You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Glossary
A
Access Levels
Bundles of EmpowerID operations and/or native system rights specific to a resource type, such as Exchange mailboxes or user accounts. Access Levels, when assigned to users, specify the manner in which those users can access IT resources. Different resource types have their own set of Access Levels defined to maintain consistent access control.
Accounts
User profiles imported from external systems. These may or may not be assigned to a specific Person object.
Account Store
A specialized type of resource system managed by EmpowerID that functions as a directory containing user account objects. Account Stores can perform their own authentication, such as Active Directory authentication.
Approval Flow
A sequential process that governs the evaluation and authorization of user access requests (a.k.a., Business Requests) to organizational resources.
Approval Flow Policy
A predefined set of sequential steps dictating how Business Requests should be approved or rejected. Each step assigns specific approvers responsible for evaluation.
Approval Flow Step
An individual stage within an Approval Flow Policy, designated to a specific approver or group of approvers.
Approver Resolver Rule
Criteria that dictate to whom an Approval Flow Step should be routed for evaluation. Examples include routing to a request initiator's manager or a role-based approver.
Attributes
Attributes are named data elements that describe the properties or characteristics of an entity within a system. They serve as the building blocks for identity profiles and resource configurations. In EmpowerID, attributes could refer to user attributes like username, email, or role, as well as resource attributes such as access levels and permissions.
Attribute Flow
Authorization Object
A group representing a specific access assignment in an application or directory system. The group can either be a security group in Active Directory or a generic group in EmpowerID that represents a group or role in a target application.
Authorization Package/Business Function
A bundle of access required to complete a Business Function or participate in a team. Represented by Management Roles, these packages bundle access across multiple systems into a single non-technical assignable unit.
AuthN
Short for Authentication, “AuthN” refers to the process of confirming the identity of an entity, typically a user, system, or application.
AuthZ
Short for Authorization, “AuthZ” refers to the process of determining the access level an authenticated person or system has.
B
Birthright Access
The initial set of entitlements and permissions automatically granted to an individual based on their role within the organization.
Business Request
In EmpowerID, a Business Request is a formalized request that is commonly initiated by end-users for specific actions or access within an organization's IT ecosystem. These requests can vary in nature, ranging from requesting access to particular resources to initiating specific workflows such as account provisioning, role changes, or permission approvals.
The Business Request feature in EmpowerID allows for the customization of request forms and approval workflows. This enables organizations to tailor the request process according to their specific needs, compliance requirements, or governance policies. Once a Business Request is initiated, it undergoes a predefined approval workflow involving one or multiple approvers, depending on the organization's Approval Flow policy configuration.
These policies ensure that each request is processed in a controlled manner, allowing for efficient tracking and auditing. Upon completion of the approval flow, the Business Request is assigned a status, such as 'Approved' or 'Rejected,' which clearly indicates the request's outcome. This feature enhances the organization's ability to maintain compliance and governance standards by providing a structured, auditable trail of all user-initiated actions and administrative decisions.
Business Role
A type of role designed to reflect organizational responsibilities rather than specific technical permissions. Business roles aggregate various entitlements and access rights into a single, easily assignable role.
C
Cloud Gateway
The Cloud Gateway is a small, lightweight Windows application that acts as a connectivity gateway between the customer environment and the EmpowerID SaaS tenant. It enables the EmpowerID Cloud SaaS tenant to inventory and manage on-premise systems without requiring ports to be opened on their firewall
Company
Serves as a high-level organizational unit for grouping various configurable elements, facilitating better resource and permission management.
Compliant Access Delivery
Securely granting access to resources while adhering to laws, regulations, and organizational policies.
Containers
Containers are lightweight, self-sufficient packages that encapsulate the necessary elements to run an application, including code, runtime, libraries, and system tools. They operate in isolation from the host system, ensuring a uniform and consistent environment for applications. In the context of EmpowerID, containers are used to deploy various system components, contributing to enhanced scalability and reliability.
EmpowerID Worker Containers
Worker Containers constitute the application tier in the EmpowerID architecture. Specialized for back-end system integration, these containers handle inventory management, data synchronization, and security management tasks. They also execute internal web service processes. The specifications and count of Worker Containers are determined by the variety and volume of applications and integrations in your EmpowerID setup. Worker Containers do not handle User Interface (UI) requests and are analogous to the on-premise Worker Role Service.
EmpowerID UI Containers
UI Containers act as the user-interface layer, serving web pages and handling interactive workflows initiated by end-users. These containers are responsible for delivering the Web applications that constitute the user interface of EmpowerID. By default, they operate strictly over HTTPS and maintain a stateless user interface. The EmpowerID UI container role parallels the functions performed by the on-premise Web Role Service.
Core Identity
A unique representation of each individual human user or IoT device, serving as the root or "master" identity from which multiple "Person Objects" can be derived.
E
EmpowerID API Gateway / ReverseProxy
The EmpowerID API Gateway / Reverse Proxy provides single sign-on and authorization for users accessing an organization's web applications. The reverse proxy service stands in front of the web applications and services end-user requests.
EmpowerID LDAP Virtual Directory Server
The EmpowerID LDAP Virtual Directory server provides LDAP virtual directory authentication and data services for exposing EmpowerID Identity Warehouse data and connected directories objects as a single unified LDAP directory with a flexible schema.
EmpowerID RADIUS Server
The EmpowerID RADIUS server provides RADIUS authentication for routers, switches, and other RADIUS-compliant devices.
EmpowerID RBAC Actor Types
Collections of people or objects to which EmpowerID policies can be assigned, including Person, Group, Management Role Definition, Management Role, Query-Based Collection, Business Role, and Location.
EmpowerID SCIM Virtual Directory Service
The EmpowerID SCIM Virtual Directory service provides a single SCIM-compliant API for the EmpowerID Identity Warehouse and all connected systems.
Entitlement
The set of attributes or resources that a particular user is allowed to access within an application or service.
F
Federated Identity
The linking of a person's electronic identity and attributes across multiple distinct identity management systems.
Federation
A collection of computing or network providers agreeing upon standards of operation in a collective fashion.
FIDO
Fast Identity Online, a set of security specifications for strong authentication.
G
Governance
The set of policies, roles, and processes that control how an organization's business divisions and IT teams work together.
I
IAM
Stands for Identity and Access Management, a framework for business processes that facilitates the management of electronic or digital identities.
IAM Shop
A microservice within EmpowerID where users can browse and request access to various resources. It functions as a self-service portal for access management and is designed to streamline the user experience for acquiring resource permissions.
Identity Federation
Linking of a person's electronic identity and attributes across multiple distinct identity management systems.
Identity Verification
The process of confirming the truth of an attribute of a single piece of data claimed true by an entity.
Inventory Job
A scheduled task that collects data from connected systems and updates the EmpowerID Identity Warehouse.
J
Jobs
Functionalities in EmpowerID are broken down into granular "jobs," hosted and run in Windows services that communicate back to the EmpowerID Identity Warehouse over REST Web services. Jobs are either specific tasks that run on a scheduled basis (such as Inventory) or REST Web Services used in workflow processes.
JSON Web Token (JWT)
An open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
L
Location
In EmpowerID, a “Location” is a container for holding resources.
M
MFA
Stands for Multi-Factor Authentication, which refers to the use of more than one method of authentication to verify the user's identity for a login or other transaction.
Management Role
Management Roles serve as customizable containers that aggregate various Access Levels into role-based or job-specific bundles. These roles facilitate streamlined, bulk assignment of access permissions across multiple systems.
Management Role Definition
In EmpowerID, a Management Role Definition acts as a template for creating specific Management Roles. It predefines the structure and attributes, including Access Levels, that are automatically inherited by Management Roles based upon it. This centralized blueprint allows for the uniform application of settings and permissions across multiple Management Roles, streamlining administrative tasks and ensuring consistency in access control.
Microservices
Microservices refer to an architectural approach for software development where an application is composed of loosely-coupled, independently deployable components or services. Each microservice is responsible for a specific, discrete task and communicates with other services via well-defined APIs. This approach facilitates agility, scalability, and resilience, allowing each service to be developed, deployed, and scaled independently. In EmpowerID, microservices such as IAM Shop, MyTasks, Resource Admin, and My Identity handle specific functionalities within the platform.
