EmpowerID restricts access to PAM and PSM through the use of Management Roles. To work with PAM and PSM, users must be assigned to the appropriate roles. Management Roles are prefixed by their function in EmpowerID and include the following:
UI – Management Roles prefixed with UI grant users access to specific UI elements in the EmpowerID Web interface. An example of this type of role for PAM is UI-Computer-PAM-User-Full-Access. This role grants access to the user interfaces and workflows for requesting PSM access to computers.
VIS – Management Roles prefixed with VIS grant users the ability to see specific objects in EmpowerID. An example of this type of role for PAM is VIS-Computer-MyLocations. This role grants access to see computers that belong to the same location as the person with the role.
ACT – Management Roles prefixed with ACT grant users the ability to manage specific objects in EmpowerID. An example of this type of role for PAM is ACT-Computer-Shared-Credential-Assigner-MyLocations. This role grants users with the role the ability to assign and unassign shared credentials to computers in the person's locations.
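The naming convention above can be checked mechanically when reviewing what a role bundle actually grants. The following Python is an added example, not EmpowerID code: it splits a Management Role name into its function prefix and trailing scope, then lists the scoped roles in a bundle whose scope differs from the one the bundle is meant to have. The scope suffix list is an assumption inferred from the role names on this page, and `parse_role` and `out_of_scope` are hypothetical helper names.

```python
# Added example: audit a role bundle against the UI/VIS/ACT naming convention.
FUNCTIONS = {"UI": "interface", "VIS": "visibility", "ACT": "action"}

# ASSUMPTION: scope suffixes inferred from role names on this page, not from
# an EmpowerID reference. Longer suffixes are listed before their prefixes.
SCOPES = ("MyLocationsAndBelow", "MyOrganization", "MyLocations",
          "MyOrg", "Responsible", "All")


def parse_role(name):
    """Split a Management Role name into (function, resource, scope)."""
    prefix, _, rest = name.partition("-")
    if prefix not in FUNCTIONS or not rest:
        return None  # bundle names and unprefixed roles have no function prefix
    for scope in SCOPES:
        if rest.endswith("-" + scope):
            return prefix, rest[: -len(scope) - 1], scope
    return prefix, rest, None  # no recognised scope suffix (typical for UI roles)


def out_of_scope(bundle_roles, allowed_scopes):
    """Return the scoped roles whose scope is not in allowed_scopes."""
    flagged = []
    for name in bundle_roles:
        parsed = parse_role(name)
        if parsed and parsed[2] is not None and parsed[2] not in allowed_scopes:
            flagged.append(name)
    return flagged


# Role names copied from two bundles listed on this page (subsets).
MY_LOCATIONS_USER = [
    "UI-Shared-Credential-PAM-User-Self-Service",
    "ACT-Shared-Credential-Use-MyLocations",
    "ACT-Computer-Shared-Credential-Login-MyLocations",
    "VIS-Computer-MyLocations",
    "VIS-Shared-Credential-MyLocations",
]
MY_ORG_ADMIN = [
    "UI-Computer-PSM-User-Full-Access",
    "VIS-Location-MyLocationsAndBelow",
    "ACT-Computer-Shared-Credential-Assigner-MyOrganization",
    "ACT-Shared-Credential-Object-Administration-MyOrg",
    "VIS-Computer-MyOrg",
]

if __name__ == "__main__":
    print(out_of_scope(MY_LOCATIONS_USER, {"MyLocations"}))
    print(out_of_scope(MY_ORG_ADMIN, {"MyOrg", "MyOrganization"}))
```

A flagged role is a prompt to confirm the intended scope during an access review, not proof of a misconfiguration.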
Roles needed to use credentials and access computers
To use vaulted credentials and access computers, users must be a member of one of the following Management Roles, depending on the scope they need:
Management Role | Access Granted |
---|---|
PAM User for All Creds and Computers (Role Bundle) | This Management Role is a role bundle that grants its members membership in the following Management Roles: UI-Shared-Credential-PAM-User-Self-Service; UI-IT-Shop-MS-Computer; UI-Computer-PSM-User-Self-Service; UI-IT-Shop-MS-Shared-Credential; ACT-Shared-Credential-Use-All; ACT-Computer-Shared-Credential-Login-All; VIS-Computer-All; VIS-Shared-Credential-All; IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types |
PAM User for Creds and Computers in My Locations (Role Bundle) | This Management Role is a role bundle that grants its members membership in the following Management Roles. All access is scoped to credentials and computers in the person's locations. UI-Shared-Credential-PAM-User-Self-Service; UI-IT-Shop-MS-Computer; UI-Computer-PSM-User-Self-Service; UI-IT-Shop-MS-Shared-Credential; ACT-Shared-Credential-Use-MyLocations; ACT-Computer-Shared-Credential-Login-MyLocations; VIS-Computer-MyLocations; VIS-Shared-Credential-MyLocations; IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types |
PAM User for Creds and Computers in My Org (Role Bundle) | This Management Role is a role bundle that grants its members membership in the following Management Roles. All access is scoped to credentials and computers in the person's organizations. UI-Shared-Credential-PAM-User-Self-Service; UI-IT-Shop-MS-Computer; UI-Computer-PSM-User-Self-Service; UI-IT-Shop-MS-Shared-Credential; ACT-Shared-Credential-Use-MyOrg; ACT-Computer-Shared-Credential-Login-MyOrg; VIS-Computer-MyOrg; VIS-Shared-Credential-MyOrg; IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types |
PAM User for Creds and Computers I Own | This Management Role is a role bundle that grants its members membership in the following Management Roles. All access is scoped to credentials and computers the person owns. UI-Shared-Credential-PAM-User-Self-Service; UI-IT-Shop-MS-Computer; UI-Computer-PSM-User-Self-Service; UI-IT-Shop-MS-Shared-Credential; ACT-Shared-Credential-Login-Responsible; IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types |
Roles needed to manage credentials and computers
To manage credentials and computers, users must be a member of one of the following Management Roles, depending on the scope they need:
Management Role | Access Granted |
---|---|
PAM Administrator for All Credentials and Computers | This Management Role is a role bundle that grants its members membership in the following Management Roles: ACT-Shared-Credential-Object-Administration-All; UI-IT-Shop-MS-Computer; VIS-Groups-LocalWindows; UI-Shared-Credential-PAM-User-Full-Access (Feature Set (UI)); UI-IT-Shop-MS-Shared-Credential; VIS-Location-All; VIS-Accounts-AD; UI-Computer-PAM-Local-Identity-Administration (grants access to the user interfaces and workflows for managing local computer users, groups, IIS App Pools, and Windows services); ACT-Computer-Shared-Credential-Login-All; VIS-Computer-All; VIS-Groups-Linux; VIS-Accounts-Linux; UI-IT-Shop-MS-Shared-Credential; VIS-Accounts-LocalWindows; VIS-Shared-Credential-All; IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types |
PAM Administrator for Credentials and Computers in Person’s Locations | This Management Role is a role bundle that grants its members membership in the following Management Roles. All access is scoped to credentials and computers in the person's locations. UI-IT-Shop-MS-Computer; UI-Shared-Credential-PAM-User-Full-Access (Feature Set (UI)); VIS-Location-MyLocationsAndBelow; ACT-Computer-Shared-Credential-Login-MyLocations; UI-Computer-PAM-Local-Identity-Administration (grants access to the user interfaces and workflows for managing local computer users, groups, IIS App Pools, and Windows services); ACT-Shared-Credential-Object-Administration-MyLocations; ACT-Shared-Credential-Use-MyLocations; VIS-Computer-MyLocations; VIS-Shared-Credential-MyLocations; ACT-Computer-Object-Administration-MyLocations; UI-Computer-PSM-User-Full-Access; UI-IT-Shop-MS-Shared-Credential; IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types |
...
PAM Administrator for Credentials and Computers in Person’s Organization | This Management Role is a role bundle that grants its members membership in the following Management Roles. All access is scoped to credentials and computers in the person's organization. UI-IT-Shop-MS-Computer; UI-Shared-Credential-PAM-User-Full-Access (Feature Set (UI)); VIS-Location-MyLocationsAndBelow; ACT-Computer-Shared-Credential-Use-MyOrg; UI-Computer-PAM-Local-Identity-Administration (grants access to the user interfaces and workflows for managing local computer users, groups, IIS App Pools, and Windows services); UI-Computer-PSM-User-Full-Access; ACT-Computer-Shared-Credential-Assigner-MyOrganization; UI-IT-Shop-MS-Shared-Credential; VIS-Shared-Credential-MyOrg; VIS-Computer-MyOrg; IAM Shop, My Tasks, and My Identity Self-Service Basic UI Access Only - no resource types; ACT-Computer-Shared-Credential-Login-MyOrg; ACT-Shared-Credential-Object-Administration-MyOrg; ACT-Computer-Object-Administration-MyOrg |
Roles needed to administer PAM Settings
To administer PAM settings, users must be a member of the following Management Role:
Management Role | Purpose of Management Role |
---|---|
PAM Settings Admin | Grants access to user interfaces and workflows for managing Privileged Access Settings and Policies. |
...