Enterprise User Management 5.0

Define the rules, define the groups, Enterprise User Management does the rest.™

Role Based Groups

Traditional Access Control Administration Models
Traditional access control administration models (such as Microsoft Active Directory) specify access at the object or object container, so the administrator must go to the object to query and specify access to it. These models require constant administrator involvement to translate the organizational authorization policy into permissions on objects, where each object has a list of access permissions granted to various users and groups within the organization.

Active Directory administrators know how difficult it is to determine the effective permissions that all users and groups have on a protected resource, a task further complicated by inheritance and its exceptions.

When organizations implement a traditional administration model, they inherit all of the shortcomings of such a model, including added demands on application developers, difficulty in scaling the application outside the organization, and ongoing administrative burdens. In many cases the model also affects application performance, design and function.

Enterprise User Management - Role Based Security Automation
The Enterprise User Management system is designed to help organizations make the leap to a service-oriented architecture and enable applications that can be accessed over the web by internal and external users worldwide. It integrates and automates user account creation and management with existing directories and systems.

The Enterprise User Management system’s role-based access control simplifies access control administration and allows permissions to be managed in terms of user roles such as job or function, where a group corresponds to one or more roles that can be held by any person. Groups are defined by administrators and the business as a combination of one or more roles. Group membership at any given point in time is determined by the active roles of a user. With this method, group membership is automated and is updated as users change jobs or functions.

Enterprise User Management also implements fully automated groups, where the groups themselves do not need to be defined, created or deleted. Such groups are commonly implemented through integration with the company’s HR system: Enterprise User Management scans employee profile attributes such as Division, Department, Job Title, Job Grade and Location, and determines the list of current groups from the combinations of attributes held by all active members. Administrators and business managers need only define the permissions associated with these groups.

For example, when sales managers are hired, they are assigned the Sales Manager role and instantly have all required permissions for that job. When they leave the position of sales manager, they are removed from the Sales Manager role and no longer have Sales Manager access. Since the role allows access to be granted in terms of a company's organizational model, it is more intuitive and natural for administrators to specify access control.
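The attribute-driven grouping and the Sales Manager example above can be sketched as follows. This is an added illustration, not Enterprise User Management code: the `Employee` record, `derive_groups`, `membership_diff`, the choice of attributes and the one-group-per-attribute-prefix rule are all assumptions, and the HR snapshots are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Employee:              # hypothetical HR record shape
    user: str
    division: str
    department: str
    job_title: str
    active: bool = True

GROUP_ATTRS = ("division", "department", "job_title")  # assumed attribute order

def derive_groups(employees, attrs=GROUP_ATTRS):
    """Map each attribute combination held by an active employee to its members."""
    groups = {}
    for e in employees:
        if not e.active:
            continue  # leavers define no groups and keep no memberships
        values = tuple(getattr(e, a) for a in attrs)
        # Assumption: one group per prefix, e.g. (division,), (division, department), ...
        for depth in range(1, len(values) + 1):
            groups.setdefault(values[:depth], set()).add(e.user)
    return groups

def membership_diff(before, after):
    """Return (grants, revocations) as sets of (group, user) pairs."""
    def flatten(groups):
        return {(g, u) for g, users in groups.items() for u in users}
    old, new = flatten(before), flatten(after)
    return new - old, old - new

# Constructed sample data: two consecutive HR snapshots.
BEFORE = [
    Employee("alice", "Sales", "EMEA", "Sales Manager"),
    Employee("bob", "Sales", "EMEA", "Account Rep"),
    Employee("carol", "Engineering", "Platform", "SRE"),
]
AFTER = [
    Employee("alice", "Sales", "EMEA", "Account Rep"),   # left the manager job
    Employee("bob", "Sales", "EMEA", "Account Rep"),
    Employee("carol", "Engineering", "Platform", "SRE", active=False),  # leaver
]

if __name__ == "__main__":
    grants, revocations = membership_diff(derive_groups(BEFORE), derive_groups(AFTER))
    for group, user in sorted(revocations):
        print("REVOKE", user, "/".join(group))
    for group, user in sorted(grants):
        print("GRANT ", user, "/".join(group))
```

The revocation set is the part worth logging and reviewing: it shows that a job change or departure in the HR feed removes every membership derived from the old attributes, and that a group with no remaining active holder disappears entirely.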

The Enterprise User Management system translates a user’s role membership to application permissions. In most environments, once the role permissions are established, changes to role permissions will be rare compared to changes in assignments to the role.

To summarize, with the Enterprise User Management system the business can automate the creation of groups, group membership, user accounts and role membership. Administrators need only manage permissions for groups (which are defined as a combination of one or more roles). That’s why we call this role based security automation.