Identity Administration Overview

Identity Administration in EmpowerID provides centralized management of identities, access, and resources across your enterprise. Whether managing user accounts in Active Directory, provisioning Entra ID identities, configuring application access, or delegating administrative responsibilities, EmpowerID enables consistent policy enforcement and governance across all connected systems.

Key Capabilities

Centralized Identity Management

EmpowerID consolidates identity and resource management into a unified platform, eliminating the need to access multiple system-specific administrative tools. Administrators can manage user accounts, person objects, groups, applications, mailboxes, shared folders, and computer objects across Active Directory, Entra ID, SAP, Microsoft 365, and other connected systems from a single interface.

This centralized approach ensures that identity policies, approval workflows, and security controls are consistently applied regardless of where resources reside. All administrative actions flow through EmpowerID's governance framework, providing complete audit trails and maintaining compliance with organizational policies.

Delegated Administration

Organizations can distribute administrative responsibilities while maintaining centralized governance through EmpowerID's delegated administration model. Resource owners, department managers, and designated administrators can manage resources within their scope of responsibility without requiring full system access or direct permissions in underlying directories.

Resource Admin, EmpowerID's microservice for delegated administration, provides role-based access to administrative functions. Users see only the resources they are authorized to manage, with visibility automatically scoped based on organizational structure, location, ownership, or custom policies. This approach enables business stakeholders to manage their resources efficiently while IT maintains oversight and control.

Workflow-Driven Operations

Administrative actions in EmpowerID follow configurable workflows that enforce approval requirements, policy checks, and compliance controls. Whether onboarding a new employee, modifying group membership, or provisioning application access, workflows ensure that changes follow defined authorization processes and organizational policies.

Workflows can incorporate multiple approval steps, conditional logic based on risk level or resource sensitivity, and integration with external systems. All workflow actions are logged, providing complete audit trails for compliance reporting and security reviews.

Comprehensive Resource Management

EmpowerID provides administrative capabilities across the full spectrum of identity-related resources:

  • People and Accounts – User lifecycle management including onboarding, attribute updates, organizational transfers, and offboarding
  • Groups – Group creation, membership management, and ownership assignment across multiple directory systems
  • Applications – Application configuration, Azure application management, and access permissions
  • Mailboxes – Exchange and Microsoft 365 mailbox provisioning and configuration
  • Shared Folders – File share access management with integrated approval workflows
  • Computer Objects – Computer account management in connected directories

Core Concepts

Persons and Accounts

EmpowerID distinguishes between person objects and account objects to support comprehensive identity management across multiple systems.

Person objects represent individuals in the organization and serve as the authoritative identity record in EmpowerID. Each person has a single person object that contains core identity information and organizational relationships. Person objects exist independently of any specific system or directory.

Account objects are system-specific identities such as Active Directory accounts, Entra ID accounts, or application accounts. Each account is linked to a person object, enabling EmpowerID to track all system identities associated with an individual and manage them as a unified identity.

A single person object links to multiple system-specific accounts

This separation allows centralized management of an individual's organizational identity while maintaining the flexibility to provision, modify, and deprovision accounts in multiple systems as business needs require. When a person transfers departments or changes roles, their person object is updated once, and EmpowerID can automatically adjust account attributes and permissions across all connected systems.

Management Roles

Management Roles are EmpowerID's mechanism for delegating administrative permissions. These roles define what types of resources users can access, what actions they can perform, and which specific resource instances they can see and manage.

Management Roles implement least-privilege access by allowing organizations to grant precise permissions aligned with job responsibilities. For example, a department administrator can be granted rights to manage groups and people within their specific department without gaining access to resources in other parts of the organization.

Management Roles can be combined to provide access to multiple resource types or administrative functions. Users typically receive a set of roles that collectively define their administrative scope, ensuring they have the permissions necessary for their responsibilities without over-privileging.
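As an added illustration of the two concepts above (a person object linked to several system accounts, and a department-scoped Management Role), the following constructed model is not EmpowerID's code or API; the class names, the "transfer" action and the sample people are hypothetical. It shows the person record updated once and propagated to every linked account, and a scoped role denied an action on a person outside its department.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed illustration of person/account linkage and scoped Management
# Roles. Not EmpowerID's data model or API; all names are hypothetical.

@dataclass
class Account:
    system: str                      # e.g. "AD", "EntraID", "SAP"
    login: str
    attributes: dict = field(default_factory=dict)

@dataclass
class Person:
    person_id: str
    department: str
    accounts: list = field(default_factory=list)  # all system accounts linked to this person

@dataclass
class ManagementRole:
    name: str
    actions: frozenset                # what the role holder may do
    department: Optional[str] = None  # None = organization-wide scope

def visible_people(role: ManagementRole, people: list) -> list:
    """A department-scoped role sees only people in its own department."""
    return [p for p in people if role.department is None or p.department == role.department]

def transfer(role: ManagementRole, person: Person, new_department: str) -> list:
    """Update the person object once, then propagate to every linked account.
    Returns the (system, login) pairs that were updated."""
    if "transfer" not in role.actions:
        raise PermissionError(f"{role.name} may not transfer people")
    if role.department is not None and person.department != role.department:
        raise PermissionError(f"{person.person_id} is outside the scope of {role.name}")
    person.department = new_department
    for acct in person.accounts:
        acct.attributes["department"] = new_department
    return [(a.system, a.login) for a in person.accounts]

def demo() -> dict:
    # Constructed sample data: one person with two accounts, one with a single SAP account.
    alice = Person("p-001", "Sales", [Account("AD", "alice"), Account("EntraID", "alice@example.test")])
    bob = Person("p-002", "Finance", [Account("SAP", "BOB01")])
    sales_admin = ManagementRole("Sales Dept Admin", frozenset({"transfer"}), department="Sales")
    people = [alice, bob]
    before = [p.person_id for p in visible_people(sales_admin, people)]
    updated = transfer(sales_admin, alice, "Marketing")   # in scope: allowed, propagates
    after = [p.person_id for p in visible_people(sales_admin, people)]  # alice left the scope
    try:
        transfer(sales_admin, bob, "Sales")               # out of scope: denied
        denied = False
    except PermissionError:
        denied = True
    return {"before": before, "updated": updated, "after": after,
            "ad_dept": alice.accounts[0].attributes["department"], "denied": denied}
```

Note that after the transfer the person is no longer visible to the Sales-scoped role, which is the least-privilege behaviour the section describes.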

Resource Ownership

Resources in EmpowerID can have designated owners who are responsible for managing those resources. Ownership determines who can modify resource configurations, perform administrative actions on the resource, and delegate management responsibilities to others.

The ownership model enables business stakeholders to control resources relevant to their responsibilities while maintaining appropriate governance boundaries. For example, an application owner can manage their application's settings and configurations without requiring IT involvement for routine administrative tasks.

Ownership assignments respect organizational hierarchies and delegation boundaries, ensuring that resource owners can only perform actions within their authorized scope. Approval processes for access requests are configured separately based on organizational requirements and can involve owners, managers, or other designated approvers as determined by workflow configuration.

Administrative Interfaces

Resource Admin

Resource Admin provides a web-based interface specifically designed for delegated resource management. Administrators access Resource Admin to manage applications, groups, Management Roles, people, mailboxes, and shared folders within their scope of authority.

The interface presents a role-customized view where users see only resources they are authorized to manage based on their assigned Management Roles and configured visibility policies. Filtering capabilities allow administrators to narrow resource lists by ownership, location, or other criteria. All management actions are performed through guided workflows that maintain consistency and ensure appropriate approvals.

Resource Admin is ideal for resource owners and delegated administrators who need focused access to specific resources without the complexity of the full EmpowerID administrative interface. See Resource Admin Overview for detailed information on capabilities, access requirements, and usage.

EmpowerID Web Interface

The EmpowerID Web interface provides comprehensive administrative capabilities for IT administrators with full system access. This interface supports the complete range of identity administration tasks across the organization, including advanced configuration options, bulk operations, and system-level settings not available through delegated interfaces.

IT administrators use the Web interface for tasks requiring broader organizational visibility or access, such as configuring organizational structures, performing bulk user imports, managing complex approval workflows, or administering system-wide policies and settings.