Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

EmpowerID restricts access to PAM and PSM through the use of Management Roles. To work with PAM and PSM, users must be assigned to the appropriate roles. Management Roles are prefixed by their function in EmpowerID and include the following:

  • UI — Management Roles prefixed with UI grant users access to specific UI elements in the EmpowerID Web interface. An example of this type of role for PAM is UI-Computer-PAM-User-Full-Access. This role grants access to the user interfaces and workflows for requesting PSM access to computers.

  • VIS VISManagement Roles prefixed with VIS grant users the ability to see specific objects in EmpowerID. An example of this type of role for PAM is VIS-Computer-MyLocations. This role grants access to see computers that belong to the same location as the person with the role.

  • ACT ACTManagement Roles prefixed with ACT grant users the ability to manage specific objects in EmpowerID. An  An example of this type of role for PAM is ACT-Computer-Shared-Credential-Assigner-MyLocations. This role grants users with the role the ability to assign and unassign shared credentials to computers in the person's locations.

Roles needed to use

vaulted

credentials and access computers

To use vaulted credentials and access computers, users need to have be a combination member of one of the following below Management Role assignments Roles (based on the needed scope):

Expand
titleView Roles

Management Role

Access Granted

by Management Role

PAM User for All Creds and Computers (Role Bundle)

This Management is a role bundle that grants people with the role membership in the below Management Roles:

  • UI-Shared-Credential-PAM-User-Self-Service

    • Grants access to the user interfaces and workflows to request and use vaulted credentials

.
  • UI-IT-Shop-MS-Computer

-Shared-Credential-PAM
    • Grants access to shop for access to servers in the IAM Shop microservice app

  • UI-Computer-PSM-User-Self-Service

    • Grants access to the user interfaces and workflows to request

and use vaulted credentials and
    • PSM access to computers

.
  • UI-IT-Shop-MS-Shared-Credential

    • Grants access to shop for Shared Credentials in the IAM Shop microservice app

  • ACT-Shared-Credential-Use-All

    • Grants access to check-out all shared credentials

  • ACT-Computer-Shared-Credential-Login-All

    • Grants access to use a shared credential to initiate a Privileged Session to any computer

  • VIS-Computer-

MyLocations

Grants visibility for computers in a person's locations. This role would be assigned if the person should have visibility for computers in their locations only.

VIS-Computer-MyOrg

Grants visibility for computers in a person's organizations. This role would be assigned if the person should have visibility for all computers in their organizations.

VIS-Computer-All

Grants visibility for all inventoried computers. This role would be assigned if the person should have visibility for all computers.

VIS-Shared-Credential-MyLocations

Grants visibility for vaulted credentials in a person's locations. This role would be assigned if the person should have visibility for vaulted credentials in their locations only.
  • All

    • Grants access to see all computers

  • VIS-Shared-Credential-All

    • Grants access to see all vaulted credentials

  • IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types

    • Grants access for the UI to use the IAM Shop, My Tasks, My Identity microservices but does not grant visibility to objects or the UI- roles for each resource type.

PAM User for Creds and Computers in My Locations (Role Bundle)

This Management is a role bundle that grants people with the role membership in the below Management Roles:

Easy html macro
theme{"label":"solarized_dark","value":"solarized_dark"}
contentByMode{"html":"<!doctype html>\r\n<link href=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/bootstrap.min.css\" rel=\"stylesheet\" integrity=\"sha384-EVSTQN3/azprG1Anm3QDgpJLIm9Nao0Yz1ztcQTwFspd3yD65VohhpuuCOmLASjC\" crossorigin=\"anonymous\">\r\n<link href=\"https://docs.empowerid.com/new_docs.css\" rel=\"stylesheet\">\r\n<script src=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/bootstrap.bundle.min.js\" integrity=\"sha384-MrcW6ZMFYlzcLA8Nl+NtUVF0sA7MsXsP1UyJoMp4YLEuNSfAP+JcXn/tWtIaxVXM\" crossorigin=\"anonymous\"></script>\r\n <p class = \"bd-callout bd-callout-info\">All access is scoped to credentials and computers \r\n in the person's locations.</p>","javascript":"","css":""}
  • UI-Shared-Credential-PAM-User-Self-Service

    • Grants access to the user interfaces and workflows to request and use vaulted credentials

  • UI-IT-Shop-MS-Computer

    • Grants access to shop for access to servers in the IAM Shop microservice app

  • UI-Computer-PSM-User-Self-Service

    • Grants access to the user interfaces and workflows to request PSM access to computers

  • UI-IT-Shop-MS-Shared-Credential

    • Grants access to shop for Shared Credentials in the IAM Shop microservice app

  • ACT-Shared-Credential-Use-MyLocations

    • Grants access to check-out shared credentials in the person’s locations

  • ACT-Computer-Shared-Credential-Login-MyLocations

    • Grants access to use a shared credential to initiate a Privileged Session to computers in the person’s locations

  • VIS-Computer-MyLocations

    • Grants access to see computers in the person’s locations

  • VIS-Shared-Credential-

MyOrg
  • MyLocations

    • Grants

visibility for vaulted credentials in a person's organizations. This role would be assigned if the person should have visibility for all vaulted credentials in their organizations.

VIS-Shared-Credential-All

Grants visibility for all vaulted credentials.

ACT-Shared-Credential-Use-All

Grants people with the role the ability to check out all shared credentials without requiring approval.

ACT-Shared-Credential-Use-MyLocations

Grants people with the role the ability to check out shared credentials in their locations without requiring approval.
    • access to see vaulted credentials in the person’s locations

  • IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types

    • Grants access for the UI to use the IAM Shop, My Tasks, My Identity microservices but does not grant visibility to objects or the UI- roles for each resource type.

PAM User for Creds and Computers in My Org (Role Bundle)

This Management is a role bundle that grants people with the role membership in the below Management Roles:

Easy html macro
theme{"label":"solarized_dark","value":"solarized_dark"}
contentByMode{"html":"<!doctype html>\r\n<link href=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/bootstrap.min.css\" rel=\"stylesheet\" integrity=\"sha384-EVSTQN3/azprG1Anm3QDgpJLIm9Nao0Yz1ztcQTwFspd3yD65VohhpuuCOmLASjC\" crossorigin=\"anonymous\">\r\n<link href=\"https://docs.empowerid.com/new_docs.css\" rel=\"stylesheet\">\r\n<script src=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/bootstrap.bundle.min.js\" integrity=\"sha384-MrcW6ZMFYlzcLA8Nl+NtUVF0sA7MsXsP1UyJoMp4YLEuNSfAP+JcXn/tWtIaxVXM\" crossorigin=\"anonymous\"></script>\r\n <p class = \"bd-callout bd-callout-info\">All access is scoped to credentials and \r\n computers in the person's organizations.</p>","javascript":"","css":""}
  • UI-Shared-Credential-PAM-User-Self-Service

    • Grants access to the user interfaces and workflows to request and use vaulted credentials

  • UI-IT-Shop-MS-Computer

    • Grants access to shop for access to servers in the IAM Shop microservice app

  • UI-Computer-PSM-User-Self-Service

    • Grants access to the user interfaces and workflows to request PSM access to computers

  • UI-IT-Shop-MS-Shared-Credential

    • Grants access to shop for Shared Credentials in the IAM Shop microservice app

  • ACT-Shared-Credential-Use-MyOrg

    • Grants

people with the role the ability
    • access to check-out shared credentials in

their organization without requiring approval.
    • the person’s organizations

  • ACT-Computer-Shared-Credential-Login-

All
  • MyOrg

    • Grants

people with the role the ability to use
    • access to use a shared credential to initiate a Privileged Session to

any computer without requiring approval. ACT-Computer
    • computers in the person’s organizations

  • VIS-Computer-MyOrg

    • Grants access to see computers in the person’s organizations

  • VIS-Shared-Credential-

Login-LocalAdminGrants
  • MyOrg

    • Grants access to see vaulted credentials in the person’s organizations

  • IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types

    • Grants access for the UI to use the IAM Shop, My Tasks, My Identity microservices but does not grant visibility to objects or the UI- roles for each resource type.

