📄️ Role and Location Mapping
Within EmpowerID, Role and Location Mapping refers to the association of external roles and locations that come from external authoritative sources with the internal RBAC Business Roles and Locations that are used to determine identity provisioning and access assignments. As accounts are received from an authoritative source such as an HR system, they are associated with an external role and location assignment based on the attributes and data of the external system. As these accounts are joined to a person identity, the external role and location are translated to an RBAC Business Role and Location based on the mapping between the external and internal assignments. The image below depicts this concept. In the image, the source directory contains an employee record, a job code, and a location code. With role and location mappings, the job code can be mapped to an EmpowerID Business Role and the location code can be mapped to an EmpowerID Location. This internal role and location are then assigned to the person object that is joined to the account.
📄️ Role and Location Mapper
EmpowerID Role and Location mappings allow multiple externally inventoried locations (directory containers from sources such as AD, LDAP, or HR) to be visually mapped to a logical location (an EmpowerID Location) for unified and easy management and delegation of resources. When a mapping occurs, all the resources or objects located in the directory are assigned to the corresponding EmpowerID Location and can be used when assigning user rights and setting default policy settings.
📄️ Automatically Assign Roles and Locations from External Roles and Locations
EmpowerID provides for the automatic assignment of Business Roles and Business Locations based on organizational data that comes from an authoritative source. This is accomplished through the use of two server Jobs that run in the worker role container or server.
📄️ Dynamically Generate External Roles and Locations
You can use Dynamic Hierarchy policies to automatically generate external Business Roles and Locations based on the value of a specified person attribute, such as the name of their department. After the policy is created, the Dynamic Hierarchy engine will add any account with the matching attribute values to the AccountExternalOrgRoleOrgZone table for use by the role and location compiler job. As seen below in the policy settings section of a dynamic hierarchy policy, you can select up to 3 attributes to build your external role tree and your external location tree. Each level represents a Parent/Child level in the tree as described below: