Lifecycle Role and Location Configuration and Processing
Overview
Automated role and location assignment within EmpowerID systematically manages the assignment of business roles and locations to identities using detailed organizational data from external systems, such as HR databases. The process begins after initial identity provisioning, where accounts are imported into EmpowerID and identities are created from these accounts.
Key to this automation is the creation of external organizational roles (External Org Roles) and external organizational locations (External Org Zones), either by directly inventorying from structured data within external systems or dynamically deriving this information from attributes in user account records, such as job titles, job codes, divisions, and departments.
EmpowerID uses this externally derived data to create detailed mappings—relationships that define precisely how external roles and locations correlate to internal EmpowerID business roles and locations. The system accomplishes this correlation through specialized mapping interfaces and configurable dynamic hierarchy policies, allowing precise and customizable role and location assignments.
Multiple automated server jobs then handle these mappings, continually evaluating and updating identities' roles and locations based on changes in the source data. EmpowerID ensures timely and accurate role assignments by first proposing necessary changes through a compiler job, followed by executing these changes through a dedicated processor job.
This comprehensive automation not only streamlines identity management but also supports detailed troubleshooting and monitoring, ensuring consistency and accuracy in organizational role and location assignments throughout an identity's lifecycle.
Key Components
External Org Roles and Zones
EmpowerID creates External Organizational Roles (External Org Roles) and External Organizational Zones (External Org Zones) through either direct inventorying from external system structures or dynamically deriving them from account position-related attributes such as job codes or job titles for roles, and divisions, departments, or regions for locations.
Each account within EmpowerID is associated with an Account External Org Role Org Zone record, establishing the direct relationship between the individual account and its external role and location derived from the external system's data. This association precisely reflects the individual's positional context within the external organization.
Further, these external roles and locations are correlated to internal EmpowerID business roles and locations via mapping records:
- External Org Role Mapping: Connects external roles (e.g., job titles or job codes from HR data) to internal EmpowerID business roles, enabling clear, automated role assignments.
- External Org Zone Mapping: Links external locations (e.g., divisions or departments) to internal EmpowerID business locations, supporting accurate automated location assignments.
These mappings facilitate seamless transitions from external organizational data to internal role and location structures, allowing identities in EmpowerID to be automatically and accurately placed in their correct organizational context. This setup provides both efficiency and flexibility, enabling detailed administrative control and straightforward troubleshooting through clearly defined and accessible relationships and mappings.
Role and Location Mapping
The Role and Location Mapper in EmpowerID provides administrators with the ability to manually map external roles and locations to internal business roles and locations. The mapper is particularly useful in situations where the external organizational structure is highly complex or detailed, and a simplified internal structure is desired.
Administrators use the mapper interface by:
- Selecting external roles or locations from a detailed list derived from external sources (e.g., HR data).
- Associating these external selections with the appropriate internal business roles or locations.
- Confirming and saving these mappings, ensuring EmpowerID knows exactly how to interpret and apply external data for internal assignments.
This mapper supports many-to-one mappings, allowing multiple external roles (such as different executive titles—CFO, CEO, COO) to be grouped under a single internal business role (such as "Executive"). This greatly reduces complexity within EmpowerID, making it easier to manage access rights, security assignments, and lifecycle processes based on clear and maintainable role definitions.
Administrators can also verify current mappings, identify unmapped roles or locations, and quickly rectify any mapping issues to ensure continuity and accuracy in role and location assignments. The Role and Location Mapper is thus an essential tool for maintaining clear alignment between external organizational structures and internal EmpowerID management policies.
Deriving Role and Location Data and Dynamic Hierarchy Policies
EmpowerID supports two primary methods for deriving external role and location data:
Inventory from External Structure Data:
Some HR systems and external data sources maintain structured organizational hierarchies that can be directly inventoried by EmpowerID. This direct inventorying process imports organizational structure data into EmpowerID, automatically creating external organizational roles and zones.
Dynamic Hierarchy Policies:
For external systems lacking structured organizational hierarchies, EmpowerID utilizes Dynamic Hierarchy Policies. These policies dynamically derive external roles and locations from attributes in account records, such as job titles, divisions, and departments.
This process involves several automated backend jobs:
- Dynamic Hierarchy Generation Job: Scans account records, identifies new roles and locations based on configured attributes, and generates transactions for creating external roles and locations.
- Dynamic Hierarchy Provision Inbox Processor: Processes transactions created by the Generation Job, physically creating new external roles and locations within EmpowerID.
- Dynamic Hierarchy Membership Recalculation Job: Evaluates account data to determine appropriate role and location memberships, generating account-to-role/location membership records.
- Dynamic Hierarchy Membership Inbox Processor: Processes membership records, associating accounts to their corresponding external roles and locations.
Dynamic hierarchy policies are configurable to accommodate different organizational structures, supporting up to three hierarchy levels. Administrators define:
- Attributes used for role and location hierarchy levels.
- Scheduling intervals for generation and membership recalculations.
- Delays for removing outdated assignments to avoid conflicts.
- Automatic cleanup of empty roles and locations to maintain data hygiene.
- Custom naming conventions for clarity and organizational standards.
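A simplified model of the derivation described above, added here as an illustration and not EmpowerID code: each unique attribute-value path becomes one external location node, and each account is attached to its deepest node. The attribute names, sample accounts and the handling of blank values are assumptions.

```python
# Constructed sample accounts; attribute names are illustrative assumptions.
ACCOUNTS = [
    {"login": "asmith", "Division": "Finance", "Department": "Accounting"},
    {"login": "bjones", "Division": "Finance", "Department": "Accounting"},
    {"login": "clee", "Division": "R&D", "Department": "Platform"},
    {"login": "dkim", "Division": "R&D", "Department": " "},  # blank child level
]
MAX_LEVELS = 3  # the page states a policy supports up to three hierarchy levels


def derive(accounts, levels):
    """Generation + membership in one pass.

    Returns (nodes, membership): nodes holds one path per unique
    attribute-value prefix; membership maps login -> deepest path.
    """
    if not 1 <= len(levels) <= MAX_LEVELS:
        raise ValueError("a policy defines between one and three levels")
    nodes, membership = set(), {}
    for acct in accounts:
        path = []
        for attr in levels:
            value = (acct.get(attr) or "").strip()
            if not value:
                break  # assumption: a blank level ends the path at its parent
            path.append(value)
            nodes.add(tuple(path))
        if path:
            membership[acct["login"]] = tuple(path)
    return nodes, membership


def empty_nodes(existing, membership):
    """Previously generated nodes with no account at or below them,
    i.e. the candidates for the empty-location cleanup option."""
    in_use = {m[:i] for m in membership.values() for i in range(1, len(m) + 1)}
    return existing - in_use


if __name__ == "__main__":
    nodes, members = derive(ACCOUNTS, ["Division", "Department"])
    print(sorted(nodes))
    print(members)
    print(empty_nodes(nodes | {("Finance", "Payroll")}, members))
```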
Procedural Walkthrough: Configuring Dynamic Hierarchy Policies
Configuring Dynamic Hierarchy Policies within EmpowerID enables automated generation of external organizational roles and locations based on attributes from user account data. The steps below, with notes drawn from practical EmpowerID scenarios, walk administrators through the full policy configuration.
Step-by-Step Configuration with Detailed Explanation
- Access the Dynamic Hierarchy Policy Interface:
  - Navigate within EmpowerID to the Dynamic Hierarchies menu.
  - Select Policies.
  - Click the + button to create a new Dynamic Hierarchy Policy.
- Select Dynamic Hierarchy Type:
  - Choose Account Attribute External Roles and Locations as your dynamic hierarchy type. This setting enables deriving external roles and locations directly from user account attributes.
- Define the Account Store:
  - Identify and select the specific account store (such as your HR system or a flat file import) from which user accounts will be evaluated for generating roles and locations. This selection ensures the correct source for attribute evaluation.
- Set Hierarchy Generation Scheduling:
  - Configure scheduling frequency for hierarchy generation. Initially, setting this to a short interval, such as every five minutes, can expedite initial processing. After successful verification and stabilization, adjust this frequency to align with organizational change rates (typically daily or weekly).
- Set Membership Recalculation Scheduling:
  - Configure membership recalculation scheduling. Membership recalculations often occur more frequently than the hierarchy generation itself since personnel may frequently move between roles and locations. Regular recalculations (e.g., hourly or every few hours) help maintain accurate assignments.
- Configure Hierarchy Levels and Attributes:
  - You may define up to three hierarchy levels for both roles and locations:
    - Roles: Choose account attributes like job titles, job codes, or any custom attributes relevant to your organization's role structure.
    - Locations: Select account attributes such as division, department, or region. A common configuration could include Division as the parent level and Department as a child level.
  - Each hierarchy level directly corresponds to unique attribute values in your account records. During processing, EmpowerID generates distinct external organizational roles and locations for each unique attribute value discovered in these configured levels.
- Enable Advanced Processing Options:
  - Claim Matching Roles and Locations:
    - EmpowerID can automatically associate new roles and locations with existing ones if matching attribute values already exist in the system, minimizing duplicates.
  - Role Assignment Removal Delay:
    - Implement a delay (e.g., 20 minutes) to remove outdated role assignments. This precaution prevents temporary assignment conflicts during the brief window when a person’s role changes, ensuring continuous and accurate role and location assignment.
  - Empty Roles and Locations Cleanup:
    - Enable automatic deletion of roles and locations that become empty, maintaining system cleanliness and data integrity.
- Configure Naming Conventions (Optional):
  - Apply custom naming conventions for newly generated roles and locations, ensuring they match your organization's existing standards and are easily identifiable.
- Save and Activate the Policy:
  - Once fully configured, save your Dynamic Hierarchy Policy. EmpowerID will immediately begin evaluating account data according to your configuration, generating the external roles and locations accordingly.
Monitoring and Troubleshooting
After activating your policy, monitor and troubleshoot effectively by:
- Inspecting Dynamic Hierarchy Inbox:
  - Review records generated by the Dynamic Hierarchy Generation and Membership Recalculation jobs to confirm correct identification of new roles and locations and accurate account assignments.
- Validating Generated Structures:
  - Examine newly created roles and locations within the EmpowerID interface under External Roles and Locations to confirm correctness and completeness.
- Confirming Account-to-Role/Location Assignments:
  - Regularly review the Account External Org Role Org Zone records to validate accurate mapping of accounts to external roles and locations, promptly identifying and rectifying any discrepancies.
- Optimizing Scheduling:
  - Following initial runs and validation, adjust scheduling intervals of hierarchy generation and recalculations to match organizational dynamics and practical requirements.
This expanded configuration guide ensures administrators clearly understand the policy setup and effectively utilize EmpowerID’s powerful automated processes, significantly enhancing role and location accuracy, operational efficiency, and identity lifecycle governance.
Role and Location Processing and Business Role and Location Settings
EmpowerID's role and location assignments rely heavily on two critical automated components: the Role and Location Compiler and the Role and Location Processor. These two components function in tandem with configuration settings defined within the account store.
Initially, identities are assigned a default business role and location (e.g., "Standard Employee" and "Temporary Location") when first created to ensure immediate assignment. The Role and Location Compiler subsequently evaluates these initial assignments against external role and location mappings derived from configured dynamic hierarchy policies. It identifies discrepancies between the existing assignment and the appropriate mapped assignment based on external account attributes and mapping records.
Once discrepancies are identified, the compiler generates proposed changes into an inbox table known as the Role and Location Recompiler Inbox. Each inbox record explicitly describes the necessary adjustments—clearly indicating previous and new assignments for each identity.
The Role and Location Processor then processes these inbox records, systematically executing the required changes. This processor updates identity assignments from temporary defaults to their accurate business roles and locations as defined by external mappings.
Critical to this process are the Business Role and Location Settings configured at the account store level:
- Allow Business Role and Location Re-evaluation: Enables EmpowerID to evaluate and adjust role/location assignments based on account data.
- Auto-provisioning of Roles and Locations: Automatically creates EmpowerID business roles and locations from external source data if enabled.
- Default Assignments for Unmapped Accounts: Defines fallback roles and locations, preventing assignment gaps if mappings are missing or incomplete.
These settings provide robust control, ensuring accurate and efficient role and location management, while facilitating straightforward troubleshooting and adjustments.
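The compile-then-process flow and the fallback setting described above, as an added Python model (not EmpowerID code or schema). The mappings, the names and the rule that any missing mapping yields the default pair are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed mappings; every name here is illustrative, not EmpowerID schema.
ROLE_MAP = {"CEO": "Executive", "CFO": "Executive", "COO": "Executive",
            "Accountant": "Finance Staff"}  # many-to-one is allowed
ZONE_MAP = {"Finance/Accounting": "HQ Finance"}
DEFAULT = ("Standard Employee", "Temporary Location")  # fallback pair


@dataclass(frozen=True)
class InboxRecord:
    person: str
    previous: tuple
    proposed: tuple


def compile_changes(accounts, assignments, reevaluate=True):
    """Compiler step: return (inbox, unmapped) and change nothing."""
    inbox, unmapped = [], []
    if not reevaluate:  # models re-evaluation being disabled on the account store
        return inbox, unmapped
    for acct in accounts:
        role = ROLE_MAP.get(acct["ext_role"])
        zone = ZONE_MAP.get(acct["ext_zone"])
        if role is None or zone is None:
            # Assumption: any missing mapping falls back to the default pair.
            unmapped.append((acct["person"], acct["ext_role"], acct["ext_zone"]))
            target = DEFAULT
        else:
            target = (role, zone)
        current = assignments.get(acct["person"], DEFAULT)
        if current != target:
            inbox.append(InboxRecord(acct["person"], current, target))
    return inbox, unmapped


def process_inbox(inbox, assignments):
    """Processor step: apply each proposed change, return how many were applied."""
    for rec in inbox:
        assignments[rec.person] = rec.proposed
    return len(inbox)


# Constructed sample: dave held a mapped role, then moved to an unmapped title.
ACCOUNTS = [
    {"person": "alice", "ext_role": "CFO", "ext_zone": "Finance/Accounting"},
    {"person": "carol", "ext_role": "Contractor", "ext_zone": "Finance/Accounting"},
    {"person": "dave", "ext_role": "Advisor", "ext_zone": "Finance/Accounting"},
]
STATE = {"dave": ("Executive", "HQ Finance")}
```

Re-running the compiler after the processor yields an empty inbox, while the unmapped list keeps surfacing accounts that sit on the default pair until a mapping is added.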