PAM User for Creds and Computers I Own

This Management is a role bundle that grants people with the role

the ability to use a shared credential to initiate a Privileged Session to any computer where the person is a member of the local admins group without requiring approval.

ACT-Computer-Shared-Credential-Login-MyLocations

Grants people with the role the ability to use a shared credential to initiate a Privileged Session to any computer in person's locations without requiring approval.

ACT-Computer-Shared-Credential-Login-MyOrg

Grants people with the role the ability to

membership in the below Management Roles:

Easy html macro
theme{"label":"solarized_dark","value":"solarized_dark"}
contentByMode{"html":"<!doctype html>\r\n<link href=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/bootstrap.min.css\" rel=\"stylesheet\" integrity=\"sha384-EVSTQN3/azprG1Anm3QDgpJLIm9Nao0Yz1ztcQTwFspd3yD65VohhpuuCOmLASjC\" crossorigin=\"anonymous\">\r\n<link href=\"https://docs.empowerid.com/new_docs.css\" rel=\"stylesheet\">\r\n<script src=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/bootstrap.bundle.min.js\" integrity=\"sha384-MrcW6ZMFYlzcLA8Nl+NtUVF0sA7MsXsP1UyJoMp4YLEuNSfAP+JcXn/tWtIaxVXM\" crossorigin=\"anonymous\"></script>\r\n <p class = \"bd-callout bd-callout-info\">All access is scoped to credentials and \r\n computers the person owns.</p>","javascript":"","css":""}
  • UI-Shared-Credential-PAM-User-Self-Service

    • Grants access to the user interfaces and workflows to request and use vaulted credentials

  • UI-IT-Shop-MS-Computer

    • Grants access to shop for access to servers in the IAM Shop microservice app

  • UI-Computer-PSM-User-Self-Service

    • Grants access to the user interfaces and workflows to request PSM access to computers

  • UI-IT-Shop-MS-Shared-Credential

    • Grants access to shop for Shared Credentials in the IAM Shop microservice app

  • ACT-Shared-Credential-Login-Responsible

    • Grants access to use a shared credential to initiate a

Privileged Session
    • privileged session to

any computer in person's organization without requiring approval
    • the computer where the person is assigned as the responsible person

  • IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types

    • Grants access for the UI to use the IAM Shop, My Tasks, My Identity microservices but does not grant visibility to objects or the UI- roles for each resource type.

Roles needed to manage

vaulted

credentials

for

and computers

To manage vaulted credentials for and computers, users need to have be a combination member of one of the following below Management Role assignments Roles (based on the needed scope):

Expand
titleView Roles

Management Role

Access Granted

by Management RoleUI-Computer-

PAM Administrator for All Credentials and Computers

This Management is a role bundle that grants people with the role membership in the below Management Roles:

  • ACT-Shared-Credential-Object-Administration-All

    • Grants access to create, edit and delete all shared credentials

  • UI-IT-Shop-MS-Computer

    • Grants access to shop for access to servers in the IAM Shop microservice app

  • VIS-Groups-LocalWindows

    • Grants access to see all Local Windows Server groups

  • UI-Shared-Credential-PAM-User-Full-Access (Feature Set (UI))

    • Grants access to the user interfaces and workflows for managing shared credentials

and their relationship to computer objects.
    • .

  • UI-IT-Shop-MS-Shared-Credential

    • Grants access to shop for Shared Credentials in the IAM Shop microservice app

  • VIS-Location-All

    • Grants access to see all locations

  • VIS-Accounts-AD

    • Grants access to see all Active Directory accounts

  • UI-Computer-PAM-

User
  • Local-

Full
  • Identity-

Access
  • Administration

    • Grants access to the user interfaces and workflows for managing

computer objects for PSM.

