Organizations can customize have the ability to tailor requestable permissions for inventoried computers, enabling allowing users to request those these permissions when connecting through Privileged Session Management (PSM). Known Referred to as “IAM "IAM Shop Permission Levels” Levels" in EmpowerID, these permissions are crucial in fortifying play a vital role in enhancing IT security. They serve a dual purpose: they grant specific permissions during a computer session and enhance overall security by enforcing the principle of least privilege, automatically revoking these permissions once the session concludes.
When setting up IAM Shop Permission Levels for computers, organizations select specific groups with these permissions within the native system. Users who are members Members of these groups are granted the access specified by the permission level, or those eligible for membership, can request the permission level when connecting via PSM. Moreover, systems can be configured to support Just-In-Time account provisioning for these groups. In such cases, EmpowerID creates an account linked to the individual and adds it to the group for the duration of the session. Upon the session's end, the account is removed from the group, ensuring a least privileged, zero-trust security model.
...
Access the Computer's View (Configuration) Page:
Use the Global Search to locate the computer you wish to configure.
Navigate to the RBAC subtab on the computer's View page.
Expand the IAM Shop Assignees for Requesting Access accordion.
Click the Add New button.
Configure the IAM Shop Permission Level:
Under General, select the desired IAM Shop Permission Level.
Under Assignee Granting the Permission Level, do the following:
Select whether to Enforce Assignee Eligibility in IAM Shop. This setting instructs the system to confirm if users who request check whether users meet the necessary eligibility requirements before they can view and select the IAM Shop Permission Level satisfy the necessary eligibility requirements before being granted . If users do not meet these criteria, the permission level will not be available when requesting access. For example, if the assignee granting the permission is a group, the system will verify if only users are eligible to be members of that group prior to granting them eligible for membership in that group will see the permission level as an available option.
Select the assignee type from the Which Type of Assignee For This Policy dropdown.
Select the appropriate assignee from the Select <Assignee> To Receive Policy dropdown.
Click Save.
Finalize the Configuration:
Repeat the addition of other assignees as necessary.
Click Submit to complete the process.
...