Mutual SSL/TLS
A security measure whereby both the client and server authenticate each other's identity before establishing a secure connection.
OAuth 2.0
An open standard for access delegation commonly used for token-based authentication and authorization.
Operations
In EmpowerID, Operations are protected code objects that, when executed, allow a resource to be accessed in a manner consistent with the type of resource and the operation.
O
OIDC
Stands for OpenID Connect, it is a simple identity layer on top of the OAuth 2.0 protocol, which allows clients to verify the identity of the end-user.
OrgRole
An object in EmpowerID representing a person's Business Role, which is assigned in conjunction with an Organizational Location.
OrgZone
An Organizational Location/Business Context that is always assigned in conjunction with a Business Role.
P
Person
An object representing a human being, typically owning multiple user accounts in external systems. The base identity in EmpowerID's RBAC model.
Personas
Core identities linked to multiple sub-person objects, which are the professional identities with business information attached.
Polyarchical RBAC
A system where people are assigned to one or more Business Roles for a specific Location/Context, reducing role bloat.
Provisioning
The process of setting up a new user account, creating a directory entry, and providing initial access permissions.
PKI
Stands for Public Key Infrastructure, a framework that manages digital keys and certificates.
Q
Query-Based Collections
Also known as Set Groups, these are logical bundles of Sets grouped together with a friendly name for resource management.
R
Resource Systems
Specific systems within which a resource resides, such as Active Directory domains, LDAP directories, or custom applications.
Risk Management
The process of identifying, assessing, and treating risks associated with an organization’s IT resources.
RBAC
Stands for Role-Based Access Control, a method where access permissions are associated with roles, and users are assigned roles to receive those permissions.
RBAC Actor Types
Collections of people or objects to which EmpowerID policies can be assigned, including Person, Group, Management Role Definition, Management Role, Query-Based Collection, Business Role, and Location.
Resources
The lowest level object in the EmpowerID security model, representing a specific IT asset.
S
Single Sign-On (SSO)
A mechanism that allows users to securely authenticate with multiple services and applications using one set of credentials.
Self-Service
The ability for end-users to perform actions themselves without requiring assistance from IT staff, such as password reset or access request.
SCIM
System for Cross-domain Identity Management, a standard for automating the exchange of user identity information between IT systems.
T
Token
A small hardware device that the owner carries to authorize access to a network service.
Two-Factor Authentication (2FA)
A security process in which the user provides two different authentication factors to verify their identity.
W
Workflow
A sequence of connected steps that automate the process of data and tasks flow as they are passed from one participant to another.
X
XACML
Stands for eXtensible Access Control Markup Language, an XML-based standard for expressing security policies and access rights to information.
XML
Stands for eXtensible Markup Language, a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.
Y
YubiKey
A hardware authentication device manufactured by Yubico that supports one-time passwords, public-key cryptography, and authentication, among other services.
Z
Zero Trust Architecture
A security model that advocates the strict limitation of access to all resources within a network, regardless of whether they are inside or outside the perimeter.
For additional information or queries regarding the EmpowerID glossary, consult the official documentation or reach out to the EmpowerID support team.
A
Access Levels
Access Levels are bundles of EmpowerID operations and/or native system rights specific to a resource type (such as Exchange mailboxes or user accounts) that, when assigned to users, give those users the ability to access IT resources in the manner specified by the Access Level. Each resource type has its own set of Access Levels defined with different combinations of EmpowerID operations and rights (where applicable) to ensure that the level of access to the resources remains consistent for the type and the assignment.
Accounts
User profiles imported from external systems. May or may not be assigned to a specific Person object.
Account Store
EmpowerID inventories, manages and protects resources in what is called resource systems. Account Stores represent a special type of resource system managed by EmpowerID. Account stores differ from other resource systems because they function as directories containing user account objects and can perform their own authentication, such as Active Directory.
Approval Flow
A sequential process in EmpowerID that governs the evaluation and authorization of user access requests to organizational resources.
Approval Flow Policy
A predefined set of sequential steps that dictate how Business Requests should be approved or rejected. Each step assigns a specific approver or group of approvers responsible for evaluating each request.