VIS-Computer-MyLocations

Grants visibility for computers in a person's locations. This role would be assigned if the person should have visibility for computers in their locations only.
    • local computer users, group, IIS App Pools, and Windows services

  • ACT-Computer-Shared-Credential-Login-All

    • Grants access to use a shared credential to initiate a Privileged Session to any computer

  • VIS-Computer-

MyOrg
  • All

    • Grants

visibility for computers in a person's organizations. This role would be assigned if the person should have visibility for all computers in their organizations.

VIS-Computer-All

Grants visibility for all inventoried computers. This role would be assigned if the Person should have visibility for all computers.

VIS-Shared-Credential-MyLocations

Grants visibility for vaulted credentials in a person's locations. This role would be assigned if the person should have visibility for vaulted credentials in their locations only.

VIS-Shared-Credential-MyOrg

Grants visibility for vaulted credentials in a person's organizations. This role would be assigned if the person should have visibility for all vaulted credentials in their organizations.
    • access to see all computers

  • VIS-Groups-Linux

    • Grants access to see all Linux groups

  • VIS-Accounts-Linux

    • Grants access to see all Linux accounts

  • UI-IT-Shop-MS-Shared-Credential

    • Grants access to shop for Shared Credentials in the IT Shop microservice app

  • VIS-Accounts-LocalWindows

    • Grants access to see all Local Windows Server User accounts

  • VIS-Shared-Credential-All

    • Grants

visibility for
    • access to see all vaulted credentials

.

ACT-Shared-Credential-Create-All

Grants people with the role the ability to create shared credentials anywhere.

ACT-Shared-Credential-Create-MyLocations

Grants people with the role the ability to create shared credentials in their locations.

ACT-Shared-Credential-Create-MyOrg

Grants people with the role the ability to create shared credentials in their organization.

ACT-Shared-Credential-Object-Administration-All

Grants people with the role the ability to create, edit, and delete shared credentials anywhere.

ACT-Shared-Credential-Object-Administration-MyLocations

Grants people with the role the ability to create, edit, and delete shared credentials in their locations.
  • IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types

    • Grants access for the UI to use the IAM Shop, My Tasks, My Identity microservices but does not grant visibility to objects or the UI- roles for each resource type.

PAM Administrator for Credentials and Computers in Person’s Locations

This Management is a role bundle that grants people with the role membership in the below Management Roles:

Easy html macro
theme{"label":"solarized_dark","value":"solarized_dark"}
contentByMode{"html":"<!doctype html>\r\n<link href=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/bootstrap.min.css\" rel=\"stylesheet\" integrity=\"sha384-EVSTQN3/azprG1Anm3QDgpJLIm9Nao0Yz1ztcQTwFspd3yD65VohhpuuCOmLASjC\" crossorigin=\"anonymous\">\r\n<link href=\"https://docs.empowerid.com/new_docs.css\" rel=\"stylesheet\">\r\n<script src=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/bootstrap.bundle.min.js\" integrity=\"sha384-MrcW6ZMFYlzcLA8Nl+NtUVF0sA7MsXsP1UyJoMp4YLEuNSfAP+JcXn/tWtIaxVXM\" crossorigin=\"anonymous\"></script>\r\n <p class = \"bd-callout bd-callout-info\">All access is scoped to credentials and computers \r\n in the person's locations.</p>","javascript":"","css":""}
  • UI-IT-Shop-MS-Computer

    • Grants access to shop for access to servers in the IAM Shop microservice app

  • UI-Shared-Credential-PAM-User-Full-Access (Feature Set (UI))

    • Grants access to the user interfaces and workflows for managing shared credentials.

  • VIS-Location-MyLocationsAndBelow

    • Grants access to see locations in the person’s location and below

  • ACT-Computer-Shared-Credential-Login-MyLocations

    • Grants access to use a shared credential to initiate a Privileged Session to computers in the person’s locations

  • UI-Computer-PAM-Local-Identity-Administration

    • Grants access to the user interfaces and workflows for managing local computer users, group, IIS App Pools, and Windows services

  • ACT-Shared-Credential-Object-Administration-

MyOrg
  • MyLocations

    • Grants

people with the role the ability
    • access to create, edit

,
    • and delete shared credentials in

their organization.
    • the person’s locations

  • ACT

-Computer
  • -Shared-Credential-

Approver
  • Use-

All
  • MyLocations

    • Grants

people with the role the ability to approve PSM login request for any computer.

