Page Comparison

EmpowerID restricts access to accounts and groups through the use of Management Roles. To view and work with accounts and groups users must be assigned to the appropriate roles. Management Roles are prefixed by their function in EmpowerID and include the following:

UI — Management Roles prefixed with UI grant users access to specific UI elements in the EmpowerID Web interface.
VIS — Management Roles prefixed with VIS grant users the ability to see specific objects in EmpowerID.
ACT — Management Roles prefixed with ACT grant users the ability to manage specific objects in EmpowerID.

Roles needed by users to view and edit account profile information

To view and edit their basic account information, users need to have the following Management Role assignments:

Expand

title	Roles needed by people to view and initiate editing their user account profile information

Management Role

Access Granted by Management Role

Role Type

UI-Account-Profile-Edit

Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes.

Feature Set — Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS

Find Account Page
- Viewer for the page
Account View One Page
- Viewer for the page
- Viewer for the Actions Accordion
- Viewer for the Advanced Tab
Account Edit One Page
- Viewer for the page

WORKFLOW ACCESS

Resource Manager Account Update
- Initiator for the workflow

Expand

title	Roles needed to view and initiate editing user account profiles belonging to the same locations as the people with the roles

Management Role

Access Granted by Management Role

Role Type

UI-Account-Profile-Edit

Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes.

Feature Set — Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS

Find Account Page
- Viewer for the page
Account View One Page
- Viewer for the page
- Viewer for the Actions Accordion
- Viewer for the Advanced Tab
Account Edit One Page
- Viewer for the page

WORKFLOW ACCESS

Resource Manager Account Update
- Initiator for the workflow

VIS-Accounts-MyLocations

Grants visibility for all user accounts in the same locations as the currently logged in user.

Visibility

Expand

title	Roles needed to view and initiate editing user account profiles belonging to the same organizations as the people with the roles

Management Role

Access Granted by Management Role

Role Type

UI-Account-Profile-Edit

Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes.

Feature Set — Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS

Find Account Page
- Viewer for the page
Account View One Page
- Viewer for the page
- Viewer for the Actions Accordion
- Viewer for the Advanced Tab
Account Edit One Page
- Viewer for the page

WORKFLOW ACCESS

Resource Manager Account Update
- Initiator for the workflow

VIS-Accounts-MyOrg

Grants visibility for all user accounts in the same organizations as the currently logged in user.

Visibility

Expand

title	Roles needed to view and initiate editing the profiles of additional types of user accounts

Management Role	Access Granted by Management Role	Role Type
UI-Account-Profile-Edit	Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes.	Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS Find Account Page Viewer for the page Account View One Page Viewer for the page Viewer for the Actions Accordion Viewer for the Advanced Tab Account Edit One Page Viewer for the page WORKFLOW ACCESS Resource Manager Account Update Initiator for the workflow
Active Directory User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see Active Directory user accounts
VIS-Accounts-AD	Grants visibility for all Active Directory user accounts.	Visibility
AWS User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see Amazon Web Services user accounts
VIS-Accounts-AWS	Grants visibility for all user accounts in any Amazon Web Services account store.	Visibility
Linux User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see Linux user accounts
VIS-Accounts-Linux	Grants visibility for all Linux user accounts.	Visibility
Local Windows User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see Local Windows Server user accounts
VIS-Accounts-LocalWindows	Grants visibility for all user accounts belonging to Local Windows Server account stores.	Visibility
Office 365 User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see Office 365 user accounts
VIS-Accounts-O365	Grants visibility for all Office 365 / Azure AD user accounts.	Visibility
SAP User Accounts — In addition to the UI-Account-Membership-Management Management Role, users need the following role to see SAP user accounts
VIS-Accounts-SAP	Grants visibility for all SAP user accounts.	Visibility

Expand

title	Roles needed to view and initiate editing the profile information of all user accounts in any system under the All IT Systems location

Management Role

Access Granted by Management Role

Role Type

UI-Account-Profile-Edit

Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as the ability to edit profile attributes.

Feature Set — Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS

Find Account Page
- Viewer for the page
Account View One Page
- Viewer for the page
- Viewer for the Actions Accordion
- Viewer for the Advanced Tab
Account Edit One Page
- Viewer for the page

WORKFLOW ACCESS

Resource Manager Account Update
- Initiator for the workflow

VIS-Accounts-All-IT-Systems

Grants visibility for all accounts under All IT Systems.

Visibility

Expand

title	Roles needed to view and initiate editing the profiles of all user accounts in the system

Management Role

Access Granted by Management Role

Role Type

UI-Account-Membership-Management

Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows.

Feature Set — Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS

Find Account Page
- Viewer for the page
Account View One Page
- Viewer for the page
- Viewer for the General Tab
- Viewer for the Group Membership Grid
- Viewer for the Group Membership Changes Grid
- Viewer for the Resultant Membership Grid

WORKFLOW ACCESS

Add Accounts to Groups
- Initiator for the workflow
Remove Service Principal from Groups
- Initiator for the workflow
Update Account Group Membership
- Initiator for the workflow

VIS-Accounts-All

Grants visibility for all accounts in any location.

Visibility

Roles needed to add and remove accounts to and from groups

To manage the group assignments of user accounts, users need to have a combination of the following Management Role assignments (based on the needed scope).

Expand

title	Roles needed by people to manage the group assignments of user accounts and groups in their locations (without requiring approval)

Info
Accounts can only be added to groups that belong to the same domain.

Management Role	Access Granted by Management Role	Role Type
Account Roles Needed
UI-Account-Membership-Management	Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows.	Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS Find Account Page Viewer for the page Account View One Page Viewer for the page Viewer for the General Tab Viewer for the Group Membership Grid Viewer for the Group Membership Changes Grid Viewer for the Resultant Membership Grid WORKFLOW ACCESS Add Accounts to Groups Initiator for the workflow Remove Service Principal from Groups Initiator for the workflow Update Account Group Membership Initiator for the workflow
VIS-Accounts-MyLocations	Grants visibility for all user accounts in the same locations as the currently logged in user.	Visibility
ACT-Account-Membership-Management-MyLocations	Grants access to manage membership for user accounts belonging to the same locations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
Group Roles Needed
UI-Group-Membership-Management	Grants people access to the user interfaces and workflows for viewing basic information about groups, as well as for initiating group membership management workflows.	Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS Find Group Page Viewer for the page Viewer for the Dashboard Tab Viewer for the All Groups Tab Viewer for the Groups I Manage Tab Group View One Page Viewer for the page Viewer for the General Tab Viewer for the Membership Changes Tab Viewer for the Group Members Grid WORKFLOW ACCESS Add Accounts to Groups Initiator for the workflow Update Group Account Membership Initiator for the workflow Add People to Groups Initiator for the workflow Update Person Group Membership Initiator for the workflow Temporary Group Membership Initiator for the workflow Add Groups to Group Initiator for the workflow Remove Groups from Group Initiator for the workflow Remove Service Principal from Groups Initiator for the workflow
VIS-Groups-Distribution-MyLocation	Grants visibility for all distribution groups belonging to the same locations as the currently logged in user.	Visibility
ACT-Group-Membership-Management-Distribution-MyLocations	Grants access to manage membership for distribution groups belonging to the same locations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
VIS-Groups-Generic-MyLocation	Grants visibility for all generic groups belonging to the same locations as the currently logged in user.	Visibility
ACT-Group-Membership-Management-Generic-MyLocations	Grants access to manage membership for generic groups belonging to the same locations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
VIS-Groups-Security-MyLocations	Grants visibility for all security groups belonging to the same locations as the currently logged in user.	Visibility
ACT-Group-Membership-Management-Security-MyLocations	Grants access to manage membership for security groups belonging to the same locations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity

Expand

title	Roles needed by people to manage the group assignments of user accounts and groups in their organizations (without requiring approval)

Info
Accounts can only be added to groups that belong to the same domain.

Management Role	Access Granted by Management Role	Role Type
Account Roles Needed
UI-Account-Membership-Management	Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows.	Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS Find Account Page Viewer for the page Account View One Page Viewer for the page Viewer for the General Tab Viewer for the Group Membership Grid Viewer for the Group Membership Changes Grid Viewer for the Resultant Membership Grid WORKFLOW ACCESS Add Accounts to Groups Initiator for the workflow Remove Service Principal from Groups Initiator for the workflow Update Account Group Membership Initiator for the workflow
VIS-Accounts-MyOrg	Grants visibility for all user accounts in the same organizations as the currently logged in user.	Visibility
ACT-Account-Membership-Management-MyOrg	Grants access to manage membership for user accounts belonging to the same organizations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
Group Roles Needed
UI-Group-Membership-Management	Grants people access to the user interfaces and workflows for viewing basic information about groups, as well as for initiating group membership management workflows.	Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS Find Group Page Viewer for the page Viewer for the Dashboard Tab Viewer for the All Groups Tab Viewer for the Groups I Manage Tab Group View One Page Viewer for the page Viewer for the General Tab Viewer for the Membership Changes Tab Viewer for the Group Members Grid WORKFLOW ACCESS Add Accounts to Groups Initiator for the workflow Update Group Account Membership Initiator for the workflow Add People to Groups Initiator for the workflow Update Person Group Membership Initiator for the workflow Temporary Group Membership Initiator for the workflow Add Groups to Group Initiator for the workflow Remove Groups from Group Initiator for the workflow Remove Service Principal from Groups Initiator for the workflow
VIS-Groups-Distribution-MyOrganizations	Grants visibility for all distribution groups belonging to the same organizations as the currently logged in user.	Visibility
ACT-Group-Membership-Management-Distribution-MyOrganizations	Grants access to manage membership for distribution groups belonging to the same organizations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
VIS-Groups-Generic-MyOrg	Grants visibility for all generic groups belonging to the same organizations as the currently logged in user.	Visibility
ACT-Group-Membership-Management-Generic-MyOrganizations	Grants access to manage membership for generic groups belonging to the same organizations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
VIS-Groups-Security-MyOrg	Grants visibility for all security groups belonging to the same organizations as the currently logged in user.	Visibility
ACT-Group-Membership-Management-Security-MyOrganizations	Grants access to manage membership for security groups belonging to the same organizations as the currently logged in user. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity

Expand

title	Roles needed to manage the group assignments of user accounts and other group types (without requiring approval)

Info
Accounts can only be added to groups that belong to the same domain.

Management Role	Access Granted by Management Role	Role Type
UI-Account-Membership-Management	Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows.	Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS Find Account Page Viewer for the page Account View One Page Viewer for the page Viewer for the General Tab Viewer for the Group Membership Grid Viewer for the Group Membership Changes Grid Viewer for the Resultant Membership Grid WORKFLOW ACCESS Add Accounts to Groups Initiator for the workflow Remove Service Principal from Groups Initiator for the workflow Update Account Group Membership Initiator for the workflow
UI-Group-Membership-Management	Grants people access to the user interfaces and workflows for viewing basic information about groups, as well as for initiating group membership management workflows.	Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS Find Group Page Viewer for the page Viewer for the Dashboard Tab Viewer for the All Groups Tab Viewer for the Groups I Manage Tab Group View One Page Viewer for the page Viewer for the General Tab Viewer for the Membership Changes Tab Viewer for the Group Members Grid WORKFLOW ACCESS Add Accounts to Groups Initiator for the workflow Update Group Account Membership Initiator for the workflow Add People to Groups Initiator for the workflow Update Person Group Membership Initiator for the workflow Temporary Group Membership Initiator for the workflow Add Groups to Group Initiator for the workflow Remove Groups from Group Initiator for the workflow Remove Service Principal from Groups Initiator for the workflow

Active Directory User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to see manage Active Directory group membership for Active Directory user accounts
VIS-Accounts-AD	Grants visibility for all Active Directory user accounts.	Visibility
VIS-Groups-All-AD	Grants visibility for all Active Directory user accounts.	Visibility
ACT-Account-Membership-Management-All-AD-Accounts	Grants access to manage group membership for all Active Directory user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
ACT-Group-Membership-Management-All-AD-Groups	Grants access to manage group membership for all Active Directory groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
AWS User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage AWS group memberships for AWS user accounts.
VIS-Accounts-AWS	Grants visibility for all AWS user accounts.	Visibility
VIS-Groups-All-AWS	Grants visibility for all AWS groups.	Visibility
ACT-Account-Membership-Management-All	Grants access to manage group membership for all user accounts, including AWS user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
ACT-Group-Membership-Management-All-AWS-Groups	Grants access to manage group membership for all AWS groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
Linux User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage Linux group memberships for Linux user accounts
VIS-Accounts-Linux	Grants visibility for all Linux user accounts.	Visibility
VIS-Groups-All	Grants visibility for all groups, including all groups in Linux systems.	Visibility
ACT-Account-Membership-Management-All	Grants access to manage group membership for all user accounts, including Linux user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
ACT-Group-Membership-Management-All-Groups	Grants access to manage group membership for all groups, including Linux groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
Local Windows User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage group memberships for Local Windows Server user accounts and groups
VIS-Accounts-LocalWindows	Grants visibility for all user accounts belonging to Local Windows Server account stores.	Visibility
VIS-Groups-All	Grants visibility for all groups, including all groups in Local Windows Server account stores.	Visibility
ACT-Account-Membership-Management-All	Grants access to manage group membership for all user accounts, including Local Windows user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
ACT-Group-Membership-Management-All-Groups	Grants access to manage group membership for all groups, including Local Windows groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
Office 365 User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage group memberships for Office 365 user accounts and groups
VIS-Accounts-O365	Grants visibility for all Office 365 / Azure AD user accounts.	Visibility
VIS-Groups-All-O365	Grants visibility for all Office 365 groups.	Visibility
ACT-Account-Membership-Management-All	Grants access to manage group membership for all user accounts, including Office 365 / Azure AD user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
ACT-Group-Membership-Management-All-O365-Groups	Grants access to manage group membership for all Office 365 groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
SAP User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage group memberships for SAP user accounts and groups
VIS-Accounts-SAP	Grants visibility for all SAP user accounts.	Visibility
VIS-Groups-All-SAP	Grants visibility for all Office 365 groups.	Visibility
ACT-Account-Membership-Management-All-SAP-Accounts	Grants access to manage group membership for all SAP and ABAP user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
ACT-Group-Membership-Management-All-SAP-Groups	Grants access to manage membership for all SAP Roles and Profiles. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity

Expand

title	Roles needed by people to manage the group assignments for all user accounts and groups (without requiring approval)

Info
Accounts can only be added to groups that belong to the same domain.

