EmpowerID restricts access to people through the use of Management Roles. To work with people, users must be assigned to the appropriate roles. Management Roles are prefixed by their function in EmpowerID and include the following:
UI — Management Roles prefixed with UI grant users access to specific UI elements in the EmpowerID Web interface. An example of this type of role for people is UI-Person-Object-Administration. This role grants access to the user interfaces and workflows for managing Person objects.
VIS — Management Roles prefixed with VIS grant users the ability to see specific objects in EmpowerID. An example of this type of role for people is VIS-Person-MyLocations. This role grants access to see people that belong to the same location as the person with the role.
ACT — Management Roles prefixed with ACT grant users the ability to manage specific objects in EmpowerID. An example of this type of role for people is ACT-Person-Role-Assignment-All. This role grants users with the role the ability to assign and unassign people to and from roles.
Roles Needed to See People
To see themselves and other people within EmpowerID, and to view their basic profile information, users need to have a combination of the following Management Role assignments (based on the needed scope):
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Person-Profile-Self-Service | Grants people access to the user interfaces and workflows for managing their own profile attributes. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS: View Self Page; Edit Self Person Page. WORKFLOW ACCESS |
VIS-Person-Self | Grants people visibility to see their own person. Can view basic information about themselves. Granted by default to all people. | Visibility |
ACT-Person-Profile-Self-Service | Grants people the ability to edit their profile attributes. | Activity |
Profile Self-Service | Grants people the ability to edit their own profile attributes. Can be used in place of the above three Management Roles assignments. | Role Bundle — Contains the Management Roles VIS-Person-Self, ACT-Person-Profile-Self-Service and UI-Person-Profile-Self-Service |
VIS-Person-MyLocations | Grants visibility for all people in a person's locations. Can view basic information about people belonging to the same locations. This role would be assigned if the person should have visibility for people in their locations only. | Visibility |
VIS-Person-MyOrg | Grants visibility for people in a person's organizations. Can view basic information about people belonging to the same organizations. This role would be assigned if the person should have visibility for all people in their organizations. | Visibility |
VIS-Person-MyDirectReports | Grants visibility for all direct reports of the person with the role. Can view basic information about their direct reports. This role would be assigned if the person should have visibility for their direct reports. | Visibility |
VIS-People-All | Grants visibility for all people in the system. Can view basic information about all people in the system. This role would be assigned if the person should have visibility for all people. | Visibility |
Roles needed to manage profiles
To manage the profile information of people, users need to have a combination of the following Management Role assignments (based on the needed scope):
Roles needed by people to manage the profiles of their direct reports
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Person-Profile-Edit | Grants people access to the user interfaces and workflows for editing people’s profile attributes. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS: Find Person Page; View One Person Page. WORKFLOW ACCESS: Profile Manager Workflow; Initiator for the workflow |
VIS-Person-MyDirectReports | Grants visibility for all direct reports of the person with the role. Can view basic information about their direct reports. | Visibility |
ACT-Person-Profile-Edit-DirectReports | Grants the ability to edit the profile attributes for their Direct Reports. | Activity |
Roles needed by people to manage the profiles of people in their locations
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Person-Profile-Edit | Grants people access to the user interfaces and workflows for editing people’s profile attributes. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS; WORKFLOW ACCESS |
VIS-Person-MyLocations | Grants visibility for all people in a person's locations. Can view basic information about people belonging to the same locations. | Visibility |
ACT-Person-Profile-Edit-MyLocations | Grants the ability to edit the profile attributes for all people in their locations. | Activity |
Roles needed to manage the profile information of users belonging to the same organizations as the people with the roles
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Person-Profile-Edit | Grants people access to the user interfaces and workflows for editing people’s profile attributes. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS; WORKFLOW ACCESS |
