Sources of Business Roles and Organizational Locations

Establishing Business Roles and Organizational Locations is usually the starting point for many EmpowerID projects. The best sources of this data are usually an organization’s HR or Human Capital Management (HCM) system and Active Directory. HR systems such as Workday, SuccessFactors, or SAP HCM maintain a rough organization structure and the positions occupied by all employees. Even when only available as user attribute data, these systems provide an invaluable source for the initial Business Roles and Organizational Locations that gets the analysis rolling. EmpowerID can also include additional sources such as the “Sensitive Attributes” file maintained by the customer. EmpowerID’s out-of-the-box connector model supports inventorying this data into what is known as “External Roles” and “External Locations.” At any point in time, EmpowerID knows the organization's external roles and locations and which users are assigned to each. Active Directory is often a rich source for the Organizational Locations because some portions of the AD OU tree represent a hierarchical view of the company.

Once this external data resides within the EmpowerID system, it can generate an initial Business Role and Organizational Location tree. A one-to-one match between external roles and locations and their internal counterparts is neither required nor desired. EmpowerID’s role and location mapping technology, “RBAC Mapping,” allows the internal trees to be designed independently of the actual external structures, which may be more rigid and not optimally designed for managing access.

Figure: RBAC Mapper showing external role mappings

3.2.5.2 Dynamic Attribute-Based Maintenance of User to Role Assignments

Once an organization has generated its roles, the burden of maintaining accurate membership can be reduced by employing a Dynamic Roles model, a hybrid of RBAC and ABAC technologies. Dynamic roles are assigned to users by attribute-based policies. An example of one of these policies is the RBAC Mapping technology mentioned above. RBAC Mapping allows “sensitive attributes” in external authoritative source systems to automate Business Role and Location assignment, continuously ensuring that users are assigned to the correct compliant roles in EmpowerID. These attribute changes are typically the key driver for the Joiner, Mover, and Leaver process and ensure Day Zero access for employees in their new positions and Day Zero termination when they leave. Automation based on authoritative system changes is a key driver in continuous Compliant Access Delivery, eliminating laborious and expensive manual administration.

3.2.5.3 Dynamic Hierarchies

Another powerful policy engine included in EmpowerID is known as Dynamic Hierarchies. EmpowerID’s Dynamic Hierarchies engine is like an autopilot for creating attribute-driven roles. The idea behind Dynamic Hierarchies is simple: organizations require self-maintaining roles based on attribute combinations such as location, company, division, department, and title. Any attribute within the EmpowerID Identity and Entitlement Warehouse can be used in a policy. A customer’s “sensitive attributes” file could be brought in for management within EmpowerID and be a source for Dynamic Hierarchy Policies. These policies define the attribute rules that generate the internal or external roles and locations from the distinct combinations of attributes found in an organization’s data, and they maintain the matching members. The lifecycle of these dynamic roles is handled automatically: new roles are created as new combinations of attributes appear, and older roles are retired when they no longer have members. Dynamic Hierarchies save organizations time and money and improve the ability of users to collaborate effectively.
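
The two mechanisms described in this section and the previous one, RBAC Mapping (external role and location values resolved to an independently designed internal tree) and Dynamic Hierarchies (roles generated and retired from distinct attribute combinations, with membership recomputed on every feed), can be illustrated with a small model. The following Python is an added example written for this page, not EmpowerID code; the user records, position ids, OU paths, mapping tables and the `POLICY` attribute tuple are all constructed placeholders, and the function names (`map_user`, `unmapped_users`, `dynamic_roles`, `reconcile`) are hypothetical.

```python
from collections import defaultdict

# Constructed sample users as inventoried from an HR feed (position id plus
# "sensitive" attributes) and Active Directory (OU path). Every id, OU and
# name below is a placeholder, not data from any real system.
USERS = [
    {"id": "alice", "ext_role": "POS-1001", "ext_location": "OU=Berlin,OU=DE,DC=example,DC=com",
     "company": "Contoso", "department": "Finance", "title": "Analyst"},
    {"id": "bob", "ext_role": "POS-1002", "ext_location": "OU=Berlin,OU=DE,DC=example,DC=com",
     "company": "Contoso", "department": "Finance", "title": "Analyst"},
    {"id": "carol", "ext_role": "POS-2001", "ext_location": "OU=Munich,OU=DE,DC=example,DC=com",
     "company": "Contoso", "department": "Sales", "title": "Manager"},
    {"id": "dave", "ext_role": "POS-9999", "ext_location": "OU=Legacy,DC=example,DC=com",
     "company": "Contoso", "department": "Sales", "title": "Rep"},
]

# Hypothetical RBAC Mapping tables: two HR positions collapse onto one internal
# Business Role, and the internal location tree is named independently of the
# AD OU layout (no one-to-one match required).
ROLE_MAP = {"POS-1001": "Finance Analyst", "POS-1002": "Finance Analyst", "POS-2001": "Sales Manager"}
LOCATION_MAP = {
    "OU=Berlin,OU=DE,DC=example,DC=com": "Germany/Berlin",
    "OU=Munich,OU=DE,DC=example,DC=com": "Germany/Munich",
}
# Attributes a Dynamic Hierarchy policy keys on (one role per distinct combination).
POLICY = ("company", "department", "title")


def map_user(user, role_map=ROLE_MAP, location_map=LOCATION_MAP):
    """RBAC Mapping: resolve a user's external role/location to the internal pair.
    An unmapped value yields None so the user is flagged for review rather than
    silently granted access under a guessed role."""
    return role_map.get(user["ext_role"]), location_map.get(user["ext_location"])


def unmapped_users(users):
    """Users whose external role or location has no mapping: a review queue."""
    return sorted(u["id"] for u in users if None in map_user(u))


def dynamic_roles(users, policy_attrs=POLICY):
    """Dynamic Hierarchy: build one role per distinct combination of the policy
    attributes, with membership derived from those same attributes. A record
    missing any policy attribute creates no role, so incomplete HR data cannot
    spawn a stray role."""
    roles = defaultdict(set)
    for u in users:
        key = tuple(u.get(a) for a in policy_attrs)
        if all(key):
            roles["/".join(key)].add(u["id"])
    return dict(roles)


def reconcile(previous, users, policy_attrs=POLICY):
    """Recompute the hierarchy from fresh source data and report its lifecycle:
    roles created for new attribute combinations, roles retired once they have
    no members, and per-user membership changes (the Joiner/Mover/Leaver signal)."""
    current = dynamic_roles(users, policy_attrs)
    created = sorted(set(current) - set(previous))
    retired = sorted(set(previous) - set(current))

    def by_user(roles):
        return {uid: role for role, members in roles.items() for uid in members}

    before, after = by_user(previous), by_user(current)
    changes = {uid: (before.get(uid), after.get(uid))
               for uid in set(before) | set(after)
               if before.get(uid) != after.get(uid)}
    return {"roles": current, "created": created, "retired": retired, "changes": changes}


if __name__ == "__main__":
    initial = dynamic_roles(USERS)
    # Next HR feed (constructed): carol has left and dave was promoted to Manager.
    next_feed = [dict(u, title="Manager") if u["id"] == "dave" else u
                 for u in USERS if u["id"] != "carol"]
    result = reconcile(initial, next_feed)
    print("unmapped:", unmapped_users(USERS))
    print("retired:", result["retired"])
    print("changes:", result["changes"])
```

Running the block shows the lifecycle the text describes: the "Contoso/Sales/Rep" role is retired because dave left it, while "Contoso/Sales/Manager" survives carol's departure because dave moved into it, and dave's unmapped AD location surfaces as a review item instead of an assignment.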

3.2.5.4 Role Modeling Inbox

If a customer is working with business consultants who use other role modeling tools, EmpowerID supports leveraging the roles and locations designed in those systems. The Role Modeling Inbox integrates external role and access management with EmpowerID by providing a set of inboxes into which role and access changes can be published. Configurable rules within EmpowerID determine whether these upstream decisions are put into effect automatically or must pass through workflow approval before becoming active.