You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


Groups and Membership


The most important type of entitlement managed by EmpowerID is group membership. Most applications and directories use groups or user collections as the primary means of granting permissions to accounts. Since its inception, EmpowerID has provided robust group management and self-service capabilities. To achieve this, EmpowerID normalizes any collection of users in an external Account Store into the same set of tables and components for groups and their members. EmpowerID does not segregate groups by system types or group types into different tables or components, allowing it to offer a consistent set of functionalities for all currently connected system types and any future ones. All user interfaces, workflows, and APIs are designed to work for all groups in all systems.

EmpowerID inventories all groups from connected Account Stores into the Group table on a 10-minute interval by default. Inventory detects new groups as well as any deleted groups. It also retrieves the membership of each group and stores this information in the GroupAccount table. Any membership changes discovered are also logged in the GroupAccountHistory table for reporting purposes. For systems supporting the nesting of groups, EmpowerID stores this information in the GroupMemberGroup table.
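The following added example (not EmpowerID code, schema, or API) illustrates why a reviewer needs both the direct-membership history and the nesting data described above: it diffs two inventory snapshots and resolves effective membership through nested groups. The dictionaries, function names, and sample groups and accounts are hypothetical and only loosely modeled on the GroupAccount, GroupAccountHistory, and GroupMemberGroup tables.

```python
# Hypothetical in-memory model; all sample data below is constructed.
# Direct membership per group (the role GroupAccount plays on this page).
PREVIOUS = {"Finance": {"alice"}, "Admins": {"bob"}}
CURRENT = {"Finance": {"alice", "carol"}, "Admins": set(), "Ops": {"dave"}}
# Parent group -> nested child groups (the role GroupMemberGroup plays).
# The Admins <-> Ops cycle is deliberate: some directories allow it.
NESTING = {"Admins": {"Ops"}, "Ops": {"Admins"}}


def diff_membership(previous, current):
    """Return (group, account, change) rows for changes between two snapshots."""
    rows = []
    for group in sorted(set(previous) | set(current)):
        before = previous.get(group, set())
        after = current.get(group, set())
        rows += [(group, acct, "added") for acct in sorted(after - before)]
        rows += [(group, acct, "removed") for acct in sorted(before - after)]
    return rows


def effective_members(group, direct, nesting):
    """Accounts in `group` directly or through nested groups (cycle-safe)."""
    seen, stack, members = set(), [group], set()
    while stack:
        current_group = stack.pop()
        if current_group in seen:
            continue  # already expanded; prevents infinite loops on cycles
        seen.add(current_group)
        members |= direct.get(current_group, set())
        stack.extend(nesting.get(current_group, ()))
    return members


if __name__ == "__main__":
    for row in diff_membership(PREVIOUS, CURRENT):
        print(row)
    # Direct membership of Admins is now empty, yet nesting still grants access.
    print("Effective Admins:", sorted(effective_members("Admins", CURRENT, NESTING)))
```

In this constructed data the direct-membership diff shows only a removal from Admins, while the nested Ops group still places an account in Admins, so an access review based on direct membership alone would miss it.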

Some systems, such as Microsoft Azure AD and Teams, support the assignment of Accounts as Owners of the group within the Account Store. EmpowerID inventories this information and records changes in the GroupOwnerAccount and GroupOwnerAccountHistory tables, respectively.

EmpowerID not only provides reporting and change-tracking capabilities but also offers workflows for managing group membership and access requests. These workflows are designed to work with all Account Store connectors that support group functionality, providing a unified user experience. EmpowerID's workflows operate on the Group and GroupAccount API objects and make live changes based on the connector implementation of the Account Store Identity entry for that Security Boundary Type. The same connector code is used for both interactive workflows and background processes and jobs that enforce policy-based access.

https://youtu.be/7OKc81_V7FU

Group Administration