Management Role	Access Granted by Management Role	Role Type
Account Roles Needed
UI-Account-Membership-Management	Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows.	Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS Find Account Page Viewer for the page Account View One Page Viewer for the page Viewer for the General Tab Viewer for the Group Membership Grid Viewer for the Group Membership Changes Grid Viewer for the Resultant Membership Grid WORKFLOW ACCESS Add Accounts to Groups Initiator for the workflow Remove Service Principal from Groups Initiator for the workflow Update Account Group Membership Initiator for the workflow
VIS-Accounts-All	Grants visibility for all user accounts.	Visibility
ACT-Account-Membership-Management-All-Accounts	Grants access to manage membership for all user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
Group Roles Needed
UI-Group-Membership-Management	Grants people access to the user interfaces and workflows for viewing basic information about groups, as well as for initiating group membership management workflows.	Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS Find Group Page Viewer for the page Viewer for the Dashboard Tab Viewer for the All Groups Tab Viewer for the Groups I Manage Tab Group View One Page Viewer for the page Viewer for the General Tab Viewer for the Membership Changes Tab Viewer for the Group Members Grid WORKFLOW ACCESS Add Accounts to Groups Initiator for the workflow Update Group Account Membership Initiator for the workflow Add People to Groups Initiator for the workflow Update Person Group Membership Initiator for the workflow Temporary Group Membership Initiator for the workflow Add Groups to Group Initiator for the workflow Remove Groups from Group Initiator for the workflow Remove Service Principal from Groups Initiator for the workflow
VIS-Groups-All	Grants visibility for all groups.	Visibility
ACT-Group-Membership-Management-All-Groups	Grants access to manage membership for all groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity

Expand

title	Roles needed to manage the group assignments of user accounts and other group types (without requiring approval)

Info
Accounts can only be added to groups that belong to the same domain.

Management Role	Access Granted by Management Role	Role Type
UI-Account-Membership-Management	Grants access to the user interfaces and workflows for viewing basic information about user accounts, as well as for initiating account group membership management workflows.	Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS Find Account Page Viewer for the page Account View One Page Viewer for the page Viewer for the General Tab Viewer for the Group Membership Grid Viewer for the Group Membership Changes Grid Viewer for the Resultant Membership Grid WORKFLOW ACCESS Add Accounts to Groups Initiator for the workflow Remove Service Principal from Groups Initiator for the workflow Update Account Group Membership Initiator for the workflow
UI-Group-Membership-Management	Grants people access to the user interfaces and workflows for viewing basic information about groups, as well as for initiating group membership management workflows.	Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS Find Group Page Viewer for the page Viewer for the Dashboard Tab Viewer for the All Groups Tab Viewer for the Groups I Manage Tab Group View One Page Viewer for the page Viewer for the General Tab Viewer for the Membership Changes Tab Viewer for the Group Members Grid WORKFLOW ACCESS Add Accounts to Groups Initiator for the workflow Update Group Account Membership Initiator for the workflow Add People to Groups Initiator for the workflow Update Person Group Membership Initiator for the workflow Temporary Group Membership Initiator for the workflow Add Groups to Group Initiator for the workflow Remove Groups from Group Initiator for the workflow Remove Service Principal from Groups Initiator for the workflow