Approval Flow Step
An individual stage within an Approval Flow Policy, each of which is assigned to a designated approver or approvers. At each step, approvers can approve or reject the request or specific resource items within the request.
Approver Resolver Rule
Criteria that determine to whom an Approval Flow Step should be routed for evaluation. Examples include routing to the request initiator's manager, the target person's manager, or a designated role-based approver.
Authorization Object
A group that represents a specific access assignment in an application or directory system. The group can either be a security group in Active Directory or a generic group in EmpowerID that represents a group or role in a target application.
Authorization Package/Business Function
Management Roles are used to represent Authorization Packages (AKA Business Functions) in EmpowerID. An Authorization Package is a business-designed bundle of access required to complete a Business Function or for participation in a team or working group. Authorization packages bundle access across multiple systems and present a single non-technical assignable unit of access. The Management Role allows this flexibility and enables the business owners to create friendly, non-technical descriptions and manage the governance cycle of these packages.
B
Birthright Access
A concept that refers to the initial set of entitlements and permissions automatically granted to an individual based on their role within the organization. In EmpowerID, birthright access is managed through two primary mechanisms:
Provisioning Policies: These policies define the new objects (e.g., user accounts or roles) that should be automatically created for an individual when they join the organization.
Access Assignments: These are policies that automatically add the individual's user accounts to predefined groups, application roles, or permissions based on their role in the organization.
Business Role
A type of role in EmpowerID that is designed to reflect organizational responsibilities, job functions, or business needs rather than specific technical permissions. Business roles aggregate various entitlements, dynamic roles, and access rights into a single role that can be easily assigned to individuals or groups. This approach simplifies administration and enhances understanding of access rights from a business perspective. Business roles are often aligned with the organization's titles, departments, or functions.
C
Company
In the context of EmpowerID, the term "Company" serves as a high-level organizational unit for grouping users, roles, policies, and other configurable elements, facilitating better management and segmentation of resources and permissions across the platform. People belong to companies via their Business Role and Location assignments.
Compliant Access Delivery
The practice of securely granting access to information or resources while adhering to applicable laws, regulations, and organizational policies. Compliant access delivery aims to safeguard sensitive information by ensuring that only authorized individuals with a legitimate need can access it. This approach strives to strike a balance between the necessity for information access and the imperative to mitigate security risks, including unauthorized access, data theft, or information misuse.
Core Identity
A unique representation within EmpowerID for each individual human user or Internet of Things (IoT) device. A Core Identity serves as the root or "master" identity from which multiple "Person Objects" can be derived. These Person Objects may represent various facets of the individual's or device's interactions with different systems, services, or roles within the organization. By allowing a Core Identity to own multiple Person Objects, EmpowerID provides a flexible and comprehensive approach to identity management.
EmpowerID RBAC Actor Types
Objects representing collections of people to which policies can be assigned. These include Person, Group, Management Role Definition, Management Role, Query-Based Collection, Business Role and Location.
Accounts – Accounts are users inventoried from external systems and may or may not have a single person assigned as the owner. Accounts such as service identities can be managed but do not always require a Person object for management. Often a person object will be created anyway to leverage the ease of assigning RBAC policies for group membership and other access. Accounts in social media systems or web applications are linked to a person to facilitate single sign-on between systems.
Person – A Person is an object in EmpowerID that represents a human being. A Person typically owns multiple user accounts in external systems such as Active Directory, Azure AD, Facebook, SAP, etc.
Business Role and Location – In EmpowerID, a Business Role is a user-defined hierarchical container for a grouping of EmpowerID Person objects that can be used for delegating access to resources based on a particular job function; in its simplest form, an EmpowerID Location is a container for holding resources. These two objects combine in EmpowerID to determine a collection of people based on job function and location within an organization.
Group – Groups are collections of users that can be used as vehicles to grant access to user accounts belonging to them.
Management Role – Management Roles are user-defined containers holding collections of Access Levels that have been packaged into responsibility or job-based bundles to allow for the quick and easy bulk assignment of access to resources across multiple systems. They are like groups in EmpowerID that are not limited to granting access to only the resources in a single system. Management Roles have a single-level hierarchy, inheriting access from their Management Role Definition.