VIS-Person-MyOrg | Grants visibility for people in a person's organizations. Can view basic information about people belonging to the same organizations. | Visibility |
ACT-Person-Profile-Edit-MyOrg | Grants the ability to edit the profile attributes for all people in their organizations. | Activity |
Roles needed to manage the profile information of partners and customers
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Person-Profile-Edit | Grants people access to the user interfaces and workflows for editing people’s profile attributes. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS; WORKFLOW ACCESS |
VIS-People-All | Grants visibility for all people in the system. | Visibility |
ACT-Person-Profile-Edit-Customers | Grants the ability to edit the profile attributes for all people below the Customers location. | Activity |
ACT-Person-Profile-Edit-Partners | Grants the ability to edit the profile attributes for all people below the Partners location. | Activity |
Roles needed to manage the profile information of all people
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Person-Profile-Edit | Grants people access to the user interfaces and workflows for editing people’s profile attributes. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS; WORKFLOW ACCESS |
VIS-Person-All | Grants visibility for all people in the system. | Visibility |
ACT-Person-Profile-Edit-All | Grants the ability to edit the profile attributes for all people in the system. | Activity |
Roles Needed to Manage the Management Role Assignments of People
To manage the Management Role assignments of people, users need to have a combination of the following Management Role assignments (based on the needed scope):
Management Role | Purpose of Management Role | Role Type |
---|---|---|
UI-Management-Role-Membership-Management | Grants people access to the user interfaces and workflows for managing the membership of Management Roles. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS; WORKFLOW ACCESS: Update Management Role Assignments Workflow |
VIS-Person-MyDirectReports | Grants visibility for all direct reports of the person with the role. The role is needed when responsible for assigning roles to direct reports. | Visibility |
VIS-People-All | Grants visibility for all people in the system. The role is needed when responsible for assigning roles to any person in the system. | Visibility |
VIS-Management-Role-MyLocations | Grants access to the View pages for Management Roles in a person's locations. The role is needed when responsible for assigning roles that are in the person’s locations. | Visibility |
VIS-Management-Role-MyOrg | Grants access to the View pages for people in a person's organizations. The role is needed when responsible for assigning roles that are in the person’s organizations. | Visibility |
VIS-Management-Role-All | Grants access to the View pages for all people in the system. The role is needed when responsible for assigning roles in any location. | Visibility |
ACT-Management-Role-Membership-Management-All | Grants access to manage membership for all management roles. | Activity |
ACT-Management-Role-Membership-Management-Azure-License-Manager | Grants access to manage membership for all management roles for the Azure License Manager Application. | Activity |
ACT-Management-Role-Membership-Management-MyLocations | Grants access to manage membership for management roles in a person's locations. | Activity |
ACT-Management-Role-Membership-Management-MyOrg | Grants access to manage membership for management roles in a person's organization. | Activity |
ACT-Management-Role-Membership-Management-Partners | Grants access to manage membership for management roles in or below the Partners location. | Activity |
Roles needed to manage Management Role assignments
To manage the Management Role assignments of people, users need to have a combination of the following Management Role assignments (based on the needed scope):
Roles needed by people to manage the Management Role assignments of people and roles in their locations
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Management-Role-Membership-Management | Grants access to the user interfaces and workflows for managing the membership of Management Roles. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS: Find Person Page; View One Person Page; Viewer for the page; Viewer for the Manage Tab; Viewer for the Roles, Accounts and Login Security accordion; Viewer for the Advanced Attributes Editable Lists; Find Management Role Page; Management Role View One Page; Viewer for the page; Viewer for the General Tab; Viewer for the More Info Accordion; Viewer for the People Members of Management Role Grid; Resultant Resource Locations Page. WORKFLOW ACCESS |
VIS-Person-MyLocations | Grants visibility for all people in a person's locations. The role is needed when responsible for assigning roles to people in the person’s locations. | Visibility |
