You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


Overview of Functions



EmpowerID uses the concept of "functions," which are "business-defined activities that a person can perform within one or more applications." Functions represent user actions in IT systems using the organization's everyday business language. For instance, creating a purchase order in a business process could be defined as a function. In SAP, this right is identified by the transaction code (TCode) ME21N, but in user-friendly terms it may be represented as "Create Purchase Order."

Functions are utilized as foundational elements to define users' abilities within technical systems. Organizations create risk policies based on these functions, naming them in line with their business language. Functions are then linked with their respective entitlements in different applications by business process and technical application specialists. This enables the risk management engine to periodically review user privileges and functions.

There are two types of functions in EmpowerID: Global Functions and Local Functions.

Global Functions

Global functions represent the system-wide privileges that can be assigned to users across multiple applications. Examples could be "Create Purchase Orders" or "Create Groups", depending on the company's operational terminology. These are "system agnostic", meaning they can denote rights across various applications, such as ServiceNow, AWS, SAP, Salesforce, and EmpowerID. For instance, a "Create Group" action in various applications can be represented by a single "Create Group" global function in EmpowerID.

Image 2: Global Function representing a user action applicable across multiple systems

The first step in using Functions is to determine the user actions within an organization’s applications and create corresponding global functions. Once set, these global functions can then accommodate local functions.

Local Functions

Local functions are specific instances of global functions, denoting actions within precise entities, systems, and locations as per an organization’s business framework. Local functions are added to global functions, associating generic actions with the precise contexts in which they occur. For instance, "Create Groups in Austria" or "Create Purchase Order in SAP Prod" could be local functions under the respective global functions. A global function can have multiple local functions, as necessary.

Image 3: The correlation between local and global functions

Function Mapping

Functions, in themselves, are mere placeholders representing potential user actions within the IT infrastructure. To become operational, they must be linked to precise rights and roles sourced from your connected applications. In EmpowerID, this is termed as adding "function mapping rules" to functions, which happens initially at the global function level, followed by the local function level.

Global Function Mapping

At the global function level, function mapping involves adding "rules" to the function: the global rights, global roles and local functions that logically represent what users with the function could do. If you create a "Create Azure Groups" global function to monitor who can create groups in Azure, you should add only those function mapping rules related to this specific action.

Image 4: Function Mapping Rules at the global function level

From Image 4, three types of function mapping rules are visible:

  • Global Rights Granting Function (Mapped) – Indicates the global rights, if any, associated with the function. In this example, the global rights would be those permitting someone to create groups in Azure.

  • Global Roles Granting Function (Mapped) – Indicates the global roles, if any, associated with the function. Here, the global roles would be the Azure roles allowing someone to create groups in Azure.

  • Local Functions – Specifies the local functions that will derive from the global function. All local functions should have a relationship to the parent global function. In this case, a local function might be "Create Azure Groups in Austria."

Local Function Mapping

Local functions are established by incorporating them into global functions as function mapping rules. For instance, using the "Create Azure Groups" global function, if you wish to identify who could potentially form groups in an Azure tenant in Austria, you could incorporate "Create Azure Groups in Austria" as a function mapping rule.

Image 5: Representation of Local Functions as Function Mapping Rules

After a local function is linked to a global function via a function mapping rule, you can then associate the local function with specific local rights or roles. Local function mappings encompass the following possibilities:

  • Local Rights Granting Function (Mapped) – This outlines the local rights, if any, linked to the function. Local rights that can be associated with local functions depend on the global rights linked to the parent global function. Any right not initially mapped in the parent global function cannot be chosen for the local function.

  • Local Roles Granting Function (Mapped) – This details the local roles, if any, connected to the function. Local roles that can be connected to local functions rely on the global roles linked to the parent global function. A role that is not initially mapped in the parent global function cannot be selected for the local function.

  • Assignees Granting Local Function (Mapped) – This enables you to designate one or more EmpowerID actor types associated with the function. Actor types can comprise:

    • Business Role and Location – All people belonging to the Business Role and Location will be flagged as having the function

    • Group – All people belonging to the group will be flagged as having the function

    • Management Role – All people belonging to the Management Role will be flagged as having the function

    • Management Role Definition – All people belonging to the Management Roles derived from the definition will be flagged as having the function

    • Person – The specified person will be flagged as having the function

    • Query-Based Collection – All people belonging to the Query-Based Collection will be flagged as having the function
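The mapping model described in this section, as an added illustration that is not EmpowerID's own code: a global function carries the global rights and roles mapped to it, a local function may only map a subset of those, and a person is flagged as having the local function through a mapped right, a mapped role, or an assignee (only the Group and Person actor types are modelled). All class, function and right/role names below are assumptions.

```python
# Added illustration of the function-mapping model above (not EmpowerID code); names are assumed.
from dataclasses import dataclass, field


@dataclass
class GlobalFunction:
    name: str
    global_rights: set    # "Global Rights Granting Function" rules
    global_roles: set     # "Global Roles Granting Function" rules
    local_functions: list = field(default_factory=list)


@dataclass
class LocalFunction:
    name: str
    parent: GlobalFunction
    local_rights: set     # must be a subset of parent.global_rights
    local_roles: set      # must be a subset of parent.global_roles
    assignee_groups: set  # "Group" actor-type assignees
    assignee_people: set  # "Person" actor-type assignees


def add_local_function(parent, name, rights, roles, groups=(), people=()):
    """Attach a local function to its parent as a mapping rule, rejecting
    any local right or role that the parent global function does not map."""
    unmapped = (set(rights) - parent.global_rights) | (set(roles) - parent.global_roles)
    if unmapped:
        raise ValueError(f"not mapped in parent '{parent.name}': {sorted(unmapped)}")
    lf = LocalFunction(name, parent, set(rights), set(roles), set(groups), set(people))
    parent.local_functions.append(lf)
    return lf


def people_with_function(lf, person_rights, person_roles, group_members):
    """People flagged as having the local function: holders of a mapped local
    right or role, members of a mapped group, or a directly mapped Person."""
    flagged = set(lf.assignee_people)
    for group in lf.assignee_groups:
        flagged |= group_members.get(group, set())
    flagged |= {p for p, r in person_rights.items() if r & lf.local_rights}
    flagged |= {p for p, r in person_roles.items() if r & lf.local_roles}
    return flagged


# Constructed sample data following the page's "Create Azure Groups" example.
CREATE_AZURE_GROUPS = GlobalFunction("Create Azure Groups",
                                     {"Azure:Group.Create"}, {"Azure:GroupsAdministrator"})
AUSTRIA = add_local_function(CREATE_AZURE_GROUPS, "Create Azure Groups in Austria",
                             rights={"Azure:Group.Create"}, roles=set(),
                             groups={"AT-IT-Admins"}, people={"bob"})
```

A person holding a global role that the local function does not map (here "Azure:GroupsAdministrator") is not flagged for the Austria local function, which is the point of narrowing a global function to a local context.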

Create Global Functions

Map Global Functions

Create Local Functions

Map Local Functions
