In addition to inventorying accounts in connected account stores, creating EmpowerID identities for those accounts, and fully managing the attributes of those identities, EmpowerID has the ability to use those identities to control access to the resources in native resource systems, like Microsoft Exchange. This ability is known as "Enforcement and Resource Role Reconciliation or Projection" and is a feature of the EmpowerID RBAC model. This model consists of processes capable of determining the net resultant access to resources each EmpowerID Person should have based on their Access Level assignments. This resultant access includes any native resource system rights granted by virtue of those Resource Role assignments. EmpowerID delivers these rights to your native resource systems to allow users capabilities in those systems outside of EmpowerID. This means that if "Bob" is assigned an Access Level that grants him a "Full Control" right for a specific Exchange mailbox, "Bob" will be able to open and use that mailbox from directly within Microsoft Outlook.
EmpowerID controls this type of access by creating special domain local groups known as "Resource Role Groups" or "EmpowerID Groups" for each type of Access Level assignment with native rights that occurs in EmpowerID. EmpowerID then controls who can be a member of each Resource Role Group based on whether or not they have been granted an appropriate Resource Role assignment. The number and type of groups created is highly optimized to avoid the possibility of token bloat. These assignment types and how EmpowerID responds to them within the context of Resource Role Groups is as follows:
When Enforcement and Resource Role Reconciliation is enabled for an Active Directory account store with resource systems, EmpowerID begins the process of permissions enforcement by looking for any Access Levels that have been defined with at least one right, flagged as enabled, and directly assigned to at least one person with an account that can be added to a domain local group. If EmpowerID finds Access Levels meeting these criteria, the EmpowerID Worker Role marks the Access Level as "Queued for Projection" and creates a new Resource Role Group in Active Directory with all possible accounts added to its membership. Once the Resource Role Group is created, the Worker Role marks the Access Level as "Queued for Enforcement" and stores the domain local group information in the Access Level.
Once an Access Level is marked as "Queued for Enforcement," the EmpowerID Worker Role calls the Enforcement Job to grant and/or revoke permissions within the native resource system for each member of the Resource Role Group as appropriate. At the next iteration of the Inventory Job, EmpowerID retrieves the permissions of the Resource Role Groups in Active Directory and writes them to the Windows Principal ResourceType table of the Identity Warehouse. These values are then used during the next iteration of the Enforcement and Projection process.
This can be depicted in the following way:
For EmpowerID to manage native permissions for a resource system in this way, the Rights Enforcement for Resource Role Groups setting for the resource system must be set to allow enforcement, and at least one EmpowerID server must be running the EmpowerID Worker Role Windows service with the Resource Role Reconciliation and Rights Enforcement jobs enabled on that server. Rights Enforcement for Resource Role Groups can be configured in one of the following four ways:
When Projection with Enforcement or Projection with Strict Enforcement is selected, EmpowerID ensures the native rights granted to your users reflect your security policies. Through a process of continual comparison, the EmpowerID Worker Role measures the rights and membership of any Resource Role Group in your Active Directory with those rights and memberships in the EmpowerID Identity Warehouse. If changes are found, EmpowerID will immediately revert the group back to its previous condition until it can verify that the changes to the group occurred via a change to the delegations of an Access Level assignment. If EmpowerID finds this to be the case, the Worker Role marks the Access Level as "Ready for Projection" and adjusts the group membership in Active Directory accordingly.