VIS-Management-Role-MyLocations | Grants visibility for all Management Roles belonging to the same locations. | Visibility |
ACT-Management-Role-Membership-Management-MyLocations | Grants access to manage membership for management roles in a person's locations. | Activity |
Roles needed by people to manage the Management Role assignments of people and roles in their organizations
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Management-Role-Membership-Management | Grants access to the user interfaces and workflows for managing the membership of Management Roles. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS: Find Person Page; View One Person Page; Viewer for the page; Viewer for the Manage Tab; Viewer for the Roles, Accounts and Login Security accordion; Viewer for the Advanced Attributes Editable Lists; Find Management Role Page; Management Role View One Page; Viewer for the page; Viewer for the General Tab; Viewer for the More Info Accordion; Viewer for the People Members of Management Role Grid; Resultant Resource Locations Page. WORKFLOW ACCESS |
VIS-Person-MyOrg | Grants visibility for people in a person's organizations. The role is needed when responsible for assigning roles to people in the person’s organizations. | Visibility |
VIS-Management-Role-MyOrg | Grants visibility for all Management Roles belonging to the same organizations. | Visibility |
ACT-Management-Role-Membership-Management-MyOrg | Grants access to manage membership for management roles in a person's organization. | Activity |
Roles needed by people to manage the Management Role assignments of partners
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Management-Role-Membership-Management | Grants access to the user interfaces and workflows for managing the membership of Management Roles. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS: Find Person Page; View One Person Page; Viewer for the page; Viewer for the Manage Tab; Viewer for the Roles, Accounts and Login Security accordion; Viewer for the Advanced Attributes Editable Lists; Find Management Role Page; Management Role View One Page; Viewer for the page; Viewer for the General Tab; Viewer for the More Info Accordion; Viewer for the People Members of Management Role Grid; Resultant Resource Locations Page. WORKFLOW ACCESS |
VIS-Person-All | Grants visibility for all people. | Visibility |
VIS-Management-Role-All | Grants visibility for all Management Roles. | Visibility |
ACT-Management-Role-Membership-Management-Partners | Grants access to manage membership for management roles in or below the Partners location. | Activity |
Roles needed by people to manage the Management Role assignments of all people
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Management-Role-Membership-Management | Grants access to the user interfaces and workflows for managing the membership of Management Roles. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS: Find Person Page; View One Person Page; Viewer for the page; Viewer for the Manage Tab; Viewer for the Roles, Accounts and Login Security accordion; Viewer for the Advanced Attributes Editable Lists; Find Management Role Page; Management Role View One Page; Viewer for the page; Viewer for the General Tab; Viewer for the More Info Accordion; Viewer for the People Members of Management Role Grid; Resultant Resource Locations Page. WORKFLOW ACCESS |
VIS-Person-All | Grants visibility for all people in the system. | Visibility |
VIS-Management-Role-All | Grants visibility for all Management Roles. | Visibility |
ACT-Management-Role-Membership-Management-All | Grants access to manage membership for all Management Roles. | Activity |
Roles needed to manage Business Role assignments
To manage the Business Role assignments of people, users need to have a combination of the following Management Role assignments (based on the needed scope):
Roles needed by people to manage the Business Role assignments of roles and people in their locations
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Person-Role-Assignment | Grants access to user interface and workflows for managing assignments of people to roles. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS. WORKFLOW ACCESS: Update Person Business Roles; Update Business Role and Location Person Assignment; Update Person Management Role Assignments; Change Primary Business Role and Location Workflow; Move People Location Only |
VIS-Person-MyLocations | Grants visibility for all people in a person's locations. The role is needed when responsible for assigning roles to people in the person’s locations. | Visibility |
VIS-BusinessRole-MyLocations | Grants visibility for Business Roles in a person's locations. This role is required to see qualifying Business Roles in the Business Roles trees. | Visibility |
VIS-Location-MyLocationsAndBelow | Grants visibility for the Person's locations and below. This role is required to see qualifying Locations in the Locations trees. | Visibility |
