EmpowerID ships with the following default Access Level Definitions for each Resource Type. Each Access Level Definition is defined by EmpowerID Operations and/or native system rights. Many of the operations, such as the RBAC operations generated for the Administrator and EmpowerID Administrator Access Level Definitions, are similar for each Resource Type.
...
Asset Catalog Item
In addition to the operations common to all Administrator and EmpowerID Administrator Access Level Definitions mentioned above, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Asset Request Item Resource Type.
This Access Level Definition allows the actor assigned the Access Level to request Asset Catalog Items in EmpowerID and has the following operations set to allowed.
Attestation Policy
In addition to the operations common to all EmpowerID Administrator Access Level Definitions mentioned above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID Attestation Policy Resource Type.
This Access Level Definition gives the actor assigned the Access Level the ability to review attestation tasks and perform access certification and has the following operations set to allowed.
Business Role
In addition to most of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Business Role Resource Type.
This Access Level Definition grants the actor assigned the Access Level the ability to edit Business Roles in EmpowerID and has the following operations set to allowed.
Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.
Computer
In addition to most of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions for the Computer Resource Type both have the following EmpowerID Operations allowed.
In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Computer Resource Type.
The Co-Owner Access Level Definition has the following operations set to allowed for the Computer Resource Type.
This Access Level Definition allows the actor assigned the Access Level to create, enable, disable, move and delete assigned Computer objects in EmpowerID and has the following operations set to allowed.
EmpowerID System
In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Person Resource Type.
In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID System Resource Type.
This Access Level Definition grants the actor assigned the Access Level the ability to log in and use EmpowerID and has the following operations set to allowed.
Exchange Mailbox
In addition to many of the operations common to most Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions for the Exchange Mailbox both have the following operations allowed for the Exchange Mailbox Resource Type.
This Access Level Definition grants native Full Access permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.
...
This Access Level Definition grants the actor assigned the Access Level the ability to manage mailboxes in EmpowerID and has the following operations set to allowed.
This Access Level Definition grants native Send As permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.
This Access Level Definition grants native Send On Behalf permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.
Group (Distribution, Security, Generic) Access Level Definitions
In addition to many of the operations common to most Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the Group Resource Types.
This Access Level grants the person assigned the Access Level owner status for a Group and has the following operations allowed.
This Access Level grants the person assigned the Access Level the ability to manage group membership and has the following operations allowed.
Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Groups has the following additional operations allowed.
Location
In addition to most of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Location Resource Type.
In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID Location Resource Type.
This Access Level Definition grants the actor assigned the Access Level the ability to assign or unassign People to and from locations in EmpowerID and has the following operations set to allowed.
This Access Level Definition grants the actor assigned the Access Level the ability to edit locations in EmpowerID and has the following operations set to allowed.
Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.
Management Role and EmpowerID Management Role Definition
This Access Level Definition gives the actor assigned the Access Level the ability to create, edit, and delete Management Roles, but does not grant them the ability to manage assignments to Management Roles or RBAC delegations. The Administrator Access Level Definition for the Management Role and Management Role Definition Resource Types has the following operations set to allowed.
In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Management Role and Management Role Definition Resource Types.
This Access Level Definition grants the actor assigned the Access Level the ability to manage the Access Levels of the Management Role and Management Role Definition and has the following operations set to allowed.
Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Management Roles and Management Role Definitions has the following additional operations allowed.
Person
In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Person Resource Type.
This Access Level Definition grants the actor assigned the Access Level the ability to assign or unassign people to and from Business Role and Locations in EmpowerID and has the following operations set to allowed.
This Access Level Definition grants the actor assigned the Access Level the ability to edit Person objects in EmpowerID and has the following operations set to allowed:
This Access Level Definition grants the actor assigned the Access Level the ability to log in to EmpowerID and has the following operations set to allowed.
This Access Level Definition grants the actor assigned the Access Level the ability to perform account management activities for Person objects in EmpowerID and has the following operations set to allowed.
This Access Level Definition grants the actor assigned the Access Level the ability to assist users by resetting passwords and unlocking accounts in EmpowerID and has the following operations set to allowed.
This Access Level Definition grants the actor assigned the Access Level the ability to provision, terminate, and change Business Role and Locations for Person objects in EmpowerID and has the following operations set to allowed.
Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed:
This Access Level Definition grants users assigned the Access Level the ability to enroll for password self-service and reset passwords for their users by resetting passwords and unlocking accounts in EmpowerID and has the following operations set to allowed.
SAML SSO Connection
In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the SAML SSO Connection Resource Type.
Separation of Duties
In addition to the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Separation of Duties Resource Type.
This Access Level grants the actor assigned the Access Level the ability to review violations to Separation of Duties policies and has the following operations allowed:
Set Group
In addition to the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Set Group Resource Type.
Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.
SSO Application
In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the SAML SSO Connection Resource Type.
This Access Level grants the actor assigned the Access Level the ability to claim an account for an SSO Application that has been configured in EmpowerID. This Access Level has the following operations allowed.
SSO Application Definition
In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the SAML SSO Connection Resource Type.
SharePoint (Document, Folder, and List)
...
In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the User Account Resource Type.
In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the User Account Resource Types.
This Access Level Definition grants owner status for an account and has the following operations set to allowed.
This Access Level Definition grants the actor assigned the Access Level the ability to edit an account in EmpowerID and has the following operations set to allowed.
This Access Level Definition grants the actor assigned the Access Level the ability to perform account management activities in EmpowerID and has the following operations set to allowed.
This Access Level Definition grants the actor assigned the Access Level the ability to assist users by resetting passwords and unlocking accounts in EmpowerID and has the following operations set to allowed.
Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.
Windows Shared Folder
In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the Windows Shared Folder Resource Type.
This Access Level Definition grants owner status for a shared folder and has the following operations set to allowed.
This Access Level Definition contains no EmpowerID Operations. It is used to deny access to Shared Folders.
This Access Level Definition contains no EmpowerID Operations. It is used to grant the following NTFS File System rights for Shared Folders managed by EmpowerID.
...
In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Windows Shared Folder Resource Type.
This Access Level Definition contains no EmpowerID Operations. It is used to grant the following native permissions for Shared Printers managed by EmpowerID.
...
In addition to many of the operations common to most Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Workflow Resource Type.
This Access Level Definition grants the actor assigned the Access Level the ability to see and initiate workflows in EmpowerID and has the following operations set to allowed.
WS-Federation SSO Connection
In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the SAML SSO Connection Resource Type.