Identity Administration Overview

Managing access to systems, data, and applications requires a structured approach to ensure consistency, security, and compliance. Without centralization, organizations often face administrative overhead and inconsistencies across different systems. EmpowerID provides a framework for managing identity-related objects and permissions across multiple environments, allowing administrators to enforce policies, track changes, and maintain control over access.

Centralized Framework for Managing Resources

EmpowerID includes a web-based console and workflow engine that consolidates identity and resource management. In many environments, user accounts, person objects, and groups are distributed across multiple directories and file shares, each requiring separate permissions and administrative processes. Without a centralized system, managing these resources can become complex and lead to security gaps.

Administrators can use EmpowerID’s interface and workflows to manage these objects without assigning direct permissions in each external system. This centralized approach ensures that identity and access policies are consistently enforced across all connected systems, whether provisioning Azure AD accounts, assigning SAP roles, or managing file share permissions.

Hybrid Security Model in EmpowerID

EmpowerID integrates Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC) to provide a flexible access management model. Each method serves a distinct purpose in authorization, allowing organizations to apply access controls based on roles, attributes, and policies.

Role-Based Access Control (RBAC)

RBAC assigns permissions to roles linked to job functions or organizational structures. Users assigned to a role automatically inherit the relevant permissions. This model simplifies access control in environments with well-defined job hierarchies by reducing the need for direct user-to-permission assignments.

Attribute-Based Access Control (ABAC)

ABAC determines access based on user attributes such as department, location, or employment status. As these attributes change, access is adjusted dynamically. This eliminates the need for manual role updates when users change organizational positions. For example, if users transfer from one office to another, they automatically receive permissions relevant to the new location while losing outdated ones.

Policy-Based Access Control (PBAC)

PBAC enforces access control based on predefined policies and contextual conditions. These policies can include requirements such as multi-step approvals for high-risk actions or time-based access restrictions. PBAC is useful for scenarios requiring more granular control, such as restricting access to certain resources outside of business hours or enforcing segregation of duties.

Managing Access Across Systems

EmpowerID applies its access control model across multiple internal and external systems, allowing administrators to manage accounts, roles, and permissions in a centralized manner. This approach:

  • Streamlines approval processes – Access requests follow predefined workflows and approval chains based on policy rules.

  • Provides centralized auditing – Every access change is logged for visibility and compliance tracking.

  • Reduces misconfiguration risks – Enforcing policies consistently across systems prevents inconsistencies that can arise from manual permission management.

RBAC Components in EmpowerID

RBAC in EmpowerID is based on three core elements:

  • Access Levels – Define the actions a user can perform on a resource, such as Create, Update, Delete, or Delegate.

  • RBAC Actors – Define how access is assigned, using groups such as Business Roles and Locations, Management Roles, or dynamic Query-Based collections.

  • Rights – Map access levels to each system’s native permission model, ensuring consistency between EmpowerID policies and external resources.

Operations and Workflows

In addition to role assignments, EmpowerID uses Operations to enforce controlled, auditable actions. Operations define specific tasks—such as creating a user in Azure AD or modifying group memberships—that can be executed through workflows or APIs. Before an operation is completed, EmpowerID evaluates the requestor’s permissions based on RBAC, ABAC, and PBAC rules, triggering approvals if required. This ensures that access changes follow defined authorization processes.

Example Scenario

In an organization that frequently hires contractors, EmpowerID’s hybrid model ensures access is granted and revoked as needed:

  • RBAC – Assigns contractors a predefined role, such as “Contractor-Finance,” providing baseline access.

  • ABAC – Uses attributes like “Temporary” to enforce automatic expiration of access at the contract’s end date.

  • PBAC – Requires finance manager approval for file share modifications initiated by a contractor, ensuring oversight and auditing.

This approach reduces the need for manual intervention while ensuring compliance with security policies.
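The contractor scenario above, and the hybrid RBAC/ABAC/PBAC model it draws on, as a small policy evaluator added here for illustration; this is not EmpowerID's own code, and the role table, the Person fields, the "Temporary"/"ContractEnd" attributes and the approver rule are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    PENDING_APPROVAL = "pending_approval"

# Constructed sample data, not EmpowerID's own configuration: the Access Levels
# each role grants on a resource (the RBAC "Access Levels" component described above).
ROLE_ACCESS = {
    "Contractor-Finance": {"FinanceShare": {"Read", "Update"}},
    "Finance-Manager": {"FinanceShare": {"Read", "Update", "Delete", "Delegate"}},
}

@dataclass
class Person:
    roles: set        # RBAC actors the person belongs to
    attributes: dict  # ABAC inputs, e.g. {"Temporary": True, "ContractEnd": date(...)}

def rbac_allows(person, resource, action):
    """RBAC: some role held by the person must grant this Access Level on the resource."""
    return any(action in ROLE_ACCESS.get(r, {}).get(resource, ()) for r in person.roles)

def abac_active(person, today):
    """ABAC: a Temporary identity keeps its access only until its ContractEnd date."""
    if not person.attributes.get("Temporary"):
        return True
    end = person.attributes.get("ContractEnd")
    return end is not None and today <= end

def pbac_required_approvers(person, resource, action):
    """PBAC: a contractor modifying the finance share needs finance manager approval."""
    if "Contractor-Finance" in person.roles and resource == "FinanceShare" and action != "Read":
        return {"Finance-Manager"}
    return set()

def evaluate_operation(person, resource, action, today, approvals=frozenset()):
    """Gate an Operation: attribute state first, then role permission, then policy conditions."""
    if not abac_active(person, today):
        return Decision.DENY  # contract ended: all access lapses regardless of role
    if not rbac_allows(person, resource, action):
        return Decision.DENY  # no held role grants this Access Level
    missing = pbac_required_approvers(person, resource, action) - set(approvals)
    return Decision.PENDING_APPROVAL if missing else Decision.ALLOW

# Constructed sample identity and dates for the contractor scenario
CONTRACTOR = Person({"Contractor-Finance"}, {"Temporary": True, "ContractEnd": date(2025, 6, 30)})
DURING_CONTRACT, AFTER_CONTRACT = date(2025, 3, 1), date(2025, 7, 1)
```

The evaluation order matters: an expired attribute denies before any role is consulted, so a stale role assignment cannot outlive the contract, and an approval only lifts a policy condition, never a missing Access Level.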

Next Steps

For more information on managing identities and resources in EmpowerID, refer to the following topics:

  • User Administration – Managing user accounts, person objects, and roles.

  • Group Administration – Organizing users into logical groups and managing memberships.

  • Computer Administration – Managing computer objects and permissions.

  • Mailbox Administration – Configuring email settings and access rights.

  • Shared Folder Administration – Managing file shares, permissions, and approval workflows.
