EmpowerID provides role-based access control and identity management capabilities. It uses business roles, resource roles, and locations to automate provisioning and management of access based on roles and attributes. Workflows can be visually designed to automate approvals and common processes. The system integrates with various applications and directories to manage identities and entitlements across an organization's IT resources and systems.

1. Role-Based Access Control Overview

2. EmpowerID CapabilitiesEmpowerID’s Role-Based Identity and Entitlement Management answers the question, “who should have access to which IT resources based on their job function and location, and for how long?” and then enforcesthe results across all enterprise systems. With EmpowerID's Business Process Management (BPM) platform, organizations visually design business processes as workflows to automate the lifecycle of enterprise identities, roles, and resources.Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com2

3. Security ChallengesCopyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com3It should be easier to get access to the IT resources I need to workI want to delegate management but not lose controlHow can we report on who has access to what across all our systems

4. The “Make Like Bob” ProblemSecurity Based On a Moving TargetProtected ResourcesCopyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.comYear NYear 2Day 1New Access GrantedNew Access Granted?Multiple sites and rolesSharePointWho are you????PO Approver?AD User: CMH OUX?Custom ApplicationsCRM LDAP UserSend AsBobSales Executive”??Payroll & Unix UserPerson?Full Access??Sales ShareConference Room 5401New Hire: Jim“Sales Executive”New Hire: Sarah“Sales Executive”

5. The Challenge with an AD Groups-only Approach?Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.comAccess GrantedProtected Resources?GroupsMultiple sites and rolesJohn’s User Accounts?What can you access, when, and why?Who are you?SharePoint??PO ApproverHelpdesk Manager??No Reportable or Auditable Link?Custom ApplicationsMailbox Helpdesk ISend AsJohn??PersonFull AccessShared Mailbox???Conference Room 5401

6. Protected ResourcesEmpowerID enforces security across systemsCustom ApplicationWindows ServersSAPMicrosoft SharePoint WebTypes of Protected ResourcesActive Directory GroupGroupsWeb ResourcesMicrosoft Exchange MailboxEmpowerID is an authorization platform that can be extended to support any type of application and application resource. Protected systems containing resources are called “Resource Systems”. EmpowerID inventories Resource Systems and enforces permissions. Permissions Management=Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com

7. Resource Rights and OperationsRights and EmpowerID OperationsCopyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.comOperationsRightsEmpowerID Operations are specific tasks a user may perform or approve within an EmpowerID workflow or custom application. Granting EmpowerID Operations does not grant the user any capabilities within the native system.Rights are native permissions used by the application or operating system which manages security for the resource type in question. Granting these rights enables capabilities for users outside of EmpowerID in that system. Rights are continually monitored and enforced by EmpowerID.Example: Exchange MailboxExample Mailbox OperationsIncrease Quota

8. Decrease Quota

9. Edit SMTP

10. Enable OWA

11. Enable Calendar Auto-Accept

12. Edit Forwarding

13. Grant Send As

14. Grant Send On BehalfExample Mailbox RightsRead

15. Send As

16. Send On Behalf

17. Full Access7

18. Resource RolesLogical Bundles of Rights and OperationsCopyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.comOperationsResource RoleDefinitionRightsIncrease Quota

19. Decrease Quota

20. Edit SMTP

21. NoneRecipient Admin IIncrease Quota

22. Decrease Quota

23. Edit SMTP

24. Enable OWA

25. Enable Calendar Auto-Accept

26. Edit Forwarding

27. Grant Send As

28. Grant Send On BehalfRecipient Admin IINone

29. None

30. Full AccessMailbox SupervisorResource Roles are convenient bundles of Rights and Operations specific for a type of resource and are used for delegation. Rights are permissions used in an external system that can be managed by EmpowerID. Operations are code-based actions protected by EmpowerID (usually in workflows).8

31. Access In EmpowerIDAll assignments types result in matching a Person to a Resource RoleResource: MailboxSend On BehalfAssigned To Resource RoleSend AsPersonFull AccessAll permissions management in EmpowerID occurs by some time of assignment that results in a Person being granted a Resource Role for a Resource.

32. Management Role DefinitionsDefinitions for Responsibility-based bundles of Resource RolesCopyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.comResource Roles “Scoped By Location”Management Role DefinitionResource Roles“Direct Assigned”Viewer: Person @ %SpecifyLocation%

33. Viewer: Distribution Group @ %SpecifyLocation%

34. Password Self-Service User

35. …

36. Member: All Employees Group

37. Reader: SharePoint Home

38. Viewer: Workflow Catalog

39. …Standard EmployeeAdministrator: Person @ %SpecifyLocation%

40. Membership Manager: Distribution Group @ %SpecifyLocation%

41. Administrator: User Accounts @ %SpecifyLocation%

42. Administrator: Computers @ %SpecifyLocation%

43. Password Self-Service User

44. …

45. Member: All Employees Group

46. Reader: SharePoint Home

47. Contributor: IT SharePoint Site

48. Membership Manager: All Employees Group

49. Viewer: Workflow Catalog

50. Viewer: Group Manager Page

51. Initiator: Create Group Workflow

52. …IT HelpdeskManagement Roles are job or responsibility-based bundles of Resource Roles to allow quick and consistent delegation of IT access needed to perform job responsibilities.10

53. Management RolesResponsibility-based bundles of Resource RolesCopyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.comResource Roles “Scoped By Location”ManagementRoleResource Roles“Direct Assigned”Viewer: Person @ NA Location and below

