Configuring Dynamic Hierarchy Policies
If your company or organization always sets up groups or management roles based on Person or user account attributes (e.g., state/city, org chart hierarchy), Dynamic Hierarchy policies provide a way to specify the conditions allowing EmpowerID to automatically provision and/or deprovision specific groups or Management Role Definitions and Management Roles based on one or more Person attributes. Dynamic Hierarchies also dynamically manage the membership of those groups or Management Roles. You can then assign resources to the generated groups and/or Management Roles as needed and EmpowerID will grant those assignments to the people in those groups and roles. The topics in this section show you how.
Every implementation of a Dynamic Hierarchy policy has four steps.
- The first step is the Generation process, which finds what objects need to be created or deleted based on the settings applied to the policy. When an object is created, EmpowerID places that object in the Dynamic Hierarchy Provision Inbox queue.
- The second step is Membership Recalculation, where changes to group or management role memberships occurring as a result of a Dynamic Hierarchy policy are placed in the Dynamic Hierarchy Membership Inbox queue.
- The third step is the Provision process, which pulls the new objects from the Dynamic Hierarchy Membership Provision Inbox and provisions those objects in the appropriate system.
- The fourth step is the Set Membership process, which pulls the objects from the Dynamic Hierarchy Membership Inbox and pushes those changes to the external systems.