Active Directory User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to see manage Active Directory group membership for Active Directory user accounts
VIS-Accounts-AD	Grants visibility for all Active Directory user accounts.	Visibility
VIS-Groups-All-AD	Grants visibility for all Active Directory groups.	Visibility
ACT-Account-Membership-Management-All-AD-Accounts	Grants access to manage group membership for all Active Directory user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
ACT-Group-Membership-Management-All-AD-Groups	Grants access to manage group membership for all Active Directory groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
AWS User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage AWS group memberships for AWS user accounts.
VIS-Accounts-AWS	Grants visibility for all AWS user accounts.	Visibility
VIS-Groups-All-AWS	Grants visibility for all AWS groups.	Visibility
ACT-Account-Membership-Management-All	Grants access to manage group membership for all user accounts, including AWS user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
ACT-Group-Membership-Management-All-AWS-Groups	Grants access to manage group membership for all AWS groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
Linux User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage Linux group memberships for Linux user accounts
VIS-Accounts-Linux	Grants visibility for all Linux user accounts.	Visibility
VIS-Groups-All	Grants visibility for all groups, including all groups in Linux systems.	Visibility
ACT-Account-Membership-Management-All	Grants access to manage group membership for all user accounts, including Linux user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
ACT-Group-Membership-Management-All-Groups	Grants access to manage group membership for all groups, including Linux groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
Local Windows User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage group memberships for Local Windows Server user accounts and groups
VIS-Accounts-LocalWindows	Grants visibility for all user accounts belonging to Local Windows Server account stores.	Visibility
VIS-Groups-All	Grants visibility for all groups, including all groups in Local Windows Server account stores.	Visibility
ACT-Account-Membership-Management-All	Grants access to manage group membership for all user accounts, including Local Windows user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
ACT-Group-Membership-Management-All-Groups	Grants access to manage group membership for all groups, including Local Windows groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
Office 365 User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage group memberships for Office 365 user accounts and groups
VIS-Accounts-O365	Grants visibility for all Office 365 / Azure AD user accounts.	Visibility
VIS-Groups-All-O365	Grants visibility for all Office 365 groups.	Visibility
ACT-Account-Membership-Management-All	Grants access to manage group membership for all user accounts, including Office 365 / Azure AD user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
ACT-Group-Membership-Management-All-O365-Groups	Grants access to manage group membership for all Office 365 groups. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
SAP User Accounts and Groups — In addition to the UI-Account-Membership-Management and UI-Group-Membership-Management Management Roles, users need the following roles to manage group memberships for SAP user accounts and groups
VIS-Accounts-SAP	Grants visibility for all SAP user accounts.	Visibility
VIS-Groups-All-SAP	Grants visibility for all Office 365 groups.	Visibility
ACT-Account-Membership-Management-All-SAP-Accounts	Grants access to manage group membership for all SAP and ABAP user accounts. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity
ACT-Group-Membership-Management-All-SAP-Groups	Grants access to manage membership for all SAP Roles and Profiles. If this role is not included, the change to group membership routes for approval to someone who can approve the request.	Activity

Roles needed to create, update and delete accounts

To create, update and delete user accounts in EmpowerID, people need to have a combination of the following Management Role assignments (based on the needed scope):

Expand

title	Roles needed by people to create, update and delete user accounts in their locations

Management Role

Access Granted by Management Role

Role Type

UI-Account-Object-Administration

Grants access to the user interfaces and workflows for creating, updating and deleting user accounts.

Feature Set — Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS

Find Account Page
- Viewer for the page
- Viewer for the Location Tree
- Viewer for the Deleted Accounts Tab
Account View One Page
- Viewer for the page
- Viewer for the Actions Accordion
- Viewer for the Advanced Tab
- Viewer for the Deleted Accounts Tab
Account Edit One Page
- Viewer for the page

WORKFLOW ACCESS

Create User Account
- Initiator for the workflow
Disable User Account
- Initiator for the workflow
Enable User Account
- Initiator for the workflow
Delete Account
- Initiator for the workflow
Restore Deleted Account
- Initiator for the workflow

VIS-Accounts-MyLocations

Grants visibility for all accounts in the same locations as the currently logged in user.

Visibility

ACT-Account-Object-Administration-MyLocations

Grants access to create, edit and delete all accounts in the same location as the currently logged in user.

Activity

Expand

title	Roles needed by people to create, update and delete user accounts in their organizations

Management Role

Access Granted by Management Role

Role Type

UI-Account-Object-Administration

Grants access to the user interfaces and workflows for creating, updating and deleting user accounts.

Feature Set — Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS

Find Account Page
- Viewer for the page
- Viewer for the Location Tree
- Viewer for the Deleted Accounts Tab
Account View One Page
- Viewer for the page
- Viewer for the Actions Accordion
- Viewer for the Advanced Tab
- Viewer for the Deleted Accounts Tab
Account Edit One Page
- Viewer for the page

WORKFLOW ACCESS

Create User Account
- Initiator for the workflow
Disable User Account
- Initiator for the workflow
Enable User Account
- Initiator for the workflow
Delete Account
- Initiator for the workflow
Restore Deleted Account
- Initiator for the workflow

VIS-Accounts-MyOrg

Grants visibility for all accounts in the same organizations as the currently logged in user.

Visibility

ACT-Account-Object-Administration-MyOrg

Grants access to create, edit and delete all accounts in the same location as the currently logged in user.

Activity

Expand

title	Roles needed to create, update and delete accounts in specific systems

Management Role

Access Granted by Management Role

Role Type

UI-Account-Object-Administration

Grants access to the user interfaces and workflows for creating, updating and deleting user accounts.

Feature Set — Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS

Find Account Page
- Viewer for the page
- Viewer for the Location Tree
- Viewer for the Deleted Accounts Tab
Account View One Page
- Viewer for the page
- Viewer for the Actions Accordion
- Viewer for the Advanced Tab
- Viewer for the Deleted Accounts Tab
Account Edit One Page
- Viewer for the page

WORKFLOW ACCESS

Create User Account
- Initiator for the workflow
Disable User Account
- Initiator for the workflow
Enable User Account
- Initiator for the workflow
Delete Account
- Initiator for the workflow
Restore Deleted Account
- Initiator for the workflow

Expand

title	Active Directory User Accounts

In addition to the UI-Account-Object Administration Management Role, users need the following roles to create, update and delete AD user accounts.