54. Viewer: Distribution Group @ NA Location and below

55. Password Manager User: Self

56. …

57. Member: All NA Employees Group

58. Viewer: Workflow Catalog

59. …Standard Employee (North America)Administrator: Person @ NA Location and below

60. Membership Manager: Distribution Group @ NA Location and below

61. Administrator: User Accounts @ NA Location and below

62. Administrator: Computers @ NA Location and below

63. Password Manager User: Self

64. …

65. Member: All NA Employees Group

66. Membership Manager: All NA Employees Group

67. Viewer: Workflow Catalog

68. Viewer: Group Manager Page

69. Initiator: Create Group Workflow

70. …IT Helpdesk (North America)Management Roles are job or responsibility-based bundles of Resource Roles and Resource Type Roles to allow quick and consistent delegation of IT access needed to perform job responsibilities.11

71. Management Role InheritanceManagement Roles inherit Resource Roles assigned to their definitionsIT HelpdeskManagement Role DefinitionIT Helpdesk (North America)Management Roles (Children)IT Helpdesk (Asia)IT Helpdesk (Europe)Management Roles inherit Resource Role assignments from their definition and then include any assignments to the Management Role itself. The inheritance can only be 1 level deep from a definition to a Management Role. Management Roles cannot be children of other Management Roles or have more than 1 parent.

72. Management Role OverviewManagement Roles inherit Resource Roles assigned to their definitions

73. Management Role OverviewManagement Roles inherit Resource Roles assigned to their definitionsManagement Role DefinitionIT Helpdesk (North America)IT Helpdesk (Asia)IT Helpdesk (Europe)

74. LocationsRepresent Logical and Actual Directory HierarchiesPhysical “Mapped” TreesLogical TreesInheritance of DelegationsLocation of a ResourceEmpowerID supports both Logical and Physical trees within a single Location tree structure. Resources belong to their physical Location implicitly and can be assigned to any number of logical Locations to scope delegation assignments.

75. Resource Role AssignmentsResource Role assignments are “scoped” by resource LocationAssignment ScopeResource RoleAssigneeRecipient Admin IDelegationsRecipient Admin IIJohn SmithResource Role assignments are limited or “scoped” by assigning the Resource Role only for Resources in or below a specific EmpowerID Location.

76. Assignees and ScopesResource Roles Assignees and Scope OptionsAssignment ScopeResource RoleAssigneeConference Room1Mailbox SupervisorSingle ResourceJohn SmithRecipient Admin IIDomain A: “Helpdesk Admins” groupLocation showing inheritanceRecipient Admin IIEmpowerID Business Role: Helpdesk Employees in SydneyResource Role Assignments can be made to specific People, to Groups, or to EmpowerID Business Role / Locations. In each case, any Person matching the criteria will receive the delegations specified by the Resource Role for all resources within the scope of the delegation.

77. Polyarchical RBACFlexible Business Roles scoped By LocationPrimary Business Role: Contractor in SydneySecondary Business Role: IT Admin in SydneyJohn SmithAn EmpowerID Person can have any number of dynamically or manually assigned Business Roles each scoped by Location. The Person will receive the cumulative RBAC assignments and policies directly assigned or via inheritance.Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com

78. RBAC MappingMap Physical Directory Locations to Logical Locations19Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.comEmpowerID Business Role and Location mappings allows existing physical directory Locations and roles to be mapped to a logical management structure. e.g. Multiple AD or LDAP directory containers for “London” can be visually mapped to a single logical EmpowerID “London” Location for unified management and delegation.

79. Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com20Resource EntitlementsRole-Based Resource Provisioning and DeprovisioningResource Entitlements for Contractors in New YorkEmpowerID Resource Entitlements are policies that automate provisioning, moving, disabling, and deprovisioning resources automatically based upon user Role and Location changes. These automate the initial provisioning of resources when a new Person is created as well as their ongoing management.Resource Entitlements for Standard Employees in Sydney

80. Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com21Policy-Based Attribute ValuesRole-Based Attribute AssignmentPolicy-Based Attributes for Contractors in New YorkEmpowerID policy-based attribute values are policies that automate the maintenance of any directory values that can be defined by Role and Location. Any attribute value of a Person can be assigned by policy and maintained automatically when Role or Location changes. Attribute values will update connected directories based upon attribute flow rules.Policy-Based Attributes for Standard Employees in Sydney

81. A New Breed Of Identity ManagementFrom Code to Visual Process Management EmpowerID WF ProcessTraditional Identity ManagementCopyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com

82. Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com23Secure Business Processes DesignWorkflow Studio: Visual Process DesignerEmpowerID BPM Studio is a drag and drop design environment for secure process automation. What You See Is What You Get user interface designers generate code free user interfaces.

83. Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com24Workflow OperationsAutomatic Role-Based Authorization and ApprovalsEntitlement management and authorization system built-in – workflows automatically routed for approval using Rights-Based Approval Routing(RBAR)

84. Wizards convert PowerShell Commandlets or custom code into secure workflow Operations.MetadirectoryManagement of a Person and Their User AccountsMetadirectory Person.NET ApplicationsAuthenticationJohn SmithAuthenticationAccount StoresDirectories containing a Person’s user accounts managed by EmpowerIDSAPLDAPActive DirectoryPayrollLOB AppsEmpowerID continually inventories and monitors Accounts Stores for changes. New user accounts are discovered and processed through a workflow to evaluate if they should be “Joined” to an existing Person, “Ignored”, or a new Person should be “Provisioned”. Copyright © 2010. empowerID is a trademark of The Dot Net Factory, LLC. |www.empowerid.com