This document discusses authorization services that provide claims-based and role-based access control for enterprise-wide security. It summarizes challenges with security and access management across multiple systems and locations. It then describes how the solution implements flexible role-based access control models to address these challenges.
31. Resource Roles [diagram: Rights such as Send As are grouped into the Resource Role Outlook Full Control] Resource Roles are convenient bundles of Rights and Operations, specific to one type of resource, and are used for delegation. Rights are permissions used in an external system that can be managed by EmpowerID. Operations are code-based actions protected by EmpowerID (usually in workflows).
32. The Bottom Line: Access = Person Resource Roles. All assignment types result in matching a Person to a Resource Role. [diagram: Person Steve Smith is granted a Resource Role (Editor, Administrator or Outlook Full Control) for the Resource John Doe’s Mailbox via any possible assignment path] All permissions management in EmpowerID occurs by some type of assignment that results in a Person being granted a Resource Role for a Resource.
33. The Measure of an RBAC System is its Flexibility in Obtaining Collections of People and Collections of Resources. [diagram: left side = People, right side = Resources, joined by a Resource Role] The key is how to assign the proper people to the proper Resource Roles without creating and managing large numbers of static assignments.
35. Right Side: Collections of Resources. Resource Roles are assigned to single Resources or by Location. [diagram: an Actor of any type holds a Resource Role (Editor, Administrator) either directly for a single Resource or by Location with inheritance; a collection of Resources is a “Scope”] Resource Role assignments are limited or “scoped” by assigning the Resource Role only for a single Resource or for all Resources in or below a specific EmpowerID Location.
36. Locations represent logical and actual Resource System hierarchies. [diagram: physical “Resource System” trees and logical trees; inheritance of delegations; Location of a Resource] The Dot Net Workflow metadirectory supports both logical and physical trees within a single Location tree structure. Resources belong to their physical Location implicitly and can be assigned to any number of logical Locations to scope delegation assignments.
40. Management Role Inheritance: Management Roles inherit Resource Roles assigned to their definitions. [diagram: the IT Helpdesk Management Role Definition with its child Management Roles IT Helpdesk (North America), IT Helpdesk (Asia) and IT Helpdesk (Europe)] Management Roles inherit Resource Role assignments from their definition and then include any assignments to the Management Role itself. The inheritance can only be 1 level deep, from a definition to a Management Role. Management Roles cannot be children of other Management Roles or have more than 1 parent.
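As an added example (not EmpowerID's code or data), this small Python model ties together the scoping rules from slides 35 and 36 and the one-level Management Role inheritance from slide 40: an assignment applies to a Resource when its scope is that Resource itself or any Location at or above the Resource's physical or logical Locations, and a Management Role's effective assignments are its definition's plus its own. All class names, the Location tree, the mailbox and the Rights sets are constructed for illustration.

```python
# Toy resolver for the page's RBAC model; every class and sample value below is constructed.
from dataclasses import dataclass, field

@dataclass
class Location:
    name: str
    parent: "Location | None" = None

    def lineage(self):  # this Location and every Location above it (inheritance path)
        loc = self
        while loc is not None:
            yield loc
            loc = loc.parent

@dataclass
class Resource:
    name: str
    physical: Location                           # implicit physical Location
    logical: list = field(default_factory=list)  # zero or more logical Locations

    def in_scope(self, scope):
        """scope is this Resource itself, or a Location at/above any Location it is in."""
        return scope is self or any(scope is anc for loc in [self.physical, *self.logical]
                                    for anc in loc.lineage())

@dataclass
class ManagementRole:
    name: str
    definition_assignments: list  # (resource_role, rights, scope) from its one definition
    own_assignments: list = field(default_factory=list)

    def assignments(self):  # inheritance is exactly one level: definition + own
        return self.definition_assignments + self.own_assignments

def rights_on(resource, mgmt_roles, direct=()):
    """Union the Rights of every Resource Role that reaches a Person for one Resource."""
    granted = {}
    for role, rights, scope in [*direct, *(a for r in mgmt_roles for a in r.assignments())]:
        if resource.in_scope(scope):
            granted.setdefault(role, set()).update(rights)
    return granted

# --- constructed sample: the slides' IT Helpdesk definition with a North America child ---
NA = Location("North America")
NA_EXCHANGE = Location("NA Exchange Org", parent=NA)
HELPDESK_SCOPE = Location("Helpdesk-managed mailboxes")  # a logical Location
JOHN_MAILBOX = Resource("John Doe's Mailbox", NA_EXCHANGE, [HELPDESK_SCOPE])
HELPDESK_DEFINITION = [("Editor", {"Read", "Write"}, HELPDESK_SCOPE)]
HELPDESK_NA = ManagementRole("IT Helpdesk (North America)", HELPDESK_DEFINITION,
                             [("Outlook Full Control", {"SendAs", "FullAccess"}, NA)])
```

A Person holding only IT Helpdesk (North America) reaches John's mailbox twice: Editor through the definition's logical-Location scope and Outlook Full Control through the child's own North America scope, while a mailbox outside both trees yields nothing.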
61. …IT Helpdesk. Management Roles are job- or responsibility-based bundles of Resource Roles that allow quick and consistent delegation of the IT access needed to perform job responsibilities.
79. …IT Helpdesk (North America). Management Roles are job- or responsibility-based bundles of Resource Roles and Resource Type Roles that allow quick and consistent delegation of the IT access needed to perform job responsibilities.