EmpowerID restricts access to the IT Shop, to the resources in it, and to the visibility of those resources through the use of Management Roles. To access the IT Shop and request resources, users must be assigned to the appropriate roles. The mechanism by which EmpowerID secures a workflow and the operations within that workflow is known as “Rights-Based Approval Routing” or RBAR. With RBAR, EmpowerID checks in real time whether the current person within a workflow process has the delegations needed to perform the operations associated with that process. If the person has the delegations, the process continues; if the person does not have the delegations, the process either exits or routes for approval to someone with the delegations needed to approve the operation. In EmpowerID, these delegations are controlled through the assignment of Access Levels. Before people can access a workflow or perform an operation within that workflow, they must have an Access Level assignment that allows them to do so. These assignments can be made directly to users or, more commonly, through membership in a Management Role that is configured with the Access Level.

Management Roles are prefixed by their function in EmpowerID and include the following:

  • UI — Management Roles prefixed with UI grant users access to specific UI elements in the EmpowerID Web interface. An example of this type of role for the IT Shop is UI-IT-Shop-Full-Access. This role grants full access to the user interfaces and workflows for requesting access to resources as well as for managing resources.

  • VIS — Management Roles prefixed with VIS grant users the ability to see specific object types in EmpowerID. For users to see resources of a specific type in the IT Shop, they need to have a VIS role for that resource type. An example of this type of role for the IT Shop is VIS-Computer-MyLocations. This role grants access to see computers that belong to the same location as the person with the role.

  • ACT — Management Roles prefixed with ACT grant users the ability to manage specific objects in EmpowerID. An example of this type of role for resource management in EmpowerID is ACT-Computer-Shared-Credential-Assigner-MyLocations. This role grants users with the role the ability to assign and unassign shared credentials to computers in the person's locations.
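The RBAR decision described above (continue, route for approval, or exit) together with the VIS/ACT role split and the MyLocations scope, modelled as an added example; this is illustrative code, not EmpowerID's implementation. The role names are the ones this page lists; the grant tuples, the "Assigner" level name, the Person and Computer records and the approver-selection rule are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed mapping of Management Role -> Access Level grants as
# (level, object type, scope). Role names come from the page; the tuples
# and the "Assigner" level are assumptions for this example.
ROLE_GRANTS = {
    "VIS-Computer-All": {("Viewer", "Computer", "All")},
    "VIS-Computer-MyLocations": {("Viewer", "Computer", "MyLocations")},
    "ACT-Computer-Shared-Credential-Assigner-MyLocations":
        {("Assigner", "Computer", "MyLocations")},
}

@dataclass(frozen=True)
class Person:
    name: str
    location: str
    roles: frozenset  # Management Role memberships (assumed data model)

@dataclass(frozen=True)
class Computer:
    name: str
    location: str

def in_scope(scope, person, resource):
    """The scope suffix of a role name narrows which objects the grant covers."""
    if scope == "All":
        return True
    if scope == "MyLocations":
        return person.location == resource.location
    return False  # unknown scope: deny by default

def has_access(person, level, resource):
    """Resolve effective Access Levels through the person's role memberships."""
    kind = type(resource).__name__
    return any(lvl == level and obj == kind and in_scope(scope, person, resource)
               for role in person.roles
               for lvl, obj, scope in ROLE_GRANTS.get(role, ()))

def rbar_route(actor, level, resource, directory):
    """RBAR-style decision for one operation on one resource.
    Visibility is checked first: a person cannot act on a resource the IT Shop
    does not show them. If the actor lacks the delegation, the request is routed
    to the first person in the directory who holds it; if nobody does, it exits."""
    if not has_access(actor, "Viewer", resource):
        return ("exit", None)
    if has_access(actor, level, resource):
        return ("continue", actor.name)
    approvers = [p for p in directory if has_access(p, level, resource)]
    return ("approval", approvers[0].name) if approvers else ("exit", None)
```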

To access the Authorization Service Portal, users need to have the Management Roles shown in Table 2.

Roles needed to Access the IT Shop

  • UI-IT-Shop-MS-LimitedFull-Access — Grants limited access to the IT Shop workflows and user interface to allow access requests.

  • UI-IT-Shop-Full-Access — Grants full access to the IT Shop workflows and user interface to allow access requests and resource management.

Roles needed to Request Access to Resources in the IT Shop

To shop for resources in the IT Shop, users need to have a combination of the following Management Role assignments (based on the needed scope). Roles needed are grouped by resource type.

Application
  • VIS-Application-All — Grants users with the role the ability to see all applications and subcomponents and request access to those applications

  • VIS-Applications-MyLocations — Grants users with the role the ability to see applications and their subcomponents in their locations and request access to those applications

  • VIS-Application-MyOrganization — Grants users with the role the ability to see applications and their subcomponents in their organizations and request access to those applications

Business Role
  • VIS-BusinessRole-All — Grants users with the role the ability to see all Business Roles and request access to those Business Roles

  • VIS-BusinessRole-MyLocations — Grants users with the role the ability to see Business Roles in their locations and request access to those Business Roles

  • VIS-BusinessRole-MyOrgs — Grants users with the role the ability to see Business Roles in their organizations and request access to those Business Roles

Computer
  • VIS-Computer-All — Grants users with the role the ability to see all computers and request access to those computers

  • VIS-Computer-MyLocations — Grants users with the role the ability to see computers in their locations and request access to those computers

  • VIS-Computer-MyOrg — Grants users with the role the ability to see computers in their organizations and request access to those computers

  • VIS-Computer-WhereLocalAdmin — Grants users with the role the ability to see computers where they are members of the local admins group

Exchange Mailbox
  • VIS-Mailbox-All — Grants users with the role the ability to see all mailboxes and request access to those mailboxes

  • VIS-Mailbox-MyLocations — Grants users with the role the ability to see mailboxes in their locations and request access to those mailboxes

  • VIS-Mailbox-MyOrg — Grants users with the role the ability to see mailboxes in their organizations and request access to those mailboxes

Group
  • VIS-Groups-All — Grants users with the role the ability to see all groups and request access to those groups

  • VIS-Groups-All-AD — Grants users with the role the ability to see all AD groups and request access to those groups

  • VIS-Groups-All-AWS — Grants users with the role the ability to see all AWS groups and request access to those groups

  • VIS-Groups-All-IT-Systems — Grants users with the role the ability to see all groups under the All IT Systems location and request access to those groups

  • VIS-Groups-All-O365 — Grants users with the role the ability to see all Office 365 groups and request access to those groups

  • VIS-Groups-All-SAP — Grants users with the role the ability to see all SAP Roles and Profiles and request access to those roles and profiles

  • VIS-Groups-Distribution-MyLocation — Grants users with the role the ability to see distribution groups in their locations and request access to those groups

  • VIS-Groups-Distribution-MyOrg — Grants users with the role the ability to see distribution groups in their organizations and request access to those groups

  • VIS-Groups-Generic-MyLocation — Grants users with the role the ability to see generic groups in their locations and request access to those groups

  • VIS-Groups-Generic-MyOrg — Grants users with the role the ability to see generic groups in their organizations and request access to those groups

  • VIS-Groups-Security-MyLocation — Grants users with the role the ability to see security groups in their locations and request access to those groups

  • VIS-Groups-Security-MyOrg — Grants users with the role the ability to see security groups in their organizations and request access to those groups

Management Role
  • VIS-Management-Role-All — Grants users with the role the ability to see all Management Roles and request access to those roles

  • VIS-Management-Role-MyLocation — Grants users with the role the ability to see Management Roles in their locations and request access to those roles

  • VIS-Management-Role-MyOrg — Grants users with the role the ability to see Management Roles in their organizations and request access to those roles

Shared Credential
  • VIS-Shared-Credential-All — Grants users with the role the ability to see all Shared Credentials and request access to those credentials

  • VIS-Shared-Credential-MyLocation — Grants users with the role the ability to see Shared Credentials in their locations and request access to those credentials

Inherits the below Access Levels from the parent Management Role Definition:

Workflow Access

Initiator Access Level for following workflows:

  • UpdatePersonDirectAssignment

  • UpdatePersonBusinessRoles

Control (User Interface) Access

Viewer Access Level for the following controls:

  • Application Process Control

  • Business Roles TCode Control

  • Business Roles Owners Attribute Control

  • Business Roles Advanced Search Control

  • Business Roles Role Approvers Attribute Control

  • Application Roles Resource System Attribute Control

  • Business Roles Name Attribute Control

  • Target System Control

  • Application Roles TCode Control

  • Application Roles Advanced Search Control

  • Shop for Target Person Control

  • Business Functions Control

  • Business Roles Parent Business Roles Attribute Control

  • Application Roles Owners Attribute Control

  • Application Roles High Level Classification Attribute Control

  • Business Domains Control

  • Business Roles High Level Classification Attribute Control

  • Application Roles Name Attribute Name

Application Access

Viewer Access Level for the following applications:

  • IT Shop Microservice App

  • EmpowerID Web

Web Service Access

Executor Access Level for the following Web services:

  • All ITShop WebServices

  • AllRbacObjects

  • CartSubmissionAPI.SubmitCart

Pages and Reports Access

Viewer Access Level for the following pages and reports:

  • Groups Page (IT Shop)

  • Business Roles Page (IT Shop)


VIS-IT-SHOP-MS-API

Grants visibility to the base Web services required by all users of the IT Shop microservice.

Web Service Access

Executor Access Level for the following Web services:

  • BusinessFunctionsAPI

  • BusinessFunctionsAPI.GetChildrenByOrgZoneType

  • BusinessFunctionsAPI.GetOrgZonesByOrgZoneTypeTypes

  • BusinessLocationsAPI.GetOrgZoneTypes

  • BusinessLocationsAPI.Search

  • BusinessRolesAPI

  • BusinessRolesAPI.CheckAssignmentStatus

  • BusinessRolesAPI.GetApplicationRoleTemplates

  • BusinessRolesAPI.GetAssignedAppRolesByPersonGUID

  • BusinessRolesAPI.GetAssignedBusinessRolesByPersonGUID

  • BusinessRolesAPI.GetOrgRole

  • BusinessRolesAPI.GetOrgRoles

  • BusinessRolesAPI.GetSingleOrgRole

  • CartSubmissionAPI

  • CartSubmissionAPI.SubmitCart

  • CheckForSODAPI

  • CheckForSODAPI.GetAssigneesForOrgRoleType

  • GlobalSettingsAPI

  • GlobalSettingsAPI.GetConfigSetting

  • GroupsAPI

  • GroupsAPI.CheckAssignmentStatus

  • GroupsAPI.GetAssignedAppRolesByPersonGUID

  • GroupsAPI.GetAssignedMembershipByOrgRolesOrgZoneID

  • GroupsAPI.GetGroups

  • GroupsAPI.GetSingleOrgRole

  • GroupsAPI.GetTargetSystemsFilterdata

  • LocalizationAPI

  • LocalizationAPI.CountryHelpText

  • LocalizationAPI.GetByResourceSet

  • ProtectedAppResourceAPI

  • ProtectedAppResourceAPI.AlllowedSsoApplications

  • ProtectedAppResourceAPI.GetChildrenByProtectedApplication