ACT-Business-Role-Assignment-MyLocations | Grants people with the role access to operations for managing assignments of people to business roles in the person's locations and below. | Activity |
Roles needed by people to manage the Business Role assignments of roles and people in their organizations
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Person-Role-Assignment | Grants access to user interface and workflows for managing assignments of people to roles. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS. WORKFLOW ACCESS: Update Person Business Roles; Update Business Role and Location Person Assignment; Update Person Management Role Assignments; Change Primary Business Role and Location Workflow; Move People Location Only |
VIS-Person-MyOrg | Grants visibility for people in a person's organizations. The role is needed when responsible for assigning roles to people in the person’s organizations. | Visibility |
VIS-BusinessRole-MyOrg | Grants visibility for Business Roles in a person's organizations. This role is required to see qualifying Business Roles in the Business Roles trees. | Visibility |
VIS-Location-All-Business-Locations | Grants visibility for all locations under All Business Locations. This role is required to see qualifying Locations in the Locations trees. | Visibility |
VIS-Location-MyLocationsAndAbove | Grants visibility for the Person's locations and above. This role is required to see qualifying Locations in the Locations trees. | Visibility |
ACT-Business-Role-Assignment-MyOrg | Grants people with the role access to operations for managing assignments of people to business roles in the person's organizations. | Activity |
Roles needed by people to manage all Business Role assignments
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Person-Role-Assignment | Grants access to user interface and workflows for managing assignments of people to roles. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS. WORKFLOW ACCESS: Update Person Business Roles; Update Business Role and Location Person Assignment; Update Person Management Role Assignments; Change Primary Business Role and Location Workflow; Move People Location Only |
VIS-Person-All | Grants visibility for all people in the system. | Visibility |
VIS-BusinessRole-All | Grants visibility for all Business Roles. This role is required to see qualifying Business Roles in the Business Roles trees. | Visibility |
VIS-Location-All | Grants visibility for all locations in the location trees related to managing shared credentials. This role is required to see qualifying Locations in the Locations trees. | Visibility |
ACT-Business-Role-Assignment-All | Grants people with the role access to operations for managing assignments of people to business roles in the person's organizations. | Activity |
Roles needed to manage group membership
To manage the group membership of people, users need to have the following Management Role assignment:
Roles needed by people to manage the group membership of people and groups belonging to their locations
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Group-Membership-Management | Grants access to user interface and workflows for group membership management. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS: Find Group Page; Group View One Page; Viewer for the page; Viewer for the General Tab; Viewer for the Membership Changes Tab; Viewer for the Members Grid. WORKFLOW ACCESS: Add People to Groups; Update Person Group Membership; Add Accounts to Groups; Update Group Account Membership; Add Groups to Group; Remove Groups from Group; Remove Service Principal From Groups; Temporary Group Membership |
VIS-Person-MyLocations | Grants visibility for all people in a person's locations. The role is needed when responsible for assigning roles to people in the person’s locations. | Visibility |
VIS-Groups-Security-MyLocation | Grants visibility for all Security groups in a person’s locations. | Visibility |
VIS-Groups-Distribution-MyLocation | Grants visibility for all Distribution groups in a person’s locations. | Visibility |
VIS-Groups-Generic-MyLocation | Grants visibility for all Generic groups in a person’s locations. | Visibility |
ACT-Group-Membership-Management-Distribution-MyLocations | Grants people with the role access to manage membership for all distribution groups in a person's locations. | Activity |
ACT-Group-Membership-Management-Generic-MyLocations | Grants people with the role access to manage membership for all generic groups in a person's locations. | Activity |
ACT-Group-Membership-Management-Security-MyLocations | Grants people with the role access to manage membership for all security groups in a person's locations. | Activity |
Roles needed by people to manage the group membership of people and groups belonging to their organizations