Query-Based Collections – Query-based Collections, also known as Set Groups, are logical bundles of Sets (queries made against the EmpowerID Identity Warehouse that result in collections of people or resources) grouped together with a friendly name for resource management. Set Groups offer advantages over groups and roles in that they can contain any type of resources, are continuously evaluated to ensure they contain the appropriate resources, and can be used as actors as well as be the recipients of EmpowerID policies for provisioning, deprovisioning, attribute assignment, password policies, etc.
Jobs
EmpowerID functionality is broken down into a large number of granular "jobs," which are hosted and run in Windows services that communicate back to the EmpowerID Identity Warehouse over REST Web services. Jobs are either specific tasks that run on a scheduled basis (such as Inventory) or REST Web Services used in workflow processes.
Location
An EmpowerID Location is a container for holding resources.
Operations
Each EmpowerID Operation is a protected code object that, when executed within an EmpowerID workflow, allows a resource within EmpowerID or a custom application to be accessed in a way that is consistent with the operation and the type of resource being accessed. Some examples include adding users to groups, creating mailboxes, updating user attributes, and viewing certain objects such as EmpowerID pages and reports.
OrgRole
An OrgRole is an object in EmpowerID that represents a person's Business Role. Business Roles are always assigned to people in conjunction with an Organizational Location.
OrgZone
An OrgZone is an Organizational Location / Business Context that is always assigned in conjunction with a Business Role. For resources that are not Person objects, Locations are used to organize them into hierarchies for the management of inherited access policies.
Person
A Person is an object in EmpowerID that represents a human being. A Person typically owns multiple user accounts in external systems such as Active Directory, Azure AD, Facebook, SAP, etc. The EmpowerID Person is the base identity in the EmpowerID RBAC model, without which a user cannot access any resources or perform any tasks.
Personas
A person's core identity can be linked to multiple sub-person objects, which are the professional identities (i.e., have the business information attached).
Polyarchical RBAC
Business Roles and Locations are both hierarchical trees. People are assigned to one or more Business Roles for a specific Location/Context. This polyarchy dramatically reduces the number of roles and eliminates role bloat.
Resources
Resources are the lowest level secured base objects in EmpowerID for which management tasks can be performed. All objects of any type managed by EmpowerID in a secure fashion have a resource entry in the EmpowerID Identity Warehouse.
Resource Systems
Resource systems define the specific system within which a resource resides. They can include Active Directory domains, LDAP directories, HR systems, Microsoft Exchange Organizations, SharePoint Farms, custom applications, and even the EmpowerID system.
Risk Management
Risk management is the process of managing risks associated with an organization’s IT resources. It involves identifying, assessing, and treating risks to those resources in a manner that best reflects the organization’s risk tolerance. EmpowerID Risk management has the following components:
Global Function
Business-specific activity, usually in the form of Verb Noun, e.g., Create Purchase Order. Defines the business activity, risk level, and mitigating controls.
Local Function
Local version of a function used in risk policies. Localized means that it can specify the “where” for the function; e.g., Create Purchase Orders in Widgets sub-company.
Global Risk
Policies that define functions that are critical/sensitive or those where two combinations of functions produce a toxic combination or SOD violation.
Local Risk
The local version of a global risk. Local risks are scoped to a specific instance of an application
Risk Owner
Risk owners are business users responsible for risks and have the ability to approve, mitigate or remediate violations.
Rules
Rules are the functions added to local risk policies.
Mitigating Controls
Checks and balances assigned to global risks that can be linked to violations if the risk owner decides that the violation should be allowed (mitigated). For example, “Bob” checks the record of purchase orders monthly to mitigate the risk that he might engage in unethical behavior.
Violation
A violation occurs when the rules that comprise a local risk are broken. Violations only occur for local risks. EmpowerID distills all violations down to the person violating the rule, regardless of how they received the violating functions. For example, if numerous people belong to a role that has the function, EmpowerID flags each person in the role as a violator to give you a full picture of the magnitude of the risk. Risk owners can view the exact assignment point that caused the person to be in violation.