Resource Admin Overview

Introduction

Resource Admin is EmpowerID's microservice for delegated resource management across applications, groups, Management Roles, people, mailboxes, and shared folders. As part of EmpowerID's delegated administration and identity governance suite, Resource Admin enables organizations to distribute administrative responsibilities while maintaining centralized governance and control.

Through role-based access and visibility controls, Resource Admin allows resource owners and designated administrators to manage resources they own or have been granted administrative rights for, without requiring direct access to underlying systems such as Active Directory, Microsoft Entra ID, or other connected account stores. This delegation model addresses a fundamental challenge in identity governance: enabling business stakeholders to manage their resources efficiently while ensuring appropriate oversight and maintaining security boundaries.

Resource Admin provides a web-based interface for managing resource objects across the enterprise—whether they originate in Active Directory, Azure, databases, cloud applications, or file systems. The interface presents users with only the resources they are authorized to manage based on their assigned Management Roles and configured visibility policies. This scoped view simplifies resource management by eliminating the need to navigate complex directory structures or system-specific administrative tools.

Core Functionalities

Resource Admin provides management capabilities across six resource types.

Administration of Applications

Resource Admin enables administrators to manage applications across Azure and on-premises environments without requiring direct access to the systems where those applications are hosted. Through Resource Admin's centralized interface, administrators can adjust application settings and configurations, manage security configurations, and control user access and access permissions while ensuring applications remain current and secure. For Azure applications specifically, Resource Admin provides capabilities for managing client secrets, certificates, and claims mapping policies without requiring administrators to access the Azure portal directly.

Management of Groups

Resource Admin streamlines group management across all connected account stores, enabling administrators to perform all essential group administration tasks from a single interface. Administrators can add or remove members, assign roles and permissions, create new groups, and modify group attributes. The interface provides visibility into group membership and usage patterns, helping administrators understand how groups are being used across the organization. Resource Admin ensures users receive appropriate permissions based on their roles while maintaining the ability to manage groups regardless of which system they reside in—whether Active Directory, Azure AD, or other connected systems.

Management of Management Roles

Management Roles are EmpowerID's native mechanism for delegating administrative permissions, and Resource Admin provides the interface for managing these roles. Administrators can manage roles they own, assign role-based access controls, define permissions, and maintain role configurations. The role management feature provides granular control over roles, enabling flexible delegation while enforcing appropriate boundaries. Delegation boundaries are determined by the administrator's own permissions, implementing the principle that administrators can only delegate permissions they themselves possess. This ensures that role management remains secure and prevents unauthorized elevation of privileges.

Management of Shared Folders

Resource Admin brings governance and oversight to file system permissions by integrating shared folder management with EmpowerID's approval workflows and audit capabilities. Administrators can manage access permissions, share or revoke access to specific folders, and maintain secure collaboration environments. Because of this integration, access to shared folders follows the same governance processes as other resource types, so organizations can apply consistent security policies and maintain audit trails for file system access. This addresses a common gap where file system permissions often lack the same level of governance as other identity resources.

Administration of People

Resource Admin simplifies user lifecycle management through guided wizard workflows that provide step-by-step assistance for complex operations. Administrators can onboard new users, manage user attributes, handle organizational transfers, and perform other user lifecycle operations without requiring deep technical knowledge of underlying directory structures. The wizard-based approach ensures consistency in user management operations while reducing the potential for errors. All people management operations are scoped to the administrator's assigned permissions, ensuring that managers can administer users within their scope of responsibility without accessing users outside their authority. This scoping mechanism enables organizations to delegate user management to department managers or HR personnel while maintaining appropriate security boundaries.

Management of Mailboxes

Resource Admin provides mailbox administration capabilities for Microsoft 365 and Exchange environments, enabling administrators to manage mailboxes through workflows integrated with EmpowerID's approval and governance policies. This integration ensures that mailbox operations maintain appropriate oversight and follow organizational policies for resource provisioning. Mailbox management through Resource Admin allows organizations to apply the same governance framework to email resources as they do to other identity and access resources, ensuring consistency in how access is granted, modified, and audited across the enterprise.

Accessing Resource Admin

Users can access Resource Admin through two methods:

  1. Using the Navigation Bar: Locate and select "Resource Admin (Microservice)" from the navigation bar.

  2. Direct URL Access: Enter the Resource Admin URL directly into the browser. The URL is provided by your organization or system administrator. See Set the URL for the Resource Admin Application for configuration details.

User Interface Overview

Resource Admin presents a role-customized interface where administrators see only authorized resources based on their Management Role assignments and visibility policies. This personalized view eliminates the complexity of navigating resources outside an administrator's scope of responsibility, focusing attention on resources they are authorized to manage.

Figure: Resource Admin interface showing the main components.

The interface includes resource type selection for switching between resource categories (applications, groups, Management Roles, etc.); comprehensive filtering for narrowing resource lists by ownership, location, or other criteria; and direct access to management workflows for common administrative tasks. Each resource can be managed through detail views that provide complete information about the resource, or through wizard-based workflows that guide administrators through complex operations step by step.

For detailed information about interface components, navigation patterns, and page-specific features, see Navigating Resource Admin.

Management Roles for Resource Admin Access

Access to Resource Admin is controlled through Management Roles that determine which resource types users can view and manage. Management Roles implement a layered access model where all users need common roles that provide basic access to the microservice, plus specific resource-type roles based on their administrative responsibilities.

This role-based approach enables precise delegation by allowing organizations to grant access to specific resource types without providing broader administrative privileges. For example, an administrator responsible for group management would receive roles specific to group administration without gaining access to application management or other resource types outside their scope of responsibility. The role structure supports both least-privileged access through Base roles and comprehensive access through Feature Set roles, allowing organizations to tailor permissions to match job responsibilities.

Role Structure

Common Roles (required by all users):

  • UI-Res-Admin-MS-Common: Access to shared UI components
  • VIS-Res-Admin-MS-API: Access to base web services

Resource-Specific Roles:

Base Roles provide least-privileged access to specific resource types. Examples: UI-Res-Admin-MS-Applications-Base, UI-Res-Admin-MS-Groups-Base.

Feature Set Roles provide access to all features, workflows, and controls for a resource type. Examples: UI-Res-Admin-MS-Applications, UI-Res-Admin-MS-Groups.

For complete role descriptions and assignment procedures, see Assigning Management Roles Needed to Access Resource Admin.
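The layered model above can be checked against an export of role assignments. The following is an added example, not EmpowerID code: it uses only the role names shown on this page, assumes the resource type can be read from the role name as in those examples, and runs over a constructed sample export with hypothetical users.

```python
# Added example: audit a constructed role-assignment export against the
# layered model above. Role names are the ones shown on this page; deriving the
# resource type from the name is an assumption based on those four examples.
COMMON = {"UI-Res-Admin-MS-Common", "VIS-Res-Admin-MS-API"}
PREFIX = "UI-Res-Admin-MS-"
BASE = "-Base"

def effective_access(roles):
    """Map each resource type to 'base' or 'feature-set' for one role set."""
    access = {}
    for role in set(roles) - COMMON:
        if not role.startswith(PREFIX):
            continue  # not a Resource Admin UI role
        name = role[len(PREFIX):]
        if name.endswith(BASE):
            access.setdefault(name[:-len(BASE)], "base")
        else:
            access[name] = "feature-set"  # Feature Set covers all features
    return access

def audit(assignments):
    """Return (user, finding, detail) tuples for assignments worth reviewing."""
    findings = []
    for user in sorted(assignments):
        roles = set(assignments[user])
        access = effective_access(roles)
        missing = sorted(COMMON - roles)
        if access and missing:
            # Resource role held without both common roles required of all users.
            findings.append((user, "missing-common", missing))
        both = sorted(t for t in access
                      if {PREFIX + t, PREFIX + t + BASE} <= roles)
        if both:
            # Assumption: Base plus Feature Set on one type deserves a review.
            findings.append((user, "base-and-feature-set", both))
    return findings

# Constructed sample export: user -> assigned Management Roles.
SAMPLE = {
    "alice": ["UI-Res-Admin-MS-Common", "VIS-Res-Admin-MS-API",
              "UI-Res-Admin-MS-Groups-Base"],
    "bob": ["UI-Res-Admin-MS-Common", "UI-Res-Admin-MS-Applications"],
    "carol": ["UI-Res-Admin-MS-Common", "VIS-Res-Admin-MS-API",
              "UI-Res-Admin-MS-Groups", "UI-Res-Admin-MS-Groups-Base"],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```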