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Group-Membership-Management | Grants access to user interface and workflows for group membership management. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS: Find Group Page; Group View One Page; Viewer for the page; Viewer for the General Tab; Viewer for the Membership Changes Tab; Viewer for the Members Grid. WORKFLOW ACCESS: Add People to Groups; Update Person Group Membership; Add Accounts to Groups; Update Group Account Membership; Add Groups to Group; Remove Groups from Group; Remove Service Principal From Groups; Temporary Group Membership |
VIS-Person-MyOrg | Grants visibility for people in a person's organizations. The role is needed when responsible for assigning roles to people in the person’s organizations. | Visibility |
VIS-Groups-Security-MyOrg | Grants visibility for all Security groups in a person’s organizations. | Visibility |
VIS-Groups-Distribution-MyOrg | Grants visibility for all Distribution groups in a person’s organizations. | Visibility |
VIS-Groups-Generic-MyOrg | Grants visibility for all Generic groups in a person’s organizations. | Visibility |
ACT-Group-Membership-Management-Security-MyOrganizations | Grants people with the role access to manage membership for all security groups in a person's organizations. | Activity |
ACT-Group-Membership-Management-Distribution-MyOrganizations | Grants people with the role access to manage membership for all distribution groups in a person's organizations. | Activity |
ACT-Group-Membership-Management-Generic-MyOrganizations | Grants people with the role access to manage membership for all generic groups in a person's organizations. | Activity |
Roles needed by people to manage all group memberships
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Group-Membership-Management | Grants access to user interface and workflows for group membership management. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS: Find Group Page; Group View One Page; Viewer for the page; Viewer for the General Tab; Viewer for the Membership Changes Tab; Viewer for the Members Grid. WORKFLOW ACCESS: Add People to Groups; Update Person Group Membership; Add Accounts to Groups; Update Group Account Membership; Add Groups to Group; Remove Groups from Group; Remove Service Principal From Groups; Temporary Group Membership |
VIS-Person-All | Grants visibility for all people in the system. | Visibility |
VIS-Groups-All | Grants visibility for all groups. | Visibility |
ACT-Group-Membership-Management-All-Groups | Grants people with the role access to manage membership for all groups. | Activity |
Additional Group Management Roles that can be used with any of the above roles depending on the needed scope
Management Role | Purpose of Management Role | Role Type |
---|---|---|
VIS-Groups-All-AD | Grants visibility for all AD groups. | Visibility |
VIS-Groups-All-AWS | Grants visibility for all AWS groups. | Visibility |
VIS-Groups-All-Azure | Grants visibility for all Azure groups in any tenant. | Visibility |
VIS-Groups-All-IT-Systems | Grants visibility for all groups under All IT Systems. | Visibility |
VIS-Groups-All-O365 | Grants visibility for all Office 365 groups. | Visibility |
VIS-Groups-All-SAP | Grants visibility for all SAP Roles and Profiles. | Visibility |
ACT-Group-Membership-Management-All-AD-Groups | Grants people with the role access to manage membership for all Active Directory groups. | Activity |
ACT-Group-Membership-Management-All-AWS-Groups | Grants people with the role access to manage membership for all AWS groups. | Activity |
ACT-Group-Membership-Management-All-IT-Systems | Grants people with the role access to manage group membership for all groups under All IT Systems. | Activity |
ACT-Group-Membership-Management-All-O365-Groups | Grants people with the role access to manage membership for all Office 365 groups. | Activity |
ACT-Group-Membership-Management-All-SAP-Groups | Grants people with the role access to manage membership for all SAP Roles and Profiles. | Activity |
Roles Needed to Create Person Objects
To create new Person objects in EmpowerID, users need to have a combination of the following Management Role assignments (based on the needed scope):
Roles needed by people to create new people in their locations
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Person-Object-Create | Grants access to the user interfaces and workflows to create Person objects. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS; WORKFLOW ACCESS |
VIS-Person-MyLocations | Grants visibility for all people in a person's locations. Visibility is needed to access the Action links for opening the Create Person Simple page and the Create Person Advanced Edit One page. | Visibility |
VIS-BusinessRole-MyLocations | Grants visibility for Business Roles in a person's locations. This role is required to see qualifying Business Roles in the Business Roles trees. All people must have a Business Role. | Visibility |
VIS-Location-MyLocationsAndBelow | Grants visibility for the Person's locations and below. This role is required to see qualifying Locations in the Locations trees. All people must belong to a location. | Visibility |