VIS-Accounts-AD — Grants visibility for all Active Directory user accounts.

ACT-Account-Object-Administration-AD — Grants access to create, edit, and delete all Active Directory accounts.

Expand

title	AWS User Accounts

In addition to the UI-Account-Object Administration Management Role, users need the following roles to create, update and delete AWS user accounts.

VIS-Accounts-AWS— Grants visibility for all AWS user accounts.

ACT-Account-Object-Administration-AWS— Grants access to create, edit, and delete all AWS accounts.

Expand

title	Linux User Accounts

In addition to the UI-Account-Object Administration Management Role, users need the following roles to create, update and delete Linux user accounts.

VIS-Accounts-Linux — Grants visibility for all Linux user accounts.

ACT-Account-Object-Administration-All — Grants access to create, edit, and delete all user accounts, including accounts in Linux systems.

Expand

title	Local Windows User Accounts

In addition to the UI-Account-Object Administration Management Role, users need the following roles to create, update and delete Local Windows user accounts.

VIS-Accounts-LocalWindows — Grants visibility for all Local Windows user accounts.

ACT-Account-Object-Administration-All — Grants access to create, edit, and delete all user accounts, including accounts in Local Windows systems.

Expand

title	Office 365 User Accounts

In addition to the UI-Account-Object Administration Management Role, users need the following roles to create, update and delete Office 365 user accounts.

VIS-Accounts-O365 — Grants visibility for all Office 365/Azure user accounts.

ACT-Account-Object-Administration-O365 — Grants access to create, edit, and delete accounts in Office 365.

Expand

title	SAP User Accounts

In addition to the UI-Account-Object Administration Management Role, users need the following roles to create, update and delete SAP user accounts.

VIS-Accounts-SAP — Grants visibility for all SAP user accounts.

ACT-Account-Object-Administration-SAP — Grants access to create, edit, and delete accounts in SAP ABAP.

Expand

title	Roles needed to create, update and delete accounts in any system

Management Role

Access Granted by Management Role

Role Type

UI-Account-Object-Administration

Grants access to the user interfaces and workflows for creating, updating and deleting user accounts.

Feature Set — Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS

Find Account Page
- Viewer for the page
- Viewer for the Location Tree
- Viewer for the Deleted Accounts Tab
Account View One Page
- Viewer for the page
- Viewer for the Actions Accordion
- Viewer for the Advanced Tab
- Viewer for the Deleted Accounts Tab
Account Edit One Page
- Viewer for the page

WORKFLOW ACCESS

Create User Account
- Initiator for the workflow
Disable User Account
- Initiator for the workflow
Enable User Account
- Initiator for the workflow
Delete Account
- Initiator for the workflow
Restore Deleted Account
- Initiator for the workflow

VIS-Accounts-All

Grants visibility for all accounts.

Visibility

ACT-Account-Object-Administration-All

Grants access to create, edit and delete all accounts.

Activity

Roles needed to create, update and delete groups

To create, update and delete groups in EmpowerID, people need to have a combination of the following Management Role assignments (based on the needed scope):

Expand

title	Roles needed by people to create, update and delete groups in their locations

Management Role	Access Granted by Management Role	Role Type
UI-Group-Object-Administration	Grants access to the user interfaces and workflows for creating, updating and deleting user accounts.	Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS Find Group Page Viewer for the page Viewer for the Location Tree Viewer for the All Groups Tab Viewer for the Deleted Tab Group View One Page Viewer for the page Viewer for the Actions Accordion Viewer for the Owners Grid Viewer for the Advanced Tab Viewer for the Advanced Tab Membership Changes Accordion Viewer for the Advanced Tab Accept Reject Mail Accordion Edit Group Page Viewer for the page Create Group Page Viewer for the page Create Group Simple Page Viewer for the page Group Resource Type Dropdown Item Viewer for the control WEB SERVICE ACCESS Group View Executor for the service Group Account View Executor for the service Group Account History View Executor for the service WORKFLOW ACCESS Create Group Initiator for the workflow Move Group Initiator for the workflow Resource Manager Edit Group Initiator for the workflow Update Resource Locations Initiator for the workflow Update Resource Tags Initiator for the workflow Update Owner Assignee Initiator for the workflow Update Person Catalog Category Requestable Entitlements Initiator for the workflow Restore Deleted Groups Bulk Initiator for the workflow
VIS-Groups-Distribution-MyLocation	Grants visibility for distribution groups in the same locations as the currently logged in user.	Visibility
VIS-Groups-Generic-MyLocation	Grants visibility for generic groups in the same locations as the currently logged in user.	Visibility
VIS-Groups-Security-MyLocation	Grants visibility for security groups in the same locations as the currently logged in user.	Visibility
ACT-Group-Object-Administration-MyLocations	Grants access to create, edit and delete groups in the same location as the currently logged in user.	Activity

