About Management Roles

Owned by Phillip Hanegan
Feb 29, 2024
2 min read

Management Roles in EmpowerID serve as an intermediate layer between job-based Business Roles and technical entitlements and permissions in external systems. These activity-based functional roles, known as Task-Based RBAC or T-RBAC, help manage and audit access more efficiently by bundling the necessary roles, entitlements, and permissions required to complete everyday job duties or tasks.

Management Roles act as an 'Anti-Corruption Layer,' ensuring that business activities performed by various job roles remain unaffected by changes in the IT landscape, thereby protecting business processes and operating models. This approach reduces the need to redesign multiple Business Roles when systems change, as the adjustments are made only in the mapping of the activity-based Management Roles to the new system's corresponding technical roles and permissions.

Figure 1: IAM Acting as an Anti-Corruption Layer Insulating the Business Model from Technical Changes and Limitations

 

 

Apart from providing activity-based roles, Management Roles can also be used for teams, cross-department collaborations, or project teams. This tier is more flexible and less tied to a person's job description compared to the Business Role tier.

T-RBAC

EmpowerID uses T-RBAC internally to organize access for user interfaces, APIs, workflows, data visibility, and data access. These are broken down into three primary types: "UI/API" roles, Data Visibility ("VIS-") roles, and Data Access roles ("ACT-").

Figure 2: Venn diagram of the 3 types of T-RBAC Management Roles and how they combine to enable task-based access

 

Users need a combination of these Management Roles to have task access:

  1. UI/API Management Roles: Grant access to user interface elements, such as pages and controls, and access to run workflows.

  2. VIS-Management Roles: Grant visibility access to view specific types of objects or resources within a particular scope and control access to API endpoints that retrieve data for that object type.

  3. ACT-Management Roles: Grant authorization to perform specific actions or "operations" within EmpowerID user interfaces and workflows against scoped data.

By segregating activity-based or task-based roles, they can be easily reused and combined into various combinations without requiring the creation and maintenance of new roles.