Page Comparison

EmpowerID restricts access to the IT Shop through the use of Management Roles.

Tooltip and footnote macro

color	#00badd
description	Management Roles are user-defined containers holding collections of Access Levels that have been packaged together into responsibility or job-based bundles to allow for the quick and easy bulk assignments of resources to resource users in a way that matches their job function.
macroType	tooltip

To access the IT Shop, users need must be assigned to have the appropriate roles. Management Roles shown in the below tableare prefixed by their function in EmpowerID and include the following:

UI – Management Roles prefixed with UI grant users access to specific UI elements in the EmpowerID Web interface. An example of this type of role for Password Manager is UI-Person-Password-Self-Service. This role grants users access to the user interfaces and workflows for enrolling for self-service password reset and changing their own passwords.
VIS – Management Roles prefixed with VIS grant users the ability to see specific objects in EmpowerID. An example of this type of role for Password Manager is VIS-Person-Self. All users have this Management Role by default.
ACT – Management Roles prefixed with ACT grant users the ability to manage specific objects in EmpowerID. An example of this type of role for Password Manager is ACT-Password-Self-Service. This role grants users access to change passwords, enroll for password self-service reset, and perform other password self-service operations.

Roles needed to

...

shop in the IT Shop

To access shop for eligible resources in the IT Shop, users need to have one of the below Management Role assignments (based on the needed scope):

Management Role

Description

Role Type

ACT-Person-Password-Self-Service

Grants users access to change password, enroll and other password self-service operations.

Activity

UI-Person-Password-Self-Service

Grants access to change password, enroll and other password self-service workflows and user interfaces.

Feature Set

IT Shop, My Tasks, and My Identity Self-Service Full Access

Grants full access for using the IT Shop, My Tasks, My Identity microservices

Role Bundle – Contains the below Management Roles

Dropdown macro

hardcodeWidth	338
backgroundColor	#fff
activeColor	#0052CC
width	53
hoverColor	#307FC1
tabType	no-icon
alignment	left

[{"label":"View Management Roles","id":"1","content":{"version":1,"type":"doc","content":[{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"ACT-Person-Delegate-All"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"ACT-Person-SetAsApprover-All"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"UI-IT-Shop-MS-Azure-Admin-Role"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"UI-IT-Shop-MS-Computer"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"UI-MyTasks-Participant-Full"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"UI-IT-Shop-MS-Management-Role"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"UI-IT-Shop-MS-Azure-License"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"UI-MyIdentity-PermanentDelegations"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"UI-MyIdentity-EmailNotification-Settings"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"UI-IT-Shop-MS-Business-Role"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"UI-IT-Shop-MS-Shared-Folder"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"UI-IT-Shop-MS-Application-Role"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"UI-IT-Shop-MS-Mailbox"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"UI-MyIdentity-Full"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"UI-IT-Shop-MS-Common"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"UI-IT-Shop-MS-Risk"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"VIS-Application-All"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"VIS-Location-MyLocationsAndBelow"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"VIS-Person-MyOrg"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"VIS-IT-Shop-MS-API"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"VIS-Computer-All"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"VIS-Management-Role-All"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"VIS-AzLocalRole-All"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"VIS-Mailbox-All"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"VIS-Groups-All"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"VIS-BusinessRequestType-All"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"VIS-MyTasks-MS-API"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"VIS-MyIdentity-MS-API"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"VIS-Location-All-BusinessStructure"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"VIS-AzGlobalFunction-All"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"VIS-Shared-Credential-All"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"VIS-AzLocalFunction-All"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"UI-IT-Shop-MS-Azure-RBAC-Role"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"VIS-License-Pool-All"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"text","text":"Vis-OrgRoleOrgZone-ALL"}]}]}]},{"type":"paragraph","content":[]}]}}]

