Creating Visibility Restriction Policies

Visibility Restriction policies are policies that you can create to limit the ability of policy holders to view resources in EmpowerID. These policies are like RBAC delegations in that you can assign them to any EmpowerID Actor. Once assigned to an actor, any Person belonging to that actor receives the policy. For example, if your organization uses the services of contractors, you could create a Visibility Restriction policy that only allows contractors to see other contractors within the organization, and apply that policy to a group or Management Role designated for Contractors. Then, when a contractor logs in, that contractor will only be able to see other contractors.

This topic demonstrates how to create Visibility Restriction policies and is divided into the following activities:

To create a Visibility Restriction policy

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to the Delegations Management page by expanding Identities and clicking Manage Delegations.
  2. From the Delegations Management page, click the Visibility Restriction Policies tab.
  3. The Create a Visibility Restriction Policy form opens.

  4. From the Assign Policy To drop-down, select the Actor type to which you want to apply the policy. Actor types include the following:
    • Person - If you select this Actor type, the policy will be applied to a specific person.
    • Group - If you select this Actor type, the policy will be applied to a specific group. Each person who is a member of the group will receive the policy.
    • Business Role and Location - If you select this Actor type, the policy will be applied to a specific Business Role and Location. Each person who belongs to the Business Role and Location will receive the policy.
    • Management Role - If you select this Actor type, the policy will be applied to a specific Management Role. Each person who is a member of the role will receive the policy.
    • Management Role Definition - If you select this Actor type, the policy will be applied to a specific Management Role Definition. Each Management Role that is a child of the definition will receive the policy.
    • Query-Based Collection (SetGroup) - If you select this Actor type, the policy will be applied to a specific Query-Based Collection. Each person who is a member of the collection will receive the policy.

    In our example, we are assigning the policy to a group.

  5. Type the name of the specific actor to whom the policy is to be assigned in the Assignee field and then click the tile that appears for that actor. This field is bound to the value of the Assign Policy To drop-down, so you can only enter an actor matching the selected Actor type. For example, if you selected Group from the Assign Policy To drop-down, then you can only search for and select a group in the Assignee field.

    In our example, we are assigning the policy to the Contractors group.

  6. Select the object type you want to restrict from the Object Type To Restrict drop-down. For example, if you want to restrict the ability to see people, select Person.

    In our example, we are restricting the ability of group members to see people.

  7. From the Assignment Type drop-down, define the scope of the policy by selecting the appropriate type. The assignment types are the following:
    • Person Relative Resource - Policy holders can see only those objects relative to their own person. For example, if you are creating a policy that limits the ability to see computers, select this assignment type, and then assign the policy to "Bob," who is located in "Boston," Bob will only be able to see the computers located in Boston when he logs in.
    • Direct - Policy holders can only see a specific resource object of a specific type, such as "Computer X" or "Person Y."
    • Scoped At Location - Policy holders can only see the resource objects of a specific type in a specific location, such as all computers or all people in Boston.
    • Target Group - Policy holders can only see resource objects belonging to a specific group. For example, if you are creating a policy that limits the ability to see people and select this assignment type, people with the policy will only be able to see those people belonging to the target group.
    • Target Management Role - Policy holders can only see resource objects belonging to a specific Management Role. For example, if you are creating a policy that limits the ability to see people and select this assignment type, people with the policy will only be able to see those people belonging to the target Management Role.
    • Target Query-Based Collection - Policy holders can only see resource objects belonging to a specific Query-Based Collection. For example, if you are creating a policy that limits the ability to see people and select this assignment type, people with the policy will only be able to see those people belonging to the target collection.

    In our example, we are selecting Target Group.

  8. In the Enter a <Resource Object> Name to Search, Person Relative Resource or Can See All Below field, do one of the following, depending on the field shown on the form. The field shown changes based on the Assignment Type selected in step 7.
    • Enter a <Resource Object> Name to Search - Type the name of the specific resource object for which you are creating the policy and then click the tile for that object to select it.
    • Person Relative Resource - Select the relative resource for the restricted resource object type, such as People in Person's Location or Accounts in Person's Location. For example, if you are creating a policy that limits the ability to see accounts and the Assignment Type is Person Relative Resource, selecting Accounts in Person's Location means that any person with the policy will only be able to see the accounts in their own location.
    • Can See All Below - Click the Select a Location link, and in the Location Selector that appears, search for and select a location and then click Save to close the Location Selector.

    In our example, we selected Target Group in step 7, so we searched for and selected the specific group we wanted to target.

  9. Type a numeric value from 1 to 100 in the Priority field. This value sets the priority given to this Visibility Restriction policy when a user holds more than one policy. The lower the number, the higher the priority.
  10. Leave the Mode value set to Default.
  11. At this point, the Create a Visibility Restriction Policy form should look similar to the following image (with variations for the selected options). In the image, we are creating a Visibility Restriction policy that restricts anyone who is a member of the Contractors group from seeing people outside of that group.

  12. Click Save.

To test the Visibility Restriction policy

  1. Log out of the EmpowerID Web application and log back in as a person assigned the policy. For example, if you created a Visibility Restriction policy and assigned it to a group, log in as a person who is a member of that group.
  2. From the Home page of the Web application, search for any resource object restricted by the policy. For example, if you created a Visibility Restriction policy that restricts the ability to see people, search for people. In our example, we created just such a policy, so we navigated to the White Pages.
  3. You should only be able to see those objects for which the policy was created. In our example, we have logged in as a person who is a member of the Contractors group. Because we created a Visibility Restriction policy that restricts anyone who is a member of the Contractors group from seeing people outside of that group, we can only see those people in the organization who belong to the group.
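As an added illustration (not EmpowerID code), the following Python model shows how the settings configured above combine: a policy is held through an actor (Person or Group here), the Object Type To Restrict selects which policies matter, and the Assignment Type decides which Person objects remain visible. The sample directory, the names and the rule that only the highest-priority (lowest-numbered) policy is applied are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Person:
    name: str
    location: str
    groups: frozenset


@dataclass(frozen=True)
class VisibilityRestriction:
    assign_to: str         # Actor type: "Person" or "Group" (other actor types omitted here)
    assignee: str          # name of the actor the policy is assigned to
    object_type: str       # Object Type To Restrict, e.g. "Person"
    assignment_type: str   # "Target Group", "Scoped At Location", "Direct" or "Person Relative Resource"
    target: Optional[str]  # target group, location or object name; None for Person Relative Resource
    priority: int          # 1-100, lower number = higher priority


def held_policies(person: Person, policies: List[VisibilityRestriction]) -> List[VisibilityRestriction]:
    """Policies the person receives through the actors they belong to, highest priority first."""
    held = [p for p in policies
            if (p.assign_to == "Person" and p.assignee == person.name)
            or (p.assign_to == "Group" and p.assignee in person.groups)]
    return sorted(held, key=lambda p: p.priority)


def visible_people(viewer: Person, everyone: List[Person], policies: List[VisibilityRestriction]) -> List[str]:
    """Names the viewer would see in the White Pages under the applicable restriction."""
    held = [p for p in held_policies(viewer, policies) if p.object_type == "Person"]
    if not held:
        return sorted(p.name for p in everyone)  # no restriction: the viewer sees everyone
    rule = held[0]  # assumption: only the highest-priority policy is applied
    checks: Dict[str, Callable[[Person], bool]] = {
        "Target Group": lambda p: rule.target in p.groups,
        "Scoped At Location": lambda p: p.location == rule.target,
        "Direct": lambda p: p.name == rule.target,
        # "People in Person's Location": objects relative to the viewer's own location
        "Person Relative Resource": lambda p: p.location == viewer.location,
    }
    return sorted(p.name for p in everyone if checks[rule.assignment_type](p))


# Constructed sample directory and the policy from this topic's example
PEOPLE = [
    Person("Alice", "Boston", frozenset({"Contractors"})),
    Person("Bob", "Boston", frozenset({"Employees"})),
    Person("Carol", "Chicago", frozenset({"Contractors"})),
    Person("Dave", "Chicago", frozenset({"Employees"})),
]
CONTRACTOR_POLICY = VisibilityRestriction("Group", "Contractors", "Person", "Target Group", "Contractors", 10)

if __name__ == "__main__":
    print("Alice sees:", visible_people(PEOPLE[0], PEOPLE, [CONTRACTOR_POLICY]))  # ['Alice', 'Carol']
    print("Bob sees:", visible_people(PEOPLE[1], PEOPLE, [CONTRACTOR_POLICY]))    # everyone
```

Running it reproduces the test step above: the contractor Alice sees only fellow Contractors members, while Bob, who holds no policy, sees the whole directory.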