Overview of Partner Delegations

EmpowerID provides a structured approach for organizations to collaborate with external partners by granting them limited access to manage specific IT resources. Through the use of "Organization" locations and predefined Management Roles, EmpowerID ensures that partners can operate securely within their assigned domains without visibility into other areas of the organization's infrastructure.

Key Features of Partner Access

Organization Locations

EmpowerID allows you to create "Organization" locations representing partner organizations within the system. These locations act as isolated containers, enabling partners to access and manage resources within their assigned boundaries.

  • Access Scope: Organization locations restrict each partner’s access to their specific domain. This isolation prevents partners from seeing or interacting with resources from other partners or your organization's internal areas.

  • Hierarchical Boundaries: EmpowerID uses a hierarchical model to define access. Users at higher levels in the Organization tree can manage resources in subordinate locations, while those at lower levels are limited to their assigned location and its sub-locations.

Management Roles

EmpowerID includes predefined Management Roles specifically designed for partner access:

  1. Partner Admin Management Role: Grants administrative permissions for managing people and resources within the partner's assigned Organization location.

  2. Partner User Management Role: Allows limited operations, such as searching for people, requesting resources, and initiating workflows.

These roles ensure that partners can effectively manage their responsibilities without gaining access to internal or unrelated resources.

Business Roles and Locations

EmpowerID's RBAC model combines Business Roles and Location assignments to define precise access boundaries. In the context of partner access:

  • Business Roles define what a user can do.

  • Locations define where a user can act.

For partner management:

  • Partner Admin in Partners: Assigned to individuals with administrative responsibilities.

  • Partner in Partners: Assigned to individuals with standard user responsibilities.

These predefined combinations simplify role assignments and ensure consistency across partner organizations.

How Access Control Works

RBAC Compiler

EmpowerID enforces access control through its Role-Based Access Control (RBAC) compiler. The compiler evaluates Business Role and Location assignments to determine what resources a user can access and manage.

  • Top-Level Administrators: Users at a top-level Organization location can manage all resources in their location and subordinate locations.

  • Sub-Organization Administrators: Users assigned to sub-organization locations are restricted to managing resources within their location and its sub-locations. They cannot access resources above their level or in peer locations.

This model ensures that administrative responsibilities are distributed appropriately while maintaining strict boundaries.

Resource Management Example

Consider a partner organization with the following structure:

  • A top-level administrator (assigned to the root Organization location) can manage all users and resources within the partner organization.

  • A department-level administrator (assigned to a sub-organization location) can only manage users and resources within their department and any subordinate departments.

Visually, this can be represented as a diagram of the partner organization hierarchy, in which:

  • The triangle represents the partner organization hierarchy.

  • The green-outlined figure represents the top-level administrator who can manage all users in the organization, as shown by green arrows.

  • The blue-outlined figure represents a department-level administrator who can manage users only within their specific department and subordinate locations, as shown by blue arrows.

  • The hierarchical relationships ensure that parent-level users have broader access while child-level users remain restricted to their scope.

Access levels such as "People in My Organizations" are determined dynamically by the RBAC compiler based on the assigned Organization tree. For example:

  • Users in parent Organization locations can manage all users in subordinate locations.

  • Sub-organization users are restricted to managing resources within their branch of the hierarchy.

EmpowerID includes a default Organization location, the Partner Organization location, under which all partner Organizations should be created. For more details, see Managing Partner Delegations.
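The scoping rules described under "How Access Control Works" and in the resource management example above can be made concrete with a small model. The following Python is an added example written for this page; it is not EmpowerID code and does not use EmpowerID's APIs. The location tree, the people, and the operation names attached to each role are constructed for illustration; only the root location "Partners" and the two role names come from the page. The compile_access function plays the part the page assigns to the RBAC compiler: it expands each Business Role plus Location assignment into the set of locations the person can actually act in, which is the assigned location and everything beneath it, never a parent or a peer.

```python
"""Toy model of location-scoped RBAC (added example, not EmpowerID code)."""
from collections import defaultdict

# Constructed sample Organization tree: child -> parent (root has parent None).
# "Partners" mirrors the default root location the page describes; the partner
# names and departments are made up for this example.
LOCATIONS = {
    "Partners": None,
    "Contoso": "Partners",
    "Contoso/Finance": "Contoso",
    "Contoso/Finance/AP": "Contoso/Finance",
    "Contoso/Sales": "Contoso",
    "Fabrikam": "Partners",
}

# Constructed operation sets for the two predefined roles. The operation names
# are assumptions made for this example, not EmpowerID identifiers.
ROLE_OPERATIONS = {
    "Partner Admin": {"search_people", "request_resource", "start_workflow",
                      "manage_people", "manage_resources"},
    "Partner": {"search_people", "request_resource", "start_workflow"},
}


def ancestors_and_self(location):
    """Yield a location and then each of its parents up to the root."""
    if location not in LOCATIONS:
        raise KeyError(f"unknown location: {location}")
    while location is not None:
        yield location
        location = LOCATIONS[location]


def is_within(target, scope):
    """True if `target` is `scope` itself or lies somewhere beneath it."""
    return scope in ancestors_and_self(target)


def compile_access(assignments):
    """Expand (person, role, location) assignments into effective access.

    Returns {person: {location: set(operations)}} covering every location the
    person can act in. A role granted at a location applies to that location
    and all of its sub-locations, never to parents or peer locations.
    """
    effective = defaultdict(lambda: defaultdict(set))
    for person, role, scope in assignments:
        ops = ROLE_OPERATIONS[role]
        for loc in LOCATIONS:
            if is_within(loc, scope):
                effective[person][loc] |= ops
    return {person: dict(locs) for person, locs in effective.items()}


def can(effective, person, operation, location):
    """Authorization check against the compiled access map."""
    return operation in effective.get(person, {}).get(location, set())


def manageable_locations(effective, person):
    """Locations where the person holds the administrative manage_people right."""
    return sorted(loc for loc, ops in effective[person].items()
                  if "manage_people" in ops)


# Constructed assignments mirroring the page's example: a top-level partner
# admin, a department-level admin, and a standard partner user.
ASSIGNMENTS = [
    ("alice", "Partner Admin", "Contoso"),
    ("bob", "Partner Admin", "Contoso/Finance"),
    ("carol", "Partner", "Contoso/Sales"),
]

EFFECTIVE = compile_access(ASSIGNMENTS)

if __name__ == "__main__":
    for person in ("alice", "bob", "carol"):
        print(person, "manages:", manageable_locations(EFFECTIVE, person))
```

Running the block shows alice managing every Contoso location, bob managing only Contoso/Finance and Contoso/Finance/AP, and carol managing nothing, while carol can still search people in Contoso/Sales. Nobody assigned under Contoso gets any access to Fabrikam or to the Partners root, which is the isolation between partner organizations that the page describes.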
