Business Roles and Locations

Owned by Patrick Parker
Last updated: Aug 18, 2021 by Phillip Hanegan
4 min read

Business Roles are the top tier in the EmpowerID 3-tiered RBAC model.

EmpowerID’s unique approach to Business Roles solves RBAC's fundamental weakness, known as the “role explosion” problem. Organizations often end up with large numbers of roles to accommodate people performing the same job function within an organization but in different geographies or areas of the company. To accommodate the slight differences between “organizational locations” for a position, they are forced to create and manage many very similar Business Roles. This role duplication is known as “role explosion.” Often organizations with an inflexible RBAC system will end up managing thousands of roles and be forced to build roles for each simple access case. 

Simple Example of the Role Explosion Challenge

 

To solve the role explosion challenge, EmpowerID provides a unique two-trees or “polyarchical” RBAC approach. The top tier or Business Role tier describes a user’s position in the organization in combination with a hierarchical Organizational Location representing where within the organization or in which context the user performs their Business Role. This position is visualized as two trees with people assigned to one or more Business Roles combined with an Organizational Location. A person’s Business Roles bundles up direct technical entitlements and, more commonly, Task or Activity-Based roles.

Screenshot of the people assigned to Business Roles and Locations

Benefits of Business Roles and Locations:

  • Business Roles and Locations provide a familiar and commonly accepted grouping mechanism that non-technical users of the system can recognize and easily navigate.  The structure can be mapped to the organizational structure of the business.

  • Provides an anchor point for mapping external roles and locations from connected systems so that the master person identities can be provisioned into a business structure

  • Business Roles and Locations can be architected to leverage powerful and complex inheritance relationships to allow you to anchor common access and policy assignments very efficiently at varying inheritance levels.  Inheritance eliminates the need to create unnecessary duplicate assignments.

  • Provides a structure for rolling up multiple and varied assignments to a common anchor point allowing the administrator to accumulate widely varying types of assignments and policies to an easily recognized business structure.

Combining Business Roles and Locations in Delegations

  • In EmpowerID, access is never assigned to just a business role or a business location.  All organizational assignments must have both a role and a location assignment.

  • Leveraging inheritance you can essentially create a one-sided assignment by specifying a granular target on one of the trees and a broadly inherited assignment on the other tree.

Business Roles vs. Other RBAC Actors

  • The Business Role and Location structure should be used for common assignments that apply to a large group of people that have a basic organizational commonality such as a business unit, department, job function, or geographic relationship

  • Business role and locations should be used when there is an opportunity to leverage inheritance either on the business role or business location hierarchies to provide common assignments.

  • Direct assignment of Management Roles to individuals is recommended when the assignments are less organizational and more request-based, team-based, project-based or apply to a more narrow set of people within an organizational or job-related grouping.

  • Direct management role or group assignment is also preferred if assignments need to be based on a dynamic attribute or another aspect of a person’s identity.  These assignments can be applied using EmpowerID’s Dynamic Hierarchy Assignment Policies.

Design Strategies and Considerations

  • When designing your business role and location structure there are a few key questions that you should ask yourself:

    • Will the system be used by non-technical, business-oriented employees or only by centralized, technical, IT staff?

    • What is the architecture of the target back-end resource systems that EmpowerID needs to automatically provision to or provide access to?

    • What entitlements (accounts, mailboxes, home folders) will need to be automatically provisioned?

    • What other access assignments will need to be automatically provisioned?

General Tips and Advice

  • Don’t try to boil the ocean!  Start out by identifying the critical assignment points and mappings to your back-end systems and establish a base architecture that will support the direction you want to go.  Then configure the base structure and begin assigning the global assignments and entitlements.  You can always get more granular and grow the configuration as you become more comfortable with the system and with your understanding of the patterns within your organization.

  • Not all job titles represent unique technology assignments.  Look for areas that you can consolidate job roles and location structures.  If a secretary, janitor, receptionist, and file clerk do not need to have special access outside of the department they are in then consider rolling all of these job titles into a single role called “Employee”.  Create unique roles only for job functions that have distinct access requirements or entitlements.

Related Docs Topics:

Business Roles and Locations