location, then it belongs to that location.

  • Locations are resources that belong to themselves as a location.

  • Person objects belong to the location of the person's primary Business Role and Location. If a person is assigned a secondary Business Role and Location, the Person object does not belong to the secondary location. Person objects also belong to any locations to which the person is assigned manually as a resource or through a SetGroup.

  • If the resource has a path (currently user accounts, computers, Exchange mailboxes), the resource belongs to any locations mapped to an external location whose path matches the ParentPath field of the resource. When this is the case, the external location is actually the parent OU of the object in the external directory.

  • If the resource is an account and a person owns it (joined), the user account belongs to the person's primary Business Role and Location.

  • If the resource is an Exchange Mailbox, and its account is assigned to a person, it belongs to the person's primary Business Role and Location.

  • Special "Resource System Match" locations represent an Account Store or Resource System to which resources belong. These locations have ResourceSystemType = 12, and a resource belongs to such a location when the ResourceSystem of the resource matches the MatchingResourceSystemID set on that location.

  • A resource belongs to any parent location of any location to which it has been assigned using the above criteria. The only exception to this rule is the location root node, Anywhere. Resources do not belong to this node unless they are direct children of that location or the resource has been explicitly assigned there.
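The membership rules above, worked through as an added example (not EmpowerID code): a small in-memory resolver that applies manual assignments, the primary Business Role and Location of a person or account owner, external-path mapping, Resource System Match locations, and the parent-location closure with the Anywhere exception. The location tree, the mapped OU path, the resource system id 7 and all resource names are constructed sample data.

```python
# Constructed example: resolves which locations a resource belongs to by
# applying the rules from the list above. Not EmpowerID code; the tree,
# mappings and resources below are assumptions made up for illustration.
ROOT = "Anywhere"
RESOURCE_SYSTEM_MATCH = 12  # ResourceSystemType value for "Resource System Match"

# Location tree: name -> (parent, ResourceSystemType, MatchingResourceSystemID)
LOCATIONS = {
    "Anywhere": (None, 0, None),
    "EMEA": ("Anywhere", 0, None),
    "Berlin": ("EMEA", 0, None),
    "AD Corp Forest": ("Anywhere", RESOURCE_SYSTEM_MATCH, 7),
}
# External (physical) directory containers mapped to logical locations
EXTERNAL_MAP = {"OU=Berlin,DC=corp,DC=example": "Berlin"}
# Manual (resource, location) assignments
MANUAL = {("svc-backup", "EMEA")}
# People with the location half of their primary Business Role and Location
PEOPLE = {"alice": {"primary_location": "Berlin"}}

def direct_locations(res):
    """Locations the resource is assigned to directly, before parent closure."""
    locs = {loc for r, loc in MANUAL if r == res["name"]}
    if res["type"] == "Location":            # a location belongs to itself
        locs.add(res["name"])
    if res["type"] == "Person":              # primary Business Role and Location
        locs.add(PEOPLE[res["name"]]["primary_location"])
    if res.get("parent_path") in EXTERNAL_MAP:   # ParentPath matches a mapped OU
        locs.add(EXTERNAL_MAP[res["parent_path"]])
    owner = res.get("owner")  # joined person of an account, or of a mailbox's account
    if res["type"] in ("Account", "Mailbox") and owner:
        locs.add(PEOPLE[owner]["primary_location"])
    for name, (_, loc_type, rs_id) in LOCATIONS.items():   # Resource System Match
        if loc_type == RESOURCE_SYSTEM_MATCH and rs_id == res.get("resource_system_id"):
            locs.add(name)
    return locs

def locations_of(res):
    """Direct locations plus every ancestor, except the root Anywhere, which is
    included only for a direct child of the root or an explicit assignment."""
    direct = direct_locations(res)
    result = set(direct)
    for loc in direct:
        parent = LOCATIONS[loc][0]
        while parent is not None:
            if parent != ROOT or LOCATIONS[loc][0] == ROOT:
                result.add(parent)
            parent = LOCATIONS[parent][0]
    return result
```

A computer in the mapped Berlin OU resolves to Berlin and EMEA but not Anywhere, while an account that also matches the Resource System Match location directly under the root picks up Anywhere through that location.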