ACT-Business-Role-Assignment-MyLocations | Grants people with the role access to operations for managing assignments of people to business roles in the person's locations and below. | Activity |
Additionally, if running the Create Person Advanced workflow and assigning Management Roles to the person, users need the following additional roles: | | |
VIS-Management-Role-MyLocations | Grants visibility for Management Roles belonging to the same locations as the current person. If the Management Roles do not meet this criterion, they are not visible. | Visibility |
ACT-Management-Role-Membership-Management-MyLocations | Grants access to manage membership for all Management Roles belonging to the same location as the current person. | Activity |
Roles needed by people to create new people in their organizations
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Person-Object-Create | Grants access to the user interfaces and workflows to create Person objects. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS; WORKFLOW ACCESS |
VIS-Person-MyOrg | Grants visibility for people in a person's organizations. Visibility is needed to access the Action links for opening the Create Person Simple page and the Create Person Advanced Edit One page. | Visibility |
VIS-BusinessRole-MyOrg | Grants visibility for Business Roles in a person's organizations. This role is required to see qualifying Business Roles in the Business Roles trees. | Visibility |
VIS-Location-All-Business-Locations | Grants visibility for all locations under All Business Locations. This role is required to see qualifying Locations in the Locations trees. | Visibility |
VIS-Location-MyLocationsAndAbove | Grants visibility for the Person's locations and above. This role is required to see qualifying Locations in the Locations trees. | Visibility |
VIS-Location-MyLocationsAndBelow | Grants visibility for the Person's locations and below. This role is required to see qualifying Locations in the Locations trees. | Visibility |
ACT-Business-Role-Assignment-MyOrg | Grants people with the role access to operations for managing assignments of people to business roles in the person's organizations. | Activity |
Additionally, if running the Create Person Advanced workflow and assigning Management Roles to the person, users need the following additional roles: | | |
VIS-Management-Role-MyOrg | Grants visibility for Management Roles belonging to the same organizations as the current person. | Visibility |
ACT-Management-Role-Membership-Management-MyOrg | Grants access to manage membership for all Management Roles belonging to the same organizations as the current person. | Activity |
Roles needed by people to create new people in any location
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Person-Object-Create | Grants access to the user interfaces and workflows to create Person objects. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS; WORKFLOW ACCESS |
VIS-Person-All | Grants visibility for all people in the system. Visibility is needed to access the Action links for opening the Create Person Simple page and the Create Person Advanced Edit One page. | Visibility |
VIS-BusinessRole-All | Grants visibility for all Business Roles. This role is required to see qualifying Business Roles in the Business Roles trees. | Visibility |
VIS-Location-All | Grants visibility for all locations in the system. This role is required to see qualifying Locations in the Locations trees. | Visibility |
ACT-Business-Role-Assignment-All | Grants people with the role access to operations for managing assignments of people to any business role. | Activity |
Additionally, if running the Create Person Advanced workflow and assigning Management Roles to the person, users need the following additional roles: | | |
VIS-Management-Role-All | Grants visibility for all Management Roles. | Visibility |
ACT-Management-Role-Membership-Management-All | Grants access to manage membership for all Management Roles. | Activity |
Roles Needed to Administer People
To perform administrative actions against people, such as creating and deleting them from EmpowerID, users need to have a combination of the following Management Role assignments (based on the needed scope):
Roles needed by people to administer people belonging to their locations
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Person-Object-Administration | Grants access to the user interfaces and workflows for person object management. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS: Find Person Page Viewer for the page Viewer for the People Tab Viewer for the Deleted People Tab Viewer for the Pending Termination Tab; View One Person Page Viewer for the page Viewer for the Manage Tab Viewer for the Org Chart Accordion Viewer for the Actions Accordion Viewer for the Advanced Attributes Editable Lists; Edit Person Page Edit Person Contextual Page Create Person Simple Page Create Person Advanced Edit One Page Resultant Resource Locations Page Navbar Global Search Box; WORKFLOW ACCESS: Create Person Person Edit Disable Multiple People WF Enable People Update Person Relationships Reset Password and Email Invite User to Join Organization Person Photo Approval Delete Multiple People with Options Restore Multiple Deleted People |
