EmpowerID's Identity Administration feature allows authorized individuals to manage a variety of objects, including user accounts, shared folders, SharePoint sites, and computers, through a controlled web interface and workflows. The real-time hybrid security model employed by EmpowerID combines Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC) to determine which objects an individual can view and what management tasks they can perform. This approach eliminates the need to delegate native permissions in the systems where objects are managed, streamlining Identity Administration with a single interface and security model. To implement an effective Identity Administration strategy, it's essential to identify various "Personas" in your environment and categorize them based on the objects they can access and the actions they can perform.
EmpowerID enables users to securely manage objects in both external systems and within EmpowerID itself, such as Azure AD User Accounts, SAP Roles, File Shares, SharePoint sites, and more. The combined RBAC, ABAC, and PBAC security controls dictate which users can manage specific objects and the actions they can perform. Additionally, the system handles logging, automatic approval routing, and workflow task generation for unauthorized actions.
The 3-tiered RBAC model in EmpowerID features an Access Levels tier at the bottom, defining the actions and native system permissions a user can perform on accessible resources. Access Levels are often assigned to RBAC Actors in higher tiers, such as Business Roles and Locations, Management Roles, and others. Operations, which are code snippets executed to perform tasks in EmpowerID workflows or via its API, are protected and can also serve as placeholders for applications to query access. Rights represent actual permissions used in external systems that can be granted in EmpowerID through Access Level assignments, like NTFS permissions for shared folders and mailbox ACLs in Microsoft Exchange. EmpowerID periodically pushes these permissions to the external system for any user granted access.