
Resources and Resource Systems


As we discussed previously, one of EmpowerID’s primary use cases is to present an accurate picture of the security within each IT system in an organization's on-premises and cloud landscape. In addition to viewing and auditing this information, EmpowerID is used for Entitlement Management. Entitlement Management is defined as “Cataloging and managing all the accesses an account may have. This is the business process to provision access.”1

To provide these capabilities, EmpowerID periodically inventories “Protected Resources”1 from the systems a customer wants to manage. A Protected Resource is defined as “A system, a process, a service, an information object, or even a physical location that is subject to access control as defined by the owner of the resource and by other stakeholders, such as a business process owner or Risk manager.”

EmpowerID can inventory and manage a wide variety of protected resource types. To record which systems you wish to inventory and manage, on what schedule, and in which system each protected resource exists, EmpowerID maintains a table named “ResourceSystems”. EmpowerID itself contains protected resources for its pages, roles, APIs, etc., which are assigned to the EmpowerID Resource System. Each system that contains protected resources you wish to manage must be registered as a Resource System in the EmpowerID Identity Warehouse, where it is assigned a unique ResourceSystemID and ResourceSystemGUID.

The protected resources themselves can be many different types of objects: accounts, groups, computers, Azure subscriptions, SharePoint Online Site Collections, and many others. Each protected resource is inserted as a record into the Resource table in the Identity Warehouse and assigned a unique ResourceID and ResourceGUID. The ResourceGUID is most often the object's actual unique identifier in its external system, if that identifier is available in GUID format. From now on, we’ll refer to protected resources simply as resources to align with EmpowerID component terminology. It is also important to note that each resource record is assigned a ResourceTypeID, which defines the type of resource or object. EmpowerID maintains a ResourceType record as the definition of each type of protected resource it can manage and secure. The Resource Type of a resource becomes important later when we discuss inventorying permissions for resources and managing who has what level of access to view and manage these resources using EmpowerID.

One question some of you might be asking is “how does EmpowerID store any useful data about such a wide variety of resource types in a single Resource table?” The answer is that it doesn’t. As we mentioned in a previous module, the Identity Warehouse contains over 1,200 tables. There is a table for each resource type to hold the information pertaining to that type of resource. Entries in these tables always have a pointer back to the ResourceID and ResourceGUID of their resource record. Having a unique table per resource type allows a richer user experience when viewing information about these resources and when managing them.
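The following is an added illustration of the data model described in the three paragraphs above (ResourceSystems, Resource, ResourceType, and one detail table per resource type). It is constructed for this page and is not EmpowerID's schema or code: only the table names ResourceSystems, Resource and ResourceType and the ID columns ResourceSystemID, ResourceSystemGUID, ResourceID, ResourceGUID and ResourceTypeID come from the text; the Account and Group detail tables, every other column, and the sample systems and objects are assumptions. It also shows the ResourceGUID rule from above: the external system's identifier is reused when it is already a GUID, and a new one is minted otherwise.

```python
import sqlite3
import uuid

# Constructed sketch of the warehouse layout. Table/ID names follow the page;
# all other columns (Name, LogonName, Disabled, MemberCount) are assumptions.
SCHEMA = """
CREATE TABLE ResourceSystems (
    ResourceSystemID   INTEGER PRIMARY KEY,
    ResourceSystemGUID TEXT NOT NULL UNIQUE,
    Name               TEXT NOT NULL UNIQUE
);
CREATE TABLE ResourceType (
    ResourceTypeID INTEGER PRIMARY KEY,
    Name           TEXT NOT NULL UNIQUE
);
CREATE TABLE Resource (
    ResourceID       INTEGER PRIMARY KEY,
    ResourceGUID     TEXT NOT NULL UNIQUE,
    ResourceTypeID   INTEGER NOT NULL REFERENCES ResourceType(ResourceTypeID),
    ResourceSystemID INTEGER NOT NULL REFERENCES ResourceSystems(ResourceSystemID),
    Name             TEXT NOT NULL
);
-- One detail table per resource type; every row points back at its Resource record.
CREATE TABLE Account (
    ResourceID   INTEGER PRIMARY KEY REFERENCES Resource(ResourceID),
    ResourceGUID TEXT NOT NULL UNIQUE REFERENCES Resource(ResourceGUID),
    LogonName    TEXT NOT NULL,
    Disabled     INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE "Group" (
    ResourceID   INTEGER PRIMARY KEY REFERENCES Resource(ResourceID),
    ResourceGUID TEXT NOT NULL UNIQUE REFERENCES Resource(ResourceGUID),
    MemberCount  INTEGER NOT NULL DEFAULT 0
);
"""


def open_warehouse():
    """In-memory warehouse with the two (assumed) resource types pre-registered."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # enforce the back-pointers
    conn.executescript(SCHEMA)
    for type_name in ("Account", "Group"):
        conn.execute("INSERT INTO ResourceType(Name) VALUES (?)", (type_name,))
    return conn


def register_system(conn, name):
    """Register an external system; it receives its own ID and GUID."""
    cur = conn.execute(
        "INSERT INTO ResourceSystems(ResourceSystemGUID, Name) VALUES (?, ?)",
        (str(uuid.uuid4()), name))
    return cur.lastrowid


def resource_guid(external_id):
    """Reuse the external identifier when it already is a GUID, otherwise mint one."""
    try:
        return str(uuid.UUID(str(external_id)))  # accepts {braced} and upper-case forms
    except ValueError:
        return str(uuid.uuid4())


def register_resource(conn, system_id, type_name, name, external_id=None, **attrs):
    """Insert the shared Resource row, then the type-specific detail row."""
    guid = resource_guid(external_id)
    (type_id,) = conn.execute(
        "SELECT ResourceTypeID FROM ResourceType WHERE Name = ?", (type_name,)).fetchone()
    cur = conn.execute(
        "INSERT INTO Resource(ResourceGUID, ResourceTypeID, ResourceSystemID, Name) "
        "VALUES (?, ?, ?, ?)", (guid, type_id, system_id, name))
    rid = cur.lastrowid
    if type_name == "Account":
        conn.execute(
            "INSERT INTO Account(ResourceID, ResourceGUID, LogonName, Disabled) VALUES (?, ?, ?, ?)",
            (rid, guid, attrs.get("logon_name", name), int(attrs.get("disabled", False))))
    elif type_name == "Group":
        conn.execute(
            'INSERT INTO "Group"(ResourceID, ResourceGUID, MemberCount) VALUES (?, ?, ?)',
            (rid, guid, attrs.get("member_count", 0)))
    return rid, guid


def resources_in_system(conn, system_name):
    """Inventory view: every resource of a system, answered from the shared tables alone."""
    return conn.execute("""
        SELECT t.Name, r.Name FROM Resource r
        JOIN ResourceType t ON t.ResourceTypeID = r.ResourceTypeID
        JOIN ResourceSystems s ON s.ResourceSystemID = r.ResourceSystemID
        WHERE s.Name = ? ORDER BY r.ResourceID""", (system_name,)).fetchall()


def disabled_accounts(conn):
    """Type-specific detail lives in Account; join back through ResourceID."""
    rows = conn.execute("""
        SELECT a.LogonName FROM Account a
        JOIN Resource r ON r.ResourceID = a.ResourceID
        WHERE a.Disabled = 1 ORDER BY r.ResourceID""").fetchall()
    return [logon for (logon,) in rows]


def build_sample_warehouse():
    """Constructed sample data: two systems, two accounts, two groups."""
    conn = open_warehouse()
    ad = register_system(conn, "Contoso AD")
    azure = register_system(conn, "Contoso Azure")
    # objectGUID-style identifier is reused as the ResourceGUID
    register_resource(conn, ad, "Account", "jdoe",
                      external_id="{3F2504E0-4F89-11D3-9A0C-0305E82C3301}",
                      logon_name="CONTOSO\\jdoe")
    # a distinguished name is not a GUID, so a fresh ResourceGUID is minted
    register_resource(conn, ad, "Account", "svc-backup",
                      external_id="CN=svc-backup,OU=Service,DC=contoso,DC=local",
                      logon_name="CONTOSO\\svc-backup", disabled=True)
    register_resource(conn, ad, "Group", "Domain Admins", member_count=3)
    register_resource(conn, azure, "Group", "Subscription Owners", member_count=2)
    conn.commit()
    return conn


if __name__ == "__main__":
    wh = build_sample_warehouse()
    for type_name, name in resources_in_system(wh, "Contoso AD"):
        print(f"{type_name:8} {name}")
    print("disabled:", disabled_accounts(wh))
```

The two query functions show why the split matters for audit work: `resources_in_system` needs only the shared Resource/ResourceType/ResourceSystems tables, so it works for every type uniformly, while a question such as "which accounts are disabled" can only be answered from the type-specific table and must join back through ResourceID.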

https://youtu.be/g86rqKy_mi0

1 Source: Bago, E. (Ed.) & Glazer, I. (2021) “Introduction to Identity - Part 1: Admin-time (v2)”, IDPro Body of Knowledge 1(5).