Manage Partner Delegations Overview

If your organization has partners that need to access your system to manage the IT resources you have allocated to them (such as onboarding employees, adding people to groups, creating new user accounts, etc.), you can create special EmpowerID locations, known as "Organization" locations, for those partners and assign to the people within those locations one or more of the "Partner" Management Roles EmpowerID provides out of the box. Combining these locations and Management Roles with a Business Role and Location assignment allows you to give partners the ability to fully manage their domain without exposing your IT infrastructure to them. In this way, you can have multiple partners conducting business within your enterprise without those partners being aware of one another or of the resources internal to your organization. We discuss in further detail below how each of these aspects of the partner relationship works together.

Partner Management Roles


As mentioned above, EmpowerID provides "Partner" Management Roles out of the box: the Partner Admin Management Role and the Partner User Management Role. Each is configured with Access Levels for a subset of resources commensurate with the role. The Partner Admin Management Role gives assignees administrative capabilities over aspects of their domain, while the Partner User Management Role gives assignees the ability to perform basic actions, such as searching for people, requesting access to resources and initiating several workflows.

Partner Admins have both Management Roles. Additionally, all partners receive the Self-Service User Management Role.

Partner Admin Management Role

This Management Role gives assignees of the role the ability to manage the people and resources in their partner locations.

| Assignment Type | Resource Type | Access Level | Resource | Assignment Description | For Resources Below |
| --- | --- | --- | --- | --- | --- |
| Person Relative Resource | Person | All Access (EmpowerID Admin) | N/A | Assignment to any Person as All Access (EmpowerID Admin) that matches this criteria: People in organizations I belong to. | EmpowerIDAdmininstrator / PeopleInMyOrganization |
| Person Relative Resource | User Account | All Access (EmpowerID Admin) | N/A | Assignment to any User Account as All Access (EmpowerID Admin) that matches this criteria: Accounts in organizations I belong to. | EmpowerIDAdmininstrator / AccountsInMyOrganization |
| Person Relative Resource | Group (Security) | All Access (EmpowerID Admin) | N/A | Assignment to any Group (Security) as All Access (EmpowerID Admin) that matches this criteria: Security Groups in organizations I belong to. | EmpowerIDAdmininstrator / SecurityGroupsInMyOrganization |
| Person Relative Resource | Group (Distribution) | All Access (EmpowerID Admin) | N/A | Assignment to any Group (Distribution) as All Access (EmpowerID Admin) that matches this criteria: Distribution Groups in organizations I belong to. | EmpowerIDAdmininstrator / DistributionGroupsInMyOrganization |
| Person Relative Resource | Group (Generic) | All Access (EmpowerID Admin) | N/A | Assignment to any Group (Generic) as All Access (EmpowerID Admin) that matches this criteria: Generic Groups in organizations I belong to. | EmpowerIDAdmininstrator / GenericGroupsInMyOrganization |
| Direct | Pages and Reports | Viewer | Edit Group Page | Direct assignment to the Edit Group page as Viewer | N/A |
| Direct | Pages and Reports | Viewer | View Person Page | Direct assignment to the View Person page as Viewer | N/A |
| Direct | Pages and Reports | Viewer | View Account Page | Direct assignment to the View Account page as Viewer | N/A |
| Direct | Pages and Reports | Viewer | View Group Page | Direct assignment to the View Group page as Viewer | N/A |
| Direct | Workflow | Initiator | TemporaryGroupMembership | Direct assignment to the TemporaryGroupMembership workflow as Initiator | N/A |
| Direct | Pages and Reports | Viewer | Create Person Simple | Direct assignment to the Create Person Simple page as Viewer | N/A |
| Direct | Pages and Reports | Viewer | Person Onboarding | Direct assignment to the Person Onboarding page as Viewer | N/A |
| Direct | Workflow | Initiator | UpdatePersonAssets | Direct assignment to the UpdatePersonAssets workflow as Initiator | N/A |
| Direct | Workflow | Initiator | UpdateAssignments | Direct assignment to the UpdateAssignments workflow as Initiator | N/A |
| Direct | Control (User Interface) | Viewer | Global Person Search Box | Direct assignment to the Global Person Search Box as Viewer | N/A |
| Direct | Pages and Reports | Viewer | Reset Password Page | Direct assignment to the Reset Password page as Viewer | N/A |
| Direct | Control (User Interface) | Viewer | Shopping Cart | Direct assignment to the Shopping Cart as Viewer | N/A |
| Direct | Pages and Reports | Viewer | Edit Person Page | Direct assignment to the Edit Person page as Viewer | N/A |
| Direct | Pages and Reports | Viewer | Edit Account Page | Direct assignment to the Edit Account page as Viewer | N/A |
| Direct | Pages and Reports | Viewer | Find Group Page | Direct assignment to the Find Group page as Viewer | N/A |
| Direct | Workflow | Initiator | UpdateResourceLocations | Direct assignment to the UpdateResourceLocations workflow as Initiator | N/A |
| Direct | Workflow | Initiator | UpdatePersonBusinessRoles | Direct assignment to the UpdatePersonBusinessRoles workflow as Initiator | N/A |
| Direct | Workflow | Initiator | UpdatePersonRelationships | Direct assignment to the UpdatePersonRelationships workflow as Initiator | N/A |
| Direct | Workflow | Initiator | UpdateGroupAccountMembership | Direct assignment to the UpdateGroupAccountMembership workflow as Initiator | N/A |
| Direct | Workflow | Initiator | PersonPhotoApproval | Direct assignment to the PersonPhotoApproval workflow as Initiator | N/A |
| Direct | Workflow | Initiator | UpdateResourceTags | Direct assignment to the UpdateResourceTags workflow as Initiator | N/A |
| Direct | Workflow | Initiator | CreatePerson | Direct assignment to the CreatePerson workflow as Initiator | N/A |
| Direct | Control (User Interface) | Viewer | Group Resource Type Drop-down Item | Direct assignment to the Group Resource Type drop-down item as Viewer | N/A |
| Direct | Workflow | Initiator | DeleteMultiplePeopleWF | Direct assignment to the DeleteMultiplePeopleWF workflow as Initiator | N/A |
| Direct | Workflow | Initiator | DisableMultiplePeopleWf | Direct assignment to the DisableMultiplePeopleWf workflow as Initiator | N/A |
| Direct | Workflow | Initiator | EditPersonPhotoApproval | Direct assignment to the EditPersonPhotoApproval workflow as Initiator | N/A |
| Direct | Pages and Reports | Viewer | SSO Applications Page | Direct assignment to the SSO Applications page as Viewer | N/A |
| Direct | Pages and Reports | Viewer | Find Group Page | Direct assignment to the Find Group page as Viewer | N/A |
| Direct | Workflow | Initiator | UpdatePersonGroupMembership | Direct assignment to the UpdatePersonGroupMembership workflow as Initiator | N/A |
| Direct | Pages and Reports | Viewer | Find User Account Page | Direct assignment to the Find User Account page as Viewer | N/A |
| Direct | Workflow | Initiator | ChangePrimaryOrgRoleOrgZone | Direct assignment to the ChangePrimaryOrgRoleOrgZone workflow as Initiator | N/A |
| Direct | Workflow | Initiator | HelpdeskPasswordReset | Direct assignment to the HelpdeskPasswordReset workflow as Initiator | N/A |
| Direct | Workflow | Initiator | HelpdeskAccountUnlock | Direct assignment to the HelpdeskAccountUnlock workflow as Initiator | N/A |
| Direct | Workflow | Initiator | ResourceManagerEditGroup | Direct assignment to the ResourceManagerEditGroup workflow as Initiator | N/A |
| Direct | Workflow | Initiator | PersonEditNonResourceManager | Direct assignment to the PersonEditNonResourceManager workflow as Initiator | N/A |
| Direct | Control (User Interface) | Viewer | Account Resource Type Drop-down Item | Direct assignment to the Account Resource Type drop-down item as Viewer | N/A |
| Direct | Control (User Interface) | Viewer | Person Resource Type Drop-down Item | Direct assignment to the Person Resource Type drop-down item as Viewer | N/A |

Partner User Management Role

This Management Role gives assignees of the role access to the resources in their partner locations.

| Assignment Type | Resource Type | Access Level | Resource | Assignment Description |
| --- | --- | --- | --- | --- |
| Direct | Workflow | Initiator | UnclaimBusinessProcessTask | Direct assignment to the UnclaimBusinessProcessTask workflow as Initiator |
| Direct | Workflow | Initiator | AddBusinessProcessTaskComment | Direct assignment to the AddBusinessProcessTaskComment workflow as Initiator |
| Direct | Pages and Reports | Viewer | View Self Page | Direct assignment to the View Self page as Viewer |
| Direct | Pages and Reports | Viewer | Request Center Tasks To Do | Direct assignment to Request Center Tasks To Do as Viewer |
| Direct | Pages and Reports | Viewer | Request Center Tasks Done | Direct assignment to Request Center Tasks Done as Viewer |
| Direct | Pages and Reports | Viewer | Request Center Requests My Open | Direct assignment to Request Center Requests My Open as Viewer |
| Direct | Pages and Reports | Viewer | Request Center Requests My Complete | Direct assignment to Request Center Requests My Complete as Viewer |
| Direct | Workflow | Initiator | TerminateWorkflow | Direct assignment to the TerminateWorkflow workflow as Initiator |
| Direct | Pages and Reports | Viewer | SSO Applications Page | Direct assignment to the SSO Applications page as Viewer |
| Direct | Workflow | Initiator | PersonPhotoApproval | Direct assignment to the PersonPhotoApproval workflow as Initiator |
| Direct | Pages and Reports | Viewer | Edit Self Page | Direct assignment to the Edit Self page as Viewer |
| Direct | Workflow | Initiator | RequestDecisions | Direct assignment to the RequestDecisions workflow as Initiator |
| Direct | Workflow | Initiator | SetBusinessProcessTaskDelegate | Direct assignment to the SetBusinessProcessTaskDelegate workflow as Initiator |
| Direct | Workflow | Initiator | RemoveBusinessProcessTaskDelegate | Direct assignment to the RemoveBusinessProcessTaskDelegate workflow as Initiator |
| Direct | Workflow | Initiator | ClaimBusinessProcessTask | Direct assignment to the ClaimBusinessProcessTask workflow as Initiator |
| Direct | Workflow | Initiator | PersonEditNonResourceManager | Direct assignment to the PersonEditNonResourceManager workflow as Initiator |
| Direct | Control (User Interface) | Viewer | Person Resource Type Drop-down Item | Direct assignment to the Person Resource Type drop-down item as Viewer |

Organization Locations


Organization locations are a special location type. They differ from other EmpowerID locations in that the relative "In My Organizations" Access Levels, such as the "People In My Organizations" Access Level granted to the Partner Admin Management Role, take effect only for people assigned to Organization locations; assigned to people in other location types, these Access Levels have no effect.

Technically speaking, the RBAC compiler has a special calculation for each person’s Organizations, which is all the OrgZones in or below an OrgZone marked as type Organization.

When people are assigned to an Organization location via a Business Role and Location assignment, the RBAC compiler determines their relative access and limits them as actors to those resources in their Organization location and any Organization locations below theirs in the Organization tree. They cannot act on resources above their location (see the below image and discussion). This limitation, however, does not apply to people as resources. As resources, people belong to all Organization locations in the tree, including the parent. This allows people in top-level Organization locations to act on those below them.

Visually this can be represented as follows:

In the image, the triangle represents the partner organization in its entirety. Within the organization, there is a top-level parent Organization location and a person belonging to that location with the "User Admin" Business Role (depicted by the figure outlined in green). As this person belongs to the root location, the RBAC compilation of "People in her Organizations" includes the people in the root as well as all the people in the locations below the root. Thus, she can manage all users in the partner organization (represented by the green arrows).

In addition to the User Admin at the root or top-level Organization location, there is a person with the User Admin Business Role (depicted by the figure outlined in blue) at a sub Organization location. As this person belongs to a location below the parent, the RBAC compilation of "People in his Organizations" includes only those people in his sub Organization location and below. Thus, he can manage all users in those locations, but not any of those in the locations above his (represented by the blue arrow). And because he is also a resource, he can be managed by the User Admin at the parent location. This structure allows partner organizations to have sub-Organization locations with their own self-contained management capabilities that can be altered as needed by those in the top-level Organization.

EmpowerID includes a default Organization location under which all partner Organizations should be created. This Organization location is the Partner Organization location. We demonstrate this in the Managing Partner Delegations topic.
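The scoping rules described above can be modelled in a few lines. The following is an added example, not EmpowerID code: the zone tree (a "Partner Organization" root with a partner and two sub-Organizations, plus a non-Organization location for contrast), the people, and the User Admin flag are constructed for illustration, and the resource-side rule is modelled as membership in one's own location and every location above it, which is how the green/blue discussion reads.

```python
from collections import namedtuple

# Constructed model of the RBAC compiler rules described above; the zones and people
# are made up, and none of this is EmpowerID code.
# OrgZone(name, parent, is_organization): is_organization marks a zone of type Organization.
OrgZone = namedtuple("OrgZone", "name parent is_organization")
# Person(name, location, user_admin): location comes from the Business Role and Location
# assignment; user_admin means the person holds the "People In My Organizations" Access Level.
Person = namedtuple("Person", "name location user_admin", defaults=[False])

ZONES = {z.name: z for z in [
    OrgZone("Partner Organization", None, True),        # default root for partner orgs
    OrgZone("Contoso Partner", "Partner Organization", True),
    OrgZone("Contoso East", "Contoso Partner", True),
    OrgZone("Contoso West", "Contoso Partner", True),
    OrgZone("Corporate HQ", None, False)]}              # internal, non-Organization zone
GREEN = Person("green_admin", "Contoso Partner", True)  # User Admin at the partner root
BLUE = Person("blue_admin", "Contoso East", True)       # User Admin at a sub-Organization
EAST_USER = Person("east_user", "Contoso East")
WEST_USER = Person("west_user", "Contoso West")
HQ_ADMIN = Person("hq_admin", "Corporate HQ", True)     # relative access has no effect here
EVERYONE = [GREEN, BLUE, EAST_USER, WEST_USER, HQ_ADMIN]

def subtree(root):
    """All OrgZones in or below root."""
    found = {root}
    for z in ZONES.values():
        if z.parent == root:
            found |= subtree(z.name)
    return found

def ancestors_or_self(zone):
    """The zone itself and every zone above it, up to the tree root."""
    parent = ZONES[zone].parent
    return {zone} | (ancestors_or_self(parent) if parent else set())

def organizations_of(actor):
    """Actor scope: the OrgZones in or below the actor's location, but only when that
    location is of type Organization; elsewhere the relative Access Level has no effect."""
    loc = ZONES[actor.location]
    return subtree(loc.name) if loc.is_organization else set()

def can_manage(actor, target):
    """As a resource, a person belongs to their location and every location above it, so
    an actor reaches people in their own subtree and never people located above them."""
    return actor.user_admin and bool(organizations_of(actor) & ancestors_or_self(target.location))

def people_in_my_organizations(actor):
    """The 'PeopleInMyOrganization' resource set the compiler yields for an actor."""
    return {p.name for p in EVERYONE if can_manage(actor, p)}
```

Running `people_in_my_organizations(GREEN)` returns everyone in the partner tree, `people_in_my_organizations(BLUE)` returns only the East sub-Organization, and the HQ admin gets an empty set because a non-Organization location never compiles into Organizations.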

Partner Business Roles


As mentioned in the above discussion, managing the access of your partners involves another component, the Business Role. In the EmpowerID RBAC model, Business Roles and locations intersect to provide scope in access assignments. All people must have a Business Role, and all resources must belong to a location. In partner delegations, the EmpowerID RBAC compiler uses partner Business Role and Location assignments to determine the relative access to resources that the people in those Business Roles and Locations have. By default, EmpowerID includes two partner Business Role and Locations: "Partner Admin in Partners" and "Partner in Partners". These Business Role and Locations are assigned to the Partner Admin and Partner User Management Roles, respectively, so any person assigned to one of them receives the Access Levels granted to the corresponding Management Role. We demonstrate how this works in the Managing Partner Delegations topic.