Granting Access using Target RBAC Containers

Target RBAC Containers allow you to grant users access to resources without requiring you to know the location of those resources. This is useful when delegating access to resources scattered across an enterprise. When you make this type of access assignment, you scope the assignment to all resources of a specific type within the Target RBAC Container. EmpowerID includes a number of Target RBAC Containers, with each container targeting a specific resource type. These types are described in the definitions below.

  • Target RBAC Container Definitions
    • Belonging to which Management Role - Scopes the Access Level assignment to all people who are members of the target or selected Management Role, giving the actor receiving the assignment the ability to perform the operations of the Access Level against those people. An example would be assigning the Administrator Access Level for the Self-Service User Limited Access Management Role to the Enterprise IT Administrator Management Role. In the example, Person is the resource type, the people who are members of the Self-Service User Limited Access Management Role are the resources, and the Enterprise IT Administrator Management Role is the actor. With this type of Access Level assignment, any person with the Enterprise IT Administrator Management Role can perform Administrator operations against any person with the Self-Service User Limited Access Management Role.
    • Belonging to which Group - Scopes the Access Level assignment to all user accounts or EmpowerID Persons who are members of the target or selected group, giving the actor receiving the assignment the ability to perform the operations of the Access Level against those user accounts or people. An example would be assigning the Password Manager Access Level for all user accounts in the BK-2107 group to an EmpowerID Person named "John Abreu." In this example, user account is the resource type, the user accounts belonging to the group are the resources, and the EmpowerID Person John Abreu is the actor. With this type of Access Level assignment, John Abreu can perform Password Manager operations against any of the user accounts in the BK-2107 group.
    • Belonging to which Query-Based Collection - Scopes the Access Level assignment to all resources that belong to the target or selected Query-Based Collection, giving the actor receiving the assignment the ability to perform the operations of the Access Level against those resources. An example would be assigning the Administrator Access Level for all user accounts in the AD Accounts Never Logged In Query-Based Collection to the Enterprise IT Administrator Management Role. In this example, user account is the resource type, the user accounts in the Query-Based Collection are the resources, and the Enterprise IT Administrator Management Role is the actor. With this type of Access Level assignment, any person with the Enterprise IT Administrator Management Role can perform Administrator operations against any of the user accounts belonging to the Query-Based Collection.

This topic demonstrates how to use Target RBAC Containers for access assignments by assigning a specific level of access against all people who are members of a target Management Role to another Management Role (the actor). In this way, anyone belonging to the "acting" Management Role can perform the operations associated with the access level against all people belonging to the target Management Role.

To grant access to resources using Target RBAC Containers

  1. From the Navigation Sidebar, navigate to the Delegations management page by expanding Identities and clicking Manage Delegations.
  2. Select the Actor Delegations tab.
  3. Select Management Role from the To which type of actor do you wish to assign access? drop-down, type the name of the Management Role to whom you are delegating access in the Which Management Role needs access? field and then click the tile for that Management Role.
  4. Select Belonging to which Management Role from the Assign direct to resource or other method drop-down.
  5. Click the Add Access Assignments (+) button located in the grid header.
  6. In the Select the resource(s) to grant access to dialog that appears, do the following:
    1. From the Resource Type drop-down, select the resource type for the appropriate resources contained in the Target RBAC Container. In our example, since we selected Belonging to which Management Role as the Target RBAC Container, we can only select Person from the drop-down. This is because Management Roles are collections of people.
    2. Type the name of the target that contains the resources for which you want to give the assignee access and then click the tile for that target to select it. In our example, we are assigning a Management Role access to the resources in another Management Role (the target Management Role).
    3. Select the Access Level you want to grant from the Access Level drop-down. In our example, we are selecting the Administrator Access Level.
    4. Optionally, if you want to limit the access to a specified period of time, tick Time Constraint and select the appropriate dates from the Access Begins and Access Ends fields. Please note that clicking these fields opens a Calendar control for selecting the dates.
    5. Click Save to add the assignment to the shopping cart.
  7. Repeat step 5 above for each type of access assignment you want to make for the target.
  8. When you have finished adding access assignments, click the Shopping Cart at the top of the page, type a reason for the assignment and then click Submit.
  9. Once the workflow processes the request, if no approval is needed, you should see the assignment(s) in the grid.
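
For access reviews, it helps to see how far one container-scoped assignment fans out. The following is an added example, not EmpowerID code or its API: a small Python model of the three container definitions above plus the optional Time Constraint from step 6, expanding each assignment into the person-to-resource pairs it produces. Member names other than John Abreu, the account names, and the dates are constructed, and the model assumes membership is read at evaluation time.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data: container and role names come from the page's
# examples; members, accounts and dates are made up for illustration.
CONTAINERS = {
    ("ManagementRole", "Self-Service User Limited Access"): {"Person": {"alice", "bob"}},
    ("Group", "BK-2107"): {"UserAccount": {"corp\\svc-app1", "corp\\jdoe"}},
    ("QueryBasedCollection", "AD Accounts Never Logged In"): {"UserAccount": {"corp\\tmp-07"}},
}
ROLE_MEMBERS = {"Enterprise IT Administrator": {"carol", "dave"}}

@dataclass(frozen=True)
class Assignment:
    actor_type: str                 # "ManagementRole" or "Person"
    actor: str
    container: tuple                # (Target RBAC Container type, target name)
    resource_type: str
    access_level: str
    begins: Optional[date] = None   # optional Time Constraint
    ends: Optional[date] = None

    def active(self, today):
        return ((self.begins is None or self.begins <= today)
                and (self.ends is None or today <= self.ends))

def actors_of(a):
    """Expand the actor to the people who actually receive the access."""
    return ROLE_MEMBERS.get(a.actor, set()) if a.actor_type == "ManagementRole" else {a.actor}

def effective_access(assignments, today):
    """Return {(person, resource_type, resource, access_level)} in effect today.
    Assumption of this model: membership is looked up at evaluation time, so
    the result changes as the actor role or target container changes."""
    out = set()
    for a in (x for x in assignments if x.active(today)):
        resources = CONTAINERS.get(a.container, {}).get(a.resource_type, set())
        out |= {(p, a.resource_type, r, a.access_level) for p in actors_of(a) for r in resources}
    return out

# The page's three examples; the time window on the last one is constructed.
ASSIGNMENTS = [
    Assignment("ManagementRole", "Enterprise IT Administrator",
               ("ManagementRole", "Self-Service User Limited Access"), "Person", "Administrator"),
    Assignment("Person", "John Abreu", ("Group", "BK-2107"), "UserAccount", "Password Manager"),
    Assignment("ManagementRole", "Enterprise IT Administrator",
               ("QueryBasedCollection", "AD Accounts Never Logged In"), "UserAccount",
               "Administrator", begins=date(2024, 6, 1), ends=date(2024, 6, 30)),
]
```

In this model, three assignments yield eight person-to-resource grants inside the time window and six after it, and adding one person to the target Management Role extends Administrator access to that person for every member of the acting role without any new assignment being submitted.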