EmpowerID restricts access to accounts and groups through the use of Management Roles. To view and work with accounts and groups, users must be assigned to the appropriate roles. Management Roles are prefixed by their function in EmpowerID and include the following:
UI – Management Roles prefixed with UI grant users access to specific UI elements in the EmpowerID Web interface.
VIS – Management Roles prefixed with VIS grant users the ability to see specific objects in EmpowerID.
ACT – Management Roles prefixed with ACT grant users the ability to manage specific objects in EmpowerID.
Roles needed by users to view and edit account profile information
To manage the group assignments of user accounts, users need to have a combination of the following Management Role assignments (based on the needed scope).
Roles needed to view and initiate editing user account profiles belonging to the same locations as the people with the roles
...
Management Role
...
Access Granted by Management Role
...
Role Type
...
UI-Account-Profile-Edit
...
Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes.
...
WORKFLOW ACCESS
...
Roles needed to view and initiate editing the profiles of additional types of user accounts
...
Management Role
...
Access Granted by Management Role
...
Role Type
...
UI-Account-Profile-Edit
...
Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes.
Feature Set — Inherits the below Access Levels from the parent Management Role Definition:
PAGES AND CONTROLS ACCESS
Find Account Page
Viewer for the page
Account View One Page
Viewer for the page
Viewer for the Actions Accordion
Viewer for the Advanced Tab
Account Edit One Page
Viewer for the page
WORKFLOW ACCESS
Resource Manager Account Update
Initiator for the workflow
...
Active Directory User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see Active Directory user accounts
...
VIS-Accounts-AD
...
Grants visibility for all Active Directory user accounts.
...
Visibility
...
AWS User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see Amazon Web Services user accounts
...
VIS-Accounts-AWS
...
Grants visibility for all user accounts in any Amazon Web Services account store.
...
Visibility
...
Linux User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see Linux user accounts
...
VIS-Accounts-Linux
...
Grants visibility for all Linux user accounts.
...
Visibility
...
Local Windows User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see Local Windows Server user accounts
...
VIS-Accounts-LocalWindows
...
Grants visibility for all user accounts belonging to Local Windows Server account stores.
...
Visibility
...
Office 365 User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see Office 365 user accounts
...
VIS-Accounts-O365
...
Grants visibility for all Office 365 / Azure AD user accounts.
...
Visibility
...
SAP User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see SAP user accounts
...
VIS-Accounts-SAP
...
Grants visibility for all SAP user accounts.
...
Visibility
...
Roles needed to view and initiate editing the profile information of all user accounts in any system under the All IT Systems location
...
Management Role
...
Access Granted by Management Role
...
Role Type
...
UI-Account-Profile-Edit
...
VIS-Accounts-MyLocations
...
Grants visibility for all user accounts in the same locations as the currently logged in user.
...
Visibility
...
Roles needed to view and initiate editing user account profiles belonging to the same organizations as the people with the roles
...
Management Role
...
Access Granted by Management Role
...
Role Type
...
UI-Account-Profile-Edit
...
Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes.
Feature Set — Inherits the below Access Levels from the parent Management Role Definition:
PAGES AND CONTROLS ACCESS
Find Account Page
Viewer for the page
Account View One Page
Viewer for the page
Viewer for the Actions Accordion
Viewer for the Advanced Tab
Account Edit One Page
Viewer for the page
WORKFLOW ACCESS
Resource Manager Account Update
Initiator for the workflow
...
VIS-Accounts-MyOrg
...
Grants visibility for all user accounts in the same organizations as the currently logged in user.
...
Visibility
Feature Set — Inherits the below Access Levels from the parent Management Role Definition:
PAGES AND CONTROLS ACCESS
Find Account Page
Viewer for the page
Account View One Page
Viewer for the page
Viewer for the General Tab
Viewer for the Group Membership Grid
Viewer for the Group Membership Changes Grid
Viewer for the Resultant Membership Grid
WORKFLOW ACCESS
Add Accounts to Groups
Initiator for the workflow
Remove Service Principal from Groups
Initiator for the workflow
Update Account Group Membership
Initiator for the workflow
...
VIS-Accounts-All
...
Grants visibility for all accounts in any location.
...
Visibility
Roles needed to add and remove accounts to and from groups
To manage the group assignments of user accounts, users need to have a combination of the following Management Role assignments (based on the needed scope).
VIS-Accounts-All-IT-Systems
...
Grants visibility for all accounts under All IT Systems.
...
Visibility
...
Roles needed to view and initiate editing the profiles of all user accounts in the system
...
Management Role
...
Access Granted by Management Role
...
Role Type
...
UI-Account-Membership-Management
...
Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows.
VIS-Groups-Generic-MyLocation
...
Grants visibility for all generic groups belonging to the same locations as the currently logged in user.
...
Visibility
...
ACT-Group-Membership-Management-Generic-MyLocations
...
Grants access to manage membership for generic groups belonging to the same locations as the currently logged in user.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
VIS-Groups-Security-MyLocations
...
Grants visibility for all security groups belonging to the same locations as the currently logged in user.
...
Visibility
...
ACT-Group-Membership-Management-Security-MyLocations
...
Grants access to manage membership for security groups belonging to the same locations as the currently logged in user.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
Roles needed by people to manage the group assignments of user accounts and groups in their organizations (without requiring approval)
Info: Accounts can only be added to groups that belong to the same domain.
...
Management Role
...
Access Granted by Management Role
...
Role Type
...
Account Roles Needed
...
UI-Account-Membership-Management
...
VIS-Accounts-MyOrg
...
Grants visibility for all user accounts in the same organizations as the currently logged in user.
...
Visibility
Grants access to manage membership for user accounts belonging to the same organizations as the currently logged in user.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
Group Roles Needed
...
UI-Group-Membership-Management
...
Grants people access to the user interfaces and workflows for viewing basic information about groups, as well as for initiating group membership management workflows.
Feature Set — Inherits the below Access Levels from the parent Management Role Definition:
PAGES AND CONTROLS ACCESS
Find Group Page
Viewer for the page
Viewer for the Dashboard Tab
Viewer for the All Groups Tab
Viewer for the Groups I Manage Tab
Group View One Page
Viewer for the page
Viewer for the General Tab
Viewer for the Membership Changes Tab
Viewer for the Group Members Grid
WORKFLOW ACCESS
Add Accounts to Groups
Initiator for the workflow
Update Group Account Membership
Initiator for the workflow
Add People to Groups
Initiator for the workflow
Update Person Group Membership
Initiator for the workflow
Temporary Group Membership
Initiator for the workflow
Add Groups to Group
Initiator for the workflow
Remove Groups from Group
Initiator for the workflow
Remove Service Principal from Groups
Initiator for the workflow
...
VIS-Groups-Distribution-MyOrganizations
...
Grants visibility for all distribution groups belonging to the same organizations as the currently logged in user.
...
Visibility
...
ACT-Group-Membership-Management-Distribution-MyOrganizations
...
VIS-Groups-Generic-MyOrg
...
...
Visibility
Info: Accounts can only be added to groups that belong to the same domain.
...
Management Role
...
Access Granted by Management Role
...
Role Type
...
UI-Account-Membership-Management
...
Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows.
Feature Set — Inherits the below Access Levels from the parent Management Role Definition:
PAGES AND CONTROLS ACCESS
Find Account Page
Viewer for the page
Account View One Page
Viewer for the page
Viewer for the General Tab
Viewer for the Group Membership Grid
Viewer for the Group Membership Changes Grid
Viewer for the Resultant Membership Grid
WORKFLOW ACCESS
Add Accounts to Groups
Initiator for the workflow
Remove Service Principal from Groups
Initiator for the workflow
Update Account Group Membership
Initiator for the workflow
...
UI-Group-Membership-Management
...
Grants people access to the user interfaces and workflows for viewing basic information about groups, as well as for initiating group membership management workflows.
Feature Set — Inherits the below Access Levels from the parent Management Role Definition:
PAGES AND CONTROLS ACCESS
Find Group Page
Viewer for the page
Viewer for the Dashboard Tab
Viewer for the All Groups Tab
Viewer for the Groups I Manage Tab
Group View One Page
Viewer for the page
Viewer for the General Tab
Viewer for the Membership Changes Tab
Viewer for the Group Members Grid
WORKFLOW ACCESS
Add Accounts to Groups
Initiator for the workflow
Update Group Account Membership
Initiator for the workflow
Add People to Groups
Initiator for the workflow
Update Person Group Membership
Initiator for the workflow
Temporary Group Membership
Initiator for the workflow
Add Groups to Group
Initiator for the workflow
Remove Groups from Group
Initiator for the workflow
Remove Service Principal from Groups
Initiator for the workflow
...
Active Directory User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage Active Directory group membership for Active Directory user accounts
...
VIS-Accounts-AD
...
Grants visibility for all Active Directory user accounts.
...
Visibility
...
VIS-Groups-All-AD
...
Grants visibility for all Active Directory groups.
...
Visibility
...
ACT-Account-Membership-Management-All-AD-Accounts
...
Grants access to manage group membership for all Active Directory user accounts.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
ACT-Group-Membership-Management-All-AD-Groups
...
Grants access to manage group membership for all Active Directory groups.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
AWS User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage AWS group memberships for AWS user accounts.
...
VIS-Accounts-AWS
...
Grants visibility for all AWS user accounts.
...
Visibility
...
VIS-Groups-All-AWS
...
Grants visibility for all AWS groups.
...
Visibility
...
ACT-Account-Membership-Management-All
...
Grants access to manage group membership for all user accounts, including AWS user accounts.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
ACT-Group-Membership-Management-All-AWS-Groups
...
Grants access to manage group membership for all AWS groups.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
Linux User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage Linux group memberships for Linux user accounts
...
VIS-Accounts-Linux
...
Grants visibility for all Linux user accounts.
...
Visibility
...
VIS-Groups-All
...
Grants visibility for all groups, including all groups in Linux systems.
...
Visibility
...
ACT-Account-Membership-Management-All
...
Grants access to manage group membership for all user accounts, including Linux user accounts.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
ACT-Group-Membership-Management-All-Groups
...
Grants access to manage group membership for all groups, including Linux groups.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
Local Windows User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage group memberships for Local Windows Server user accounts and groups
...
VIS-Accounts-LocalWindows
...
Grants visibility for all user accounts belonging to Local Windows Server account stores.
...
Visibility
...
VIS-Groups-All
...
Grants visibility for all groups, including all groups in Local Windows Server account stores.
...
Visibility
...
ACT-Account-Membership-Management-All
...
Grants access to manage group membership for all user accounts, including Local Windows user accounts.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
ACT-Group-Membership-Management-All-Groups
...
Grants access to manage group membership for all groups, including Local Windows groups.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
Office 365 User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage group memberships for Office 365 user accounts and groups
...
VIS-Accounts-O365
...
Grants visibility for all Office 365 / Azure AD user accounts.
...
Visibility
...
VIS-Groups-All-O365
...
Grants visibility for all Office 365 groups.
...
Visibility
...
ACT-Account-Membership-Management-All
...
Grants access to manage group membership for all user accounts, including Office 365 / Azure AD user accounts.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
ACT-Group-Membership-Management-All-O365-Groups
...
Grants access to manage group membership for all Office 365 groups.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
SAP User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage group memberships for SAP user accounts and groups
...
VIS-Accounts-SAP
...
Grants visibility for all SAP user accounts.
...
Visibility
...
VIS-Groups-All-SAP
...
Grants visibility for all Office 365 groups.
...
Visibility
...
ACT-Account-Membership-Management-All-SAP-Accounts
...
Grants access to manage group membership for all SAP and ABAP user accounts.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
ACT-Group-Membership-Management-All-SAP-Groups
...
Grants access to manage membership for all SAP Roles and Profiles.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
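As an added example (not EmpowerID code), the per-system role combinations listed above can be encoded to check what a given set of assignments yields, and whether roles granted for one system also complete the combination for another. Role names are taken from this page; the outcome labels and the UI, then VIS, then ACT evaluation order are simplifying assumptions.

```python
"""Added example: audit role assignments against the combinations on this page."""

# UI roles required for every system in the group-membership section.
UI_ROLES = frozenset({
    "UI-Account-Membership-Management",
    "UI-Group-Membership-Management",
})

# system -> (VIS roles, ACT roles), transcribed from the per-system lists above.
REQUIRED = {
    "AD": ({"VIS-Accounts-AD", "VIS-Groups-All-AD"},
           {"ACT-Account-Membership-Management-All-AD-Accounts",
            "ACT-Group-Membership-Management-All-AD-Groups"}),
    "AWS": ({"VIS-Accounts-AWS", "VIS-Groups-All-AWS"},
            {"ACT-Account-Membership-Management-All",
             "ACT-Group-Membership-Management-All-AWS-Groups"}),
    "Linux": ({"VIS-Accounts-Linux", "VIS-Groups-All"},
              {"ACT-Account-Membership-Management-All",
               "ACT-Group-Membership-Management-All-Groups"}),
    "LocalWindows": ({"VIS-Accounts-LocalWindows", "VIS-Groups-All"},
                     {"ACT-Account-Membership-Management-All",
                      "ACT-Group-Membership-Management-All-Groups"}),
    "O365": ({"VIS-Accounts-O365", "VIS-Groups-All-O365"},
             {"ACT-Account-Membership-Management-All",
              "ACT-Group-Membership-Management-All-O365-Groups"}),
    "SAP": ({"VIS-Accounts-SAP", "VIS-Groups-All-SAP"},
            {"ACT-Account-Membership-Management-All-SAP-Accounts",
             "ACT-Group-Membership-Management-All-SAP-Groups"}),
}


def evaluate(assigned, system):
    """Return the modelled outcome and the missing roles for one system.

    Outcome labels are this example's own (assumption):
      cannot_initiate      - a UI role is missing
      objects_not_visible  - a VIS role is missing
      routes_for_approval  - an ACT role is missing (behaviour stated on the page)
      direct               - the full combination is held
    """
    assigned = set(assigned)
    vis, act = REQUIRED[system]
    missing = {
        "UI": sorted(UI_ROLES - assigned),
        "VIS": sorted(vis - assigned),
        "ACT": sorted(act - assigned),
    }
    if missing["UI"]:
        outcome = "cannot_initiate"
    elif missing["VIS"]:
        outcome = "objects_not_visible"
    elif missing["ACT"]:
        outcome = "routes_for_approval"
    else:
        outcome = "direct"
    return {"system": system, "outcome": outcome, "missing": missing}


def shared_roles():
    """Roles that appear in more than one system's combination."""
    seen = {}
    for system, (vis, act) in REQUIRED.items():
        for role in vis | act:
            seen.setdefault(role, set()).add(system)
    return {role: sorted(s) for role, s in seen.items() if len(s) > 1}


def unintended_direct(assigned, intended):
    """Systems other than `intended` where the same roles skip approval."""
    return sorted(
        s for s in REQUIRED
        if s != intended and evaluate(assigned, s)["outcome"] == "direct"
    )


def full_set(system):
    """The complete combination the page lists for one system."""
    vis, act = REQUIRED[system]
    return set(UI_ROLES) | vis | act


if __name__ == "__main__":
    # Constructed assignment: a Linux group administrator who was later
    # given visibility of Local Windows accounts.
    roles = full_set("Linux") | {"VIS-Accounts-LocalWindows"}
    for name in REQUIRED:
        print(name, evaluate(roles, name)["outcome"])
    print("also unapproved in:", unintended_direct(roles, "Linux"))
```

Because the Linux and Local Windows combinations share three of their four VIS/ACT roles, adding one visibility role to a Linux administrator completes the Local Windows combination as well.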
Roles needed to create, update and delete accounts
To create, update and delete user accounts in EmpowerID, people need to have a combination of the following Management Role assignments (based on the needed scope):
...
Roles needed by people to create, update and delete user accounts in their locations
...
Management Role
...
Access Granted by Management Role
...
Role Type
...
UI-Account-Object-Administration
...
Grants access to the user interfaces and workflows for creating, updating and deleting user accounts.
Feature Set — Inherits the below Access Levels from the parent Management Role Definition:
PAGES AND CONTROLS ACCESS
Find Account Page
Viewer for the page
Viewer for the Location Tree
Viewer for the Deleted Accounts Tab
Account View One Page
Viewer for the page
Viewer for the Actions Accordion
Viewer for the Advanced Tab
Viewer for the Deleted Accounts Tab
Account Edit One Page
Viewer for the page
WORKFLOW ACCESS
Create User Account
Initiator for the workflow
Disable User Account
Initiator for the workflow
Enable User Account
Initiator for the workflow
Delete Account
Initiator for the workflow
Restore Deleted Account
Initiator for the workflow
...
VIS-Accounts-MyLocations
...
Grants visibility for all accounts in the same locations as the currently logged in user.
...
Visibility
...
ACT-Account-Object-Administration-MyLocations
...
Grants access to create, edit and delete all accounts in the same location as the currently logged in user.
...
Activity
...
Roles needed by people to create, update and delete user accounts in their organizations
...
Management Role
...
Access Granted by Management Role
...
Role Type
...
UI-Account-Object-Administration
...
Grants access to the user interfaces and workflows for creating, updating and deleting user accounts.
Feature Set — Inherits the below Access Levels from the parent Management Role Definition:
PAGES AND CONTROLS ACCESS
Find Account Page
Viewer for the page
Viewer for the Location Tree
Viewer for the Deleted Accounts Tab
Account View One Page
Viewer for the page
Viewer for the Actions Accordion
Viewer for the Advanced Tab
Viewer for the Deleted Accounts Tab
Account Edit One Page
Viewer for the page
WORKFLOW ACCESS
Create User Account
Initiator for the workflow
Disable User Account
Initiator for the workflow
Enable User Account
Initiator for the workflow
Delete Account
Initiator for the workflow
Restore Deleted Account
Initiator for the workflow
...
VIS-Accounts-MyOrg
...
Grants visibility for all accounts in the same organizations as the currently logged in user.
...
Visibility
...
ACT-Account-Object-Administration-MyOrg
...
Grants access to create, edit and delete all accounts in the same location as the currently logged in user.
...
Activity
...
Roles needed to create, update and delete accounts in specific systems
...
Management Role
...
Access Granted by Management Role
...
Role Type
...
UI-Account-Object-Administration
...
Grants access to the user interfaces and workflows for creating, updating and deleting user accounts.
Feature Set — Inherits the below Access Levels from the parent Management Role Definition:
PAGES AND CONTROLS ACCESS
Find Account Page
Viewer for the page
Viewer for the Location Tree
Viewer for the Deleted Accounts Tab
Account View One Page
Viewer for the page
Viewer for the Actions Accordion
Viewer for the Advanced Tab
Viewer for the Deleted Accounts Tab
Account Edit One Page
Viewer for the page
WORKFLOW ACCESS
Create User Account
Initiator for the workflow
Disable User Account
Initiator for the workflow
Enable User Account
Initiator for the workflow
Delete Account
Initiator for the workflow
Restore Deleted Account
Initiator for the workflow
...
In addition to the UI-Account-Object-Administration Management Role, users need the following roles to create, update and delete AD user accounts.
VIS-Accounts-AD — Grants visibility for all Active Directory user accounts.
ACT-Account-Object-Administration-AD — Grants access to create, edit, and delete all Active Directory accounts.

In addition to the UI-Account-Object-Administration Management Role, users need the following roles to create, update and delete AWS user accounts.
VIS-Accounts-AWS — Grants visibility for all AWS user accounts.
ACT-Account-Object-Administration-AWS — Grants access to create, edit, and delete all AWS accounts.

In addition to the UI-Account-Object-Administration Management Role, users need the following roles to create, update and delete Linux user accounts.
VIS-Accounts-Linux — Grants visibility for all Linux user accounts.
ACT-Account-Object-Administration-All — Grants access to create, edit, and delete all user accounts, including accounts in Linux systems.

In addition to the UI-Account-Object-Administration Management Role, users need the following roles to create, update and delete Local Windows user accounts.
VIS-Accounts-LocalWindows — Grants visibility for all Local Windows user accounts.
ACT-Account-Object-Administration-All — Grants access to create, edit, and delete all user accounts, including accounts in Local Windows systems.

In addition to the UI-Account-Object-Administration Management Role, users need the following roles to create, update and delete Office 365 user accounts.
VIS-Accounts-O365 — Grants visibility for all Office 365/Azure user accounts.
ACT-Account-Object-Administration-O365 — Grants access to create, edit, and delete accounts in Office 365.

In addition to the UI-Account-Object-Administration Management Role, users need the following roles to create, update and delete SAP user accounts.
VIS-Accounts-SAP — Grants visibility for all SAP user accounts.
ACT-Account-Object-Administration-SAP — Grants access to create, edit, and delete accounts in SAP ABAP.
...
Roles needed to create, update and delete accounts in any system
...
Management Role
...
Access Granted by Management Role
...
Role Type
...
UI-Account-Object-Administration
...
Grants access to the user interfaces and workflows for creating, updating and deleting user accounts.
Feature Set — Inherits the below Access Levels from the parent Management Role Definition:
PAGES AND CONTROLS ACCESS
Find Account Page
Viewer for the page
Viewer for the Location Tree
Viewer for the Deleted Accounts Tab
Account View One Page
Viewer for the page
Viewer for the Actions Accordion
Viewer for the Advanced Tab
Viewer for the Deleted Accounts Tab
Account Edit One Page
Viewer for the page
WORKFLOW ACCESS
Create User Account
Initiator for the workflow
Disable User Account
Initiator for the workflow
Enable User Account
Initiator for the workflow
Delete Account
Initiator for the workflow
Restore Deleted Account
Initiator for the workflow
...
VIS-Accounts-All
...
Grants visibility for all accounts.
...
Visibility
...
ACT-Account-Object-Administration-All
...
Roles needed to manage the group assignments of user accounts and other group types (without requiring approval)
Info: Accounts can only be added to groups that belong to the same domain.
...
Management Role
...
Access Granted by Management Role
...
Role Type
...
UI-Account-Membership-Management
...
Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows.
Feature Set — Inherits the below Access Levels from the parent Management Role Definition:
PAGES AND CONTROLS ACCESS
Find Account Page
Viewer for the page
Account View One Page
Viewer for the page
Viewer for the General Tab
Viewer for the Group Membership Grid
Viewer for the Group Membership Changes Grid
Viewer for the Resultant Membership Grid
WORKFLOW ACCESS
Add Accounts to Groups
Initiator for the workflow
Remove Service Principal from Groups
Initiator for the workflow
Update Account Group Membership
Initiator for the workflow
...
UI-Group-Membership-Management
...
Grants people access to the user interfaces and workflows for viewing basic information about groups, as well as for initiating group membership management workflows.
Feature Set — Inherits the below Access Levels from the parent Management Role Definition:
PAGES AND CONTROLS ACCESS
Find Group Page
Viewer for the page
Viewer for the Dashboard Tab
Viewer for the All Groups Tab
Viewer for the Groups I Manage Tab
Group View One Page
Viewer for the page
Viewer for the General Tab
Viewer for the Membership Changes Tab
Viewer for the Group Members Grid
WORKFLOW ACCESS
Add Accounts to Groups
Initiator for the workflow
Update Group Account Membership
Initiator for the workflow
Add People to Groups
Initiator for the workflow
Update Person Group Membership
Initiator for the workflow
Temporary Group Membership
Initiator for the workflow
Add Groups to Group
Initiator for the workflow
Remove Groups from Group
Initiator for the workflow
Remove Service Principal from Groups
Initiator for the workflow
...
Active Directory User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage Active Directory group membership for Active Directory user accounts
...
VIS-Accounts-AD
...
Grants visibility for all Active Directory user accounts.
...
Visibility
...
VIS-Groups-All-AD
...
Grants visibility for all Active Directory user accounts.
...
Visibility
...
ACT-Account-Membership-Management-All-AD-Accounts
...
Grants access to manage group membership for all Active Directory user accounts.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
ACT-Group-Membership-Management-All-AD-Groups
...
Grants access to manage group membership for all Active Directory groups.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
AWS User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage AWS group memberships for AWS user accounts.
...
VIS-Accounts-AWS
...
Grants visibility for all AWS user accounts.
...
Visibility
...
VIS-Groups-All-AWS
...
Grants visibility for all AWS groups.
...
Visibility
...
ACT-Account-Membership-Management-All
...
Grants access to manage group membership for all user accounts, including AWS user accounts.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
ACT-Group-Membership-Management-All-AWS-Groups
...
Grants access to manage group membership for all AWS groups.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
Linux User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage Linux group memberships for Linux user accounts
...
VIS-Accounts-Linux
...
Grants visibility for all Linux user accounts.
...
Visibility
...
VIS-Groups-All
...
Grants visibility for all groups, including all groups in Linux systems.
...
Visibility
...
ACT-Account-Membership-Management-All
...
Grants access to manage group membership for all user accounts, including Linux user accounts.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
ACT-Group-Membership-Management-All-Groups
...
Grants access to manage group membership for all groups, including Linux groups.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
Local Windows User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage group memberships for Local Windows Server user accounts and groups
...
VIS-Accounts-LocalWindows
...
Grants visibility for all user accounts belonging to Local Windows Server account stores.
...
Visibility
...
VIS-Groups-All
...
Grants visibility for all groups, including all groups in Local Windows Server account stores.
...
Visibility
...
ACT-Account-Membership-Management-All
...
Grants access to manage group membership for all user accounts, including Local Windows user accounts.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
ACT-Group-Membership-Management-All-Groups
...
Grants access to manage group membership for all groups, including Local Windows groups.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
Office 365 User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage group memberships for Office 365 user accounts and groups
...
VIS-Accounts-O365
...
Grants visibility for all Office 365 / Azure AD user accounts.
...
Visibility
...
VIS-Groups-All-O365
...
Grants visibility for all Office 365 groups.
...
Visibility
...
ACT-Account-Membership-Management-All
...
Grants access to manage group membership for all user accounts, including Office 365 / Azure AD user accounts.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
ACT-Group-Membership-Management-All-O365-Groups
...
Grants access to manage group membership for all Office 365 groups.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
SAP User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage group memberships for SAP user accounts and groups
...
VIS-Accounts-SAP
...
Grants visibility for all SAP user accounts.
...
Visibility
...
VIS-Groups-All-SAP
...
Grants visibility for all Office 365 groups.
...
Visibility
...
ACT-Account-Membership-Management-All-SAP-Accounts
...
Grants access to manage group membership for all SAP and ABAP user accounts.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
ACT-Group-Membership-Management-All-SAP-Groups
...
Grants access to manage membership for all SAP Roles and Profiles.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
Roles needed by people to manage the group assignments for all user accounts and groups (without requiring approval)
Info: Accounts can only be added to groups that belong to the same domain.
...
Management Role
...
Access Granted by Management Role
...
Role Type
...
Account Roles Needed
...
UI-Account-Membership-Management
...
Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows.
Feature Set — Inherits the below Access Levels from the parent Management Role Definition:
PAGES AND CONTROLS ACCESS
Find Account Page
Viewer for the page
Account View One Page
Viewer for the page
Viewer for the General Tab
Viewer for the Group Membership Grid
Viewer for the Group Membership Changes Grid
Viewer for the Resultant Membership Grid
WORKFLOW ACCESS
Add Accounts to Groups
Initiator for the workflow
Remove Service Principal from Groups
Initiator for the workflow
Update Account Group Membership
Initiator for the workflow
...
VIS-Accounts-All
...
Grants visibility for all user accounts.
...
Visibility
...
ACT-Account-Membership-Management-All-Accounts
...
Grants access to manage membership for all user accounts.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
Group Roles Needed
...
UI-Group-Membership-Management
...
Grants people access to the user interfaces and workflows for viewing basic information about groups, as well as for initiating group membership management workflows.
Feature Set — Inherits the below Access Levels from the parent Management Role Definition:
PAGES AND CONTROLS ACCESS
Find Group Page
Viewer for the page
Viewer for the Dashboard Tab
Viewer for the All Groups Tab
Viewer for the Groups I Manage Tab
Group View One Page
Viewer for the page
Viewer for the General Tab
Viewer for the Membership Changes Tab
Viewer for the Group Members Grid
WORKFLOW ACCESS
Add Accounts to Groups
Initiator for the workflow
Update Group Account Membership
Initiator for the workflow
Add People to Groups
Initiator for the workflow
Update Person Group Membership
Initiator for the workflow
Temporary Group Membership
Initiator for the workflow
Add Groups to Group
Initiator for the workflow
Remove Groups from Group
Initiator for the workflow
Remove Service Principal from Groups
Initiator for the workflow
...
VIS-Groups-All
...
Grants visibility for all groups.
...
Visibility
...
ACT-Group-Membership-Management-All-Groups
...
Grants access to manage membership for all groups.
If this role is not included, the change to group membership routes for approval to someone who can approve the request.
...
Activity
...
Roles needed to manage the group assignments of user accounts and other group types (without requiring approval)
Roles needed to create, update and delete groups
To create, update and delete groups in EmpowerID, people need to have a combination of the following Management Role assignments (based on the needed scope):