
Account Stores and Resource Systems

(Version 5, an older version of this page.)

As we discussed previously, one of EmpowerID's primary use cases is to present an accurate picture of the security within each IT system in an organization's on-premises and cloud landscape. In addition to viewing and auditing this information, EmpowerID is used for Entitlement Management, which is defined as "Cataloging and managing all the accesses an account may have. This is the business process to provision access."[1]

To support these capabilities, EmpowerID periodically inventories "Protected Resources"[1] from the systems a customer wants to manage. A Protected Resource is defined as "A system, a process, a service, an information object, or even a physical location that is subject to access control as defined by the owner of the resource and by other stakeholders, such as a business process owner or Risk manager."

EmpowerID can inventory and manage a wide variety of protected resource types. To configure which systems to inventory and manage, on what schedule, and to track which system each protected resource belongs to, EmpowerID maintains a table named "ResourceSystems". EmpowerID itself contains protected resources for its pages, roles, APIs and so on, which are assigned to the EmpowerID Resource System. Each system containing protected resources you wish to manage must be registered as a Resource System in the EmpowerID Identity Warehouse, where it is assigned a unique ResourceSystemID and ResourceSystemGUID.

The protected resources themselves can be many different types of objects: accounts, groups, computers, Azure subscriptions, SharePoint Online Site Collections, and many others. Each protected resource is inserted as a record into the Resource table in the Identity Warehouse and assigned unique values for its ResourceID and ResourceGUID. The ResourceGUID is most often the object's actual unique identifier in its external system, if that identifier is available in GUID format. From now on, we'll refer to protected resources simply as resources, in line with EmpowerID component terminology. Also important to note is that each resource record is assigned a ResourceTypeID, which defines the type of resource or object. EmpowerID maintains a ResourceType record as the definition of each type of protected resource it can manage and secure. The resource type of a resource becomes important later when we discuss inventorying permissions for resources and managing who has what level of access to view and manage those resources using EmpowerID.

selected object types and their information from the systems a customer desires to manage.

the user account objects from these "external" or "managed" systems into the Account table. From here on we'll refer to them simply as Accounts, to avoid confusion with the terms user account or user. Accounts are users from external systems, while Person objects are the primary identity or user object within the EmpowerID system. External systems containing user accounts are known as "Account Stores" in EmpowerID terminology and will be referred to as such going forward.
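To make the relationships described above concrete (a registered Resource System per managed system, one Resource row per inventoried object keyed by its external GUID and tagged with a ResourceTypeID, and Account rows tied to an Account Store), here is an added worked example. It is not EmpowerID code or its real schema: only the table and identifier names that appear in the text are taken from the page; the extra columns, the IsAccountStore flag, the fallback of minting a GUID when the external system has none, and the sample data are all constructed assumptions. It uses SQLite so it runs offline, and it includes the registration check an auditor would want: resources that reference a system that was never registered.

```python
import sqlite3
import uuid

# Constructed stand-in for the Identity Warehouse tables (assumption; only the
# identifier names ResourceSystem/Resource/ResourceType/Account and their ID and
# GUID columns come from the page text).
SCHEMA = """
CREATE TABLE ResourceSystem (
    ResourceSystemID   INTEGER PRIMARY KEY,
    ResourceSystemGUID TEXT NOT NULL UNIQUE,
    Name               TEXT NOT NULL UNIQUE,
    IsAccountStore     INTEGER NOT NULL DEFAULT 0   -- assumption: marks Account Stores
);
CREATE TABLE ResourceType (
    ResourceTypeID INTEGER PRIMARY KEY,
    Name           TEXT NOT NULL UNIQUE
);
CREATE TABLE Resource (
    ResourceID       INTEGER PRIMARY KEY,
    ResourceGUID     TEXT NOT NULL UNIQUE,          -- external object GUID when available
    ResourceTypeID   INTEGER NOT NULL,
    ResourceSystemID INTEGER NOT NULL,              -- which system the object lives in
    Name             TEXT NOT NULL
);
CREATE TABLE Account (
    AccountID        INTEGER PRIMARY KEY,
    ResourceID       INTEGER NOT NULL UNIQUE,
    ResourceSystemID INTEGER NOT NULL,
    LogonName        TEXT NOT NULL
);
"""


def register_resource_system(conn, name, is_account_store=False):
    """Register a managed system; returns its (ResourceSystemID, ResourceSystemGUID)."""
    guid = str(uuid.uuid4())
    cur = conn.execute(
        "INSERT INTO ResourceSystem (ResourceSystemGUID, Name, IsAccountStore) VALUES (?, ?, ?)",
        (guid, name, int(is_account_store)))
    return cur.lastrowid, guid


def resource_type_id(conn, type_name):
    """Look up (creating on first use) the ResourceType row for a type name."""
    conn.execute("INSERT OR IGNORE INTO ResourceType (Name) VALUES (?)", (type_name,))
    return conn.execute("SELECT ResourceTypeID FROM ResourceType WHERE Name = ?",
                        (type_name,)).fetchone()[0]


def inventory_resource(conn, system_id, type_name, name, external_guid=None):
    """Insert one inventoried object; ResourceGUID reuses the external GUID if given
    (the fallback of minting a new GUID is an assumption of this example)."""
    guid = external_guid or str(uuid.uuid4())
    cur = conn.execute(
        "INSERT INTO Resource (ResourceGUID, ResourceTypeID, ResourceSystemID, Name) VALUES (?, ?, ?, ?)",
        (guid, resource_type_id(conn, type_name), system_id, name))
    return cur.lastrowid


def inventory_account(conn, store_id, logon_name, external_guid):
    """An account is a Resource of type 'Account' plus an Account row tied to its store."""
    rid = inventory_resource(conn, store_id, "Account", logon_name, external_guid)
    conn.execute("INSERT INTO Account (ResourceID, ResourceSystemID, LogonName) VALUES (?, ?, ?)",
                 (rid, store_id, logon_name))
    return rid


def resources_per_system(conn):
    """Resource count per registered system, e.g. {'EmpowerID': 3, ...}."""
    rows = conn.execute("""
        SELECT rs.Name, COUNT(r.ResourceID) FROM ResourceSystem rs
        LEFT JOIN Resource r ON r.ResourceSystemID = rs.ResourceSystemID
        GROUP BY rs.ResourceSystemID ORDER BY rs.ResourceSystemID""").fetchall()
    return dict(rows)


def unregistered_system_references(conn):
    """Audit check: resources whose ResourceSystemID has no ResourceSystem row."""
    rows = conn.execute("""
        SELECT r.Name FROM Resource r WHERE NOT EXISTS
          (SELECT 1 FROM ResourceSystem rs WHERE rs.ResourceSystemID = r.ResourceSystemID)
        ORDER BY r.ResourceID""").fetchall()
    return [name for (name,) in rows]


def accounts_in_store(conn, store_name):
    """Logon names of Accounts inventoried from the named Account Store."""
    rows = conn.execute("""
        SELECT a.LogonName FROM Account a
        JOIN ResourceSystem rs ON rs.ResourceSystemID = a.ResourceSystemID
        WHERE rs.Name = ? AND rs.IsAccountStore = 1 ORDER BY a.AccountID""", (store_name,)).fetchall()
    return [n for (n,) in rows]


def build_warehouse():
    """In-memory warehouse populated with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    eid, _ = register_resource_system(conn, "EmpowerID")
    ad, _ = register_resource_system(conn, "Corp Active Directory", is_account_store=True)
    # EmpowerID's own protected resources (pages, roles, APIs) live in its own system
    inventory_resource(conn, eid, "Page", "Dashboard")
    inventory_resource(conn, eid, "Role", "Auditor")
    inventory_resource(conn, eid, "API", "InventoryAPI")
    # Objects from the Account Store, keyed by constructed external GUIDs
    inventory_account(conn, ad, "jdoe", "11111111-1111-1111-1111-111111111111")
    inventory_account(conn, ad, "asmith", "22222222-2222-2222-2222-222222222222")
    inventory_resource(conn, ad, "Group", "Domain Admins", "33333333-3333-3333-3333-333333333333")
    # Constructed defect: a resource pointing at a system that was never registered
    inventory_resource(conn, 99, "Azure Subscription", "Stale subscription")
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_warehouse()
    print(resources_per_system(db))
    print("unregistered:", unregistered_system_references(db))
    print("AD accounts:", accounts_in_store(db, "Corp Active Directory"))
```

The last query is the practical point of the registration rule in the text: if every managed system must be a registered Resource System, then any Resource row whose ResourceSystemID has no matching ResourceSystem row is an inventory defect that would hide objects from per-system reporting, so it is worth checking after each inventory run.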

[1] Bago, E. (Ed.) & Glazer, I. (2021). "Introduction to Identity - Part 1: Admin-time (v2)". IDPro Body of Knowledge, 1(5).
