EmpowerID ships with the following default Access Level Definitions for each Resource Type. Each Access Level Definition is composed of EmpowerID Operations and/or native system rights (for example, Exchange ACLs or NTFS rights). Many of the operations, such as the RBAC operations generated for the Administrator and EmpowerID Administrator Access Level Definitions, are similar for each Resource Type.

...

Administrator and EmpowerID Administrator

Operation | Enables any assigned actor to
Add<%Actor%>To<%ResourceRole%> | add the specific Access Level for the Resource Type resource object to the EmpowerID Actor type in question.
AddOperationToResourceTypeRole<%ResourceType%> | add operations to Access Levels for the Resource Type resource object.
AddTo<%ResourceRole%> | grant the specific Access Level for the Resource Type resource object to any EmpowerID Actor type.
AddTo<%ResourceRole%>InLocation | grant the specific Access Level to any EmpowerID Actor type for Resource Type resource objects scoped by location.
AddTo<%ResourceRole%>InRelativeResource | grant the specific Access Level to any EmpowerID Actor type for resources relative to that actor, such as all resource objects in or below the actor's location.
AssignResourceOrgZone | assign Resource Type resource objects to a location.
CreateResourceTypeRole<%ResourceType%> | create a Resource Type Role for the Resource Type.
Delete | delete a resource from a Resource Type, such as a specific Business Role from the EmpowerID Business Role Resource Type.
DeleteResourceTypeRole<%ResourceType%> | delete a Resource Type Role for the Resource Type.
EditResourceTypeRole<%ResourceType%> | edit a Resource Type Role for the Resource Type.
Use | view the Resource Type resource object in EmpowerID.
ManageAnyResourceRole | assign or unassign any EmpowerID Access Levels for the Resource Type resource object.

Note: This operation is needed to grant or revoke direct assignments of Access Levels.

ManageAnyResourceRoleAssignmentByLocation | assign or unassign any EmpowerID Access Levels by location for the Resource Type resource object.

Note: This operation is needed to grant or revoke assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type for resource objects scoped by location. The actor must have this operation allowed at or below the location for which they are making the by-location assignment; otherwise the operation routes for approval.

By-location operations such as this one affect all objects in or below the location for which the operation is allowed.

For example, if you grant this operation to a user named "Bob" for the Security Group Resource Type at the location "Switzerland" but not at the location "United Kingdom", Bob can grant the Use Access Level (or the Editor Access Level, or any other Access Level that exists for groups) to any other EmpowerID Actor type at Switzerland or at any of its child locations, such as Zurich. A by-location assignment at Switzerland grants the Access Level for all groups in Switzerland at once, including groups in locations below Switzerland, so if Switzerland holds 12 groups, all 12 receive it. Bob cannot make Access Level assignments for groups in the United Kingdom, because the operation is not allowed for him at that location; if he attempts one, the operation routes for approval.

RevokeResourceOrgZone | remove Resource Type resource objects from a location.
Remove<%Actor%>From<%ResourceRole%> | remove the specific Access Level for the Resource Type resource object from the EmpowerID Actor type in question.
RemoveFrom<%ResourceRole%> | remove the specific Access Level for the Resource Type resource object from any EmpowerID Actor type.
RemoveFrom<%ResourceRole%>InLocation | remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects scoped by location.
RemoveFrom<%ResourceRole%>InRelativeResource | remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects relative to that actor, such as all resource objects in or below the actor's location.
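The scoping rules above, worked through in code. This is an added illustration and not EmpowerID code: the location tree, the group names and the actors Bob and Alice are constructed sample data, and the functions model the behaviour the text describes (the operation must be allowed at or above the target location, the request otherwise routes for approval rather than failing, and a by-location assignment reaches every object in or below the anchor location). It also contrasts a by-location assignment with an InRelativeResource-style assignment, which is resolved against the grantee's own location instead of a fixed anchor.

```python
"""By-location operation scoping, modelled on the rules described above.
Added example, not EmpowerID code. The location tree, the groups and the
actors are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed location tree: child -> parent (None = top level).
PARENTS = {
    "Switzerland": None,
    "Zurich": "Switzerland",
    "Geneva": "Switzerland",
    "United Kingdom": None,
    "London": "United Kingdom",
}

# Constructed sample: security groups keyed by the location that holds them.
GROUPS = {
    "Switzerland": ["CH-Finance", "CH-HR"],
    "Zurich": ["ZRH-IT"],
    "Geneva": ["GVA-Sales"],
    "United Kingdom": ["UK-Finance"],
    "London": ["LON-IT"],
}

BY_LOCATION_OP = "ManageAnyResourceRoleAssignmentByLocation"


def ancestors_or_self(location):
    """Yield a location and every location above it, up to the top."""
    while location is not None:
        yield location
        location = PARENTS[location]


def in_or_below(location, scope):
    """True if `location` is `scope` itself or one of its descendants."""
    return scope in ancestors_or_self(location)


def groups_in_or_below(location):
    """All groups a by-location assignment anchored at `location` reaches."""
    return sorted(g for loc, names in GROUPS.items()
                  if in_or_below(loc, location) for g in names)


@dataclass
class Actor:
    name: str
    location: str
    # operation name -> locations at which the operation is allowed for this actor
    allowed_at: dict = field(default_factory=dict)

    def may(self, operation, location):
        """Allowed if the operation is granted at `location` or above it."""
        return any(in_or_below(location, scope)
                   for scope in self.allowed_at.get(operation, ()))


@dataclass
class Assignment:
    access_level: str
    grantee: Actor
    kind: str                  # "by_location" or "relative"
    location: Optional[str]    # fixed anchor for by_location; unused for relative

    def effective_groups(self):
        # A relative assignment is resolved against the grantee's current
        # location, so it follows the grantee if they move; a by-location
        # assignment stays anchored where it was made.
        anchor = self.grantee.location if self.kind == "relative" else self.location
        return groups_in_or_below(anchor)


def grant_by_location(requester, access_level, grantee, location):
    """Attempt a by-location grant. Returns ("applied", Assignment) when the
    requester holds the by-location operation at or above `location`;
    otherwise ("routed for approval", None): the request is not refused
    outright, it is handed to the approval flow."""
    if not requester.may(BY_LOCATION_OP, location):
        return "routed for approval", None
    return "applied", Assignment(access_level, grantee, "by_location", location)


if __name__ == "__main__":
    bob = Actor("Bob", "Zurich", {BY_LOCATION_OP: {"Switzerland"}})
    alice = Actor("Alice", "Geneva")
    for loc in ("Switzerland", "Zurich", "United Kingdom"):
        status, assignment = grant_by_location(bob, "Use", alice, loc)
        affected = assignment.effective_groups() if assignment else []
        print(f"{loc}: {status} {affected}")
```

Running the block prints the three outcomes for Bob: the grants at Switzerland and Zurich apply (four groups and one group respectively) and the grant at United Kingdom routes for approval. A relative assignment built with `Assignment("Use", alice, "relative", None)` resolves to Geneva's groups while Alice sits in Geneva and to London's once her location changes, which is the property to keep in mind when choosing between the two assignment kinds.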


...

Administrator and EmpowerID Administrator

In addition to the operations common to all Administrator and EmpowerID Administrator Access Level Definitions mentioned above, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Asset Request Item Resource Type.

Operation | Enables any assigned actor to
Request | request an Asset Catalog Item.
UnassignFromAdministrator | remove the Administrator Access Level for an Asset Catalog Item from any EmpowerID Actor type.



Requestor

This Access Level Definition allows the actor assigned the Access Level to request Asset Catalog Items in EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
Use | view an Access Request Catalog Item in EmpowerID.
Request | request an Access Request Catalog Item.


...

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions mentioned above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID Attestation Policy Resource Type.

Operation | Enables any assigned actor to
Provision | provision an Attestation Policy object.
Delete | delete an Attestation Policy object.
Edit | edit an Attestation Policy object.
Review | review an Attestation Policy.


...

Assign and Unassign to Business Role

Operation | Enables any assigned actor to
AssignOrgRoleOrgZone | assign a person to a Business Role and Location.
AssignPersonOrgRoleOrgZone | assign a person to a Business Role and Location as a secondary Business Role and Location.
Use | view a Business Role.
RemovePersonOrgRoleOrgZone | unassign a person from a secondary Business Role and Location.
SetPersonPrimaryBusinessRoleandLocation | set the primary Business Role and Location for a person.



Editor

This Access Level Definition grants the actor assigned the Access Level the ability to edit Business Roles in EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
Edit | edit a Business Role.
Use | view a Business Role.
Update | update a Business Role.



Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.

Operation | Enables any assigned actor to
AddOrgRoleOrgZoneToRelativeResourceRole | assign relative Access Levels to a Business Role and Location.
AddOrgRoleOrgZoneToResourceRole | assign Access Levels directly to a Business Role and Location.
AddOrgRoleOrgZoneToResourceRoleAssignmentByLocation | assign Access Levels by location to a Business Role and Location.
RemoveOrgRoleOrgZoneFromRelativeResourceRole | remove relative Access Levels from a Business Role and Location.
RemoveOrgRoleOrgZoneFromResourceRole | remove Access Levels directly from a Business Role and Location.
RemoveOrgRoleOrgZoneFromResourceRoleAssignmentByLocation | remove Access Levels scoped by location from a Business Role and Location.


...

Administrator and EmpowerID Administrator

In addition to most of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions for the Computer Resource Type both have the following EmpowerID Operations allowed.

Operation | Enables any assigned actor to
DeleteComputer | delete a Computer object when running the DeleteComputer workflow.
DeleteDirectory | delete a directory when running the DeleteDirectory workflow.
DisableComputer | disable a Computer object when running the DisableComputer workflow.
EditComputerAdvancedSettings | edit the Advanced Tab fields on the Computer Resource Management screen for a Computer object.
EditDescription | edit the Description field on the Computer Tab of the Computer Resource Management screen for a Computer object.
EnableComputer | enable a Computer object.
EnableDisableComputerOperation | enable and/or disable a Computer object.
MoveComputer | move a Computer object from one location to another.
ProvisionComputer | provision a Computer object in EmpowerID.



EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Computer Resource Type.

Operation | Enables any assigned actor to
PowershellMoveComputer | move a Computer object using PowerShell commands.
RestartComputer | restart a Computer object.
RestartService | restart a service on an assigned Computer object.
StopApplicationPool | stop an application pool on an assigned Computer object.
StopProcess | stop a process on an assigned Computer object.
StopService | stop a service on an assigned Computer object.



Co-Owner

The Co-Owner Access Level Definition has the following operations set to allowed for the Computer Resource Type.

Operation | Enables any assigned actor to
Use | view the Computer object in EmpowerID.
ManageAnyResourceRole | assign or unassign any EmpowerID Access Levels for a Computer object.

Note: This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular Computer object to users.


...

Administrator and EmpowerID Administrator

In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID System Resource Type.

Operation | Enables any assigned actor to
CreateAssetType | create an Asset Type when running the ProvisionCatalogRequest workflow.
EditCatalogRequest | edit a Catalog Request item when running the AssetCatalogItemEdit workflow.
ProvisionCatalogRequest | create a Catalog Request item when running the ProvisionCatalogRequest workflow.
RunPowerShellScript | run a PowerShell script against resources in EmpowerID.



EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID System Resource Type.

Operation | Enables any assigned actor to
ProvisionSharePointSite | create a SharePoint Site.



User

This Access Level Definition grants the actor assigned the Access Level the ability to log in to and use EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
Use | view the resource in EmpowerID.


Exchange Mailbox

Administrator and EmpowerID Administrator

In addition to many of the operations common to Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions for the Exchange Mailbox Resource Type both have the following operations allowed.

Operation | Enables any assigned actor to
AddEmailAddress | add a new email address to an existing user mailbox.
DeleteEmailAddress | delete an email address from an existing user mailbox.
DisableActiveSync | deselect the ActiveSync Enabled option on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
DisableAuto-AcceptCalendar | deselect the Auto-Accept Calendar option on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
DisableMailbox | disable a mailbox by setting all quota values on the mailbox to 0.
DisableOWA | deselect the OWA Enabled option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
DisableRequireAuthenticatedSenders | deselect the Require authenticated senders option in the Send and Receive Limits section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
DisableUseDefaultQuota | deselect the Use Default Quota option on the Quota and Limits Tab of the Exchange Mailbox Resource Management screen.
EditMailboxAlias | edit the Alias option in the Overview section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
EditMailboxExtensionAttributes | edit the Extension Attributes on the Extension Tab of the Exchange Mailbox Resource Management screen.
EditMailboxNote | edit the Notes field in the Overview section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
EditRoomCapacity | edit the Capacity field in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
EditSendandReceiveLimits | edit the fields in the Send and Receive Limits section of the Quota and Limits Tab on the Exchange Mailbox Resource Management screen.
EditAcceptFrom | edit the "Allowed" list of senders who may send email to a specific mailbox.
EditEmailAddress | edit an email address when running the EditExchangeMailboxAddress workflow.
EditExchangeMailbox | perform a general edit of a mailbox.
EditMailboxForwarding | edit who receives a copy of mail sent to a mailbox.
EditMailboxQuota | edit the Quota fields in the Quota Settings section of the Quota and Limits Tab on the Exchange Mailbox Resource Management screen.
EditSMTPAddresses | edit the SMTP addresses for a mailbox.
EditRejectFrom | edit the list of senders who may not send email to a specific mailbox.
EnableRequireAuthenticatedSenders | select the Require authenticated senders option in the Send and Receive Limits section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
EnableActiveSync | select the ActiveSync Enabled option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
EnableAuto-AcceptCalendar | select the Auto-Accept Calendar option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
EnableMailbox | enable a mailbox.
EnableOWA | select the OWA Enabled option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
EnableUseDefaultQuota | select the Use Default Quota option in the Quota Limits section on the Quota and Limits Tab of the Exchange Mailbox Resource Management screen.
EnableAutoAccept | enable auto-accept for appointments on room or equipment mailboxes.
HideinGAL | select the Hidden In GAL option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
LinkAccountToMailbox | link a user account to a mailbox.
MoveMailbox | move a mailbox from one location to another.
ReActiviateMailbox | activate a deactivated mailbox.
RemoteDeviceWipe | wipe data from an ActiveSync device (usually a phone) the next time the device tries to sync with the server.
RestoreDeletedMailbox | restore a mailbox that has been deleted in EmpowerID.
SetMasterAccount | set the master account for a linked mailbox to an account in a trusted domain in another forest.
ShowinGAL | deselect the Hidden In GAL option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
SuspendMailbox | set the quota values on a mailbox to 0.
ViewMailboxExtensionAttributes | view the Extension Attributes for a mailbox.
ViewMailboxFeatureAttributes | view the Mailbox Features attributes for a mailbox.
ViewMailboxQuotaAttributes | view the Quota Attributes for a mailbox.
ViewMailboxSendandReceiveLimitsAttributes | view the Send and Receive Limits Attributes for a mailbox.
ViewDeviceStatus | view the status of an ActiveSync device.


...

Send As in Outlook

This Access Level Definition grants native Send As permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.


Send On Behalf in Outlook

This Access Level Definition grants native Send On Behalf permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.


Group (Distribution, Security, Generic) Access Level Definitions

...

Membership Manager

This Access Level Definition grants the actor assigned the Access Level the ability to manage group membership and has the following operations allowed.

Operation | Enables any assigned actor to
AddAccountToGroup | add an account to a group.
Add<%Actor%>ToGroupMember | grant group membership to the EmpowerID Actor type (Person, Business Role and Location, or Group) in question.
AddToGroupMember | add People, Groups, or Business Roles to the Member Access Level.
Use | view a group.
ManageAnyResourceRole | assign or unassign any EmpowerID Access Levels for a group.

Note: This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular group to users.

ManageAnyResourceRoleAssignmentByLocation | assign or unassign any EmpowerID Access Levels for groups by location.

Note: This operation is needed to grant or revoke assignments of Access Levels, such as the Use Access Level, for all groups in or below a location. The actor must have the operation allowed at or below that location; otherwise the operation routes for approval.

Remove<%Actor%>FromGroupMember | remove People, Groups, or Business Roles from the Member Access Level.


...

Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Management Roles and Management Role Definitions has the following additional operations allowed.

Operation | Enables any assigned actor to
ManageManagementRoleAssignments (Management Roles only) | add or remove Access Level Assignments to and from the Management Role.
ManageManagementRoleDefinitionAssignments (Management Role Definitions only) | add or remove Access Level Assignments to and from the Management Role Definition.


...

Co-Owner

This Access Level Definition grants owner status for a Shared Folder and has the following operations set to allowed.

Operation | Enables any assigned actor to
Use | view the Shared Folder.
ManageAnyResourceRole | assign or unassign Access Levels for the Shared Folder.
ManageAnyResourceRoleAssignmentByLocation | assign or unassign Access Levels by location for Shared Folders.



Deny All

This Access Level Definition contains no EmpowerID Operations. It is used to deny access to Shared Folders.


Full Control

This Access Level Definition contains no EmpowerID Operations. It is used to grant the following NTFS file system rights for Shared Folders managed by EmpowerID.

  • AppendData
  • ChangePermissions
  • Delete
  • DeleteSubdirectoriesAndFiles
  • ExecuteFile
  • ReadAttributes
  • ReadData
  • ReadExtendedAttributes
  • ReadPermissions
  • Synchronize
  • TakeOwnership
  • WriteAttributes
  • WriteData
  • WriteExtendedAttributes
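To check what an ACE on a managed Shared Folder actually grants, decode its access mask into the names listed above. The following is an added example, not EmpowerID code: the bit values are those of the .NET System.Security.AccessControl.FileSystemRights enumeration (the numeric FileSystemRights value an ACE carries), and the composite values FullControl (0x1F01FF) and Modify (0x301BF) come from the same enumeration. Modify is not on this page; it is included only as the narrower level to compare against.

```python
"""Decode an NTFS access mask into FileSystemRights names.
Added example, not EmpowerID code. Bit values are those of the .NET
System.Security.AccessControl.FileSystemRights enumeration.
"""
from functools import reduce

FILE_SYSTEM_RIGHTS = {
    "ReadData": 0x1,
    "WriteData": 0x2,
    "AppendData": 0x4,
    "ReadExtendedAttributes": 0x8,
    "WriteExtendedAttributes": 0x10,
    "ExecuteFile": 0x20,
    "DeleteSubdirectoriesAndFiles": 0x40,
    "ReadAttributes": 0x80,
    "WriteAttributes": 0x100,
    "Delete": 0x10000,
    "ReadPermissions": 0x20000,
    "ChangePermissions": 0x40000,
    "TakeOwnership": 0x80000,
    "Synchronize": 0x100000,
}

# Composite values from the same enumeration.
FULL_CONTROL = 0x1F01FF   # FileSystemRights.FullControl
MODIFY = 0x301BF          # FileSystemRights.Modify

# The rights the Full Control Access Level Definition above lists.
FULL_CONTROL_PAGE_LIST = [
    "AppendData", "ChangePermissions", "Delete", "DeleteSubdirectoriesAndFiles",
    "ExecuteFile", "ReadAttributes", "ReadData", "ReadExtendedAttributes",
    "ReadPermissions", "Synchronize", "TakeOwnership", "WriteAttributes",
    "WriteData", "WriteExtendedAttributes",
]


def mask_of(names):
    """OR the named rights together into an access mask."""
    return reduce(lambda m, n: m | FILE_SYSTEM_RIGHTS[n], names, 0)


def decode(mask):
    """Split a mask into (sorted right names, leftover bits). Non-zero
    leftover bits mean the ACE carries something outside this table, for
    example a generic right such as GENERIC_ALL (0x10000000), which must be
    resolved before the decoded names can be trusted."""
    names = sorted(n for n, bit in FILE_SYSTEM_RIGHTS.items() if mask & bit)
    leftover = mask & ~mask_of(FILE_SYSTEM_RIGHTS)
    return names, leftover


def rights_beyond(mask, baseline):
    """Rights present in `mask` that `baseline` lacks, for spotting what an
    ACE grants over a narrower level."""
    return decode(mask & ~baseline)[0]


if __name__ == "__main__":
    print(hex(mask_of(FULL_CONTROL_PAGE_LIST)) == hex(FULL_CONTROL))
    print(rights_beyond(FULL_CONTROL, MODIFY))
```

`mask_of` over the page's list returns exactly FullControl, so the list is complete. `rights_beyond(FULL_CONTROL, MODIFY)` returns ChangePermissions, DeleteSubdirectoriesAndFiles, Synchronize and TakeOwnership; ChangePermissions and TakeOwnership are what let a Full Control holder rewrite the folder's ACL or seize ownership, which is the reason this Access Level warrants more care than an edit-level one.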

...