Business Role and Location Assignments
Overview
Business Role and Location assignments establish organizational context for individuals and drive access provisioning through role-based access control policies. EmpowerID automates these assignments by mapping external organizational structures from authoritative systems to internal Business Roles and Locations, enabling consistent access management across the enterprise.
This automation begins after accounts are inventoried and Person identities are created. The system creates external organizational roles and locations from authoritative system data, maps these external structures to internal Business Roles and Locations, and maintains assignments through automated jobs that respond to organizational changes.
External Organizational Roles and Locations
EmpowerID creates External Organizational Roles (External Org Roles) and External Organizational Zones (External Org Zones) to represent organizational structures from authoritative systems. These external structures serve as the foundation for internal Business Role and Location assignments.
External roles and locations can be created through two methods:
- Direct Inventorying: HR systems and external data sources with structured organizational hierarchies can be directly inventoried
- Dynamic Derivation: For systems lacking structured hierarchies, external roles and locations can be dynamically derived from account attributes such as job titles, job codes, divisions, and departments
Each account in EmpowerID is associated with an Account External Org Role Org Zone record. This record establishes the direct relationship between the account and its external role and location, reflecting the individual's organizational position within the external system.
For information about how external roles and locations are dynamically derived from account attributes, see Dynamic Hierarchy Policies.
Role and Location Mapping
Mapping connects external organizational structures to internal Business Roles and Locations, enabling organizations to unify disparate external structures into consistent internal hierarchies for centralized management and policy delegation.
External Role and Location Mappings
EmpowerID uses two types of mapping records:
- External Org Role Mapping: Connects external roles (job titles or job codes) to internal Business Roles, enabling automated role assignments
- External Org Zone Mapping: Links external locations (divisions or departments) to internal Business Locations, supporting automated location assignments
These mappings facilitate transitions from external organizational data to internal structures, allowing Person identities to be automatically placed in their correct organizational context.
Many-to-One Mapping
Mappings support many-to-one relationships, allowing multiple external roles to be grouped under a single internal Business Role. Different executive titles—CFO, CEO, COO—can be mapped to a single "Executive" Business Role. This reduces complexity within EmpowerID, making it easier to manage access rights, security assignments, and lifecycle processes.
Similarly, multiple Active Directory or LDAP organizational units representing "London" across different directories can be mapped to a single Location named "London." This consolidation simplifies access management, delegation, and policy enforcement across organizational boundaries.
Role and Location Mapper Tool
The Role and Location Mapper provides administrators with manual control over mapping external roles and locations to internal Business Roles and Locations. This tool is particularly useful when external organizational structures are highly complex and a simplified internal structure is desired.
Administrators use the mapper interface to select external roles or locations from detailed lists, associate these selections with appropriate internal Business Roles or Locations, and save the mappings. Administrators can verify current mappings, identify unmapped roles or locations, and rectify issues to ensure continuity and accuracy.
Automated Assignment Processing
EmpowerID maintains Business Role and Location assignments through automated jobs that continuously evaluate organizational changes and apply necessary adjustments. These jobs ensure assignments remain current as authoritative system data changes.
Business Role and Location Recompiler Job
The Recompiler Job retrieves external roles and locations associated with accounts and evaluates mappings between those external assignments and internal Business Roles and Locations. The job compares current Person assignments against what the mappings indicate should be assigned, identifying discrepancies and determining necessary changes.
When the Recompiler Job identifies needed adjustments, it creates proposed changes and queues them for processing. This two-stage approach separates evaluation from execution, enabling administrators to review proposed changes and providing an audit trail of assignment modifications.
Business Role and Location Processor Job
The Processor Job reads proposed changes from the queue and implements adjustments. This includes assigning new Business Roles and Locations to Person identities, removing assignments no longer applicable based on current mappings, and updating primary designations when organizational changes occur.
Together, these jobs ensure Business Role and Location assignments remain synchronized with authoritative system data. As job titles change in HR systems, as individuals move between departments, or as organizational structures are modified, the Recompiler and Processor jobs detect changes and update internal assignments accordingly.
Integration with Identity Lifecycle
Business Role and Location assignments integrate with the broader identity lifecycle, particularly the Joiner process. When new individuals join and their accounts are inventoried, the system evaluates external role and location assignments and proposes corresponding internal assignments. This automated assignment establishes organizational context and triggers role-based access provisioning.
The assignment process follows this sequence:
- Accounts are inventoried from authoritative systems and joined to Person identities
- External roles and locations are associated with accounts through Account External Org Role Org Zone records
- The Recompiler Job evaluates external role and location mappings and proposes internal assignments
- The Processor Job applies the proposed assignments
- Access provisioning occurs based on the assigned Business Roles and Locations
This automation ensures individuals receive appropriate access based on their organizational position immediately upon joining, without requiring manual intervention.
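The many-to-one mappings and the two-stage Recompiler/Processor sequence described above, modeled as a small Python sketch. This is an added example, not EmpowerID code: every name and sample record is a hypothetical construction, and holding changes for a Person whose external role or zone is unmapped is this sketch's own choice, not documented product behavior.

```python
from dataclasses import dataclass

# Constructed sample data; every name here is hypothetical, not EmpowerID schema.
ROLE_MAP = {"CFO": "Executive", "CEO": "Executive", "COO": "Executive",
            "Accountant": "Finance Staff"}            # many-to-one role mapping
ZONE_MAP = {"OU=London,DC=corp": "London", "ou=London,o=ldap": "London"}
ACCOUNTS = [("alice", "CFO", "OU=London,DC=corp"),    # joiner, nothing assigned yet
            ("bob", "CEO", "ou=London,o=ldap"),       # already in sync
            ("carol", "Analyst II", "OU=London,DC=corp"),  # external role unmapped
            ("dave", "Accountant", "OU=London,DC=corp")]   # mover, was COO
CURRENT = {"bob": {("Executive", "London")}, "carol": {("Executive", "London")},
           "dave": {("Executive", "London")}}

@dataclass(frozen=True)
class Change:
    person: str
    action: str      # "add" or "remove"
    role: str
    location: str

def recompile(accounts, current):
    """Evaluation stage: compare mapped targets with current assignments."""
    desired, unmapped, held = {}, set(), set()
    for person, ext_role, ext_zone in accounts:
        role, loc = ROLE_MAP.get(ext_role), ZONE_MAP.get(ext_zone)
        if role is None:
            unmapped.add(("role", ext_role))
        if loc is None:
            unmapped.add(("zone", ext_zone))
        if role is None or loc is None:
            held.add(person)   # this sketch proposes nothing until the gap is mapped
            continue
        desired.setdefault(person, set()).add((role, loc))
    queue = []
    for person in sorted(set(desired) - held):
        want, have = desired[person], current.get(person, set())
        queue += [Change(person, "add", r, l) for r, l in sorted(want - have)]
        queue += [Change(person, "remove", r, l) for r, l in sorted(have - want)]
    return queue, unmapped

def process(queue, current):
    """Execution stage: apply the queued changes to a copy of the state."""
    state = {p: set(a) for p, a in current.items()}
    for c in queue:
        bucket = state.setdefault(c.person, set())
        if c.action == "add":
            bucket.add((c.role, c.location))
        else:
            bucket.discard((c.role, c.location))
    return state
```

In this sketch carol keeps her earlier Executive assignment while "Analyst II" stays unmapped, so the unmapped set returned by `recompile` is the list to review for stale access.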
For more information about how Business Role and Location assignments fit into the complete identity lifecycle, see Joiner, Mover, and Leaver Processes Overview.
Related Topics
- Joiner, Mover, and Leaver Processes Overview - Identity lifecycle automation
- About Identity Lifecycle Management - Overview of ILM components and architecture
- Inventory - How accounts are inventoried from authoritative systems