Organizations can configure have the ability to tailor requestable permissions for inventoried computers to give , allowing users the ability to request those these permissions when connecting via through Privileged Session Management (PSM). These permissions, known in EmpowerID as “IAM Referred to as "IAM Shop Permission Levels,” are fundamental to creating a secure IT environment and " in EmpowerID, these permissions play a vital role in enhancing IT security. They serve a dual purpose: providing distinct permissions while in they grant specific permissions during a computer session and reinforcing the enhance overall security posture by adhering to enforcing the principle of least privilege by removing those permissions from users immediately after their session ends. When configuring , automatically revoking these permissions once the session concludes.
When setting up IAM Shop Permission Levels for computers, organizations pick select specific groups with those these permissions on within the native system. If users belong to those groups, they get the specified access. Additionally, computers Members of these groups, or those eligible for membership, can request the permission level when connecting via PSM. Moreover, systems can be configured to allow support Just-In-Time account provisioning in those for these groups. When this is the caseIn such cases, EmpowerID provisions creates an account that is linked to the person individual and adds it to the group . Once for the duration of the session. Upon the session ends's end, the account is removed from the group. This ensures , ensuring a truly least privileged, zero-trust environmentsecurity model. Coupled with eligibility Tooltip and footnote macro
Steps to Assign IAM Shop Permission Levels
To effectively assign IAM Shop Permission Levels have the ability to select them when connecting to a computer session.
To successfully assign IAM Shop Permission Levels, administrators must:
...
Assign IAM Shop Permission Levels to computers.
...
, administrators must do the following:
Ensure the target computer is connected to EmpowerID as a Local Windows Server Account Store: This connection is crucial as it enables EmpowerID to inventory the computer's users and groups, which is essential for accurately mapping permission levels to local groups. For the details, please see Connecting to Local Windows Servers as Account Stores.
Assign IAM Shop Permission Levels to Computers: This involves selecting the appropriate permission levels that correspond to the needs and security policies of the organization.
Map IAM Shop Permission Levels to Native Groups: Link the permission levels to the corresponding groups on the computer that grant those native permissions. For
...
instance, to allow users to connect as a local admin, map the “Local Admin” permission level to a "local admin" group on the computer.
...
For effective assignment of IAM Shop Permission Levels, computers must be connected to EmpowerID as Local Windows Server account stores. This connection allows EmpowerID to inventory users and groups on the computer, essential for mapping permission levels to local groups on that machine. Note that permission levels are merely labels and require accurate mapping to grant permissions. |
| Info |
|---|
EmpowerID includes default IAM Shop Permission Levels for computers, such as "Local Admin" and "Domain Admin." However, you can create custom permission levels tailored to your organization's needs. For more information on customization, please see Create IAM Shop Permission Levels. |
How to assign IAM Shop Permission Levels to Computers
...
Navigate to the View One page for the computer to which you want to assign IAM Shop Permission Levels.
The quickest way to do this is to use the Global Search located at the top of each page.
Show Me
...
...
Procedure
Access the Computer's View (Configuration) Page:
Use the Global Search to locate the computer you wish to configure.
Navigate to the RBAC subtab on the computer's View page.
Expand the IAM Shop Assignees for Requesting Access accordion.
Click the Add New
button.
Configure the IAM Shop Permission Level:
Under General, select the desired IAM Shop Permission Level
Under Assignee Granting the Permission Level, do the following:
.
Now that you have selected the permission level, the next step is to select the assignee granting the permission level (map the permission level). In our example, we are going to select an EmpowerID group that is mapped to a group on the native system. You can select any type of RBAC actor as the assignee type as long as that actor has a role that grants the access represented by the access level. 
Under Assignee Granting the Permission Level, do the following:
Select whether to Enforce Assignee Eligibility in IAM Shop. This setting instructs the system to check whether users meet the necessary eligibility requirements before they can view and select the IAM Shop Permission Level. If users do not meet these criteria, the permission level will not be available when requesting access. For example, if the assignee granting the permission is a group, only users eligible for membership in that group will see the permission level as an available option.
Select the assignee type from the Which Type of Assignee For This Policy dropdown.
Select the appropriate assignee from the Select <Assignee> To Receive Policy dropdown.
Click Save.
Finalize the Configuration:
Repeat
the addition of other assignees as
necessary.
Click Submit to complete the process.
...
Expected Results
EmpowerID creates the IAM Shop Assignment for the IAM Shop permission level. You can view and manage these assignments in the IAM Shop Assignees for Requesting Access accordion.
...