EmpowerID ships with the following default Access Level Definitions for each Resource Type. Each Access Level Definition is defined by EmpowerID Operations and/or native system rights. Many of the operations, such as the RBAC operations generated for the Administrator and EmpowerID Administrator Access Level Definitions, are similar for each Resource Type.
...
Administrator and EmpowerID Administrator

Operation | Enables any assigned actor to
---|---
Add<%Actor%>To<%ResourceRole%> | add the specific Access Level for the Resource Type resource object to the EmpowerID Actor type in question.
AddOperationToResourceTypeRole<%ResourceType%> | add operations to Access Levels for the Resource Type resource object.
AddTo<%ResourceRole%> | grant the specific Access Level for the Resource Type resource object to any EmpowerID Actor type.
AddTo<%ResourceRole%>InLocation | grant the specific Access Level to any EmpowerID Actor type for Resource Type resource objects scoped by location.
AddTo<%ResourceRole%>InRelativeResource | grant the specific Access Level to any EmpowerID Actor type for resources relative to that actor, such as all resource objects in or below their location.
AssignResourceOrgZone | assign Resource Type resource objects to a location.
CreateResourceTypeRole<%ResourceType%> | create a Resource Type Role for the Resource Type.
Delete | delete a resource from a Resource Type, such as a specific Business Role from the EmpowerID Business Role Resource Type.
DeleteResourceTypeRole<%ResourceType%> | delete a Resource Type Role for the Resource Type.
EditResourceTypeRole<%ResourceType%> | edit a Resource Type Role for the Resource Type.
Use | view the Resource Type resource object in EmpowerID.
ManageAnyResourceRole | assign or unassign any EmpowerID Access Levels for the Resource Type resource object. This operation is needed to grant or revoke direct assignments of Access Levels.
ManageAnyResourceRoleAssignmentByLocation | assign Access Levels by location for the Resource Type resource object. See the Info note below this table.
RevokeResourceOrgZone | remove Resource Type resource objects from a location.
Remove<%Actor%>From<%ResourceRole%> | remove the specific Access Level for the Resource Type resource object from the EmpowerID Actor type in question.
RemoveFrom<%ResourceRole%> | remove the specific Access Level for the Resource Type resource object from any EmpowerID Actor type.
RemoveFrom<%ResourceRole%>InLocation | remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects scoped by location.
RemoveFrom<%ResourceRole%>InRelativeResource | remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects relative to that actor, such as all resource objects in or below their location.

Info: ManageAnyResourceRoleAssignmentByLocation is needed to grant or revoke assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type for resource objects by location. The actor must have this operation allowed for the target location or for a location above it (an operation allowed at a location covers that location and every location below it); otherwise the operation routes for approval. By-location operations such as this one affect all objects in or below the location for which the operation is allowed. For example, if you grant this operation to an actor for the Security Group Resource Type, that actor can grant any Access Level for all security groups in or below the location for which the operation is allowed. Thus, if you have 12 groups in a location named "Switzerland" and 12 groups in a location named "United Kingdom," and you grant this operation to a user named "Bob" for groups in Switzerland but not for groups in the United Kingdom, then Bob can in turn grant the Use Access Level (or the Editor Access Level, or any other Access Level that may exist for groups) to any other EmpowerID Actor type at the Switzerland location or at any child location of Switzerland, such as Zurich. A by-location assignment at Switzerland grants the Access Level for all 12 groups in Switzerland simultaneously, including any groups in locations below Switzerland. Bob cannot grant any Access Level assignments for groups in the United Kingdom, because he does not have the operation allowed for the United Kingdom location; if he attempts such an assignment, the operation routes for approval.
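The by-location scoping described in the Info note, as an added example that is not part of the original page or of EmpowerID's own code. It models a small location tree, the groups assigned to each location, and an actor who holds ManageAnyResourceRoleAssignmentByLocation at Switzerland only, then decides whether a by-location assignment at a given location is allowed or routes for approval and lists which groups such an assignment would affect. The location and group names, the actor "Bob", and the function names are constructed for illustration; the two decision values follow the behaviour the note describes.

```python
"""Added example (not EmpowerID code): how a by-location operation grant scopes.

The location tree, group names, the actor and the function names are
constructed for illustration. An operation allowed at a location covers that
location and every location below it; a request at a location the actor does
not cover routes for approval.
"""
from dataclasses import dataclass, field

# Constructed location tree: child -> parent (None marks a root location).
LOCATION_PARENT = {
    "Switzerland": None,
    "Zurich": "Switzerland",
    "Geneva": "Switzerland",
    "United Kingdom": None,
    "London": "United Kingdom",
}

# Constructed groups and the location each one is assigned to.
GROUP_LOCATION = {
    "CH-Finance": "Switzerland",
    "ZH-Ops": "Zurich",
    "GE-HR": "Geneva",
    "UK-Finance": "United Kingdom",
    "LDN-Ops": "London",
}


def ancestors_and_self(location: str) -> list[str]:
    """Walk up the tree: the location itself, then each parent up to the root."""
    chain = []
    while location is not None:
        if location not in LOCATION_PARENT:
            raise KeyError(f"unknown location {location!r}")
        chain.append(location)
        location = LOCATION_PARENT[location]
    return chain


def in_or_below(location: str) -> set[str]:
    """Groups whose assigned location is `location` or one of its descendants."""
    return {g for g, loc in GROUP_LOCATION.items() if location in ancestors_and_self(loc)}


@dataclass
class Actor:
    name: str
    # operation name -> locations at which the operation is allowed by location
    by_location_grants: dict[str, set[str]] = field(default_factory=dict)


def decide(actor: Actor, operation: str, target_location: str) -> str:
    """'allowed' when the actor holds `operation` at `target_location` or at a
    location above it; otherwise the request routes for approval."""
    allowed_at = actor.by_location_grants.get(operation, set())
    if any(loc in allowed_at for loc in ancestors_and_self(target_location)):
        return "allowed"
    return "route for approval"


OP = "ManageAnyResourceRoleAssignmentByLocation"
# Bob holds the operation for Switzerland only, as in the note above.
bob = Actor("Bob", {OP: {"Switzerland"}})

if __name__ == "__main__":
    for target in ("Switzerland", "Zurich", "United Kingdom", "London"):
        print(f"{bob.name} -> {OP} at {target}: {decide(bob, OP, target)}; "
              f"groups affected: {sorted(in_or_below(target))}")
```

Running the script shows the two halves of the note: a request at Zurich is allowed because Zurich sits below Switzerland, and an assignment at Switzerland reaches the Zurich and Geneva groups as well, while requests at United Kingdom or London route for approval. The same ancestor walk is what you would reach for when auditing how far a single by-location grant actually extends.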
...
Administrator and EmpowerID Administrator

In addition to the operations common to all Administrator and EmpowerID Administrator Access Level Definitions mentioned above, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Asset Request Item Resource Type.

Operation | Enables any assigned actor to
---|---
Request | request an Asset Catalog Item.
UnassignFromAdministrator | remove the Administrator Access Level for an Asset Catalog Item from any EmpowerID Actor type.
This Access Level Definition allows the actor assigned the Access Level to request Asset Catalog Items in EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
---|---
Use | view an Access Request Catalog Item in EmpowerID.
Request | request an Access Request Catalog Item.
...
EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions mentioned above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID Attestation Policy Resource Type.

Operation | Enables any assigned actor to
---|---
Provision | provision an Attestation Policy object.
Delete | delete an Attestation Policy object.
Edit | edit an Attestation Policy object.
Review | review an Attestation Policy.
...
Assign and Unassign to Business Role

Operation | Enables any assigned actor to
---|---
AssignOrgRoleOrgZone | assign a person to a Business Role and Location.
AssignPersonOrgRoleOrgZone | assign a person to a Business Role and Location as a secondary Business Role and Location.
Use | view a Business Role.
RemovePersonOrgRoleOrgZone | unassign a person from a secondary Business Role and Location.
SetPersonPrimaryBusinessRoleandLocation | set the primary Business Role and Location for a person.
This Access Level Definition grants the actor assigned the Access Level the ability to edit Business Roles in EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
---|---
Edit | edit a Business Role.
Use | view a Business Role.
Update | update a Business Role.
Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.

Operation | Enables any assigned actor to
---|---
AddOrgRoleOrgZoneToRelativeResourceRole | assign relative Access Levels to a Business Role and Location.
AddOrgRoleOrgZoneToResourceRole | assign Access Levels directly to a Business Role and Location.
AddOrgRoleOrgZoneToResourceRoleAssignmentByLocation | assign Access Levels by location to a Business Role and Location.
RemoveOrgRoleOrgZoneFromRelativeResourceRole | remove relative Access Levels from a Business Role and Location.
RemoveOrgRoleOrgZoneFromResourceRole | remove Access Levels directly from a Business Role and Location.
RemoveOrgRoleOrgZoneFromResourceRoleAssignmentByLocation | remove Access Levels scoped by location from a Business Role and Location.
...
Administrator and EmpowerID Administrator

In addition to most of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions for the Computer Resource Type both have the following EmpowerID Operations allowed.

Operation | Enables any assigned actor to
---|---
DeleteComputer | delete a Computer object when running the DeleteComputer workflow.
DeleteDirectory | delete a directory when running the DeleteDirectory workflow.
DisableComputer | disable a Computer object when running the DisableComputer workflow.
EditComputerAdvancedSettings | edit the Advanced Tab fields on the Computer Resource Management Screen for a Computer object.
EditDescription | edit the Description field on the Computer Tab of the Computer Resource Management Screen for a Computer object.
EnableComputer | enable a Computer object.
EnableDisableComputerOperation | enable and/or disable a Computer object.
MoveComputer | move a Computer object from one location to another.
ProvisionComputer | provision a Computer object in EmpowerID.
In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Computer Resource Type.

Operation | Enables any assigned actor to
---|---
PowershellMoveComputer | move a Computer object using PowerShell commands.
RestartComputer | restart a Computer object.
RestartService | restart a service on an assigned Computer object.
StopApplicationPool | stop an application pool on an assigned Computer object.
StopProcess | stop a process on an assigned Computer object.
StopService | stop a service on an assigned Computer object.
The Co-Owner Access Level Definition has the following operations set to allowed for the Computer Resource Type.

Operation | Enables any assigned actor to
---|---
Use | view the Computer object in EmpowerID.
ManageAnyResourceRole | assign or unassign any EmpowerID Access Levels for a Computer object. This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular Computer object to users.
...
This Access Level Definition grants native Send As permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.

Send On Behalf in Outlook

This Access Level Definition grants native Send On Behalf permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.
Group (Distribution, Security, Generic) Access Level Definitions
...
This Access Level grants the person assigned the Access Level the ability to manage group membership and has the following operations allowed.

Operation | Enables any assigned actor to
---|---
AddAccountToGroup | add an account to a group.
Add<%Actor%>ToGroupMember | grant group membership to the EmpowerID Actor type (Person, Business Role and Location, or Group) in question.
AddToGroupMember | add People, Groups, or Business Roles to the Member Access Level.
Use | view a group.
ManageAnyResourceRole | assign or unassign any EmpowerID Access Levels for a group. This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular group to users.
ManageAnyResourceRoleAssignmentByLocation | assign or unassign any EmpowerID Access Levels for groups by location. This operation is needed to grant or revoke by-location assignments of Access Levels, such as the Use Access Level, for all groups in or below a location; the actor must have it allowed at or above the location for which the assignment is made, otherwise the operation routes for approval.
Remove<%Actor%>FromGroupMember | remove People, Groups, or Business Roles from the Member Access Level.
...
Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Management Roles and Management Role Definitions has the following additional operations allowed.

Operation | Enables any assigned actor to
---|---
ManageManagementRoleAssignments (Management Roles only) | add or remove Access Level Assignments to and from the Management Role.
ManageManagementRoleDefinitionAssignments (Management Role Definitions only) | add or remove Access Level Assignments to and from the Management Role Definition.
...
This Access Level Definition grants owner status for a shared folder and has the following operations set to allowed.

Operation | Enables any assigned actor to
---|---
Use | view an account.
ManageAnyResourceRole | assign or unassign Access Levels for an account.
ManageAnyResourceRoleAssignmentByLocation | assign Access Levels by location for an account.
This Access Level Definition contains no EmpowerID Operations. It is used to deny access to Shared Folders.
This Access Level Definition contains no EmpowerID Operations. It is used to grant the following NTFS File System rights for Shared Folders managed by EmpowerID.

- AppendData
- ChangePermissions
- Delete
- DeleteSubdirectoriesAndFiles
- ExecuteFile
- ReadAttributes
- ReadData
- ReadExtendedAttributes
- ReadPermissions
- Synchronize
- TakeOwnership
- WriteAttributes
- WriteData
- WriteExtendedAttributes
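The right names in the list above are the members of the .NET System.Security.AccessControl.FileSystemRights enumeration, which is how an NTFS access control entry's access mask is expressed. Combining the fourteen listed flags gives the mask 0x1F01FF, which is the value of FullControl, so an actor holding this Access Level Definition effectively has full control of the shared folder, including the ability to change permissions and take ownership. The following added example (not part of the original page or of EmpowerID's own code) builds the mask from the listed names and decodes a mask back into the composite and atomic right names, so the same check can be run against any rights list. The flag values are those of the .NET enumeration; the function names are constructed for illustration.

```python
"""Added example (not EmpowerID code): build and decode an NTFS access mask.

The numeric values are those of the .NET FileSystemRights enumeration. The
function names and the SHARED_FOLDER_RIGHTS list (copied from the page) are
used here for illustration only.
"""

# Atomic FileSystemRights flags (bit values from the .NET enumeration).
FILE_SYSTEM_RIGHTS = {
    "ReadData": 0x1,
    "WriteData": 0x2,
    "AppendData": 0x4,
    "ReadExtendedAttributes": 0x8,
    "WriteExtendedAttributes": 0x10,
    "ExecuteFile": 0x20,
    "DeleteSubdirectoriesAndFiles": 0x40,
    "ReadAttributes": 0x80,
    "WriteAttributes": 0x100,
    "Delete": 0x10000,
    "ReadPermissions": 0x20000,
    "ChangePermissions": 0x40000,
    "TakeOwnership": 0x80000,
    "Synchronize": 0x100000,
}

# Composite rights from the same enumeration, broadest first so that decoding
# names the widest composite a mask fully contains before listing leftovers.
COMPOSITE_RIGHTS = [
    ("FullControl", 0x1F01FF),
    ("Modify", 0x301BF),
    ("ReadAndExecute", 0x200A9),
    ("Read", 0x20089),
    ("Write", 0x116),
]

# The rights granted by the Access Level Definition described above.
SHARED_FOLDER_RIGHTS = [
    "AppendData", "ChangePermissions", "Delete", "DeleteSubdirectoriesAndFiles",
    "ExecuteFile", "ReadAttributes", "ReadData", "ReadExtendedAttributes",
    "ReadPermissions", "Synchronize", "TakeOwnership", "WriteAttributes",
    "WriteData", "WriteExtendedAttributes",
]


def mask_from_names(names):
    """Combine named atomic rights into an access mask; unknown names are rejected."""
    mask = 0
    for name in names:
        if name not in FILE_SYSTEM_RIGHTS:
            raise ValueError(f"unknown FileSystemRights name: {name}")
        mask |= FILE_SYSTEM_RIGHTS[name]
    return mask


def describe_mask(mask):
    """Name a mask the way the enumeration would: each composite whose bits are
    all present (broadest first), then any remaining atomic bits."""
    names = []
    for name, value in COMPOSITE_RIGHTS:
        if mask & value == value:
            names.append(name)
            mask &= ~value
    for name, value in sorted(FILE_SYSTEM_RIGHTS.items(), key=lambda kv: kv[1]):
        if mask & value:
            names.append(name)
    return names


def shared_folder_mask():
    """Access mask of the shared-folder Access Level Definition listed above."""
    return mask_from_names(SHARED_FOLDER_RIGHTS)


if __name__ == "__main__":
    mask = shared_folder_mask()
    print(f"shared folder ALD mask 0x{mask:X} = {describe_mask(mask)}")
    print(f"Modify + ChangePermissions = {describe_mask(0x301BF | 0x40000)}")
```

When reviewing an Access Level Definition that carries native rights rather than EmpowerID Operations, running the listed names through a decoder like this makes the effective grant explicit: here the result is FullControl, which is a materially broader grant than the list of individual flags suggests at a glance.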
...