Access Levels (RBAC)
The bottom tier in the EmpowerID RBAC model comprises technical roles, known as Access Levels. Access Levels are bundles of EmpowerID Operations and/or native system rights specific to a resource type (such as Exchange mailboxes or user accounts) that when assigned to users give those users the ability to access IT resources in the manner specified by the Access Level. Each resource type has its own set of Access Levels defined with different combinations of EmpowerID operations and rights (where applicable) to ensure that the level of access to the resources remains consistent for the type and the assignment. For example, one of the Access Levels in EmpowerID is the Contribute Access Level for Microsoft SharePoint. In the native application, Contribute permissions convey a specific level of access in SharePoint, such as allowing for the adding, editing, and deleting of items in existing SharePoint lists and document libraries. The Contribute Access Level for each appropriate SharePoint resource type (SharePoint Document, SharePoint Folder, SharePoint List, and SharePoint Web Site) is defined with these same rights so that the meaning of Contribute in EmpowerID is exactly the same as it is in SharePoint. EmpowerID allows Access Levels like these to be defined for every type of resource managed by EmpowerID so that those levels of access are codified and enforced for each assignment of an Access Level to a user.
About EmpowerID Operations
Operations are “protected bits of code” executed to perform these tasks in EmpowerID workflows or via its API. Operations can also be arbitrary, not performing any action just serving as a placeholder for applications to query and determine access. |
|
Rights in EmpowerID
| Rights represent actual permissions used in an external system that can be granted in EmpowerID via Access Level assignments. The EmpowerID enforcement engine “pushes” these permissions out to the external system on schedule for any user to which they have been granted. Examples of rights include NTFS permissions for shared folders and mailbox acls in Microsoft Exchange. |
Access Levels can be defined with both EmpowerID Operations and Rights
Access Levels
|
|
The Persona Worksheet will help uncover all the unique combinations of operations and rights for various managed object types (aka Resource Types). These combinations may already exist in the shipping Access Levels management roles defined for each type of resource. If not, new Access Levels can be created or existing Access Levels modified.
Related Docs Topics: