In EmpowerID, a Business Role is a user-defined hierarchical container for grouping EmpowerID Person objects that can be used to delegate access to resources based on a particular job function; in its simplest form, an EmpowerID Location is a container for holding resources. These two objects combine in EmpowerID to determine a collection of people based on their job function and location within an organization, allowing for polyarchical RBAC resource assignments. This is implemented in EmpowerID via tree interfaces (with inheritance) that allow for the intersection of Business Roles with Locations to support the following:
Static assignments of people – You can directly assign individuals to a Business Role and Location combination based on their job function and location that allows them to access the resources granted to the Business Role and Location. For example, if you have a "Sales Manager" Business Role and a "London" location that has been assigned all the resources that a Sales Manager in London needs, you can then assign the "Sales Manager-London" Business Role and Location to a specific EmpowerID Person. This will give that person access to all the resources you assigned to the Business Role and Location.
RBAC mapping – Business Role and Location mappings allow existing physical directory locations and roles to be mapped to logical EmpowerID Locations for an easy resource management strategy that hides the complexity of the back-end directory structure from business users. For example, if you have multiple AD or LDAP directory containers for London, those containers can be visually mapped to a single, virtual EmpowerID "London" location. Once the mapping occurs, the resources in the physical directory containers "belong" to the corresponding EmpowerID Location. Then when you assign people to a Business Role and Location, they receive access to the resources in that location in the manner defined by the Access Level assignments granted to the Business Role and Location.
SetGroup mapping – SetGroups that contain collections of EmpowerID Person objects can be mapped to Business Roles and Locations to allow the people in that SetGroup to receive the Access Level assignments granted to the Business Role and Location. For example, if you have users in your organization with a Job Title of "Help Desk Technicians" and a City of "New York," you can use a SetGroup to contain users with those attributes and then map the SetGroup to a corresponding EmpowerID Business Role and Location (such as the "Help Desk Technicians" Business Role in the "New York" location).
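As an added illustration (not EmpowerID code), the following Python models the three mechanisms above: a static assignment of a person to a Business Role and Location combination, a SetGroup mapped to a combination by Job Title and City, and the Access Level grants that everyone holding the combination receives. The class names (RoleLocation, SetGroup, RbacModel) and the sample people, resources and access levels are constructed for the example and do not reflect EmpowerID's internal object model.

```python
"""Added example (not EmpowerID code): a toy model of how a Business Role and
Location combination collects people, through static assignment and SetGroup
mapping, and how Access Level grants then flow to them. Names such as
RoleLocation, SetGroup, RbacModel and all sample data are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Person:
    name: str
    job_title: str
    city: str


@dataclass(frozen=True)
class RoleLocation:
    """A Business Role and Location combination, e.g. Sales Manager-London."""
    business_role: str
    location: str


@dataclass(frozen=True)
class SetGroup:
    """Attribute-driven set: anyone whose Job Title and City match is a member."""
    name: str
    job_title: str
    city: str

    def contains(self, p: Person) -> bool:
        return p.job_title == self.job_title and p.city == self.city


@dataclass
class RbacModel:
    people: list[Person] = field(default_factory=list)
    # static assignments: person name -> combinations assigned directly
    static: dict[str, set[RoleLocation]] = field(default_factory=dict)
    # SetGroup mapping: every member of the SetGroup is treated as holding the combination
    setgroup_maps: list[tuple[SetGroup, RoleLocation]] = field(default_factory=list)
    # Access Level assignments granted to a combination: (resource, access level)
    grants: dict[RoleLocation, set[tuple[str, str]]] = field(default_factory=dict)

    def assign(self, person: str, rl: RoleLocation) -> None:
        """Static assignment of one person to a Business Role and Location."""
        self.static.setdefault(person, set()).add(rl)

    def members(self, rl: RoleLocation) -> set[str]:
        """People who hold this combination, statically or via a mapped SetGroup."""
        held = {name for name, rls in self.static.items() if rl in rls}
        for sg, target in self.setgroup_maps:
            if target == rl:
                held |= {p.name for p in self.people if sg.contains(p)}
        return held

    def effective_access(self, person: str) -> set[tuple[str, str]]:
        """Union of the grants on every combination the person holds."""
        out: set[tuple[str, str]] = set()
        for rl, granted in self.grants.items():
            if person in self.members(rl):
                out |= granted
        return out


def build_sample() -> RbacModel:
    """Constructed sample data, not taken from any real tenant."""
    m = RbacModel(people=[
        Person("alice", "Sales Manager", "London"),
        Person("bob", "Help Desk Technician", "New York"),
        Person("carol", "Help Desk Technician", "New York"),
        Person("dave", "Help Desk Technician", "London"),
    ])
    sales_london = RoleLocation("Sales Manager", "London")
    helpdesk_ny = RoleLocation("Help Desk Technicians", "New York")
    m.assign("alice", sales_london)
    m.setgroup_maps.append(
        (SetGroup("NY Help Desk", "Help Desk Technician", "New York"), helpdesk_ny))
    m.grants[sales_london] = {("CRM-London", "Editor")}
    m.grants[helpdesk_ny] = {("Ticketing-NY", "Agent"), ("VPN-NY", "User")}
    return m


if __name__ == "__main__":
    model = build_sample()
    for who in ("alice", "bob", "dave"):
        print(who, sorted(model.effective_access(who)))
```

The point worth noticing for access reviews is in effective_access: a person's rights are the union over every combination they hold, and a SetGroup mapping confers exactly the same grants as a static assignment. A change to a person's Job Title or City attribute in the source directory therefore changes their access without any explicit assignment, so attribute changes and SetGroup-to-role mappings deserve the same review as direct assignments.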
Locations
To assign resources to users, those resources must be located somewhere. In EmpowerID, the "somewhere" is an object known as the "EmpowerID Location." An EmpowerID Location is a container used to group resources for scoping access to those resources. This occurs through the use of two types of Location trees: The "External Locations" tree and the "EmpowerID Locations" tree. The External Locations tree represents the location of resources in the actual resource systems to which EmpowerID is connected. EmpowerID maintains a dynamic link with these resource system locations, reflecting any changes in the structure of an external location in this tree. The EmpowerID Locations tree is a user-defined logical representation of an enterprise's organizational and geographical structure that can be mapped to actual resource locations in the External Locations tree.
When EmpowerID connects to a resource system, it copies the structure of that resource system into the External Locations tree, maintaining a dynamic link through it to the actual locations of the resources in the resource system. Once the External Locations tree is populated, you can create EmpowerID Locations, map them to the External Locations and then use those EmpowerID Locations for assigning the resources in your resource systems to the users in your organization.
Direct Static Assignment – Resources can be manually assigned to one or more EmpowerID Locations.
Implicit Assignment – Resources automatically belong to their resource system and their actual "location" in that system. For example, Active Directory objects belong to their OUs, and SharePoint objects belong to their site in the site tree.
RBAC Mapping – EmpowerID "logical" Locations can be created that map to one or more "physical" resource system locations. Once a mapping occurs, resources will automatically belong to any EmpowerID Location mapped to the actual resource system location of those resources.
Relative Location Assignment – Resources automatically belong to "relative" assignments that can be used with relative Access Levels.
Locations in EmpowerID include the following:
Logical Locations
Logical locations in EmpowerID represent an enterprise’s organizational and geographical structure in a way that mirrors its operational model. Logical locations are optional, user-defined tools that can be used to create intuitive, business-friendly nodes on a hierarchical locations tree, giving delegated users an easier way to interact with system resources. These logical locations map to the physical locations of your resource systems and always reflect the resources contained in those physical locations. When mapping occurs, all the resources or objects located in the directory are assigned to their corresponding logical location and can be used when delegating user rights. If a resource is removed from the external location, it is removed from the corresponding logical location; if a resource is added to the external location, it is added to the corresponding logical location.
External Locations
These are the locations of your resources in your resource systems.
All IT Systems
The All IT Systems location is a default EmpowerID location beneath which reside the locations for all the IT systems that EmpowerID protects, including the EmpowerID system itself. Within this location, EmpowerID creates and dynamically maintains the locations that represent the various resource systems, such as Active Directory, Microsoft Exchange, and Microsoft SharePoint, to which EmpowerID connects and which it manages via the inventory process. Resources inventoried from a managed resource system automatically exist in their corresponding EmpowerID location, and that location is updated whenever the resource moves in the external system. Because these locations map to actual resources, their internal structure should not be reorganized or modified.
These locations differ from standard EmpowerID locations in a few key ways:
Because these locations are maintained dynamically, the All IT Systems locations are hidden from the role and location selectors used to assign Business Roles and Locations to Person objects and are not intended for that purpose. The exception is when you want to use the actual structure of Active Directory as a business location rather than recreating it as a logical representation; in that case, you must map your directory.
These locations are maintained automatically via inventory. They move when moved in the external system and are deleted when deleted in the external system.
These locations are not mapped to external locations with the RBAC Mapper as they automatically map one-to-one to an actual external location.
Resources are not assigned to these locations as the resources belonging to these locations reflect what exists in the external location.
Resource Systems Locations
These special locations in EmpowerID represent the structure of the various resource systems to which EmpowerID is connected. These locations are contained under the All IT Systems node of the EmpowerID Locations tree.
EmpowerID provides several ways by which resources can belong to a location:
If a resource has been manually assigned to a location, then it belongs to that location.
Locations are resources that belong to themselves as a location.
Person objects belong to the location of the person's primary Business Role and Location. If a person is assigned a secondary Business Role and Location, the Person object does not belong to the secondary location. Person objects also belong to any locations to which the person is assigned manually as a resource or through a SetGroup.
If the resource has a path (currently user accounts, computers, Exchange mailboxes), the resource belongs to any locations mapped to an external location whose path matches the ParentPath field of the resource. When this is the case, the external location is actually the parent OU of the object in the external directory.
If the resource is an account and a person owns it (joined), the user account belongs to the person's primary Business Role and location.
If the resource is an Exchange Mailbox, and its account is assigned to a person, it belongs to the person's primary Business Role and location.
Special "Resource System Match" locations represent an Account Store or Resource System to which resources belong. These are designated as locations with ResourceSystemType = 12; a resource belongs to such a location when its ResourceSystem matches the MatchingResourceSystemID set on that location.
A resource belongs to any parent location of any location to which it has been assigned using the above criteria. The only exception to this rule is the location root node, Anywhere. Resources do not belong to this node unless they are direct children of that location or the resource has been explicitly assigned there.
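The following Python is an added example, not EmpowerID code, that resolves the rules just listed and the direct-static, implicit and RBAC-mapping cases listed earlier under Locations (relative location assignment and the Person and mailbox rules are left out). It applies manual assignment, a location belonging to itself, ParentPath matching against external locations mapped to an EmpowerID Location, the ResourceSystemType = 12 match, and parent inheritance with the Anywhere exception. The Location, Resource and LocationTree classes, the sample tree, the OU paths and the resource system id are all constructed for the example; in particular, the reading of "direct children" of Anywhere as a location whose parent is the root is an assumption.

```python
"""Added example (not EmpowerID code): a toy resolver for the rules that decide
which EmpowerID Locations a resource belongs to. Location, Resource,
LocationTree and the sample tree are assumptions made for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field

ANYWHERE = "Anywhere"        # root node of the EmpowerID Locations tree
RESOURCE_SYSTEM_MATCH = 12   # ResourceSystemType of a "Resource System Match" location


@dataclass
class Location:
    name: str
    parent: str | None                                     # None only for the root
    external_paths: set[str] = field(default_factory=set)  # external locations mapped with the RBAC Mapper
    resource_system_type: int | None = None
    matching_resource_system_id: str | None = None


@dataclass
class Resource:
    name: str
    parent_path: str | None = None      # ParentPath, e.g. the parent OU of an AD object
    resource_system_id: str | None = None
    manual_locations: set[str] = field(default_factory=set)  # direct static assignments
    is_location: bool = False           # locations are resources that belong to themselves


class LocationTree:
    def __init__(self, locations: list[Location]):
        self.by_name = {loc.name: loc for loc in locations}

    def direct_locations(self, r: Resource) -> set[str]:
        """Locations the resource belongs to before parent inheritance is applied."""
        found = set(r.manual_locations)                       # manual assignment
        if r.is_location:
            found.add(r.name)                                 # a location belongs to itself
        for loc in self.by_name.values():
            if r.parent_path is not None and r.parent_path in loc.external_paths:
                found.add(loc.name)                           # ParentPath matches a mapped external location
            if (loc.resource_system_type == RESOURCE_SYSTEM_MATCH
                    and r.resource_system_id is not None
                    and loc.matching_resource_system_id == r.resource_system_id):
                found.add(loc.name)                           # Resource System Match location
        return found

    def belongs_to(self, r: Resource) -> set[str]:
        """All locations including ancestors; Anywhere is never reached by inheritance alone."""
        result: set[str] = set()
        for start in self.direct_locations(r):
            result.add(start)
            node = self.by_name[start]
            while node.parent is not None:
                if node.parent == ANYWHERE:
                    # Assumption: a "direct child" of Anywhere is a location whose
                    # parent is the root; only such a location inherits membership
                    # in Anywhere. Anything else reaches Anywhere only by explicit assignment.
                    if r.is_location and node.name == r.name:
                        result.add(ANYWHERE)
                    break
                result.add(node.parent)
                node = self.by_name[node.parent]
        return result


def build_sample_tree() -> LocationTree:
    """Constructed sample tree; OU paths and the system id are made up."""
    return LocationTree([
        Location(ANYWHERE, None),
        Location("All IT Systems", ANYWHERE),
        Location("Corp AD", "All IT Systems",
                 resource_system_type=RESOURCE_SYSTEM_MATCH,
                 matching_resource_system_id="AD-1"),
        Location("EMEA", ANYWHERE),
        Location("London", "EMEA", external_paths={"OU=London,DC=corp,DC=example"}),
        Location("Sales", ANYWHERE),
    ])


# constructed sample resources
JDOE_ACCOUNT = Resource("jdoe", parent_path="OU=London,DC=corp,DC=example",
                        resource_system_id="AD-1", manual_locations={"Sales"})
EMEA_LOCATION = Resource("EMEA", is_location=True)
ORPHAN = Resource("svc-unmapped", parent_path="OU=Orphans,DC=corp,DC=example")

if __name__ == "__main__":
    tree = build_sample_tree()
    for res in (JDOE_ACCOUNT, EMEA_LOCATION, ORPHAN):
        print(res.name, sorted(tree.belongs_to(res)))
```

Running it shows the account jdoe landing in five locations from three separate rules (Sales by manual assignment, London and its parent EMEA by ParentPath mapping, Corp AD and its parent All IT Systems by the resource system match) while never reaching Anywhere, and the unmapped service account landing nowhere. When auditing who can reach a resource, this union across rules is what matters: an Access Level scoped to EMEA covers jdoe even though nobody assigned the account there.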
Related
Map EmpowerID Locations to External Locations
Create Business Role and Location Combinations
Assign Access Levels to Business Role and Location Combinations
Assign Management Roles to Business Role and Location Combinations
Map Groups to Business Role and Location Combinations
Add People to Business Role and Location Combinations
View Members of Business Role and Location Combinations