EmpowerID's IAM Shop Permission Levels facilitate access management for resources like applications, shared folders, and computers. Users can select these permission levels, such as "Local Admin", "Power User", or "Backup Operator", when requesting access via the IAM Shop. For successful permission assignment, administrators need to assign IAM Shop Permission Levels to computers and map them to corresponding groups with those permissions. Keep in mind that these permission levels are just labels and must be accurately mapped to grant permissions. This article outlines the process of assigning and mapping IAM Shop Permission Levels to computers within EmpowerID.

...

Organizations can configure requestable permissions for inventoried computers, enabling users to request specific permissions when connecting to these computers via Privileged Session Management (PSM). These permissions, called "IAM Shop Permission Levels," play a crucial role in maintaining a secure IT environment. They grant users distinct permissions during computer sessions and reinforce security by adhering to the principle of least privilege, revoking permissions immediately after the session ends.

To successfully assign IAM Shop Permission Levels, administrators must:

  1. Assign IAM Shop Permission Levels to computers.

  2. Map permission levels to corresponding groups on the actual computer that grant those native permissions.

For example, to allow users to connect as a local admin, map the permission level to a "local admin" group on the computer.

Note

For effective assignment of IAM Shop Permission Levels, computers must be connected to EmpowerID as Local Windows Server account stores. This connection allows EmpowerID to inventory users and groups on the computer, essential for mapping permission levels to local groups on that machine. Note that permission levels are merely labels and require accurate mapping to grant permissions.

Info

EmpowerID includes default IAM Shop Permission Levels for computers, such as "Local Admin" and "Domain Admin." However, you can create custom permission levels tailored to your organization's needs. For more information on customization, please see Create IAM Shop Permission Levels.

How to assign IAM Shop Permission Levels to Computers

...