About role-based access control in ClearID - ClearID

Genetec ClearID™ User Guide

Applies to: ClearID
Last updated: 2024-04-09
Content type: Guides > User guides
Language: English
Product: ClearID

Role-based access control uses identities with various attributes to automatically manage access control. Defining provisioning policies ensures that people in your organization always have up-to-date access permission levels. If an employee changes job title, department, or moves to a different site, the system automatically adjusts their access when their identity attributes are changed.

Role-based provisioning policies can be used to automatically assign or revoke access in different situations:
  • Grant or revoke access based on employees' locations.
  • Grant or revoke access based on specific roles or job titles in the organization, or who they report to.
  • Grant access to a zone only if people have specific training or certifications.
  • Grant or revoke access based on a list of custom attributes synchronized from an external source.
NOTE: Many other scenarios might also be possible depending on your requirements and current setup. You can also manually add, modify, or remove access at any time.

What is an identity?

In Genetec ClearID™, an identity represents a person and defines what they can do across various platforms, security systems, business systems, and functions. Each identity has one or more access control badges (credentials) and is linked to a cardholder in Synergis™. For example, these credentials could be a Windows user (Active Directory), an employee (Human Resources and Payroll), a salesperson (CRM and Quoting Tool), and a cardholder (Physical Security).
[Figure: An identity interacts across many security and business systems and functions: a cardholder (physical security), an employee (employee roles), a Windows user (Microsoft Active Directory).]
An identity is much more than the profile of a cardholder; it is a unique digital profile. The identity represents a person that either has an access control badge, uses the self-service portal, or both.
NOTE: In ClearID, a visitor or a temporary badge holder is not an identity.
  • An identity is a person who has a permanent badge assigned to them.
  • A visitor is a person who has a paper badge or a temporary badge credential assigned to them.
  • A contractor can be either an identity or a visitor. When a contractor is defined as a visitor, they receive a one-day HID card entered as a visitor in ClearID.
Access is typically permanent for employees, semi-permanent for contractors, and temporary for guests.

Identity attributes

In Genetec ClearID™, attributes are the traits or characteristics that make up an identity. Examples of attributes include department, location, role, seniority, pay grade, training certifications, and security clearance.

Role-based access control relies on policies (provisioning rules) that automatically assign rights to identities (people) based on attributes (traits or characteristics).

In Genetec ClearID™, a role manager is an identity that has authority over who is assigned to a role. A role manager can add people to and remove people from a role. They are also responsible for role access review approvals.

The life cycle of an identity

In ClearID, the entire life cycle of an identity can be automatically managed.

The following diagram illustrates the life cycle of an identity when a provisioning policy is activated:
  1. Identity is created: New identity is created when an employee is hired, a visitor or contractor is invited.
  2. Provision access: Based on attributes, access for the identity is provisioned and credentials are assigned.
  3. Manage identity evolution: Transfers, visits, status changes, promotions, and access requests trigger synchronization.
  4. Revoke access: A status change revokes access and credentials to ensure compliance and security.
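The following sketch is an added illustration, not ClearID code or its API. It models how attribute-based provisioning policies and the life cycle steps above fit together: access is computed from attributes, recomputed when an attribute changes, and revoked on a status change. The `Policy` class, the function names, the zone names, and the `status` values are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Hypothetical model for illustration; not ClearID's API or data schema.
@dataclass
class Policy:
    zone: str                      # zone the policy grants access to
    required: dict                 # attribute name -> set of accepted values
    certifications: set = field(default_factory=set)  # all must be held

def matches(policy, identity):
    """True if the identity's attributes satisfy every condition of the policy."""
    if identity.get("status") != "active":   # a status change revokes all access
        return False
    for attr, accepted in policy.required.items():
        if identity.get(attr) not in accepted:
            return False
    return policy.certifications <= set(identity.get("certifications", ()))

def provision(policies, identity):
    """Zones the identity is entitled to under its current attributes."""
    return {p.zone for p in policies if matches(p, identity)}

def synchronize(policies, provisioned, identity):
    """Re-evaluate after an attribute change; return (to_grant, to_revoke).
    `provisioned` holds policy-granted zones only, so manual grants are untouched."""
    target = provision(policies, identity)
    return target - provisioned, provisioned - target

# Constructed sample policies (zone and attribute values are made up).
POLICIES = [
    Policy("Montreal lobby", {"location": {"Montreal"}}),
    Policy("Paris lobby", {"location": {"Paris"}}),
    Policy("Server room", {"department": {"IT"}, "location": {"Montreal"}},
           {"datacenter-safety"}),
]

if __name__ == "__main__":
    person = {"status": "active", "location": "Montreal", "department": "IT",
              "certifications": ["datacenter-safety"]}
    access = provision(POLICIES, person)                 # 2. provision access
    print("provisioned:", sorted(access))
    person["location"] = "Paris"                         # 3. transfer to another site
    grant, revoke = synchronize(POLICIES, access, person)
    access = (access | grant) - revoke
    print("grant:", sorted(grant), "revoke:", sorted(revoke))
    person["status"] = "terminated"                      # 4. status change
    grant, revoke = synchronize(POLICIES, access, person)
    print("grant:", sorted(grant), "revoke:", sorted(revoke))
```

Keeping policy-derived access separate from manually assigned access is what lets a re-evaluation revoke stale entitlements without removing grants an administrator added by hand.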