About Query-Based Collections
Query-Based Collections are dynamic groupings of people or resources in EmpowerID that automatically update based on defined criteria. Unlike static groups where members must be manually added or removed, Query-Based Collections use queries to determine membership, ensuring collections stay current as organizational data changes.
How Query-Based Collections Work
Query-Based Collections execute queries against EmpowerID's Identity Warehouse or connected systems to identify members that match specific criteria. When the underlying data changes—such as a person's department, location, or job title—the Query-Based Collection membership automatically updates without manual intervention.
For example, a Query-Based Collection defined as "All employees in the Finance department" automatically includes new Finance hires and removes employees who transfer to other departments.
Types of Query-Based Collections
EmpowerID supports two types of Query-Based Collections based on how the query is defined:
SQL-Based Sets
SQL-Based Sets use SQL queries to define membership criteria. Administrators can create these directly in the EmpowerID web interface by building queries against the Identity Warehouse. SQL-Based Sets are ideal for criteria based on identity attributes such as department, location, job title, or custom attributes.
Example use case: Create a collection of all contractors in the Boston office by querying for people where EmployeeType = 'Contractor' AND Location = 'Boston'.
Code-Based Sets
Code-Based Sets use custom code to define membership criteria and must be developed in Workflow Studio and published to the Enterprise Workflow Server. Code-Based Sets enable complex logic and can query external systems beyond the Identity Warehouse, such as HR systems or external databases.
Example use case: Create a collection of all managers with more than 10 direct reports by executing custom logic that counts reporting relationships.
Query-Based Collections as RBAC Actors
Query-Based Collections function as RBAC Actors, similar to groups and Management Roles. You can assign access, permissions, and policies to Query-Based Collections, and all members automatically inherit those assignments. This enables:
- Access Level assignments — Grant resource access to everyone matching the criteria
- Management Role assignments — Assign administrative roles based on dynamic criteria
- Policy assignments — Apply password policies, provisioning policies, or attribute flows to specific populations
- Delegation — Delegate permissions to create and manage specific Query-Based Collections
When to Use Query-Based Collections
Use Query-Based Collections when:
- Membership changes frequently — Department transfers, location changes, or role changes occur regularly
- Criteria-based access is needed — Access requirements are based on attributes rather than explicit membership
- Manual maintenance is impractical — The population is too large or changes too often for manual group management
- Cross-system criteria apply — Membership depends on data from multiple connected systems
Use static groups when membership is manually curated or when members don't share common queryable attributes.
Query-Based Collections vs. Groups
| Aspect | Query-Based Collections | Groups |
|---|---|---|
| Membership | Dynamic, based on query criteria | Static, manually managed |
| Updates | Automatic when data changes | Manual addition/removal required |
| Maintenance | Query maintained | Member list maintained |
| Use Case | Attribute-based populations | Curated membership lists |
Related Topics
- Create SQL-Based Query-Based Collections — Create collections using SQL queries
- Create Code-Based Query-Based Collections — Create collections using custom code
- Assign Access Levels to Query-Based Collections — Grant permissions to collection members
- About Business Roles and Locations — Understand other RBAC Actor types