VIS-Person-MyLocations | Grants visibility for all people in a person's locations. Visibility is needed to access the Action links for the appropriate workflow and pages related to person management. | Visibility |
ACT-Person-Object-Administration-MyLocations | Grants people with the role access to create, update, and delete people belonging to the same locations. | Activity |
Roles needed by people to administer people belonging to their organizations
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Person-Object-Administration | Grants access to the user interfaces and workflows for person object management. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS: Find Person Page Viewer for the page Viewer for the People Tab Viewer for the Deleted People Tab Viewer for the Pending Termination Tab; View One Person Page Viewer for the page Viewer for the Manage Tab Viewer for the Org Chart Accordion Viewer for the Actions Accordion Viewer for the Advanced Attributes Editable Lists; Edit Person Page Edit Person Contextual Page Create Person Simple Page Create Person Advanced Edit One Page Resultant Resource Locations Page Navbar Global Search Box; WORKFLOW ACCESS: Create Person Person Edit Disable Multiple People WF Enable People Update Person Relationships Reset Password and Email Invite User to Join Organization Person Photo Approval Delete Multiple People with Options Restore Multiple Deleted People |
VIS-Person-MyOrg | Grants visibility for all people in a person's locations. Visibility is needed to access the Action links for the appropriate workflow and pages related to person management. | Visibility |
ACT-Person-Object-Administration-MyOrg | Grants people with the role access to create, update, and delete people belonging to the same locations. | Activity |
Roles needed by people to administer partners and customers
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Person-Object-Administration | Grants access to the user interfaces and workflows for person object management. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS: Find Person Page Viewer for the page Viewer for the People Tab Viewer for the Deleted People Tab Viewer for the Pending Termination Tab; View One Person Page Viewer for the page Viewer for the Manage Tab Viewer for the Org Chart Accordion Viewer for the Actions Accordion Viewer for the Advanced Attributes Editable Lists; Edit Person Page Edit Person Contextual Page Create Person Simple Page Create Person Advanced Edit One Page Resultant Resource Locations Page Navbar Global Search Box; WORKFLOW ACCESS: Create Person Person Edit Disable Multiple People WF Enable People Update Person Relationships Reset Password and Email Invite User to Join Organization Person Photo Approval Delete Multiple People with Options Restore Multiple Deleted People |
VIS-Person-All | Grants visibility for all people. Visibility is needed to access the Action links for the appropriate workflow and pages related to person management. | Visibility |
ACT-Person-Object-Administration-Partners | Grants people with the role access to create, update, and delete all people below the Partners location. | Activity |
ACT-Person-Object-Administration-Customers | Grants people with the role access to create, update, and delete all people below the Customers location. | Activity |
Roles needed by people to administer all people
Management Role | Access Granted by Management Role | Role Type |
---|---|---|
UI-Person-Object-Administration | Grants access to the user interfaces and workflows for person object management. | Feature Set — Inherits the below Access Levels from the parent Management Role Definition: PAGES AND CONTROLS ACCESS: Find Person Page Viewer for the page Viewer for the People Tab Viewer for the Deleted People Tab Viewer for the Pending Termination Tab; View One Person Page Viewer for the page Viewer for the Manage Tab Viewer for the Org Chart Accordion Viewer for the Actions Accordion Viewer for the Advanced Attributes Editable Lists; Edit Person Page Edit Person Contextual Page Create Person Simple Page Create Person Advanced Edit One Page Resultant Resource Locations Page Navbar Global Search Box; WORKFLOW ACCESS: Create Person Person Edit Disable Multiple People WF Enable People Update Person Relationships Reset Password and Email Invite User to Join Organization Person Photo Approval Delete Multiple People with Options Restore Multiple Deleted People |
VIS-Person-All | Grants visibility for all people. Visibility is needed to access the Action links for the appropriate workflow and pages related to person management. | Visibility |
ACT-Person-Object-Administration-All | Grants people with the role access to create, update, and delete all people. | Activity |