EmpowerID ships with the following default Access Level Definitions for each Resource Type. Each Access Level Definition is defined by EmpowerID Operations and/or native system rights. Many of the operations, such as the RBAC operations generated for the Administrator and EmpowerID Administrator Access Level Definitions, are similar for each Resource Type.

...

Administrator and EmpowerID Administrator

Operation

Enables any assigned actor to

Add<%Actor%>To<%ResourceRole%>

add the specific Access Level for the Resource Type resource object to the EmpowerID Actor type in question.

AddOperationToResourceTypeRole<%ResourceType%>

add operations to Access Levels for the Resource Type resource object.

AddTo<%ResourceRole%>

grant the specific Access Level for the Resource Type resource object to any EmpowerID Actor type.

AddTo<%ResourceRole%>InLocation

grant the specific Access Level to any EmpowerID Actor for Resource Type resource objects scoped by location.

AddTo<%ResourceRole%>InRelativeResource

grant the specific Access Level to any EmpowerID Actor for resources relative to that actor, such as all resource objects in or below their location.

AssignResourceOrgZone

assign Resource Type resource objects to a location.

CreateResourceTypeRole<%ResourceType%>

create a Resource Type Role for the Resource Type.

Delete

delete a resource from a Resource Type, such as a specific Business Role from the EmpowerID Business Role Resource Type.

DeleteResourceTypeRole<%ResourceType%>

delete a Resource Type Role for the Resource Type.

EditResourceTypeRole<%ResourceType%>

edit a Resource Type Role for the Resource Type.

Use

view the Resource Type resource object in EmpowerID.

ManageAnyResourceRole

assign or unassign any EmpowerID Access Levels for the Resource Type resource object.

Info

This operation is needed to grant or revoke direct assignments of Access Levels

ManageAnyResourceRoleAssignmentByLocation

assign Access Levels by location for the Resource Type resource object.

Info

This operation is needed to grant or revoke assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type for resource objects by location. The actor needs to have this operation allowed at or above the location for which they are making a by-location Access Level assignment; otherwise the operation will route for approval.

By-location operations such as this affect all objects in or below the location for which the operation is allowed.

For example, if you grant this operation to an actor for the Security Group Resource Type, that actor can grant any Access Level for all security groups in or below the location for which the operation is allowed. Thus, if you have 12 groups in a location named "Switzerland" and 12 groups in a location named "United Kingdom," and you grant this operation for groups in Switzerland, but not for groups in the United Kingdom, to a user named "Bob," then Bob can in turn grant the Use Access Level (or the Editor Access Level or any other Access Level that may exist for groups) to any other EmpowerID Actor type at the Switzerland location or at any child location of Switzerland, such as Zurich. A by-location assignment at Switzerland grants the Access Level for all 12 groups in Switzerland simultaneously, including any groups in locations below Switzerland. Bob, however, cannot grant any Access Level assignments for groups in the United Kingdom because he does not have the operation allowed for the United Kingdom location. If Bob attempts to make such an assignment, the operation will route for approval.
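The by-location rule above can be checked mechanically. The following Python block is an added illustration written for this page; it is not EmpowerID code and does not use EmpowerID's API. It models location-scoped operation grants as a small policy table, walks the location tree upward to find a covering grant, and routes the request for approval whenever any target resource is not covered. The location tree, actor names, group names and grants are constructed for the example. The same evaluator also shows the two-resource case described later on this page for Person operations such as AssignAccounttoSSOApplication, where the operation must be allowed on both the Person and the SSO application; that part goes slightly beyond this paragraph.

```python
"""Illustrative model of by-location operation grants.

Added example for this page; not EmpowerID code or its API. The location
tree, actors, groups and grants below are constructed for the illustration.
"""
from dataclasses import dataclass, field

# Constructed location tree: child -> parent (None marks the root).
PARENT = {
    "Global": None,
    "Switzerland": "Global",
    "Zurich": "Switzerland",
    "United Kingdom": "Global",
    "London": "United Kingdom",
}


def ancestors(location):
    """Yield the location itself, then each parent up to the root."""
    while location is not None:
        yield location
        location = PARENT[location]


@dataclass(frozen=True)
class Resource:
    name: str
    resource_type: str
    location: str


@dataclass
class Policy:
    # (actor, operation, resource_type, location): the grant covers every
    # resource of that type in or below the location.
    by_location: set = field(default_factory=set)
    # (actor, operation, resource_name): a direct grant on one resource.
    direct: set = field(default_factory=set)

    def allows(self, actor, operation, res):
        if (actor, operation, res.name) in self.direct:
            return True
        return any((actor, operation, res.resource_type, loc) in self.by_location
                   for loc in ancestors(res.location))

    def decide(self, actor, operation, targets):
        """'Allowed' only when the operation is allowed on every target;
        any uncovered target sends the whole request for approval."""
        if all(self.allows(actor, operation, t) for t in targets):
            return "Allowed"
        return "RouteForApproval"


def example_decisions():
    """Replay the page's Bob/Switzerland scenario plus a two-resource check."""
    op_by_loc = "ManageAnyResourceRoleAssignmentByLocation"
    op_sso = "AssignAccounttoSSOApplication"
    policy = Policy(
        by_location={("bob", op_by_loc, "Group", "Switzerland")},
        direct={
            ("alice", op_sso, "person:dave"),
            ("alice", op_sso, "ssoapp:GoogleApps"),
            ("carol", op_sso, "person:dave"),  # carol lacks it on the app
        },
    )
    groups = [
        Resource("CH-Finance", "Group", "Switzerland"),
        Resource("ZH-IT", "Group", "Zurich"),            # child of Switzerland
        Resource("UK-HR", "Group", "United Kingdom"),
    ]
    dave = Resource("person:dave", "Person", "Global")
    app = Resource("ssoapp:GoogleApps", "SSOApplication", "Global")

    out = {g.name: policy.decide("bob", op_by_loc, [g]) for g in groups}
    out["sso_both"] = policy.decide("alice", op_sso, [dave, app])
    out["sso_person_only"] = policy.decide("carol", op_sso, [dave, app])
    return out


if __name__ == "__main__":
    for target, decision in example_decisions().items():
        print(f"{target:18} -> {decision}")
```

Running the block prints Allowed for the Switzerland and Zurich groups, RouteForApproval for the United Kingdom group, and shows that the SSO assignment is only allowed when the operation is held on both the Person and the application. The walk up the tree is the whole point: a grant is looked up against every ancestor of the resource's location, which is what makes one assignment at Switzerland cover Zurich without covering the United Kingdom.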

RevokeResourceOrgZone

remove Resource Type resource objects from a location.

Remove<%Actor%>From<%ResourceRole%>

remove the specific Access Level for the Resource Type resource object from the EmpowerID Actor type in question.

RemoveFrom<%ResourceRole%>

remove the specific Access Level for the Resource Type resource object from any EmpowerID Actor type.

RemoveFrom<%ResourceRole%>InLocation

remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects scoped by location.

RemoveFrom<%ResourceRole%>InRelativeResource

remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects relative to that actor, such as all resource objects in or below their location.

...

Administrator and EmpowerID Administrator

In addition to the operations common to all Administrator and EmpowerID Administrator Access Level Definitions mentioned above, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Asset Request Item Resource Type.

Operation

Enables any assigned actor to 

Request

request an Asset Catalog Item.

UnassignFromAdministrator

remove the Administrator Access Level for an Asset Catalog Item from any EmpowerID Actor type.

Requestor

This Access Level Definition allows the actor assigned the Access Level to request Asset Catalog Items in EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to 

Use

view an Access Request Catalog Item in EmpowerID.

Request

request an Access Request Catalog Item.

...

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions mentioned above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID Attestation Policy Resource Type.

Operation

Enables any assigned actor to 

Provision

provision an Attestation Policy object.

Delete

delete an Attestation Policy object.

Edit

edit an Attestation Policy object.

Review

review an Attestation Policy.

...

Administrator and EmpowerID Administrator

In addition to most of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Business Role Resource Type.

Operation

Enables any assigned actor to 

AssignGroupOrgRoleOrgZone

assign a group to a Business Role and Location.

AssignOrgRoleOrgZone

assign a person to a Business Role and Location as a secondary Business Role and Location.

AssignPersonOrgRoleOrgZone

assign a person to a Business Role and Location.

Insert

create a Business Role.

MoveBusinessRole

move the Business Role from one location to another.

RemoveGroupOrgRoleOrgZone

remove a group from a Business Role and Location.

RemovePersonOrgRoleOrgZone

unassign a person from a secondary Business Role and Location.

SetPersonPrimaryBusinessRoleandLocation

assign the primary Business Role and Location for a person.

Update

edit a Business Role.

Assign and Unassign to Business Role

Operation

Enables any assigned actor to 

AssignOrgRoleOrgZone

assign a person to a Business Role and Location as a secondary Business Role and Location.

AssignPersonOrgRoleOrgZone

assign a person to a Business Role and Location.

Use

view a Business Role.

RemovePersonOrgRoleOrgZone

unassign a person from a secondary Business Role and Location.

SetPersonPrimaryBusinessRoleandLocation

set the primary Business Role and Location for a person.

Editor

This Access Level Definition grants the actor assigned the Access Level the ability to edit Business Roles in EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to 

Edit

edit a Business Role.

Use

view a Business Role.

Update

update a Business Role.

Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.

Operation

Enables any assigned actor to 

AddOrgRoleOrgZoneToRelativeResourceRole

assign relative Access Levels to a Business Role and Location.

AddOrgRoleOrgZoneToResourceRole

assign Access Levels directly to a Business Role and Location.

AddOrgRoleOrgZoneToResourceRoleAssignmentByLocation

assign Access Levels by location to a Business Role and Location.

RemoveOrgRoleOrgZoneFromRelativeResourceRole

remove relative Access Levels from a Business Role and Location.

RemoveOrgRoleOrgZoneFromResourceRole

remove Access Levels directly from a Business Role and Location.

RemoveOrgRoleOrgZoneFromResourceRoleAssignmentByLocation

remove Access Levels scoped by location from a Business Role and Location.

...

Administrator and EmpowerID Administrator

In addition to most of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions for the Computer Resource Type both have the following EmpowerID Operations allowed.

Operation

Enables any assigned actor to 

DeleteComputer

delete a Computer object when running the DeleteComputer workflow.

DeleteDirectory

delete a directory when running the DeleteDirectory workflow.

DisableComputer

disable a Computer object when running the DisableComputer workflow.

EditComputerAdvancedSettings

edit the Advanced Tab fields on the Computer Resource Management Screen for a Computer object.

EditDescription

edit the Description field on the Computer Tab of the Computer Resource Management Screen for a Computer object.

EnableComputer

enable a Computer object.

EnableDisableComputerOperation

enable and/or disable a Computer object.

MoveComputer

move a Computer object from one location to another.

ProvisionComputer

provision a Computer object in EmpowerID.

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Computer Resource Type.

Operation

Enables any assigned actor to 

PowershellMoveComputer

move a Computer object using PowerShell commands.

RestartComputer

restart a Computer object.

RestartService

restart a service on an assigned Computer object.

StopApplicationPool

stop an application pool on an assigned Computer object.

StopProcess

stop a process on an assigned Computer object.

StopService

stop a service on an assigned Computer object.

Co-Owner

The Co-Owner Access Level Definition has the following operations set to allowed for the Computer Resource Type.

Operation

Enables any assigned actor to 

Use

view the Computer object in EmpowerID.

ManageAnyResourceRole

assign or unassign any EmpowerID Access Levels for a Computer object. 

Info

This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular Computer object to users.

...

Administrator and EmpowerID Administrator

In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for this Resource Type.

Operation

Enables any assigned actor to 

CreateAssetType

create an Asset Type when running the ProvisionCatalogRequest workflow.

EditCatalogRequest

edit a Catalog Request item when running the AssetCatalogItemEdit workflow.

ProvisionCatalogRequest

create a Catalog Request item when running the ProvisionCatalogRequest workflow.

RunPowerShellScript

run a PowerShell Script against resources in EmpowerID.

...

Administrator and EmpowerID Administrator

In addition to many of the operations common to most Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the Exchange Mailbox Resource Type.

Operation

Enables any assigned actor to 

AddEmailAddress

add a new email address to an existing user mailbox.

DeleteEmailAddress

delete an email address from an existing user mailbox.

DisableActiveSync

deselect the ActiveSync Enabled option on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

DisableAuto-AcceptCalendar

deselect the Auto-Accept Calendar option on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

DisableMailbox

disable a mailbox by setting all quota values on the mailbox to 0.

DisableOWA

deselect the OWA Enabled option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

DisableRequireAuthenticatedSenders

deselect the Require authenticated senders option in the Send and Receive Limits section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

DisableUseDefaultQuota

deselect the Use Default Quota option on the Quota and Limits Tab of the Exchange Mailbox Resource Management screen.

EditMailboxAlias

edit the Alias option in the Overview section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.

EditMailboxExtensionAttributes

edit the Extension Attributes on the Extension Tab of the Exchange Mailbox Resource Management screen.

EditMailboxNote

edit the Notes field in the Overview section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.

EditRoomCapacity

edit the Capacity field in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.

EditSendandReceiveLimits

edit the fields in the Send and Receive Limits section of the Quota and Limits Tab on the Exchange Mailbox Resource Management screen.

EditAcceptFrom

edit the "Allowed" list for who may send email to a specific mailbox.

EditEmailAddress

edit an email address when running the EditExchangeMailboxAddress workflow.

EditExchangeMailbox

perform a general edit of a mailbox.

EditMailboxForwarding

edit who receives a copy of mail sent to a mailbox.

EditMailboxQuota

edit the Quota fields in the Quota Settings section of the Quota and Limits Tab on the Exchange Mailbox Resource Management screen.

EditSMTPAddresses

edit the SMTP address for a mailbox.

EditRejectFrom

edit the "Denied" list for who may not send email to a specific mailbox.

EnableRequireAuthenticatedSenders

select the Require authenticated senders option in the Send and Receive Limits section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

EnableActiveSync

select the ActiveSync Enabled option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

EnableAuto-AcceptCalendar

select the Auto-Accept Calendar option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

EnableMailbox

enable a mailbox.

EnableOWA

select the OWA Enabled option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.

EnableUseDefaultQuota

select the Use Default Quota option in the Quota Limits section on the Quota and Limits Tab of the Exchange Mailbox Resource Management screen.

EnableAutoAccept

enable auto-accept for appointments on room or equipment mailboxes.

HideinGAL

select the Hidden In GAL option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.

LinkAccountToMailbox

link a user account to a mailbox.

MoveMailbox

move a mailbox from one location to another.

ReActiviateMailbox

activate a deactivated mailbox.

RemoteDeviceWipe

wipe data from an ActiveSync device (usually a phone) the next time the device tries to sync with the server.

RestoreDeletedMailbox

restore a mailbox that has been deleted in EmpowerID.

SetMasterAccount

set the master account for a linked mailbox to an account in a trusted domain in another forest.

ShowinGAL

deselect the Hidden In GAL option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.

SuspendMailbox

set the quota values on a mailbox to 0.

ViewMailboxExtensionAttributes

view the Extension Attributes for a mailbox.

ViewMailboxFeatureAttributes

view the Mailbox Features attributes for a mailbox.

ViewMailboxQuotaAttributes

view the Quota Attributes for a mailbox.

ViewMailboxSendandReceiveLimitsAttributes

view the Send and Receive Limits Attributes for a mailbox.

ViewDeviceStatus

view the status of an Active Sync device.

...

Send As in Outlook

This Access Level Definition grants native Send As permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.

Send On Behalf in Outlook

This Access Level Definition grants native Send On Behalf permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.

Group (Distribution, Security, Generic) Access Level Definitions

Administrator and EmpowerID Administrator

In addition to many of the operations common to most Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the Group Resource Types.

Operation

Enables any assigned actor to 

AddToManagementRole

add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.

EditADGroupNameAttributes

edit the Name, Display Name, and Logon Name fields in the Overview section of the General Tab on the Group Resource Management screen (Group Details form).

EditExchangeSettings

edit the fields in the Exchange Options section of the Exchange Tab on the Group Resource Management screen (Group Details form).

EditGroupAdvancedSettings

edit the fields in the Advanced Options section of the Advanced Tab on the Group Resource Management screen (Group Details form).

EditGroupDescriptionandNote

edit the Description and Note fields in the Overview section of the General Tab on the Group Resource Management screen (Group Details form).

EditGroupExtensionAttributes

edit the Extension Attributes on the Extension Tab of the Group Resource Management screen (Group Details form).

EditGroupType

edit the Group Type drop-down in the Overview section of the General Tab on the Group Resource Management screen (Group Details form).

EditAcceptFrom

edit the "Allowed" list for who may send email to a specific group.

EditRejectFrom

edit the "Denied" list for who may not send email to a specific group.

EditSMTPAddresses

edit the SMTP addresses for a group when running the EditSMTPAddresses workflow.

HideGroupinGAL

select the Hidden In GAL option in the Exchange Options section of the Exchange Tab on the Group Resource Management screen (Group Details form).

MailDisableGroup

disable mail for a group by deselecting the Is Mail-Enabled option in the Exchange Options section of the Exchange Tab on the Group Resource Management screen (Group Details form).

MailEnableGroup

assign an email address to a group by selecting the Is Mail-Enabled option in the Exchange Options section of the Exchange Tab on the Group Resource Management screen (Group Details form).

MoveComputer

move a computer from one location to another.

MoveGroup

move a group from one location to another.

RemoveFromManagementRole

remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.

ShowGroupinGAL

designate that a selected group be visible in the Global Address List when running the ShowDLInGAL workflow.

...

Membership Manager

This Access Level Definition grants the actor assigned the Access Level the ability to manage group membership and has the following operations allowed.

Operation

Enables any assigned actor to

AddAccountToGroup

add an account to a group.

Add<%Actor%>ToGroupMember

grant group membership to the EmpowerID Actor type (Person, Business Role and Locations, or Group) in question.

AddToGroupMember

add People, Groups, or Business Roles to the Member Access Level.

Use

view a group.

ManageAnyResourceRole

assign or unassign any EmpowerID Access Levels for a group. 

Info

This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular group to users.

ManageAnyResourceRoleAssignmentByLocation

assign Access Levels by location for the group.

Info

This operation is needed to grant or revoke assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type for groups by location, meaning the actor needs to have this operation allowed at or above the location for which they are making a by-location Access Level assignment; otherwise the operation will route for approval.

Remove<%Actor%>FromGroupMember

remove People, Groups, or Business Roles from the Member Access Level.

Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Groups has the following additional operations allowed.

Operation

Enables any assigned actor to

AddGroupToRelativeResourceRole

assign relative Access Levels to a group.

AddGroupToResourceRole

assign Access Levels directly to a group.

AddGroupToResourceRoleAssignmentByLocation

assign Access Levels by location to a group.

Use

view a group.

ManageAnyResourceRole

assign or unassign any EmpowerID Access Levels for a group. 

Info

This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular group to users.

ManageAnyResourceRoleAssignmentByLocation

assign Access Levels by location for the group. 

Info

This operation is needed to grant or revoke assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type, for groups by location, meaning the actor needs to have this operation allowed at or below the location for which they are making a by-location Access Level assignment; otherwise the operation will route for approval.

RemoveGroupFromRelativeResourceRole

remove relative Access Levels from a Distribution Group.

RemoveGroupFromResourceRole

remove Access Levels directly from a Distribution Group.

RemoveGroupFromResourceRoleAssignmentByLocation

remove Access Levels scoped by location from a Distribution Group.

...

Administrator and EmpowerID Administrator

In addition to most of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Location Resource Type.

Operation

Enables any assigned actor to

AddToManagementRole

add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.

AssignGroupOrgRoleOrgZone

assign a group to a Business Role and Location.

AssignOrgRoleOrgZone

assign a person to a Business Role and Location as a secondary Business Role and Location.

AssignPersonOrgRoleOrgZone

assign a person to a Business Role and Location.

RemoveFromManagementRole

remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.

RemoveGroupOrgRoleOrgZone

remove a group from a Business Role and Location.

RemoveOrgRoleOrgZoneFromResourceRole

directly remove Access Levels from a Business Role and Location.

RemoveOrgRoleOrgZoneFromResourceRoleAssignmentByLocation

remove Access Levels from a Business Role and Location scoped by location.

RemovePersonOrgRoleOrgZone

unassign a person from a secondary Business Role and Location.

SetPersonPrimaryBusinessRoleandLocation

set the primary Business Role and Location for a person.

Update

edit a location.

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID Location Resource Type.

Operation

Enables any assigned actor to

CreateOU

create an AD OU.

EditOU

edit an AD OU.

MoveBusinessLocation

move a business location to another location.

ProvisionPartner

create a partner location.

...

Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Locations has the following additional operations allowed.

Operation

Enables any assigned actor to

AddOrgRoleOrgZoneToRelativeResourceRole

assign relative Access Levels to a Business Role and Location.

AddOrgRoleOrgZoneToResourceRole

assign Access Levels directly to a Business Role and Location.

AddOrgRoleOrgZoneToResourceRoleAssignmentByLocation

assign Access Levels by location to a Business Role and Location.

RemoveOrgRoleOrgZoneFromRelativeResourceRole

remove relative Access Levels from a Business Role and Location.

RemoveOrgRoleOrgZoneFromResourceRole

directly remove Access Levels from a Business Role and Location.

RemoveOrgRoleOrgZoneFromResourceRoleAssignmentByLocation

remove Access Levels from a Business Role and Location scoped by location.

...

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Management Role and Management Role Definition Resource Types.

Operation

Enables any assigned actor to

AddToManagementRole

add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.

RemoveFromManagementRole

remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.

ManageManagementRoleAssignments

manage the Access Level Assignments of the Management Role.

ManageManagementRoleDefinitionAssignments (Management Role Definition Only)

add or remove Access Level Assignments to and from the Management Role Definition.

...

Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Management Roles and Management Role Definitions has the following additional operations allowed.

Operation

Enables any assigned actor to

ManageManagementRoleAssignments (Management Role Only)

add or remove Access Level Assignments to and from the Management Role.

ManageManagementRoleDefinitionAssignments (Management Role Definitions Only)

add or remove Access Level Assignments to and from the Management Role Definition.

...

Administrator and EmpowerID Administrator

In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Person Resource Type.

Operation

Enables any assigned actor to

AddToManagementRole

add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.

AllowLogin

select the Allow Login option on the Advanced Tab of the Resource Management Screen for a Person object.

AllowPasswordOperations

select the Allow Password Operations option on the Advanced Tab of the Resource Management Screen for a Person object.

AllowSyncAttributes

select the Allow Attribute Sync option on the Advanced Tab of the Resource Management Screen for a Person object.

AssignAccounttoSSOApplication

register an account for a given SSO application configured in EmpowerID to a Person. 

Info

This operation must be allowed for both the SSO application and the Person in question to complete the task without requiring approval.

AssignOrgRoleOrgZone

assign a person to a Business Role and Location as a secondary Business Role and Location.

AssignPersonOrgRoleOrgZone

assign a person to a Business Role and Location.

ClaimAccount

claim an orphaned account.

ClaimSSOApplicationAccount

claim an account from an SSO application configured in EmpowerID, such as Google Apps.

Info

The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.

DenyLogin

deselect the Allow Login option on the Advanced Tab of the Resource Management Screen for a Person object.

DenyPasswordOperations

deselect the Allow Password Operations option on the Advanced Tab of the Resource Management Screen for a Person object.

DenySyncAttributes

deselect the Allow Attribute Sync option on the Advanced Tab of the Resource Management Screen for a Person object.

DisablePerson

disable a Person object.

EditPersonAboutAttribute

edit the About Person section on the Person Tab of the Resource Management Screen for a Person object.

EditPersonDemographics

update information on the Edit Person Demographics screen for a Person object.

EditPersonExtensionAttributes

edit the Extension Attributes section on the Extension Tab of the Resource Management Screen for a Person object.

EditPersonMustChangePasswordonNextLogin

select the Must Change Password option on the Person Edit form for the Person object.

EditPersonNameAttributes

edit the Name Information section on the Person Tab of the Resource Management Screen for a Person object.

EditPersonOrganizationAttributes

edit the Organization Information section on the Organization Tab of the Resource Management Screen for a Person object.

EditPersonMultiOperations

edit all attributes of a Person object.

EnablePerson

enable a Person object.

Enroll

enroll a Person object in the Password Reset Center.

JoinAccountToPerson

join an orphaned account to a Person object.

Login

log in to EmpowerID.

Read

view a Person object.

RemoveFromManagementRole

remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.

ResetPassword

reset a password for a Person object.

RestoreDeletedPerson

restore a deleted Person object.

SelfServiceChangePassword

change their password.

SelfServiceResetPassword

reset their password.

SetPasswordManagerPolicy

select the Password Manager Policy applied to a Person object from the Advanced Tab of the Resource Management Screen for Person objects.

SetPersonPrimaryBusinessRoleandLocation

set the Primary Business Role and Location for a Person object.

SetProfileManagerPolicy

select the Profile Manager Policy applied to a Person object from the Advanced Tab of the Resource Management Screen for Person objects.

Terminate

terminate a Person object.

UnassignAccountfromSSOApplication

remove from a Person an account for a given SSO application configured in EmpowerID. 

Info

This operation must be allowed for both the SSO application and the Person in question to complete the task without requiring approval.

UnClaimSSOApplicationAccount

remove a selected SSO Application account from their Person object, removing their ability to SSO into that account from EmpowerID. 

Info

The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.

Unenroll

unenroll a Person object from the Password Reset Center.

UnjoinAccountFromPerson

unjoin an account from a Person object.

UnlockFromResetCenter

unlock an account for a Person object that has been locked out of the Password Reset Center.

UnlockPerson

unlock a Person object.

UnlockPersonAccounts

unlock accounts for a Person object.

ViewStreetAddressAttribute

view the Address section on the Edit Person Demographics screen.

ViewAboutPersonAttributes

view the About Person section on the Person Tab of the Resource Management Screen for a Person object.

ViewAddressandPhoneNumbers

view the Address and Phone Numbers section on the Organization Tab of the Resource Management Screen for the Person object.

ViewAdvancedPersonAttributes

view the Advanced Tab of the Resource Management Screen for a Person object.

ViewExtensionAtttributes

view the Extension Tab of the Resource Management Screen for a Person object.

ViewNameInformation

view the Name Information section on the Person Tab of the Resource Management Screen for a Person object.

ViewOrganizationAttributes

view the Organization Information section on the Organization Tab of the Resource Management Screen for a Person object.

...

Expand
titleAccess Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed:

Operation

Enables any assigned actor to

AddPersonToRelativeResourceRole

assign relative Access Levels to a Person object.

AddPersonToResourceRole

assign Access Levels directly to a Person object.

AddPersonToResourceRoleAssignmentByLocation

assign Access Levels scoped by location to a Person object.

RemovePersonFromRelativeResourceRole

remove relative Access Levels from a Person object.

RemovePersonFromResourceRole

remove resources directly from a Person object.

RemovePersonFromResourceRoleAssignmentsByLocation

remove Access Levels scoped by location from a Person object.

...

Expand
titleEmpowerID Administrator

In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the SAML SSO Connection Resource Type.

Operation

Enables any assigned actor to

AddAttributeStatement

add an attribute statement to a SAML SSO Connection object.

AddEncryptingStatement

add an encrypting statement to a SAML SSO Connection object.

AddSigningCertificate

add a signing certificate to a SAML SSO Connection object.

Create

create a new SAML SSO Connection object.

CreateSAMLSingleSignOnAudienceAssociation

create a new Audience Association for a SAML SSO Connection object.

CreateSAMLSingleSignOnCertificatesAssociations

add a certificate to a SAML SSO Connection object.

CreateSAMLSingleSignOnSubjectConfirmationAssociation

add a Subject Confirmation to a SAML SSO Connection object.

CreateSSOConnection

create a new SAML SSO Connection object.

DeleteSAMLSSOConnection

delete a SAML SSO Connection object.

EditAssertionConsumerServiceURLforPartnership

edit the ACS URL for a SAML SSO Connection (SP) object.

EditAssertionEncryptionAlgorithm

edit the Assertion Encryption Method for a SAML SSO Connection object.

EditAttributeEncryptionAlgorithm

edit the Attribute Encryption Method for a SAML SSO Connection object.

EditAudienceRestrictions

edit the Audience Restriction properties for a SAML SSO Connection object.

EditConnectionAccountStore

edit the account store created for a SAML SSO Connection object.

EditConnectionAuthenticationRequest

edit the type of authentication request for a SAML SSO Connection object.

EditConnectionNameAttributes

edit the Name and Display Names for a SAML SSO Connection object.

EditIDPURL

edit the IDP URL for a SAML SSO Connection (IdP) object.

EditIssuerName

edit the Issuer field for a SAML SSO Connection object.

EditIssuerQualifierSettings

edit the Issuer Qualifier Settings for a SAML SSO Connection object.

EditLoginWFACSURL

edit the Login Workflow ACS URL field for a SAML SSO Connection object.

EditLogoImage

edit the Logo Image field for a SAML SSO Connection object.

EditNameIdentifierFormatType

edit the Name Identifier Format type for a SAML SSO Connection object.

EditNameIdentifierMethod

edit the Name Identifier Method for a SAML SSO Connection object.

EditRequestWorkflow

edit the Request Workflow associated with a SAML SSO Connection object, if any.

EditSAMLNameQualifierForPartnership

edit the Name Qualifier field for a SAML SSO Connection object.

EditSAMLSingleSignOnDomain

edit the domain used for a SAML SSO Connection object.

EditSAMLSPNameQualifierforPartnership

edit the SP Name Qualifier field for a SAML SSO Connection object.

EditSignatureAlgorithm

edit the Signature Algorithm used with a SAML SSO Connection object.

EditSingleLogoutSettings

edit the Single Logout settings for a SAML SSO Connection object.

EditTargetURL

edit the Target IDP/SP URL for a SAML SSO Connection object.

RemoveAttributeStatement

remove an Attribute Statement from a SAML SSO Connection object.

RemoveEncryptingCertificate

remove an Encrypting Certificate from a SAML SSO Connection object.

RemoveSigningCertificate

remove a Signing Certificate from a SAML SSO Connection object.

...

Expand
titleEmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Separation of Duties Resource Type.

Operation

Enables any assigned actor to

Delete

delete a specific Separation of Duties (SoD) policy.

Edit

edit a specific SoD policy.

EditTag

edit the tag associated with a specific SoD policy.

Provision

create a new SoD policy.

Review

review violations of a SoD policy.

...

Expand
titleEmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Set Group Resource Type.

Operation

Enables any assigned actor to

AddToManagementRole

add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.

RemoveFromManagementRole

remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.

Expand
titleAccess Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.

Operation

Enables any assigned actor to

AddSetGroupToResourceRole

assign Access Levels directly to a Set Group.

AddSetGroupToResourceRoleAssignmentByLocation

assign Access Levels scoped by location to a Set Group.

RemoveSetGroupFromResourceRole

remove Access Levels directly from a Set Group.

RemovSetGroupFromResourceRoleAssignmentsByLocation

remove Access Levels scoped by location from a Set Group.

...

Expand
titleEmpowerID Administrator

In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the SAML SSO Connection Resource Type.

Operation

Enables any assigned actor to

AssignAccounttoSSOApplication

register an account for a given SSO application configured in EmpowerID to a Person. 

Info

This operation must be allowed for both the SSO application and the Person in question to complete the task without requiring approval.

Create

create a new SSO Application object.

Edit

edit an SSO Application object.

Delete

delete an SSO Application object.

EditTag

edit the tag associated with an SSO Application object.

ClaimSSOApplicationAccount

claim an account from an SSO application configured in EmpowerID.

Info

The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.

UnassignAccountfromSSOApplication

remove from a Person an account for a given SSO application configured in EmpowerID. 

Info

This operation must be allowed for both the SSO application and the Person in question to complete the task without requiring approval.

...

Expand
titleEmpowerID Administrator

In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the SAML SSO Connection Resource Type.

Operation

Enables any assigned actor to

Create

create a new SSO Application Definition object.

Edit

edit an SSO Application Definition object.

Delete

delete an SSO Application Definition object.

EditTag

edit the tag associated with an SSO Application Definition object.

ClaimSSOApplicationAccount

claim an account from an SSO application configured in EmpowerID.

Info

The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.

...

Expand
titleAdministrator and EmpowerID Administrator

In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the User Account Resource Type.

Operation

Enables any assigned actor to

AddToManagementRole

add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.

AllowLogin

select the Allow Login option on the Advanced Tab of the Account Details Screen.

ChangePassword

change the password of a user account.

ClaimAccount

claim an orphaned account.

CreateUserHomeFolder

create a home folder.

DisableUser

disable a user account from the Password Options section of the Account Tab on the Account Details Screen.

EditTerminalServicesAccess

select or clear the Allow this user permissions to log on to Terminal Services option in the Profile section of the Remote Desktop Tab on the Account Details Screen.

EditTerminalServicesProfile

edit the Profile Path for an account from the Profile Section of the Remote Desktop Tab on the Account Details Screen.

EditUserAccountHomeFolder

edit the Home Directory for an account from the Profile Section of the Remote Desktop Tab on the Account Details Screen.

EditUserAccountProfile

edit the Profile settings for an account from the Profile Tab of the Account Details Screen.

EditUserAdvancedSettings

edit the settings applied to the Prevent Deletion in EmpowerID and Hide in EmpowerID settings for accounts from the Advanced Tab of the Account Details Screen.

EditUserExpiration

set the expiration date for an account in Active Directory.

EditUserExtensionAttributes

edit the user extension attributes from the Extension Tab of the Account Details Screen.

EditUserNameAttributes

edit the user name attributes from the Account Name Information section of the Account Tab on the Account Details Screen.

EditUserOrganizationAttributes

edit the Organization Information section for an account from the Organization Tab of the Account Details Screen.

EditUserPasswordOptions

edit the Password Options settings for an account from the Account Tab of the Account Details Screen.

EditUserTerminalServicesEnvironment

edit the Terminal Services Environment settings for an account from the Environment section of the Remote Desktop Tab of the Account Details Screen.

EditUserTerminalServicesHomeDrive

edit the Terminal Services Home Drive setting for an account from the Profile section of the Remote Desktop Tab on the Account Details Screen.

EditUserTerminalServicesRemoteControl

edit the Terminal Services Remote Control settings for an account from the Remote Control section of the Remote Desktop Tab on the Account Details Screen.

EditUserTerminalServicesSession

edit the Terminal Services Session settings for an account from the Session and Timeout Settings section of the Remote Desktop Tab on the Account Details Screen.

EnableRequireSmartCardLogon

set the Require SmartCard Logon option for an account from the Password Options section of the Account Tab on the Account Details Screen.

EnableUser

enable a disabled account from the Password Options section of the Account Tab on the Account Details Screen.

JoinAccountToPerson

join an orphaned account to a Person object.

MailDisable

remove the Mail-enabled flag from an account.

MailDisableAccount

remove the Mail-enabled flag from an account.

MailEnable

set an account as mail-enabled, making it available in the Exchange GAL.

MailEnableAccount

set an account as mail-enabled, making it available in the Exchange GAL.

MoveAccount

move an account from one location to another.

RemoveFromManagementRole

remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.

ResetPassword

reset a password for an account.

RestoreDeletedAccount

restore a deleted account.

RestoreDeletedMailbox

restore a mailbox that has been deleted from an account.

SetAccountManager

select the AD line manager for an account.

SetAllowDialIn

set the Allow Dialin option for an account from the Password Options section on the Account Tab of the Account Details Screen.

UnlockUser

unlock an account that is locked in Active Directory.

UnlockPersonAccounts

unlock accounts for a Person object.

ViewAccountNameInformationAttributes

view the Account Name Information section on the Account Tab of the Account Details Screen.

ViewAddressandPhoneNumberAttributes

view the Address and Phone Numbers section on the Organization Tab of the Account Details Screen.

ViewAdvancedAttributeInformation

view the Advanced Attribute Information section on the Advanced Tab of the Account Details Screen.

ViewExtensionAtttributes

view the Extension Attributes section on the Extension Tab of the Account Details Screen.

ViewOrganizationInformationAttributes

view the Organization Information section on the Organization Tab of the Account Details Screen.

ViewPasswordOptionAttributes

view the Password Options section on the Account Tab of the Account Details Screen.

ViewProfileOptionAttributes

view the Profile Options section on the Profile Tab of the Account Details Screen.

ViewRemoteDesktopAttributes

view the Remote Desktop Tab of the Account Details Screen.

ViewRemoteDesktopEnvironmentAttributes

view the Environment section on the Remote Desktop Tab of the Account Details Screen.

ViewRemoteDesktopProfileAttributes

view the Profile section on the Remote Desktop Tab of the Account Details Screen.

ViewRemoteDesktopRemoteControlAttributes

view the Environment section on the Remote Desktop Tab of the Account Details Screen.

ViewRemoteDesktopSessionandTimeOutSettings

view the Session and Timeout Settings section on the Remote Desktop Tab of the Account Details Screen.

Expand
titleEmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the User Account Resource Type.

Operation

Enables any assigned actor to

UnjoinAccountFromPerson

unlink an account from an EmpowerID Person.

ViewEmployeeIDs

view the EmployeeID attribute for an EmpowerID Person's AD user account.

...

Expand
titleAccess Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.

Operation

Enables any assigned actor to

AddAccountToResourceRole

assign Access Levels directly to an account.

RemoveAccountFromResourceRole

remove resources directly from an account.

...

Expand
titleAdministrator and EmpowerID Administrator

In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the Windows Shared Folder Resource Type.

Operation

Enables any assigned actor to

RegisterExistingShare

register a share in EmpowerID that exists on a computer managed by EmpowerID.

Expand
titleCo-Owner

This Access Level Definition grants owner status for a shared folder and has the following operations set to allowed.

Operation

Enables any assigned actor to

Use

view an account.

ManageAnyResourceRole

assign or unassign Access Levels for an account.

ManageAnyResourceRoleAssignmentByLocation

assign Access Levels by location for an account.

Expand
titleDeny All

This Access Level Definition contains no EmpowerID Operations. It is used to deny access to Shared Folders.

Expand
titleFull Control

This Access Level Definition contains no EmpowerID Operations. It is used to grant the following NTFS File System rights for Shared Folders managed by EmpowerID.

  • AppendData

  • ChangePermissions

  • Delete

  • DeleteSubdirectoriesAndFiles

  • ExecuteFile

  • ReadAttributes

  • ReadData

  • ReadExtendedAttributes

  • ReadPermissions

  • Synchronize

  • TakeOwnership

  • WriteAttributes

  • WriteData

  • WriteExtendedAttributes

...

Expand
titleEmpowerID Administrator

In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Windows Shared Folder Resource Type.

Operation

Enables any assigned actor to

RevokeResourceOrgZone

remove a printer from a location.

...

Expand
titleAdministrator and EmpowerID Administrator

In addition to many of the operations common to most Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Workflow Resource Type.

Operation

Enables any assigned actor to

EditRequestWorkflow

edit a workflow when running the Right-Click Edit workflow.

Initiate

initiate a workflow.

...

Expand
titleEmpowerID Administrator

In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the SAML SSO Connection Resource Type.

Operation

Enables any assigned actor to

CreateSSOConnection

create a new WS-Federation SSO Connection object.

CreateWSFederationSingleSignOnConnectionOperation

create a new operation for a WS-Federation Single Sign On Connection object.

DeleteWSFederationSingleSignOnConnection

delete a WS-Federation SSO Connection object.

DeleteWSFederationSingleSignOnConnectionOperation

delete an operation from a WS-Federation Single Sign On Connection object.

EditAccountStore

edit the account store that is associated with a WS-Federation SSO Connection object.

EditAssertionConsumerServiceURLforPartnership

edit the ACS URL for a WS-Federation SSO Connection (SP) object.

EditCertificatesforPartnership

edit the certificates for a WS-Federation SSO Connection object.

EditDescription

edit the Description field for a WS-Federation SSO Connection object.

EditEncryptionCertificate

edit the encryption certificate used for a WS-Federation SSO Connection object.

EditEncryptionEnabled

select or clear encryption for a WS-Federation SSO Connection object.

EditHomeRealm

edit the certificates for a WS-Federation SSO Connection object.

EditLogoImage

edit the Logo Image field for a WS-Federation SSO Connection object.

EditMaptoAccountClaimType

edit the Map to Account Claim Type field for a WS-Federation SSO Connection object.

EditNameQualifierforPartnership

edit the Name Qualifier field for a WS-Federation SSO Connection object.

EditOrganization

edit the Organization for a WS-Federation SSO Connection object.

EditSigningCertificate

edit the Signing Certificate used with a WS-Federation SSO Connection object.

EditURLforPartnership

edit the URL for a WS-Federation SSO Connection object.