ACT-Computer-Shared-Credential-Approver-LocalAdmin

Grants people with the role the ability to approve PSM login requests for any computer where the person is a member of the local admins group.

ACT-Computer-Shared-Credential-Approver-MyLocations

Grants people with the role the ability to approve PSM login requests for any computer in their locations.
    • access to check-out shared credentials in the person’s locations

  • VIS-Computer-MyLocations

    • Grants access to see computers in the person’s locations

  • VIS-Shared-Credential-MyLocations

    • Grants access to see vaulted credentials in the person’s locations

  • ACT-Computer-

Shared
  • Object-

Credential
  • Administration-

Approver-MyOrg

Grants people with the role the ability to approve PSM login requests for any computer in person's organization

ACT-Computer-Shared-Credential-Approver-Responsible

Grants people with the role the ability to approve PSM login requests for any computer where the person is assigned as the responsible person.

Roles needed to manage non-computer vaulted credentials

To manage non-computer vaulted credentials for computers, users need to have a combination of the following Management Role assignments (based on the needed scope):

Management Role

Purpose of Management Role

UI-Shared-Credential-Object-Administration

Grants access to the user interfaces and workflows for managing shared credentials.

VIS-Shared-Credential-MyLocations

Grants visibility for vaulted credentials in a person's locations. This role would be assigned if the person should have visibility for vaulted credentials in their locations only.

VIS-Shared-Credential-MyOrg

Grants visibility for vaulted credentials in a person's organizations. This role would be assigned if the person should have visibility for all vaulted credentials in their organizations.

VIS-Shared-Credential-All

Grants visibility for all vaulted credentials.

VIS-Location-All-Business-Locations

Grants visibility for all locations under All Business Locations.

VIS-Location-MyLocationsAndAbove

Grants visibility for the Person's locations and above.

VIS-Location-MyLocationsAndBelow

Grants visibility for the Person's locations and below.

VIS-Location-All

Grants visibility for all locations in the location trees related to managing shared credentials.

ACT-Shared-Credential-Create-All

Grants people with the role the ability to create a shared credential anywhere.

ACT-Shared-Credential-Create-MyLocations

Grants people with the role the ability to create a shared credential in their locations.

ACT-Shared-Credential-Create-MyOrg

Grants people with the role the ability to create a shared credential in their organization.

ACT-Shared-Credential-Object-Administration-All

Grants people with the role the ability to create, edit, and delete shared credentials anywhere.

ACT-Shared-Credential-Object-Administration-MyLocations

Grants people with the role the ability to create, edit, and delete shared credentials in their locations.

ACT-Shared-Credential-Object-Administration-MyOrg

Grants people with the role the ability to create, edit, and delete shared credentials in their organization.

ACT-Shared-Credential-Approver-All

Grants people with the role the ability to approve checkout request for all credentials.

ACT-Shared-Credential-Approver-MyLocations

Grants people with the role the ability to  approve checkout request for credentials in person's locations.

ACT-Shared-Credential-Approver-MyOrg

Grants people with the role the ability to approve checkout requests for any computer in their locations.

ACT-Shared-Credential-Object-Administration-All

Grants people with the role the ability to to create, edit, and delete all shared credentials.
  • MyLocations

    • Grants access to create, edit, and delete computers in the person’s locations

  • UI-Computer-PSM-User-Full-Access

    • Grants access to the user interfaces and workflows for managing computer objects for PSM

  • UI-IT-Shop-MS-Shared-Credential

    • Grants access to shop for Shared Credentials in the IAM Shop microservice app

  • IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types

    • Grants access for the UI to use the IAM Shop, My Tasks, My Identity microservices but does not grant visibility to objects or the UI- roles for each resource type.

