EmpowerID restricts access to PAM and PSM through the use of Management Roles. To work with PAM and PSM, users must be assigned to the appropriate roles. Management Roles are prefixed by their function in EmpowerID and include the following:
UI – Management Roles prefixed with UI grant users access to specific UI elements in the EmpowerID Web interface. An example of this type of role for PAM is UI-Computer-PAM-User-Full-Access. This role grants access to the user interfaces and workflows for requesting PSM access to computers.
VIS – Management Roles prefixed with VIS grant users the ability to see specific objects in EmpowerID. An example of this type of role for PAM is VIS-Computer-MyLocations. This role grants access to see computers that belong to the same location as the person with the role.
ACT – Management Roles prefixed with ACT grant users the ability to manage specific objects in EmpowerID. An example of this type of role for PAM is ACT-Computer-Shared-Credential-Assigner-MyLocations. This role grants people with the role the ability to assign and unassign shared credentials to computers in the person's locations.
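As an added example (not EmpowerID's own code), the following Python script applies the UI/VIS/ACT naming convention described above to an access review: it parses role names into prefix, capability and scope suffix, reduces a person's assignments to the broadest scope held per capability, and lists the All-scoped ACT grants a least-privilege review should look at first. The narrow-to-broad ordering of scopes and the sample assignment list are assumptions constructed for illustration.

```python
# Added example (not EmpowerID's own code): parse Management Role names by the
# UI/VIS/ACT prefix and scope suffix described above, reduce a person's roles
# to the broadest scope held per capability, and list All-scoped ACT grants
# for least-privilege review. The scope ordering below is an assumption.
PREFIXES = {"UI", "VIS", "ACT"}
# Scope suffixes seen on this page, narrowest to broadest (assumed ordering).
SCOPE_RANK = {
    "Responsible": 0, "LocalAdmin": 1, "MyLocations": 2,
    "MyLocationsAndBelow": 3, "MyLocationsAndAbove": 3,
    "MyOrg": 4, "MyOrganization": 4, "All": 5,
}


def parse_role(name):
    """Split a role name into (prefix, capability, scope); UI roles have no scope."""
    prefix, sep, rest = name.partition("-")
    if not sep or prefix not in PREFIXES:
        raise ValueError(f"not a UI/VIS/ACT Management Role: {name!r}")
    for scope in SCOPE_RANK:  # '...-Login-All' -> capability 'Computer-Shared-Credential-Login'
        if rest.endswith("-" + scope):
            return prefix, rest[: -len(scope) - 1], scope
    return prefix, rest, None


def effective_scopes(roles):
    """Broadest scope held per (prefix, capability): holding both
    VIS-Computer-MyLocations and VIS-Computer-All effectively means All."""
    best = {}
    for name in roles:
        prefix, capability, scope = parse_role(name)
        key = (prefix, capability)
        if scope is None:
            best.setdefault(key, None)
        elif best.get(key) is None or SCOPE_RANK[scope] > SCOPE_RANK[best[key]]:
            best[key] = scope
    return best


def broad_act_grants(roles):
    """ACT capabilities whose effective scope is All (check out any credential,
    log in to any computer): the grants a least-privilege review looks at first."""
    return sorted(f"ACT-{cap}-All" for (prefix, cap), scope in
                  effective_scopes(roles).items() if prefix == "ACT" and scope == "All")


# Constructed sample assignment: location-scoped PAM user roles plus one
# unscoped credential check-out grant that a reviewer should question.
SAMPLE_ROLES = [
    "UI-Computer-PSM-User-Self-Service", "VIS-Computer-MyLocations",
    "VIS-Computer-All", "ACT-Computer-Shared-Credential-Login-MyLocations",
    "ACT-Shared-Credential-Use-All",
]
```

Running `broad_act_grants(SAMPLE_ROLES)` on the constructed list returns only the unscoped check-out role, while `effective_scopes` collapses the two VIS-Computer assignments to All.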
Roles needed to use vaulted credentials and access computers

To use vaulted credentials and access computers, users need to be a member of one of the following Management Roles, chosen for the needed scope. Each is a role bundle that grants people with the role membership in the Management Roles listed for it.

| Management Role | Access Granted by Management Role |
|---|---|
| PAM User for All Creds and Computers (Role Bundle) | Role bundle; grants membership in: UI-IT-Shop-MS-Shared-Credential, ACT-Shared-Credential-Use-All, ACT-Computer-Shared-Credential-Login-All, VIS-Computer-All, VIS-Shared-Credential-All, and IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types. |
| PAM User for Creds and Computers in My Locations (Role Bundle) | All access is scoped to credentials and computers in the person's locations. Role bundle; grants membership in: UI-Shared-Credential-PAM-User-Self-Service, UI-IT-Shop-MS-Computer, UI-Computer-PSM-User-Self-Service, UI-IT-Shop-MS-Shared-Credential, ACT-Shared-Credential-Use-MyLocations, ACT-Computer-Shared-Credential-Login-MyLocations, VIS-Computer-MyLocations, VIS-Shared-Credential-MyLocations. |
| PAM User for Creds and Computers in My Org (Role Bundle) | All access is scoped to credentials and computers in the person's organizations. Role bundle; grants membership in: UI-Shared-Credential-PAM-User-Self-Service, UI-IT-Shop-MS-Computer, UI-Computer-PSM-User-Self-Service, UI-IT-Shop-MS-Shared-Credential, ACT-Shared-Credential-Use-MyOrg, ACT-Computer-Shared-Credential-Login-MyOrg, VIS-Computer-MyOrg, VIS-Shared-Credential-MyOrg. |
| PAM User for Creds and Computers I Own (Role Bundle) | All access is scoped to credentials and computers the person owns. Role bundle; grants membership in: UI-Shared-Credential-PAM-User-Self-Service, UI-IT-Shop-MS-Computer, UI-Computer-PSM-User-Self-Service, UI-IT-Shop-MS-Shared-Credential, ACT-Shared-Credential-Login-Responsible. |

The individual Management Roles that these bundles draw on are:

| Management Role | Access Granted by Management Role |
|---|---|
| VIS-Computer-MyLocations | Grants visibility for computers in a person's locations. This role would be assigned if the person should have visibility for computers in their locations only. |
| VIS-Computer-MyOrg | Grants visibility for computers in a person's organizations. This role would be assigned if the person should have visibility for all computers in their organizations. |
| VIS-Computer-All | Grants visibility for all inventoried computers. This role would be assigned if the person should have visibility for all computers. |
| VIS-Shared-Credential-MyLocations | Grants visibility for vaulted credentials in a person's locations. This role would be assigned if the person should have visibility for vaulted credentials in their locations only. |
| VIS-Shared-Credential-MyOrg | Grants visibility for vaulted credentials in a person's organizations. This role would be assigned if the person should have visibility for all vaulted credentials in their organizations. |
| VIS-Shared-Credential-All | Grants visibility for all vaulted credentials. |
| ACT-Shared-Credential-Use-All | Grants people with the role the ability to check out all shared credentials without requiring approval. |
| ACT-Shared-Credential-Use-MyLocations | Grants people with the role the ability to check out shared credentials in their locations without requiring approval. |
| ACT-Shared-Credential-Use-MyOrg | Grants people with the role the ability to check out shared credentials in their organization without requiring approval. |
| ACT-Computer-Shared-Credential-Login-All | Grants people with the role the ability to use any computer without requiring approval. |
| ACT-Computer-Shared-Credential-Login-LocalAdmin | Grants people with the role the ability to use a shared credential to initiate a Privileged Session to any computer where the person is a member of the local admins group without requiring approval. |
| ACT-Computer-Shared-Credential-Login-MyLocations | Grants people with the role the ability to use a shared credential to initiate a Privileged Session to any computer in the person's locations without requiring approval. |
| ACT-Computer-Shared-Credential-Login-MyOrg | Grants people with the role the ability to use a shared credential to initiate a Privileged Session to any computer in the person's organization without requiring approval. |

Roles needed to manage vaulted credentials and computers
To manage vaulted credentials and computers, users need to be a member of one of the following Management Roles, chosen for the needed scope. Each is a role bundle that grants people with the role membership in the Management Roles listed for it.

| Management Role | Access Granted by Management Role |
|---|---|
| PAM Administrator for All Credentials and Computers | Role bundle; grants membership in: VIS-Groups-Linux, VIS-Accounts-Linux, UI-IT-Shop-MS-Shared-Credential, VIS-Accounts-LocalWindows, VIS-Shared-Credential-All. |
| PAM Administrator for Credentials and Computers in Person's Locations | All access is scoped to credentials and computers in the person's locations. Role bundle; grants membership in: UI-IT-Shop-MS-Computer, UI-Shared-Credential-PAM-User-Full-Access (Feature Set (UI)), VIS-Location-MyLocationsAndBelow, ACT-Computer-Shared-Credential-Login-MyLocations, UI-Computer-PAM-Local-Identity-Administration (grants access to the user interfaces and workflows for managing local computer users, groups, IIS App Pools, and Windows services), ACT-Shared-Credential-Object-Administration-MyLocations, UI-Computer-PSM-User-Full-Access, UI-IT-Shop-MS-Shared-Credential, IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types, ACT-Computer-Shared-Credential-Assigner-MyLocations. |
| PAM Administrator for Credentials and Computers in Person's Organization | All access is scoped to credentials and computers in the person's organization. Role bundle; grants membership in: UI-IT-Shop-MS-Computer, UI-Shared-Credential-PAM-User-Full-Access (Feature Set (UI)), VIS-Location-MyLocationsAndBelow, ACT-Computer-Shared-Credential-Use-MyOrg, UI-Computer-PAM-Local-Identity-Administration (grants access to the user interfaces and workflows for managing local computer users, groups, IIS App Pools, and Windows services), UI-Computer-PSM-User-Full-Access, ACT-Computer-Shared-Credential-Assigner-MyOrganization, UI-IT-Shop-MS-Shared-Credential, VIS-Shared-Credential-MyOrg, VIS-Computer-MyOrg, IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types, ACT-Computer-Shared-Credential-Login-MyOrg, ACT-Shared-Credential-Object-Administration-MyOrg. |

The individual Management Roles that these bundles draw on are:

| Management Role | Access Granted by Management Role |
|---|---|
| VIS-Computer-MyLocations | Grants visibility for computers in a person's locations. This role would be assigned if the person should have visibility for computers in their locations only. |
| VIS-Computer-MyOrg | Grants visibility for computers in a person's organizations. This role would be assigned if the person should have visibility for all computers in their organizations. |
| VIS-Computer-All | Grants visibility for all inventoried computers. This role would be assigned if the person should have visibility for all computers. |
| VIS-Shared-Credential-MyLocations | Grants visibility for vaulted credentials in a person's locations. This role would be assigned if the person should have visibility for vaulted credentials in their locations only. |
| VIS-Shared-Credential-MyOrg | Grants visibility for vaulted credentials in a person's organizations. This role would be assigned if the person should have visibility for all vaulted credentials in their organizations. |
| VIS-Shared-Credential-All | Grants visibility for all vaulted credentials. |
| ACT-Shared-Credential-Create-All | Grants people with the role the ability to create shared credentials anywhere. |
| ACT-Shared-Credential-Create-MyLocations | Grants people with the role the ability to create shared credentials in their locations. |
| ACT-Shared-Credential-Create-MyOrg | Grants people with the role the ability to create shared credentials in their organization. |
| ACT-Shared-Credential-Object-Administration-All | Grants people with the role the ability to create, edit, and delete shared credentials anywhere. |
| ACT-Shared-Credential-Object-Administration-MyLocations | Grants people with the role the ability to create, edit, and delete shared credentials in their locations. |
| ACT-Shared-Credential-Object-Administration-MyOrg | Grants people with the role the ability to create, edit, and delete shared credentials in their organization. |
| ACT-Computer-Shared-Credential-Approver-All | Grants people with the role the ability to approve PSM login requests for any computer. |
| ACT-Computer-Shared-Credential-Approver-LocalAdmin | Grants people with the role the ability to approve PSM login requests for any computer where the person is a member of the local admins group. |
| ACT-Computer-Shared-Credential-Approver-MyLocations | Grants people with the role the ability to approve PSM login requests for any computer in their locations. |
| ACT-Computer-Shared-Credential-Approver-MyOrg | Grants people with the role the ability to approve PSM login requests for any computer in the person's organization. |
| ACT-Computer-Shared-Credential-Approver-Responsible | Grants people with the role the ability to approve PSM login requests for any computer where the person is assigned as the responsible person. |

Roles needed to manage non-computer vaulted credentials

To manage non-computer vaulted credentials, users need to have a combination of the following Management Role assignments (based on the needed scope):

| Management Role | Purpose of Management Role |
|---|---|
| UI-Shared-Credential-Object-Administration | Grants access to the user interfaces and workflows for managing shared credentials. |
| VIS-Shared-Credential-MyLocations | Grants visibility for vaulted credentials in a person's locations. This role would be assigned if the person should have visibility for vaulted credentials in their locations only. |
| VIS-Shared-Credential-MyOrg | Grants visibility for vaulted credentials in a person's organizations. This role would be assigned if the person should have visibility for all vaulted credentials in their organizations. |
| VIS-Shared-Credential-All | Grants visibility for all vaulted credentials. |
| VIS-Location-All-Business-Locations | Grants visibility for all locations under All Business Locations. |
| VIS-Location-MyLocationsAndAbove | Grants visibility for the person's locations and above. |
| VIS-Location-MyLocationsAndBelow | Grants visibility for the person's locations and below. |
| VIS-Location-All | Grants visibility for all locations in the location trees related to managing shared credentials. |
| ACT-Shared-Credential-Create-All | Grants people with the role the ability to create a shared credential anywhere. |
| ACT-Shared-Credential-Create-MyLocations | Grants people with the role the ability to create a shared credential in their locations. |
| ACT-Shared-Credential-Create-MyOrg | Grants people with the role the ability to create a shared credential in their organization. |
| ACT-Shared-Credential-Object-Administration-All | Grants people with the role the ability to create, edit, and delete shared credentials anywhere. |
| ACT-Shared-Credential-Object-Administration-MyLocations | Grants people with the role the ability to create, edit, and delete shared credentials in their locations. |
| ACT-Shared-Credential-Object-Administration-MyOrg | Grants people with the role the ability to create, edit, and delete shared credentials in their organization. |
| ACT-Shared-Credential-Approver-All | Grants people with the role the ability to approve checkout requests for all credentials. |
| ACT-Shared-Credential-Approver-MyLocations | Grants people with the role the ability to approve checkout requests for credentials in the person's locations. |
| ACT-Shared-Credential-Approver-MyOrg | Grants people with the role the ability to approve checkout requests for any computer in their locations. |

Roles needed to administer PAM Settings and manage Privileged Access Policies

To administer PAM Settings and manage Privileged Access Policies, users need to be a member of the following Management Role:

| Management Role | Purpose of Management Role |
|---|---|
| UI-Admin-Privileged-Access (PAM Settings Admin) | Grants access to user interfaces and workflows for managing Privileged Access Settings and Policies. |