Expand

title	Roles needed by people to create, update and delete groups in their organizations

Management Role	Access Granted by Management Role	Role Type
UI-Group-Object-Administration	Grants access to the user interfaces and workflows for creating, updating and deleting user accounts.	Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS Find Group Page Viewer for the page Viewer for the Location Tree Viewer for the All Groups Tab Viewer for the Deleted Tab Group View One Page Viewer for the page Viewer for the Actions Accordion Viewer for the Owners Grid Viewer for the Advanced Tab Viewer for the Advanced Tab Membership Changes Accordion Viewer for the Advanced Tab Accept Reject Mail Accordion Edit Group Page Viewer for the page Create Group Page Viewer for the page Create Group Simple Page Viewer for the page Group Resource Type Dropdown Item Viewer for the control WEB SERVICE ACCESS Group View Executor for the service Group Account View Executor for the service Group Account History View Executor for the service WORKFLOW ACCESS Create Group Initiator for the workflow Move Group Initiator for the workflow Resource Manager Edit Group Initiator for the workflow Update Resource Locations Initiator for the workflow Update Resource Tags Initiator for the workflow Update Owner Assignee Initiator for the workflow Update Person Catalog Category Requestable Entitlements Initiator for the workflow Restore Deleted Groups Bulk Initiator for the workflow
VIS-Groups-Distribution-MyOrg	Grants visibility for distribution groups in the same organizations as the currently logged in user.	Visibility
VIS-Groups-Generic-MyOrg	Grants visibility for generic groups in the same organizations as the currently logged in user.	Visibility
VIS-Groups-Security-MyOrg	Grants visibility for security groups in the same organizations as the currently logged in user.	Visibility
ACT-Group-Object-Administration-MyOrg	Grants access to create, edit and delete groups in the same organizations as the currently logged in user.	Activity

Expand

title	Roles needed to create, update and delete groups in specific systems

Management Role

Access Granted by Management Role

Role Type

UI-Group-Object-Administration

Grants access to the user interfaces and workflows for creating, updating and deleting user accounts.

Feature Set — Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS

Find Group Page
- Viewer for the page
- Viewer for the Location Tree
- Viewer for the All Groups Tab
- Viewer for the Deleted Tab
Group View One Page
- Viewer for the page
- Viewer for the Actions Accordion
- Viewer for the Owners Grid
- Viewer for the Advanced Tab
- Viewer for the Advanced Tab Membership Changes Accordion
- Viewer for the Advanced Tab Accept Reject Mail Accordion
Edit Group Page
- Viewer for the page
Create Group Page
- Viewer for the page
Create Group Simple Page
- Viewer for the page
Group Resource Type Dropdown Item
- Viewer for the control

WEB SERVICE ACCESS

Group View
- Executor for the service
Group Account View
- Executor for the service
Group Account History View
- Executor for the service

WORKFLOW ACCESS

Create Group
- Initiator for the workflow
Move Group
- Initiator for the workflow
Resource Manager Edit Group
- Initiator for the workflow
Update Resource Locations
- Initiator for the workflow
Update Resource Tags
- Initiator for the workflow
Update Owner Assignee
- Initiator for the workflow
Update Person Catalog Category Requestable Entitlements
- Initiator for the workflow
Restore Deleted Groups Bulk
- Initiator for the workflow

Expand

title	Active Directory Groups

In addition to the UI-Group-Object Administration Management Role, users need the following roles to create, update and delete AD groups.

VIS-Groups-All-AD — Grants visibility for all Active Directory groups.

ACT-Group-Object-Administration-AD — Grants access to create, edit, and delete all Active Directory groups.

Expand

title	AWS Groups

In addition to the UI-Group-Object Administration Management Role, users need the following roles to create, update and delete groups in AWS.

VIS-Groups-All-AWS— Grants visibility for all AWS groups.

ACT-Group-Object-Administration-AWS— Grants access to create, edit, and delete all AWS groups.

Expand

title	Azure Groups

In addition to the UI-Group-Object Administration Management Role, users need the following roles to create, update and delete groups in Azure.

VIS-Groups-All-Azure— Grants visibility for all Azure groups.

ACT-Group-Object-Administration-All — Grants access to create, edit, and delete all groups, including groups in Azure.

Expand

title	Office 365 Groups

In addition to the UI-Group-Object Administration Management Role, users need the following roles to create, update and delete groups in Office 365.

VIS-Accounts-O365 — Grants visibility for all Office 365 groups.

ACT-Account-Object-Administration-O365 — Grants access to create, edit, and delete accounts in Office 365.

Expand

title	SAP Groups

In addition to the UI-Account-Object Administration Management Role, users need the following roles to create, update and delete SAP roles and profiles.

