Welcome to the Learning Center
EmpowerID includes an advanced authorization policy engine that allows organizations to define a user’s access to a diverse set of corporate and cloud-hosted resources via flexible RBAC and ABAC rules. This “resultant access” information is then either consumed or “pulled” by systems that support leveraging an external authorization engine to make access decisions or “pushed” down onto systems that don’t.
Examples of systems supporting the “Pull” model are applications that can leverage SAML or WS-Trust Identity and Claims Providers or applications supporting the Microsoft .NET Membership and Role Provider. These would include applications like Microsoft SharePoint 2010/2013, SaaS applications, and internally-developed corporate applications. EmpowerID itself falls into the category of a system supporting “pull” or external authorization.
Unfortunately, the majority of an enterprise’s systems do not yet support external authorization. For these systems, access is defined and controlled within each application’s security database or via ACLs. EmpowerID supports a “push” model for such cases in which the RBAC engine allows organizations to dynamically define who has access to these resources. The EmpowerID sync engine then enforces these policies by translating them into native system permissions or roles, pushing down the changes onto these systems. Additionally, the systems are monitored for permission changes so the EmpowerID engine can detect changes and roll them back when set up to do so. Examples of systems that require the “push” model are Windows Shared Folders, Group membership, Exchange mailboxes, custom database application roles and permissions, and directory ACLs.
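The push model described above comes down to a reconciliation loop: the authorization engine computes the desired native permissions, compares them with what the target system actually holds, and emits grants for anything missing and revokes for anything added out of band. The following is an added illustration of that loop and is not EmpowerID code; the resource names, principals and permission strings are constructed sample data.

```python
# Reconciling desired (policy-derived) permissions against a target system's
# current state. Illustrative only; not EmpowerID's sync engine.

# Constructed desired state: resource -> {principal -> set of permissions},
# as an RBAC engine would compute it from org structure and job function.
DESIRED = {
    "finance_share": {"finance-staff": {"read"}, "controllers": {"read", "write"}},
    "hr_share": {"hr-staff": {"read", "write"}},
}

# Constructed snapshot of what the native system currently holds. Note the
# missing "write" for controllers and an out-of-band grant to "contractor-x".
ACTUAL = {
    "finance_share": {
        "finance-staff": {"read"},
        "controllers": {"read"},
        "contractor-x": {"read", "write"},
    },
    "hr_share": {"hr-staff": {"read", "write"}},
}


def plan_changes(desired, actual):
    """Diff desired against actual.

    Returns (grants, revokes) as sorted lists of (resource, principal, perm).
    Grants are permissions the policy requires but the system lacks; revokes
    are permissions present on the system that no policy justifies, which is
    the drift a monitoring pass would roll back.
    """
    grants, revokes = [], []
    for resource in sorted(set(desired) | set(actual)):
        want_by_principal = desired.get(resource, {})
        have_by_principal = actual.get(resource, {})
        for principal in sorted(set(want_by_principal) | set(have_by_principal)):
            want = want_by_principal.get(principal, set())
            have = have_by_principal.get(principal, set())
            grants += [(resource, principal, p) for p in sorted(want - have)]
            revokes += [(resource, principal, p) for p in sorted(have - want)]
    return grants, revokes


def apply_plan(actual, grants, revokes):
    """Return a new state with the plan applied (the real work would be native
    ACL or role API calls on the target system). Leaves `actual` untouched."""
    state = {r: {p: set(perms) for p, perms in acl.items()} for r, acl in actual.items()}
    for resource, principal, perm in grants:
        state.setdefault(resource, {}).setdefault(principal, set()).add(perm)
    for resource, principal, perm in revokes:
        state[resource][principal].discard(perm)
        if not state[resource][principal]:
            del state[resource][principal]  # drop empty ACEs
    return state


if __name__ == "__main__":
    grants, revokes = plan_changes(DESIRED, ACTUAL)
    print("grants:", grants)
    print("revokes:", revokes)
    converged = apply_plan(ACTUAL, grants, revokes)
    print("drift after apply:", plan_changes(DESIRED, converged))
```

Running `plan_changes` on a schedule (or on a change event from the target) is the "monitor and roll back" behaviour the paragraph describes; the second `plan_changes` call after `apply_plan` should return two empty lists, which is the convergence check worth alerting on if it ever fails.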
Powerful RBAC policies leverage EmpowerID’s multi-tiered model to pre-calculate access to all known enterprise applications and resources based on an organization’s structure, a person’s job function, and all directly assigned access. These rules allow information from authoritative systems to drive changes in application access and provisioning policies.
ABAC policies, on the other hand, provide more fine-grained, on-the-fly decisions regarding a user’s access level and the actions they are authorized to perform. ABAC rules benefit from the ability to analyze contextual “in the moment” information to make decisions without the overhead and maintenance of an RBAC structure. However, ABAC rules are more limited in their use of an organization’s structural information, as they must make real-time decisions and cannot wait for complex analyses or pre-compilation of hierarchical information from multiple sources. The EmpowerID authorization engine is a hybrid of the RBAC and ABAC models, leveraging the best of each. It offers RBAC authorization, which draws on diverse information sources to automate role-based access control, and ABAC authorization, which further refines that RBAC access with fine-grained controls.
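The hybrid model in the two paragraphs above can be shown as a two-stage decision: an RBAC stage that pre-computes a person's resultant access from organizational structure, job function and direct assignments, and an ABAC stage that evaluates request-time attributes and can only narrow, never widen, what RBAC granted. The code below is an added illustration of that ordering and is not EmpowerID code; the role tables, rule thresholds and context fields are constructed for the example.

```python
# Hybrid RBAC + ABAC authorization check. Illustrative only; not EmpowerID's engine.
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Person:
    name: str
    org_unit: str          # from an authoritative HR source
    job_function: str      # from an authoritative HR source
    direct_grants: frozenset = frozenset()  # directly assigned (resource, action) pairs


# --- RBAC tiers (constructed sample tables) ---------------------------------
ORG_UNIT_ROLES = {"finance": {"FinanceStaff"}, "it": {"ITStaff"}}
JOB_FUNCTION_ROLES = {
    "ap_clerk": {"APClerk"},
    "controller": {"APClerk", "PaymentApprover"},
    "helpdesk": {"HelpdeskAgent"},
}
ROLE_ENTITLEMENTS = {
    "FinanceStaff": {("finance_share", "read")},
    "ITStaff": {("it_share", "read")},
    "APClerk": {("ap_system", "create_invoice")},
    "PaymentApprover": {("ap_system", "approve_payment")},
    "HelpdeskAgent": {("ad", "reset_password")},
}


def compute_resultant_access(person):
    """RBAC stage: union of entitlements implied by org unit, job function and
    direct grants. Depends only on slowly changing data, so it can be
    pre-calculated and pushed or pulled as "resultant access"."""
    roles = set(ORG_UNIT_ROLES.get(person.org_unit, set()))
    roles |= JOB_FUNCTION_ROLES.get(person.job_function, set())
    access = set(person.direct_grants)
    for role in roles:
        access |= ROLE_ENTITLEMENTS.get(role, set())
    return frozenset(access)


# --- ABAC rules: evaluated per request against context; return a denial reason or None
def rule_business_hours(resource, action, ctx):
    if action == "approve_payment" and not 8 <= ctx["now"].hour < 18:
        return "approve_payment only allowed during business hours"
    return None


def rule_high_value_needs_mfa(resource, action, ctx):
    # Constructed threshold for the example.
    if action == "approve_payment" and ctx.get("amount", 0) > 10_000 and not ctx.get("mfa"):
        return "payments over 10000 require MFA"
    return None


def rule_directory_ops_on_corp_network(resource, action, ctx):
    if resource == "ad" and not ctx.get("on_corp_network"):
        return "directory operations require the corporate network"
    return None


ABAC_RULES = [rule_business_hours, rule_high_value_needs_mfa, rule_directory_ops_on_corp_network]


def authorize(person, resource, action, ctx):
    """Hybrid decision: RBAC must grant first; ABAC may only refine that grant
    with a denial. Returns (allowed, reason)."""
    if (resource, action) not in compute_resultant_access(person):
        return False, "no RBAC entitlement"
    for rule in ABAC_RULES:
        reason = rule(resource, action, ctx)
        if reason:
            return False, reason
    return True, "granted"


if __name__ == "__main__":
    alice = Person("alice", "finance", "controller")
    ctx = {"now": datetime(2024, 1, 15, 10, 0), "amount": 500, "mfa": False}
    print(sorted(compute_resultant_access(alice)))
    print(authorize(alice, "ap_system", "approve_payment", ctx))
```

Keeping the ABAC stage strictly subtractive is the design point to notice: a context rule can never hand out access that the organizational data did not justify, so auditing "who can do what" still reduces to the pre-computed RBAC output, while the request-time checks handle the conditions RBAC cannot see.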