Identity Administration Overview
Identity Administration provides centralized management of users, accounts, groups, and resources across connected systems. Administrators can manage identities in Active Directory, Microsoft Entra ID, SAP, and other directories from a unified interface with consistent governance policies and complete audit logging.
This approach eliminates the need to access multiple system-specific administrative tools while ensuring that identity policies, approval workflows, and security controls are consistently applied regardless of where resources reside. All administrative actions flow through EmpowerID's governance framework, providing complete audit trails and maintaining compliance with organizational policies.
Core Administrative Capabilities
Identity and Account Management
EmpowerID enables comprehensive lifecycle management for users across all connected systems. Administrators can onboard new employees, update user attributes, process organizational transfers, and handle offboarding from a single interface. Changes made to a person's core identity information automatically propagate to connected systems according to configured provisioning policies.
Account management extends across Active Directory, Microsoft Entra ID, SAP, and other connected directories. Administrators can create accounts, modify attributes, reset passwords, enable or disable accounts, and manage account permissions without direct access to underlying directory systems. This centralized approach ensures consistent account management practices and simplifies compliance reporting.
Group Administration
Group management capabilities span multiple directory systems, enabling administrators to create groups, manage memberships, and assign group ownership from a unified interface. EmpowerID supports Security Groups, Distribution Lists, Microsoft 365 Groups, and application-specific groups across connected systems.
Group membership changes can flow through approval workflows based on group sensitivity, membership policies, or organizational requirements. Designated group owners can manage their groups through delegated administration interfaces without requiring full administrative access to directory systems. This enables business stakeholders to control group memberships while IT maintains oversight of the overall group structure and policies.
Application Access Control
Application management in EmpowerID includes application configuration, Azure application management, and access permission control. Administrators can configure which applications are available for access requests, define approval workflows for application access, and manage existing access assignments.
The application management interface provides visibility into who has access to applications, how access was granted, and when access expires. This centralized view simplifies access reviews, supports compliance audits, and enables rapid response to security incidents requiring access revocation.
Resource Management
Beyond users and groups, EmpowerID provides administrative interfaces for mailboxes, shared folders, and computer objects. Exchange and Microsoft 365 mailbox provisioning can be automated as part of user onboarding workflows or handled through on-demand requests. Shared folder access management integrates approval workflows that route requests to appropriate approvers based on folder ownership and sensitivity.
Computer object management enables administrators to handle computer accounts in Active Directory and other connected directories, supporting scenarios such as computer account creation during device provisioning or cleanup of stale computer accounts during security hardening initiatives.
Understanding Persons and Accounts
EmpowerID's architecture separates person objects from account objects to enable flexible identity management across multiple systems. This separation is foundational to how EmpowerID handles identities and is essential for understanding the platform's capabilities.
Person Objects
A Person represents an individual in the organization and serves as the authoritative identity record in EmpowerID. Each person has a single Person object containing core identity information such as name, email address, employee ID, and organizational relationships including department, manager, and location.
Person objects exist independently of any specific system or directory. When a person transfers to a new department or changes managers, the Person object is updated once in EmpowerID. Connected systems can then receive these updates through automated provisioning workflows, ensuring consistency across the environment.
The Person object serves as the anchor point for all of an individual's system identities. This enables EmpowerID to track and manage all accounts associated with an individual, provide unified access reviews showing all of a person's access across systems, and ensure consistent lifecycle management when someone joins, moves within, or leaves the organization.
Account Objects
An Account is a system-specific identity linked to a Person object. Common account types include:
- Active Directory accounts – Domain user accounts with associated permissions and group memberships
- Microsoft Entra ID accounts – Cloud identities for Microsoft 365 and Azure services
- SAP accounts – User accounts in SAP systems with specific roles and authorizations
- Application accounts – Identities in line-of-business applications, SaaS platforms, and custom systems
Each account is linked to a Person object, creating a clear relationship between the organizational identity (Person) and system-specific identities (Accounts). This linkage enables:
Centralized Attribute Management – When a person's department changes, EmpowerID can update the department attribute on all linked accounts according to configured attribute flow rules. This ensures consistency without requiring administrators to update each system individually.
Unified Access Visibility – Administrators and auditors can view all accounts and access associated with a person from a single interface, simplifying access reviews and compliance audits.
Coordinated Lifecycle Management – During offboarding, EmpowerID can disable or delete all accounts linked to a person through a single workflow, ensuring complete access revocation and reducing the risk of orphaned accounts.
Multiple Identity Support – Users can have multiple accounts linked to their Person object, supporting scenarios such as standard user accounts and privileged administrator accounts, or accounts in different domains or forests.
A single person object links to multiple system-specific accounts, including both standard and privileged identities
For detailed information about how Person objects relate to Account objects and how Core Identity links multiple personas, see Understanding the Relationship Between Persons and Accounts.
Core Identity and Personas
When individuals require multiple distinct personas—such as separate standard and privileged accounts—EmpowerID uses Core Identity to link related Person objects while maintaining separation between the personas.
Understanding Multiple Personas
Organizations commonly implement privileged access management strategies that require users to have separate accounts for standard daily work and elevated administrative tasks. For example:
- Standard persona: john.smith – Used for email, document editing, and routine business applications
- Privileged persona: john.smith-admin – Used only when performing administrative tasks requiring elevated permissions
These separate accounts (each with its own Person object in EmpowerID) represent the same individual but serve different purposes and carry different access rights. Core Identity links these Person objects, enabling the individual to authenticate with either set of credentials and switch between personas as needed while maintaining separate audit trails for each persona.
How Core Identity Works
Core Identity automatically links Person objects based on matching attributes configured by administrators. During identity synchronization, EmpowerID evaluates Person objects against configured matching rules such as:
- FirstName + LastName + BirthDate – Provides high confidence matching when birth dates are reliably available
- FirstName + LastName – Simpler matching suitable for controlled environments
- Email + EmployeeID – Custom matching based on unique organizational identifiers
When Person objects match the configured criteria, EmpowerID creates a Core Identity record and links the matching Person objects to it. Users can then select which persona to use at login or switch between linked personas during their session. This provides flexibility for administrators who need to switch between standard and privileged accounts without logging out and back in.
The Core Identity linkage maintains separation between personas for access control and auditing purposes. Each Person object retains its own accounts, group memberships, and permissions. Audit logs clearly distinguish which persona performed specific actions, supporting compliance requirements for privileged access monitoring.
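The matching step described above can be illustrated with a small worked example. The code below is added for this page and is not EmpowerID's own implementation: the Person record shape, the rule names and the sample people are constructed assumptions. It links Person records into Core Identities using whichever rules are enabled, and it shows the trade-off the rule list implies: a rule that lacks a discriminating attribute (name only) links a second, unrelated John Smith into the same Core Identity, which would let one individual's login switch into another person's persona, while a rule that requires an attribute the privileged persona does not carry (email) fails to link the two personas that belong together.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Person:
    """A Person record as seen during synchronization (constructed sample shape)."""
    person_id: str
    first_name: str
    last_name: str
    birth_date: Optional[str] = None   # ISO date, or None when the source has no value
    email: Optional[str] = None
    employee_id: Optional[str] = None


# Hypothetical matching rules keyed by name; each lists the attributes that must all agree.
MATCHING_RULES: Dict[str, Tuple[str, ...]] = {
    "name+birthdate": ("first_name", "last_name", "birth_date"),
    "email+employeeid": ("email", "employee_id"),
    "name-only": ("first_name", "last_name"),
}


def match_key(person: Person, attrs: Sequence[str]) -> Optional[Tuple[str, ...]]:
    """Normalized comparison key, or None if any attribute is missing, so that an
    incomplete record can never satisfy a rule it lacks the data for."""
    values = []
    for attr in attrs:
        value = getattr(person, attr)
        if not value:
            return None
        values.append(value.strip().casefold())
    return tuple(values)


def link_core_identities(people: Sequence[Person], rule_names: Sequence[str]) -> List[List[str]]:
    """Group Person records into Core Identities: two records are linked when any
    enabled rule yields the same key for both. Returns sorted lists of person_ids."""
    parent = {p.person_id: p.person_id for p in people}   # union-find forest

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for name in rule_names:
        first_seen: Dict[Tuple[str, ...], str] = {}
        for p in people:
            key = match_key(p, MATCHING_RULES[name])
            if key is None:
                continue
            if key in first_seen:
                parent[find(p.person_id)] = find(first_seen[key])   # union the two groups
            else:
                first_seen[key] = p.person_id
    groups: Dict[str, List[str]] = {}
    for p in people:
        groups.setdefault(find(p.person_id), []).append(p.person_id)
    return sorted(sorted(members) for members in groups.values())


# Constructed sample: P1/P2 are one individual's standard and privileged personas,
# P3 is a different John Smith, P4 is unrelated.
PEOPLE = [
    Person("P1", "John", "Smith", "1980-04-12", "john.smith@example.com", "E1001"),
    Person("P2", "John", "Smith", "1980-04-12", None, "E1001"),   # admin persona, no mailbox
    Person("P3", "john", "SMITH", "1975-09-30", "jsmith2@example.com", "E2044"),
    Person("P4", "Jane", "Doe", "1990-01-05", "jane.doe@example.com", "E3120"),
]

if __name__ == "__main__":
    for rule in MATCHING_RULES:
        print(rule, link_core_identities(PEOPLE, [rule]))
```

Running the block with each rule on its own shows why the page calls name-only matching suitable only for controlled environments: it merges P3 into the Smith identity, whereas name+birthdate keeps P3 separate and still links the two personas. Rules should be checked against real directory data for both false links and missed links before they are enabled.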
For conceptual details about Core Identity, including use cases and matching strategies, see Understanding the Relationship Between Persons and Accounts. For procedures to configure Core Identity linking rules, see Configuring Core Identity.
Delegated Administration
EmpowerID enables organizations to distribute administrative responsibilities to business stakeholders while maintaining centralized governance and oversight. This delegated administration model allows resource owners, department managers, and designated administrators to manage resources within their scope of responsibility without requiring full system access or elevated permissions in underlying directories.
Management Roles
Management Roles are EmpowerID's mechanism for delegating administrative permissions. A Management Role defines three key aspects of delegated access:
Resource Types – What types of resources the role grants access to, such as groups, people, applications, or mailboxes. A role might grant access to group management, user account management, or both depending on the delegated responsibilities.
Permitted Actions – What operations users with the role can perform on those resources, such as create, view, modify, or delete. Action permissions can be granular, allowing a role to permit viewing and modifying existing resources without allowing creation of new resources.
Visibility Scope – Which specific instances of those resources users with the role can see and manage. Scope can be defined by organizational structure (department, location, business unit), ownership, or custom policies that match resources based on attributes or other criteria.
This combination implements least-privilege access by granting precise permissions aligned with job responsibilities. For example:
Department Administrator – A role granting rights to manage groups and people, limited to viewing and modifying resources where the department attribute matches the administrator's department. This enables department heads to manage their team members and departmental groups without visibility into other departments.
Application Owner – A role granting rights to manage a specific application, including configuring application settings, managing access permissions, and viewing access assignments. Application owners can handle routine administrative tasks for their applications without IT involvement while IT maintains the ability to revoke or modify ownership.
Help Desk Operator – A role granting rights to reset passwords and unlock accounts for users in specific locations or business units. Help desk staff can assist users within their support scope without gaining broader administrative access that would violate least-privilege principles.
Management Roles can be combined, allowing users to receive multiple roles that collectively define their administrative scope. A regional IT manager might hold roles for managing groups in their region, managing user accounts in their region, and managing specific applications used by their regional teams.
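The three aspects of a Management Role, and the way several roles add up, can be modelled directly. The following example is added for this page and is not EmpowerID code; the Actor and Resource shapes, the action names and the sample data are constructed assumptions. Each role carries its resource types, its permitted actions and a scope predicate, an action is permitted only when one held role satisfies all three, and the same check derives the scoped resource list a delegated administrator would see.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Sequence


@dataclass(frozen=True)
class Actor:
    name: str
    department: str
    location: str


@dataclass(frozen=True)
class Resource:
    kind: str            # "group" | "person" | "application" | "mailbox"
    name: str
    department: str = ""
    location: str = ""
    owner: str = ""


@dataclass(frozen=True)
class ManagementRole:
    name: str
    resource_types: FrozenSet[str]              # which resource kinds the role covers
    actions: FrozenSet[str]                     # which operations it permits on them
    scope: Callable[[Resource, Actor], bool]    # which instances are visible to the holder


# Hypothetical roles modelled on the three examples in the text.
DEPARTMENT_ADMIN = ManagementRole(
    "Department Administrator",
    frozenset({"group", "person"}),
    frozenset({"view", "modify"}),              # no "create": existing resources only
    lambda r, a: r.department == a.department,
)
APPLICATION_OWNER = ManagementRole(
    "Application Owner",
    frozenset({"application"}),
    frozenset({"view", "modify", "configure"}),
    lambda r, a: r.owner == a.name,
)


def help_desk_operator(locations: Sequence[str]) -> ManagementRole:
    """Help desk role scoped to a set of supported locations."""
    supported = frozenset(locations)
    return ManagementRole(
        "Help Desk Operator",
        frozenset({"person"}),
        frozenset({"view", "reset_password", "unlock"}),
        lambda r, a: r.location in supported,
    )


def is_permitted(roles: Sequence[ManagementRole], actor: Actor, action: str, resource: Resource) -> bool:
    """Allow only when one held role covers the resource type, grants the action,
    and places this instance in scope. Roles add up; no role relaxes another's scope."""
    return any(
        resource.kind in role.resource_types
        and action in role.actions
        and role.scope(resource, actor)
        for role in roles
    )


def visible_resources(roles: Sequence[ManagementRole], actor: Actor, resources: Sequence[Resource]) -> List[str]:
    """The scoped list a delegated administrator would see: only what they may view."""
    return sorted(r.name for r in resources if is_permitted(roles, actor, "view", r))


# Constructed sample data.
ALICE = Actor("alice", "Finance", "Berlin")
RESOURCES = [
    Resource("group", "Finance-Reports", department="Finance"),
    Resource("group", "HR-Payroll", department="HR"),
    Resource("person", "bob", department="Finance", location="Berlin"),
    Resource("person", "carol", department="HR", location="Paris"),
    Resource("application", "Expenses", owner="alice"),
    Resource("application", "Payroll-App", owner="dave"),
]

if __name__ == "__main__":
    roles = [DEPARTMENT_ADMIN, APPLICATION_OWNER, help_desk_operator(["Berlin"])]
    print(visible_resources(roles, ALICE, RESOURCES))
    print(is_permitted(roles, ALICE, "create", RESOURCES[0]))   # False: creation never granted
```

Because every permission must be justified by a single role that covers type, action and scope together, holding the Department Administrator and Help Desk roles at once does not let the holder reset passwords outside the help desk locations or modify people outside their department.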
Resource Ownership
Resources in EmpowerID can have designated owners who are responsible for managing those resources. Ownership is a distinct concept from approval authority—owners manage resource configurations and perform administrative actions, while approvers handle access requests according to configured workflows.
Group Ownership – Group owners can manage group memberships, update group descriptions, and configure group settings. This allows business stakeholders to control group memberships for their teams, distribution lists, or project groups without requiring IT to process every membership change. IT retains the ability to configure which groups can have delegated ownership and what actions group owners can perform.
Application Ownership – Application owners manage application configurations, maintain accurate application information in EmpowerID, and have visibility into who has access to their applications. This enables application owners to support access reviews and respond to audit inquiries without requiring administrators to pull reports on their behalf.
Resource-Level Delegation – Ownership enables resource-level delegation where individuals responsible for specific resources can manage those resources within governance boundaries. This scales administrative capabilities by distributing routine management tasks while centralized policies ensure consistency and compliance.
Ownership assignments can be based on organizational hierarchy, explicit delegation, or automated assignment rules. EmpowerID tracks ownership relationships and includes ownership information in audit logs, supporting accountability requirements and enabling quick identification of who is responsible for specific resources.
Workflow-Driven Operations
Administrative actions in EmpowerID flow through configurable workflows that enforce approval requirements, policy checks, and compliance controls. This workflow-driven approach ensures that changes follow defined authorization processes and organizational policies regardless of whether actions are initiated by end users requesting access, administrators performing provisioning tasks, or automated processes executing scheduled jobs.
Approval Workflows
When users request access to resources through the IAM Shop or when administrators initiate provisioning actions, EmpowerID evaluates the request against configured workflows. Workflows determine whether the request requires approval, who must approve it, and what conditions must be met before the request is fulfilled.
Workflows can incorporate multiple approval steps with different approvers at each step. For example, a request for access to a sensitive application might require approval from both the requester's manager (verifying business need) and the application owner (verifying appropriate access level) before being fulfilled. Workflows can include conditional logic that varies approval requirements based on factors such as:
- Risk level – High-risk access requests might require additional approvals or security team review
- Resource sensitivity – Sensitive applications or privileged groups might require executive approval
- Requester attributes – Requests from certain departments or locations might follow different approval paths
- Requested duration – Temporary access requests might follow expedited approval while permanent access requires standard review
Policy Enforcement
Workflows can enforce policies by evaluating requests against organizational rules before allowing them to proceed. Policy checks might verify that:
- The requester is eligible to receive the access based on organizational policies
- The requested access does not create separation of duties violations
- The requester has completed required training for the access being requested
- The access request complies with regulatory requirements or compliance frameworks
When policy violations are detected, workflows can automatically deny requests, route them for exception approval, or require additional justification from the requester. This automated policy enforcement reduces the burden on approvers by catching policy violations before requests reach the approval stage.
Audit Logging
All workflow actions are logged, providing complete audit trails for compliance reporting and security reviews. Audit logs capture:
- Who initiated the request or action
- What was requested or changed
- When the action occurred
- Who approved or denied the request (if approval was required)
- What policy checks were evaluated
- The final outcome of the request
This comprehensive logging supports compliance with regulatory frameworks requiring documented approval processes and enables security teams to investigate suspicious activity or policy violations. Audit reports can be generated for specific time periods, users, resources, or actions, facilitating regular access reviews and audit preparation.
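The approval, policy enforcement and audit logging sections above describe one pipeline: policy checks run first, the approval chain is derived from the request's attributes, and every evaluation leaves an audit record. The example below is added for this page and is not EmpowerID's workflow engine; the request fields, the approver names, the policy tables and the sample requests are constructed assumptions. It evaluates a request through that pipeline and returns the audit record with the fields the text lists.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class AccessRequest:
    requester: str
    department: str
    resource: str
    sensitivity: str                  # "standard" | "sensitive" | "privileged"
    risk: str                         # "low" | "high"
    duration_days: Optional[int]      # None means permanent access
    existing_access: FrozenSet[str]
    completed_training: FrozenSet[str]


# Constructed policy tables (hypothetical values, not EmpowerID configuration).
SOD_CONFLICTS = [frozenset({"ap-create-vendor", "ap-approve-payment"})]
REQUIRED_TRAINING = {"prod-db-admin": "privileged-access-101"}
ELIGIBLE_DEPARTMENTS = {"ap-approve-payment": {"Finance"}}


def policy_checks(req: AccessRequest) -> Dict[str, bool]:
    """Policy gate evaluated before any approver sees the request."""
    allowed = ELIGIBLE_DEPARTMENTS.get(req.resource)
    eligible = allowed is None or req.department in allowed
    # Separation of duties: fail if the requester already holds the other half of a conflicting pair.
    sod_ok = True
    for pair in SOD_CONFLICTS:
        if req.resource in pair and (pair - {req.resource}) <= req.existing_access:
            sod_ok = False
    needed = REQUIRED_TRAINING.get(req.resource)
    trained = needed is None or needed in req.completed_training
    return {"eligibility": eligible, "separation_of_duties": sod_ok, "training": trained}


def required_approvers(req: AccessRequest) -> List[str]:
    """Conditional approval chain derived from risk, sensitivity and duration."""
    chain = ["manager"]                           # business need is always verified
    if req.sensitivity != "standard" or req.duration_days is None:
        chain.append("resource_owner")            # permanent or sensitive access: owner confirms the level
    if req.risk == "high":
        chain.append("security_team")
    if req.sensitivity == "privileged":
        chain.append("executive")
    return chain                                  # short, standard, low-risk requests stay expedited


def evaluate_request(req: AccessRequest, decisions: Dict[str, bool], now: Optional[datetime] = None) -> dict:
    """Run the policy gate, then the approval chain, and return the audit record."""
    checks = policy_checks(req)
    approvers = required_approvers(req)
    if not all(checks.values()):
        outcome = "denied_by_policy"              # never reaches approvers
    elif any(decisions.get(a) is False for a in approvers):
        outcome = "denied"
    elif all(decisions.get(a) is True for a in approvers):
        outcome = "approved"
    else:
        outcome = "pending_approval"
    return {
        "requester": req.requester,
        "resource": req.resource,
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "policy_checks": checks,
        "approvers_required": approvers,
        "approvals": dict(decisions),
        "outcome": outcome,
    }


# Constructed sample requests.
REQ_SOD = AccessRequest("alice", "Finance", "ap-approve-payment", "sensitive", "low", None,
                        frozenset({"ap-create-vendor"}), frozenset())
REQ_PRIV = AccessRequest("bob", "Engineering", "prod-db-admin", "privileged", "high", 3,
                         frozenset(), frozenset({"privileged-access-101"}))
REQ_TEMP = AccessRequest("dave", "Sales", "wiki-read", "standard", "low", 5, frozenset(), frozenset())

if __name__ == "__main__":
    print(evaluate_request(REQ_SOD, {}))
    print(evaluate_request(REQ_PRIV, {"manager": True, "resource_owner": True}))
```

The record for a request that fails a policy check still lists the approvers that would have been required, which is what an investigator needs to see that the denial came from the policy gate rather than from a person.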
Administrative Interfaces
Resource Admin
Resource Admin is a web-based interface designed specifically for delegated resource management. Users with assigned Management Roles access Resource Admin to manage resources within their scope of authority.
The interface provides a role-customized view where users see only resources they are authorized to manage. For example, a department administrator sees only groups and people from their department, while an application owner sees only their assigned applications. This focused view simplifies administration by eliminating clutter from unauthorized resources and reduces the risk of accidental changes to resources outside the administrator's scope.
Resource Admin supports management of:
- Applications – Configure application settings, manage access permissions, view access assignments
- Groups – Create groups, manage memberships, update group descriptions, assign ownership
- Management Roles – View assigned roles and role membership (if authorized)
- People – Update person attributes, manage organizational relationships, view account information
- Mailboxes – Provision mailboxes, configure mailbox settings, manage mailbox permissions
- Shared Folders – Manage folder access, process access requests, review access assignments
All management actions initiated through Resource Admin flow through configured workflows, ensuring that delegated administrators operate within governance boundaries. Filtering capabilities allow administrators to narrow resource lists by ownership, location, or other criteria to quickly locate specific resources.
Resource Admin is ideal for resource owners and delegated administrators who need focused access to specific resources without the complexity of the full EmpowerID administrative interface. For detailed information about Resource Admin capabilities, access requirements, and usage, see Resource Admin Overview.
EmpowerID Web Interface
The EmpowerID Web interface provides comprehensive administrative capabilities for IT administrators with full system access. This interface supports the complete range of identity administration tasks across the organization, including advanced configuration options, bulk operations, and system-level settings not available through delegated interfaces.
IT administrators use the Web interface for tasks requiring broader organizational visibility or access, such as:
- Organizational structure configuration – Define departments, locations, business units, and reporting relationships
- Bulk operations – Import users from HR systems, perform bulk attribute updates, process organizational changes affecting multiple users
- Workflow management – Configure approval workflows, define policy rules, manage workflow assignments
- System-wide settings – Configure account stores, manage identity synchronization, set password policies, define provisioning rules
- Advanced reporting – Generate comprehensive reports spanning the entire organization, create custom reports, export audit data
The Web interface provides full visibility into all resources and complete control over EmpowerID configuration, supporting scenarios where Resource Admin's scoped access would be insufficient. System administrators use this interface to maintain the identity management infrastructure, respond to incidents affecting multiple systems or users, and perform administrative tasks that cross organizational boundaries.
Getting Started
Understanding Foundation Concepts
Before performing administrative tasks, review these foundational concepts:
- Person and Account Relationship – Understanding how Person objects relate to Account objects is essential for effective identity administration. Review Understanding the Relationship Between Persons and Accounts for detailed information about this core concept, including how Core Identity links multiple personas.
- Delegated Administration Model – If you are a resource owner or delegated administrator, review Resource Admin Overview to understand your access scope and available capabilities.
Common Administrative Tasks
Managing People:
- Onboarding People – Create new Person objects and provision initial accounts
- Creating User Accounts – Provision additional accounts for existing persons
- Managing People – Update person attributes, process transfers, handle lifecycle events
Managing Groups:
- Creating Groups – Create new groups across directory systems
- Managing Group Memberships – Add or remove members, manage nested groups
Managing Resources:
- Managing Applications – Configure applications and manage access
- Managing Shared Folders – Control file share access with approval workflows