  • ACT-Computer-Shared-Credential-Assigner-MyLocations

    • Grants access to assign and unassign shared credentials to computers in the person's locations

PAM Administrator for Credentials and Computers in Person’s Organization

This Management is a role bundle that grants people with the role membership in the below Management Roles:

Easy html macro
theme{"label":"solarized_dark","value":"solarized_dark"}
contentByMode{"html":"<!doctype html>\r\n<link href=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/bootstrap.min.css\" rel=\"stylesheet\" integrity=\"sha384-EVSTQN3/azprG1Anm3QDgpJLIm9Nao0Yz1ztcQTwFspd3yD65VohhpuuCOmLASjC\" crossorigin=\"anonymous\">\r\n<link href=\"https://docs.empowerid.com/new_docs.css\" rel=\"stylesheet\">\r\n<script src=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/bootstrap.bundle.min.js\" integrity=\"sha384-MrcW6ZMFYlzcLA8Nl+NtUVF0sA7MsXsP1UyJoMp4YLEuNSfAP+JcXn/tWtIaxVXM\" crossorigin=\"anonymous\"></script>\r\n <p class = \"bd-callout bd-callout-info\">All access is scoped to credentials and computers \r\n in the person's organization.</p>","javascript":"","css":""}
  • UI-IT-Shop-MS-Computer

    • Grants access to shop for access to servers in the IAM Shop microservice app

  • UI-Shared-Credential-PAM-User-Full-Access (Feature Set (UI))

    • Grants access to the user interfaces and workflows for managing shared credentials.

  • VIS-Location-MyLocationsAndBelow

    • Grants access to see locations in the person’s location and below

  • ACT-Computer-Shared-Credential-Use-MyOrg

    • Grants access to use a shared credential to initiate a Privileged Session to computers in the person’s locations

  • UI-Computer-PAM-Local-Identity-Administration

    • Grants access to the user interfaces and workflows for managing local computer users, group, IIS App Pools, and Windows services

  • UI-Computer-PSM-User-Full-Access

    • Grants access to the user interfaces and workflows for managing computer objects for PSM

  • ACT-Computer-Shared-Credential-Assigner-MyOrganization

    • Grants access to assign and unassign shared credentials to computers in the person's organization

  • UI-IT-Shop-MS-Shared-Credential

    • Grants access to shop for Shared Credentials in the IAM Shop microservice app

  • VIS-Shared-Credential-MyOrg

    • Grants access to see vaulted credentials in the person’s organization

  • VIS-Computer-MyOrg

    • Grants access to see computers in the person’s organization

  • IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types

    • Grants access for the UI to use the IAM Shop, My Tasks, My Identity microservices but does not grant visibility to objects or the UI- roles for each resource type.

  • ACT-Computer-Shared-Credential-Login-MyOrg

    • Grants access to use a shared credential to initiate a Privileged Session to any computer in person's organization

  • ACT-Shared-Credential-Object-Administration-MyOrg

    • Grants

people with the role the ability to create
    • access to create, edit

,
    • and delete shared credentials in

person's
    • the person’s organization

.
  • ACT-

Shared
  • Computer-

Credential-
  • Object-Administration-

MyLocations
  • MyOrg

    • Grants

people with the role the ability to
    • access to create, edit, and delete

shared credentials in person's locations.
    • computers in the person’s organization

Roles needed

to manage Privileged Access PoliciesTo manage Privileged Access policies

to administer PAM Settings

To use PAM credentials and computers, users need to have the following be a member of the below Management Role assignment:

Expand
titleView Role

Management Role

Purpose of Management Role

UI-Admin-Privileged-Access

PAM Settings Admin

Grants access to user interfaces and workflows for managing Privileged Access Settings and Policies.

Div
stylefloat:left; position:fixed;
idarticleNav

IN THIS ARTICLE

Table of Contents
maxLevel4
minLevel2
maxLevelstyle4none
styleprintablenonefalse

Insert excerpt
IL:External Stylesheet
IL:External Stylesheet
nopaneltrue
Insert excerpt
IL:External Stylesheet
IL:External Stylesheet
nopaneltrue