VIS-Groups-SAP — Grants visibility for all SAP roles and profiles.

ACT-Group-Object-Administration-All— Grants access to create, edit, and delete all groups, including those in SAP.

Expand

title	Groups Under All IT Systems

In addition to the UI-Account-Object Administration Management Role, users need the following roles to create, update and delete group under the All IT Systems location.

VIS-Groups-All-IT-Systems— Grants visibility for all groups under the All IT Systems location.

ACT-Group-Object-Administration-All— Grants access to create, edit, and delete all groups, including those under the All IT Systems location.

Expand

title	Roles needed to create, update and delete groups in any system

Management Role

Access Granted by Management Role

Role Type

UI-Group-Object-Administration

Grants access to the user interfaces and workflows for creating, updating and deleting user accounts.

Feature Set — Inherits the below Access Levels from the parent Management Role Definition:

PAGES AND CONTROLS ACCESS

Find Group Page
- Viewer for the page
- Viewer for the Location Tree
- Viewer for the All Groups Tab
- Viewer for the Deleted Tab
Group View One Page
- Viewer for the page
- Viewer for the Actions Accordion
- Viewer for the Owners Grid
- Viewer for the Advanced Tab
- Viewer for the Advanced Tab Membership Changes Accordion
- Viewer for the Advanced Tab Accept Reject Mail Accordion
Edit Group Page
- Viewer for the page
Create Group Page
- Viewer for the page
Create Group Simple Page
- Viewer for the page
Group Resource Type Dropdown Item
- Viewer for the control

WEB SERVICE ACCESS

Group View
- Executor for the service
Group Account View
- Executor for the service
Group Account History View
- Executor for the service

WORKFLOW ACCESS

Create Group
- Initiator for the workflow
Move Group
- Initiator for the workflow
Resource Manager Edit Group
- Initiator for the workflow
Update Resource Locations
- Initiator for the workflow
Update Resource Tags
- Initiator for the workflow
Update Owner Assignee
- Initiator for the workflow
Update Person Catalog Category Requestable Entitlements
- Initiator for the workflow
Restore Deleted Groups Bulk
- Initiator for the workflow

VIS-Groups-All

Grants visibility for all groups.

Visibility

ACT-Group-Object-Administration-All

Grants access to create, edit and delete all groups anywhere.

Activity

Div

style	float: left; position: fixed;

IN THIS ARTICLE

Table of Contents

minLevel	2
maxLevel	3
style	none
printable	false

Insert excerpt

	IL:External Stylesheet - v1
	IL:External Stylesheet - v1
nopanel	true

Page Comparison

Versions Compared

Old Version 2

New Version Current

Key

Roles needed by users to view and edit account profile information

PAGES AND CONTROLS ACCESS

WORKFLOW ACCESS

PAGES AND CONTROLS ACCESS

WORKFLOW ACCESS

PAGES AND CONTROLS ACCESS

WORKFLOW ACCESS

PAGES AND CONTROLS ACCESS

WORKFLOW ACCESS

PAGES AND CONTROLS ACCESS

WORKFLOW ACCESS

PAGES AND CONTROLS ACCESS

WORKFLOW ACCESS

Roles needed to add and remove accounts to and from groups

PAGES AND CONTROLS ACCESS

WORKFLOW ACCESS

PAGES AND CONTROLS ACCESS

WORKFLOW ACCESS

PAGES AND CONTROLS ACCESS

WORKFLOW ACCESS

PAGES AND CONTROLS ACCESS

WORKFLOW ACCESS

PAGES AND CONTROLS ACCESS

WORKFLOW ACCESS

PAGES AND CONTROLS ACCESS

WORKFLOW ACCESS

PAGES AND CONTROLS ACCESS

WORKFLOW ACCESS

PAGES AND CONTROLS ACCESS

WORKFLOW ACCESS

PAGES AND CONTROLS ACCESS

WORKFLOW ACCESS

PAGES AND CONTROLS ACCESS

WORKFLOW ACCESS

Roles needed to create, update and delete accounts

PAGES AND CONTROLS ACCESS

WORKFLOW ACCESS

PAGES AND CONTROLS ACCESS

WORKFLOW ACCESS

PAGES AND CONTROLS ACCESS

WORKFLOW ACCESS

PAGES AND CONTROLS ACCESS

WORKFLOW ACCESS

Roles needed to create, update and delete groups

PAGES AND CONTROLS ACCESS

WEB SERVICE ACCESS

WORKFLOW ACCESS

PAGES AND CONTROLS ACCESS

WEB SERVICE ACCESS

WORKFLOW ACCESS

PAGES AND CONTROLS ACCESS

WEB SERVICE ACCESS

WORKFLOW ACCESS

PAGES AND CONTROLS ACCESS

WEB SERVICE ACCESS

WORKFLOW ACCESS