You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

About Query-Based Collections

Owned by Phillip Hanegan
Last updated: Jan 09, 2024
3 min read

Query-Based Collections in EmpowerID offer a powerful way to unify connected account stores such as Active Directory, LDAP directories, SQL or Oracle databases, and external systems like HR systems. By providing live access to data from these sources, Query-Based Collections (also known as Set Groups) enable you to create dynamic groupings of people or resources based on SQL-based or code-based queries, known as “Sets.” SQL-Based Sets are created within the EmpowerID user interface and can be used to create collections based on information in the Identity Warehouse. Code-Based Sets, however, require development staff to create them in Workflow Studio and publish them to the Enterprise Workflow Server. These Sets can be used in connected account stores and external systems to return collections of people and resources, such as Shared Folders, Workflows, and EmpowerID Protected Controls.

Query-Based Collections can be used as an RBAC Actor type, similar to groups or Management Roles, to assign various types of access, provisioning policies, attribute assignments, password policies, and more. Essentially, Query-Based Collections serve as a type of RBAC-protected resource, allowing you to delegate creation and management permissions for enhanced access control and resource management.

Some key benefits of using Query-Based Collections in EmpowerID include:

  1. Dynamic groupings: Query-Based Collections enable you to create dynamic groups of people or resources based on specific criteria, ensuring that your collections stay up-to-date as your organization evolves.

  2. Efficient resource management: By bundling Sets into Query-Based Collections, you can manage resources more efficiently and maintain a clear overview of your resource assignments.

  3. Flexible access control: Query-Based Collections allow you to grant various types of access and permissions to different Actor types, providing flexible and granular control over your resources.

  4. Delegated permissions: You can delegate the creation and management of Query-Based Collections to specific users or groups, empowering them to maintain collections relevant to their job functions.

By leveraging the power of Query-Based Collections in EmpowerID, you can create a unified, dynamic, and efficient access control system that adapts to your organization's needs and simplifies resource management.

What to read next

Create SQL Sets

SQL Sets are SQL queries that return a collection of resource objects from the EmpowerID Identity Warehouse, such as all people who have been hired in the last week. You can add these Sets to Query-Based Collections (SetGroups) and use them to make dynamic RBAC delegation assignments. [Read More]

Create Code-Based Sets

Code-based Sets are queries that can result in collections of people or collections of other resource types protected by EmpowerID. Each code-based Set requires a Set Runtime, which is a custom implementation of the EmpowerID API that allows C# code to be used to return a collection of EmpowerID object types. You create code-based Sets in Workflow Studio. [Read More]

Create Query-Based Collections

Query Based Collections (SetGroups) are logical groupings of Sets bundled together with a friendly name for resource management, such as "Helpdesk Technicians" or "High Security SharePoint Documents." Membership within a Query-Based Collection is dynamic. Each compilation of the Set Compiler Job adds and removes objects from each Query-Based Collection based on the query results of the Sets. [Read More]

Assign Access Levels to Query-Based Collections

Access Levels are bundles of EmpowerID operations and/or native system rights specific to a resource type that, when assigned to users, grants those users the ability to access IT resources in the manner specified by the Access Level. When you assign Access Levels to Query-Based Collections, each member of the Query-Based Collection will receive those Access Levels and be able to perform the tasks associated with them. For example, if you assign the Member Access Level for a generic group to a Query-Based Collection, each person in the collection will be granted group membership. [Read More]

Assign Query-Based Collections to Roles

Assigning Query-Based Collections to EmpowerID Roles gives everyone in the Query-Based Collection (QBC) access to any resources defined for those roles. [Read More]

Evaluate Query-Based Collections

Evaluating a Query Based Collection executes the query in each of the Sets belonging to the Collection. These evaluations are dynamic, adding and removing objects from the Collection as determined by the Sets. For example, if you have a Query-Based Collection with a Set that returns all people hired within the last week, the people in the Collection vary from week to week. [Read More]