ACT-Person-Delegate-All
ACT-Person-SetAsApprover-All
UI-IT-Shop-MS-Azure-Admin-Role
UI-IT-Shop-MS-Computer
UI-MyTasks-Participant-Full
UI-IT-Shop-MS-Management-Role
UI-IT-Shop-MS-Azure-License
UI-MyIdentity-PermanentDelegations
UI-MyIdentity-EmailNotification-Settings
UI-IT-Shop-MS-Business-Role
UI-IT-Shop-MS-Shared-Folder
UI-IT-Shop-MS-Application-Role
UI-IT-Shop-MS-Mailbox
VIS-Application-All
VIS-Location-MyLocationsAndBelow
VIS-Person-MyOrg
VIS-IT-Shop-MS-API
VIS-Computer-All
VIS-Management-Role-All
VIS-AzLocalRole-All
VIS-Mailbox-All
VIS-Groups-All
VIS-BusinessRequestType-All
UI-MyIdentity-Full
VIS-MyTasks-MS-API
VIS-MyIdentity-MS-API
VIS-Location-All-BusinessStructure
UI-IT-Shop-MS-Common
UI-IT-Shop-MS-Risk
VIS-AzGlobalFunction-All

Management Role

Access Granted by Management Role

UI-IT-Shop-MS-Full-Access

Inherits the below Access Levels from the parent Management Role Definition:

Workflow Access

Initiator Access Level for following workflows:

UpdatePersonDirectAssignment
UpdatePersonBusinessRoles

Control (User Interface) Access

Viewer Access Level for the following controls:

Application Process Control
Business Roles TCode Control
Business Roles Owners Attribute Control
Business Roles Advanced Search Control
Business Roles Role Approvers Attribute Control
Application Roles Resource System Attribute Control
Business Roles Name Attribute Control
Target System Control
Application Roles TCode Control
Application Roles Advanced Search Control
Shop for Target Person Control
Business Functions Control
Business Roles Parent Business Roles Attribute Control
Application Roles Owners Attribute Control
Application Roles High Level Classification Attribute Control
Business Domains Control
Business Roles High Level Classification Attribute Control
Application Roles Name Attribute Name

Application Access

Viewer Access Level for the following applications:

IT Shop Microservice App
EmpowerID Web

Web Service Access

Executor Access Level for the following Web services:

All ITShop WebServices
AllRbacObjects
CartSubmissinoAPI.SubmitCart

Pages and Reports Access

Viewer Access Level for the following pages and reports:

Groups Page (IT Shop)
Business Roles Page (IT Shop)

VIS-IT-SHOP-MS-API

Grants visibility to the base Web services required by all users of the IT Shop microservice.

Web Service Access

Executor Access Level for the following Web services:

BusinessFunctionsAPI
BusinessFunctionsAPI.GetChildrenByOrgZoneType
BusinessFunctionsAPI.GetOrgZonesByOrgZoneTypeTypes
BusinessLocationsAPI.GetOrgZoneTypes
BusinessLocationsAPI.Search
BusinessRolesAPI
BusinessRolesAPI.CheckAssignmentStatus
BusinessRolesAPI.GetApplicationRoleTemplates
BusinessRolesAPI.GetAssignedAppRolesByPersonGUID
BusinessRolesAPI.GetAssignedBusinessRolesByPersonGUID
BusinessRolesAPI.GetOrgRole
BusinessRolesAPI.GetOrgRoles
BusinessRolesAPI.GetSingleOrgRole
CartSubmissionAPI
CartSubmissionAPI.SubmitCart
CheckForSODAPI
CheckForSODAPI.GetAssigneesForOrgRoleType
GlobalSettingsAPI
GlobalSettingsAPI.GetConfigSetting
GroupsAPI
GroupsAPI.CheckAssignmentStatus
GroupsAPI.GetAssignedAppRolesByPersonGUID
GroupsAPI.GetAssignedMembershipByOrgRolesOrgZoneID
GroupsAPI.GetGroups
GroupsAPI.GetSingleOrgRole
GroupsAPI.GetTargetSystemsFilterdata
LocalizationAPI
LocalizationAPI.CountryHelpText
LocalizationAPI.GetByResourceSet
ProtectedAppResourceAPI
ProtectedAppResourceAPI.AlllowedSsoApplications
ProtectedAppResourceAPI.GetChildrenByProtectedApplication

...

Versions Compared

Old Version 2

New Version 3

Key

Roles needed to

shop in the IT Shop