EmpowerID ships with the following default Access Level Definitions for each Resource Type. Each Access Level Definition is defined by EmpowerID Operations and/or native system rights. Many of the operations, such as the RBAC operations generated for the Administrator and EmpowerID Administrator Access Level Definitions, are similar for each Resource Type.

RBAC operations allow the person assigned the operation to grant or remove a particular Access Level for the Resource Type to or from another EmpowerID Actor (Account, Group, Set Group, Person, and Business Role and Location) as long as the person with the operation has that operation allowed for the EmpowerID Actor in question as well. This is because the operation is a dual operation; it is being performed against two different types of resources.

For example, if "Vivian" is an Administrator for a Computer object, she has the AddPersonToUse operation allowed for that Computer object, meaning she can assign the Use Access Level for that computer to another EmpowerID Person. However, in order for Vivian to complete the assignment, she must also have the AddPersonToUse operation allowed for the EmpowerID Person receiving the assignment. If she only has the operation allowed for the computer, but not for the person, the assignment is routed for approval to someone with the operation allowed for both Resource Types. This is true for all such RBAC operation assignments.

In the RBAC operations listed below, <%Actor%> is a placeholder for each of the EmpowerID Actor types (Account, Group, Set Group, Person, and Business Role and Location) and <%ResourceRole%> is a placeholder for each Access Level specific to an Access Level Definition. When viewing these types of operations, substitute <%Actor%> with an EmpowerID Actor type and <%ResourceRole%> with the Access Level for the Resource Type.

For example, the Add<%Actor%>To<%ResourceRole%> operation can be parsed out as AddAccountToUse, AddGroupToUse, AddSetGroupToUse, AddPersonToUse, and AddOrgRoleOrgZoneToUse. The only exception to this rule concerns the Set Group, which is generally allowed only for the EmpowerID Administrator Access Level Definitions in the default setup.
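The placeholder expansion and the dual-operation rule described above can be modeled as follows. This is an added example, not EmpowerID code or its API: the triple-based permission store, the object names and the second administrator "Marcus" are assumptions made for illustration.

```python
"""Illustrative model of the dual-operation rule (not EmpowerID code)."""
from itertools import product

# Actor types named on the page, mapped to the token used in operation names.
# "Business Role and Location" appears in operation names as OrgRoleOrgZone.
ACTOR_TOKENS = {
    "Account": "Account",
    "Group": "Group",
    "Set Group": "SetGroup",
    "Person": "Person",
    "Business Role and Location": "OrgRoleOrgZone",
}


def expand_operations(template, access_levels, include_set_group=True):
    """Substitute <%Actor%> and <%ResourceRole%> to get concrete operation names."""
    tokens = [token for actor, token in ACTOR_TOKENS.items()
              if include_set_group or actor != "Set Group"]
    return [template.replace("<%Actor%>", token).replace("<%ResourceRole%>", level)
            for token, level in product(tokens, access_levels)]


def evaluate_assignment(allowed, assigner, operation, resource, recipient):
    """Apply the dual-operation rule to one delegated assignment.

    allowed: set of (actor, operation, object) triples that are set to allowed.
    The assigner needs the operation on BOTH the resource and the recipient;
    otherwise the request is routed to actors who hold it on both.
    """
    def holds(actor, obj):
        return (actor, operation, obj) in allowed

    missing = [obj for obj in (resource, recipient) if not holds(assigner, obj)]
    if not missing:
        return {"decision": "executed", "missing": [], "approvers": []}
    candidates = {actor for actor, op, _ in allowed if op == operation}
    approvers = sorted(a for a in candidates
                       if holds(a, resource) and holds(a, recipient))
    return {"decision": "routed_for_approval", "missing": missing,
            "approvers": approvers}


# Constructed sample data. Vivian comes from the page's example; the object
# names and the second administrator (Marcus) are hypothetical.
ALLOWED = {
    ("Vivian", "AddPersonToUse", "computer:WS-042"),
    ("Marcus", "AddPersonToUse", "computer:WS-042"),
    ("Marcus", "AddPersonToUse", "person:Dana"),
}

if __name__ == "__main__":
    print(expand_operations("Add<%Actor%>To<%ResourceRole%>", ["Use"]))
    print(evaluate_assignment(ALLOWED, "Vivian", "AddPersonToUse",
                              "computer:WS-042", "person:Dana"))
    print(evaluate_assignment(ALLOWED, "Marcus", "AddPersonToUse",
                              "computer:WS-042", "person:Dana"))
```

The `missing` list shows which side of the dual operation the assigner lacks, which is the useful field when reviewing why a request was routed.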

Additionally, to avoid repetition, Access Level Definitions common to all Resource Types, such as the Use and Access Level Assigner Access Level Definitions, are listed under the Common Access Level Definitions heading below and are not repeated for each Resource Type. Where these differ, the definitions are listed under that Resource Type.

Tip

To view the Access Level Definitions with their respective Access Levels and operations, go to the Access Level Definitions node under RBAC Definitions in Configuration Manager.

Common Access Level Definitions

These Access Level Definitions have many operations in common for each Resource Type. The main difference between the two is that the EmpowerID Administrator has all operations allowed for the Resource Type while the Administrator has most, but not all.

Info

The number of Default Access Levels for each Resource Type varies from type to type. For example, the EmpowerID Access Request Catalog Item has four Access Levels while the SharePoint Document has 12. You can view these in Configuration Manager as shown by the image above.

Administrator and EmpowerID Administrator

Operation

Enables any assigned actor to

Add<%Actor%>To<%ResourceRole%>

add the specific Access Level for the Resource Type resource object to the EmpowerID Actor type in question.

AddOperationToResourceTypeRole<%ResourceType%>

add operations to Access Levels for the Resource Type resource object.

AddTo<%ResourceRole%>

grant the specific Access Level for the Resource Type resource object to any EmpowerID Actor type.

AddTo<%ResourceRole%>InLocation

grant the specific Access Level to any EmpowerID Actor for Resource Type resource objects scoped by location.

AddTo<%ResourceRole%>InRelativeResource

grant the specific Access Level to any EmpowerID Actor for resources relative to that actor, such as all resource objects in or below their location.

AssignResourceOrgZone

assign Resource Type resource objects to a location.

CreateResourceTypeRole<%ResourceType%>

create a Resource Type Role for the Resource Type.

Delete

delete a resource from a Resource Type, such as a specific Business Role from the EmpowerID Business Role Resource Type.

DeleteResourceTypeRole<%ResourceType%>

delete a Resource Type Role for the Resource Type.

EditResourceTypeRole<%ResourceType%>

edit a Resource Type Role for the Resource Type.

Use

view the Resource Type resource object in EmpowerID.

ManageAnyResourceRole

assign or unassign any EmpowerID Access Levels.

Info

This operation is needed to grant or revoke direct assignments of Access Levels.

ManageAnyResourceRoleAssignmentByLocation

assign Access Levels by location for the Resource Type resource object.

Info

This operation is needed to grant or revoke assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type, for resource objects by location, meaning the actor needs to have this operation allowed at or below the location for which they are making a by-location Access Level assignment; otherwise the operation will route for approval.

By-location operations such as this affect all objects in or below the location for which the operation is approved.

For example, if you grant this operation to an actor for the Security Group Resource Type, that actor has the ability to grant any Access Level for all security groups in or below the location for which the operation is allowed. Thus, if you have 12 groups in a location named "Switzerland" and 12 groups in a location named "United Kingdom," and you grant this operation for groups in Switzerland, but not for groups in United Kingdom, to a user named "Bob," then Bob can in turn grant the Use Access Level (or the Editor Access Level or any other Access Level that may exist for groups) to any other EmpowerID Actor type at the Switzerland location or at any child locations of the Switzerland location, such as Zurich. This type of by-location assignment at Switzerland would grant the Access Level for all 12 groups in Switzerland simultaneously, including any groups in locations below Switzerland. Bob, however, would not be able to grant any Access Level assignments for groups in the United Kingdom because he does not have the operation allowed for the United Kingdom location. If Bob attempts to make such an assignment, the operation will route for approval.

RevokeResourceOrgZone

remove Resource Type resource objects from a location.

Remove<%Actor%>From<%ResourceRole%>

remove the specific Access Level for the Resource Type resource object from the EmpowerID Actor type in question.

Remove<%Actor%>From<%ResourceRole%>

remove the specific Access Level for the Resource Type resource object from any EmpowerID Actor type.

RemoveFrom<%ResourceRole%>InLocation

remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects scoped by location.

RemoveFrom<%ResourceRole%>InRelativeResource

remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects relative to that actor, such as all resource objects in or below their location.
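The by-location scoping described for ManageAnyResourceRoleAssignmentByLocation above, with the Switzerland and United Kingdom scenario, can be modeled as below to see what a single grant reaches. This is an added example, not EmpowerID code: the location tree layout, the group names and the split of the 12 Swiss groups between Switzerland and Zurich are constructed assumptions.

```python
"""Illustrative model of by-location delegation scope (not EmpowerID code)."""

# Constructed location tree, child -> parent; None marks a top-level location.
PARENT = {"Switzerland": None, "Zurich": "Switzerland", "United Kingdom": None}

# Constructed inventory: 12 security groups in or below each country.
GROUP_LOCATION = {f"CH-Group-{i:02d}": ("Zurich" if i > 8 else "Switzerland")
                  for i in range(1, 13)}
GROUP_LOCATION.update({f"UK-Group-{i:02d}": "United Kingdom" for i in range(1, 13)})

# Locations at which each actor has ManageAnyResourceRoleAssignmentByLocation
# allowed for the Security Group Resource Type (Bob's grant is from the page).
DELEGATED_AT = {"Bob": {"Switzerland"}}


def path_to_top(location):
    """Return the location followed by each of its ancestors."""
    chain = []
    while location is not None:
        if location not in PARENT or location in chain:
            raise ValueError(f"unknown or cyclic location: {location}")
        chain.append(location)
        location = PARENT[location]
    return chain


def covering_grant(actor, location):
    """Return the delegated location whose scope includes `location`, else None."""
    granted = DELEGATED_AT.get(actor, set())
    return next((loc for loc in path_to_top(location) if loc in granted), None)


def groups_in_or_below(location):
    """Every group a by-location assignment at `location` would touch."""
    path_to_top(location)  # validates the location name
    return sorted(group for group, loc in GROUP_LOCATION.items()
                  if location in path_to_top(loc))


def assign_by_location(actor, location):
    """Decide a by-location Access Level assignment made by `actor` at `location`."""
    scope = covering_grant(actor, location)
    return {
        "decision": "executed" if scope else "routed_for_approval",
        "covered_by": scope,
        "groups_affected": len(groups_in_or_below(location)),
    }


def blast_radius(actor):
    """Review aid: how many groups each of the actor's delegations reaches."""
    return {loc: len(groups_in_or_below(loc))
            for loc in sorted(DELEGATED_AT.get(actor, ()))}


if __name__ == "__main__":
    for place in ("Switzerland", "Zurich", "United Kingdom"):
        print(place, assign_by_location("Bob", place))
    print(blast_radius("Bob"))
```

`blast_radius` is the number to look at before approving a by-location delegation, since one grant at a parent location reaches every object beneath it.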

Asset Catalog Item

Administrator and EmpowerID Administrator

In addition to the operations common to all Administrator and EmpowerID Administrator Access Level Definitions mentioned above, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Asset Request Item Resource Type.

Operation

Enables any assigned actor to 

Request

request an Asset Catalog Item.

UnassignFromAdministrator

remove the Administrator Access Level for an Asset Catalog Item from any EmpowerID Actor type.

Requestor

This Access Level Definition allows the actor assigned the Access Level to request Asset Catalog Items in EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to 

Use

view an Access Request Catalog Item in EmpowerID.

Request

request an Access Request Catalog Item.

Attestation Policy

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions mentioned above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID Attestation Policy Resource Type.

Operation

Enables any assigned actor to 

Provision

provision an Attestation Policy object.

Delete

delete an Attestation Policy object.

Edit

edit an Attestation Policy object.

Review

review an Attestation Policy.

Reviewer

This Access Level Definition gives the actor assigned the Access Level the ability to review attestation tasks and perform access certification and has the following operations set to allowed.

Operation

Enables any assigned actor to 

Use

view an Attestation Policy object in EmpowerID.

Review

review an Attestation Policy.

Business Role

Administrator and EmpowerID Administrator

In addition to most of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Business Role Resource Type.

Operation

Enables any assigned actor to 

AssignGroupOrgRoleOrgZone

assign a group to a Business Role and Location.

AssignOrgRoleOrgZone

assign a person to a Business Role and Location as a secondary Business Role and Location.

AssignPersonOrgRoleOrgZone

assign a person to a Business Role and Location.

Insert

create a Business Role.

MoveBusinessRole

move the Business Role from one location to another.

RemoveGroupOrgRoleOrgZone

remove a group from a Business Role and Location.

RemovePersonOrgRoleOrgZone

unassign a person from a secondary Business Role and Location.

SetPersonPrimaryBusinessRoleandLocation

assign the primary Business Role and Location for a person.

Update

edit a Business Role.

Assign and Unassign to Business Role

Operation

Enables any assigned actor to 

AssignOrgRoleOrgZone

assign a person to a Business Role and Location.

AssignPersonOrgRoleOrgZone

assign a person to a Business Role and Location as a secondary Business Role and Location.

Use

view a Business Role.

RemovePersonOrgRoleOrgZone

unassign a person from a secondary Business Role and Location.

SetPersonPrimaryBusinessRoleandLocation

set the primary Business Role and Location for a person.

Editor

This Access Level Definition grants the actor assigned the Access Level the ability to edit Business Roles in EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to 

Edit

edit a Business Role.

Use

view a Business Role.

Update

update a Business Role.

Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.

Operation

Enables any assigned actor to 

AddOrgRoleOrgZoneToRelativeResourceRole

assign relative Access Levels to a Business Role and Location.

AddOrgRoleOrgZoneToResourceRole

assign Access Levels directly to a Business Role and Location.

AddOrgRoleOrgZoneToResourceRoleAssignmentByLocation

assign Access Levels by location to a Business Role and Location.

RemoveOrgRoleOrgZoneFromRelativeResourceRole

remove relative Access Levels from a Business Role and Location.

RemoveOrgRoleOrgZoneFromResourceRole

remove Access Levels directly from a Business Role and Location.

RemoveOrgRoleOrgZoneFromResourceRoleAssignmentByLocation

remove Access Levels scoped by location from a Business Role and Location.

Computer

Administrator and EmpowerID Administrator

In addition to most of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions for the Computer Resource Type both have the following EmpowerID Operations allowed.

Operation

Enables any assigned actor to 

DeleteComputer

delete a Computer object when running the DeleteComputer workflow.

DeleteDirectory

delete a directory when running the DeleteDirectory workflow.

DisableComputer

disable a Computer object when running the DisableComputer workflow.

EditComputerAdvancedSettings

edit the Advanced Tab fields on the Computer Resource Management Screen for a Computer object.

EditDescription

edit the Description field on the Computer Tab of the Computer Resource Management Screen for a Computer object.

EnableComputer

enable a Computer object.

EnableDisableComputerOperation

enable and/or disable a Computer object.

MoveComputer

move a Computer object from one location to another.

ProvisionComputer

provision a Computer object in EmpowerID.

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Computer Resource Type.

Operation

Enables any assigned actor to 

PowershellMoveComputer

move a Computer object using PowerShell commands.

RestartComputer

restart a Computer object.

RestartService

restart a service on an assigned Computer object.

StopApplicationPool

stop an application pool on an assigned Computer object.

StopProcess

stop a process on an assigned Computer object.

StopService

stop a service on an assigned Computer object.

Co-Owner

The Co-Owner Access Level Definition has the following operations set to allowed for the Computer Resource Type.

EmpowerID Operation

Enables any assigned actor to 

Use

view the Computer object in EmpowerID.

ManageAnyResourceRole

assign or unassign any EmpowerID Access Levels for a Computer object. 

Info

This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular Computer object to users.

Create, Enable, Disable, Move and Delete

This Access Level Definition allows the actor assigned the Access Level to create, enable, disable, move and delete assigned Computer objects in EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to 

Use

view a Computer object in EmpowerID.

DeleteComputer

delete a Computer object from EmpowerID.

EnableComputer

enable a Computer object in EmpowerID.

DisableComputer

disable a Computer object in EmpowerID.

ProvisionComputer

provision a Computer object in EmpowerID.

MoveComputer

move a Computer object from one location to another in EmpowerID.

EnableDisableComputerOperation

enable and/or disable a Computer object.

EmpowerID System

Administrator and EmpowerID Administrator

In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Person Resource Type.

Operation

Enables any assigned actor to 

CreateAssetType

create an Asset Type when running the ProvisionCatalogRequest workflow.

EditCatalogRequest

edit a Catalog Request item when running the AssetCatalogItemEdit workflow.

ProvisionCatalogRequest

create a Catalog Request item when running the ProvisionCatalogRequest workflow.

RunPowerShellScript

run a PowerShell Script against resources in EmpowerID.

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID System Resource Type.

Operation

Enables any assigned actor to 

ProvisionSharePointSite

create a SharePoint Site.

User

This Access Level Definition grants the actor assigned the Access Level the ability to log in and use EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to 

Use

view the resource in EmpowerID.

Exchange Mailbox

Administrator and EmpowerID Administrator

In addition to many of the operations common to most Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions for the Exchange Mailbox both have the following operations allowed for the Exchange Mailbox Resource Type.

Operation

Enables any assigned actor to 

AddEmailAddress

add a new email address to an existing user mailbox.

DeleteEmailAddress

delete an email address from an existing user mailbox.

DisableActiveSync

deselect the ActiveSync Enabled option on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

DisableAuto-AcceptCalendar

deselect the Auto-Accept Calendar option on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

DisableMailbox

disable a mailbox by setting all quota values on the mailbox to 0.

DisableOWA

deselect the OWA Enabled option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

DisableRequireAuthenticatedSenders

deselect the Require authenticated senders option in the Send and Receive Limits section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

DisableUseDefaultQuota

deselect the Use Default Quota option on the Quota and Limits Tab of the Exchange Mailbox Resource Management screen.

EditMailboxAlias

edit the Alias option in the Overview section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.

EditMailboxExtensionAttributes

edit the Extension Attributes on the Extension Tab of the Exchange Mailbox Resource Management screen.

EditMailboxNote

edit the Notes field in the Overview section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.

EditRoomCapacity

edit the Capacity field in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.

EditSendandReceiveLimits

edit the fields in the Send and Receive Limits section of the Quota and Limits Tab on the Exchange Mailbox Resource Management screen.

EditAcceptFrom

edit the "Allowed" list for who may send email to a specific mailbox.

EditEmailAddress

edit an email address when running the EditExchangeMailboxAddress workflow.

EditExchangeMailbox

perform a general edit of a mailbox.

EditMailboxForwarding

edit who receives a copy of mail sent to a mailbox.

EditMailboxQuota

edit the Quota fields in the Quota Settings section of the Quota and Limits Tab on the Exchange Mailbox Resource Management screen.

EditSMTPAddresses

edit the SMTP address for a mailbox.

EditRejectFrom

edit the "Allowed" list for who may not send email to a specific mailbox.

EnableRequireAuthenticatedSenders

select the Require authenticated senders option in the Send and Receive Limits section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

EnableActiveSync

select the ActiveSync Enabled option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

EnableAuto-AcceptCalendar

select the Auto-Accept Calendar option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

EnableMailbox

enable a mailbox.

EnableOWA

select the OWA Enabled options in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.

EnableUseDefaultQuota

select the Use Default Quota option in the Quota Limits section on the Quota and Limits Tab of the Exchange Mailbox Resource Management screen.

EnableAutoAccept

enable auto-accept for appointments on room or equipment mailboxes.

HideinGAL

select the Hidden In GAL option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.

LinkAccountToMailbox

link a user account to a mailbox.

MoveMailbox

move a mailbox from one location to another.

ReActiviateMailbox

activate a deactivated mailbox.

RemoteDeviceWipe

wipe data from an Active Sync device the next time the device tries to sync with the server (usually a phone).

RestoreDeletedMailbox

restore a mailbox that has been deleted in EmpowerID.

SetMasterAccount

set the master account for a linked mailbox to an account in a trusted domain in another forest.

ShowinGAL

deselect the Hidden In GAL option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.

SuspendMailbox

set the quota values on a mailbox to 0.

ViewMailboxExtensionAttributes

view the Extension Attributes for a mailbox.

ViewMailboxFeatureAttributes

select the Hidden In GAL option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.

ViewMailboxQuotaAttributes

view the Quota Attributes for a mailbox.

ViewMailboxSendandReceiveLimitsAttributes

view the Send and Receive Limits Attributes for a mailbox.

ViewDeviceStatus

view the status of an Active Sync device.

Full Access in Outlook

This Access Level Definition grants native Full Access permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.

...

Recipient Management

This Access Level Definition grants the actor assigned the Access Level the ability to manage mailboxes in EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to 

AddEmailAddress

add a new email address to an existing user mailbox.

DeleteEmailAddress

delete an email address from an existing user mailbox.

DisableActiveSync

deselect the ActiveSync Enabled option on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

DisableAuto-AcceptCalendar

deselect the Auto-Accept Calendar option on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

DisableMailbox

disable a mailbox by setting all quota values on the mailbox to 0.

DisableOWA

deselect the OWA Enabled option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

DisableRequireAuthentication

deselect the Require authenticated senders option in the Send and Receive Limits section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

DisableUseDefaultQuota

deselect the Use Default Quota option on the Quota and Limits Tab of the Exchange Mailbox Resource Management screen.

EditAcceptFrom

edit the "Allowed" list for who may send email to a specific mailbox.

EditMailboxAlias

edit the Alias option in the Overview section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.

EditMailboxExtensionAttributes

edit the Extension Attributes on the Extension Tab of the Exchange Mailbox Resource Management screen.

EditMailboxNote

edit the Notes field in the Overview section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.

EditRejectFrom

edit the "Allowed" list for who may not send email to a specific mailbox.

EditRoomCapacity

edit the Capacity field in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.

EditSendandReceiveLimits

edit the fields in the Send and Receive Limits section of the Quota and Limits Tab on the Exchange Mailbox Resource Management screen.

EditEmailAddress

edit an email address when running the EditExchangeMailboxAddress workflow.

EditExchangeMailbox

perform a general edit of a mailbox.

EditMailboxForwarding

edit who receives a copy of mail sent to a mailbox.

EditMailboxQuota

edit the Quota fields in the Quota Settings section of the Quota and Limits Tab on the Exchange Mailbox Resource Management screen.

EditSMTPAddresses

edit the SMTP address for a mailbox.

EnableActiveSync

select the ActiveSync Enabled option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

EnableAuto-AcceptCalendar

select the Auto-Accept Calendar option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

EnableMailbox

enable a mailbox.

EnableOWA

select the OWA Enabled options in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.

EnableUseDefaultQuota

select the Use Default Quota option in the Quota Limits section on the Quota and Limits Tab of the Exchange Mailbox Resource Management screen.

EnableAutoAccept

enable auto-accept for appointments on room or equipment mailboxes.

HideinGAL

select the Hidden In GAL option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.

MoveMailbox

move a mailbox from one location to another.

ReActivateMailbox

activate a deactivated mailbox.

RemoveFromReader

remove the Reader Access Level from another EmpowerID Actor type.

RemoveFromRecipientManagement

remove the Recipient Management Access Level from another EmpowerID Actor.

RestoreDeletedMailbox

restore a mailbox that has been deleted in EmpowerID.

ShowinGAL

deselect the Hidden In GAL option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.

ViewMailboxExtensionAttributes

view the Extension Attributes for a mailbox.

ViewMailboxFeatureAttributes

select the Hidden In GAL option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.

ViewMailboxQuotaAttributes

view the Quota Attributes for a mailbox.

ViewMailboxSendandReceiveLimitsAttributes

view the Send and Receive Limits Attributes for a mailbox.

Send As in Outlook

This Access Level Definition grants native Send As permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.

Send On Behalf in Outlook

This Access Level Definition grants native Send On Behalf permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.

Group (Distribution, Security, Generic) Access Level Definitions

Administrator and EmpowerID Administrator

In addition to many of the operations common to most Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the Group Resource Types.

Operation

Enables any assigned actor to 

AddToManagementRole

add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.

EditADGroupNameAttributes

edit the Name, Display Name, and Logon Name fields in the Overview section of the General Tab on the Group Resource Management screen (Group Details form).

EditExchangeSettings

edit the fields in the Overview section of the General Tab on the Group Resource Management screen (Group Details form).

EditGroupAdvancedSettings

edit the fields in the Advanced Options section of the Advanced Tab on the Group Resource Management screen (Group Details form).

EditGroupDescriptionandNote

edit the Description and Note fields in the Overview section of the General Tab on the Group Resource Management screen (Group Details form).

EditGroupExtensionAttributes

edit the Name, Display Name, and Logon Name fields in the Overview section of the General Tab on the Group Resource Management screen (Group Details form).

EditGroupType

edit the Group Type drop-down in the Overview section of the General Tab on the Group Resource Management screen (Group Details form).

EditAcceptFrom

edit the "Allowed" list for who may send email to a specific group.

EditRejectFrom

edit the "Denied" list for who may not send email to a specific group.

EditSMTPAddresses

edit the SMTP addresses for a group when running the EditSMTPAddresses workflow.

HideGroupinGAL

select the Hidden In GAL option in the Exchange Options section of the Exchange Tab on the Group Resource Management screen (Group Details form).

MailDisableGroup

disable mail for a group by deselecting the Is Mail-Enabled option in the Exchange Options section of the Exchange Tab on the Group Resource Management screen (Group Details form).

MailEnableGroup

assign an email address to a group by selecting the Is Mail-Enabled option in the Exchange Options section of the Exchange Tab on the Group Resource Management screen (Group Details form).

MoveComputer

move a computer from one location to another.

MoveGroup

move a group from one location to another.

RemoveFromManagementRole

remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.

ShowGroupinGAL

designate that a selected group be visible in the Global Address List when running the ShowDLInGAL workflow.

Group Co-Owner

This Access Level grants the person assigned the Access Level owner status for a Group and has the following operations allowed.

Operation

Enables any assigned actor to

AddToGroupMember

add any EmpowerID Actor type to the Member Access Level for the group.

Use

view a group.

ManageAnyResourceRole

assign or unassign any EmpowerID Access Levels for a group. 

Info

This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular group to users.

ManageAnyResourceRoleAssignmentByLocation

assign Access Levels by location for the group. 

Info

This operation is needed to grant or revoke assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type, for groups by location, meaning the actor needs to have this operation allowed at or below the location for which they are making a by-location Access Level assignment; otherwise the operation will route for approval.

RemoveFromGroupMember

remove any EmpowerID Actor type from the Member Access Level for the group.

Membership Manager

This Access Level grants the person assigned the Access Level the ability to manage group membership and has the following operations allowed.

Operation

Enables any assigned actor to

AddAccountToGroup

add an account to a group.

Add<%Actor%>ToGroupMember

grant group membership to the EmpowerID Actor type (Person, Business Role and Locations, or Group) in question.

AddToGroupMember

add People, Groups, or Business Roles to the Member Access Level.

Use

view a group.

ManageAnyResourceRole

assign or unassign any EmpowerID Access Levels for a group. 

Info

This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular group to users.

ManageAnyResourceRoleAssignmentByLocation

assign or unassign any EmpowerID Access Levels for a group. 

Info

This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular group to users.

Remove<%Actor%>FromGroupMember

remove People, Groups, or Business Roles from the Member Access Level.

Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Groups has the following additional operations allowed.

Operation

Enables any assigned actor to

AddGroupToRelativeResourceRole

assign relative Access Levels to a Distribution Group.

AddGroupToResourceRole

assign Access Levels directly to a Distribution Group.

AddGroupToResourceRoleAssignmentByLocation

assign Access Levels by location to a Distribution Group.

Use

view a Distribution Group.

ManageAnyResourceRole

assign or unassign any EmpowerID Access Levels for a group. 

Info

This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular group to users.

ManageAnyResourceRoleAssignmentByLocation

assign Access Levels by location for the group. 

Info

This operation is needed to grant or revoke by-location assignments of Access Levels, such as the Use Access Level, for groups to another EmpowerID Actor type. The actor must have this operation allowed at or below the location for which they are making the by-location Access Level assignment; otherwise, the operation routes for approval.

RemoveGroupFromRelativeResourceRole

remove relative Access Levels from a Distribution Group.

RemoveGroupFromResourceRole

remove Access Levels directly from a Distribution Group.

RemoveGroupFromResourceRoleAssignmentByLocation

remove Access Levels scoped by location from a Distribution Group.

Location

Administrator and EmpowerID Administrator

In addition to most of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Location Resource Type.

Operation

Enables any assigned actor to

AddToManagementRole

add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.

AssignGroupOrgRoleOrgZone

assign a group to a Business Role and Location.

AssignOrgRoleOrgZone

assign a person to a Business Role and Location as a secondary Business Role and Location.

AssignPersonOrgRoleOrgZone

assign a person to a Business Role and Location.

RemoveFromManagementRole

remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.

RemoveGroupOrgRoleOrgZone

remove a group from a Business Role and Location.

RemoveOrgRoleOrgZoneFromResourceRole

directly remove Access Levels from a Business Role and Location.

RemoveOrgRoleOrgZoneFromResourceRoleAssignmentByLocation

remove Access Levels from a Business Role and Location scoped by location.

RemovePersonOrgRoleOrgZone

unassign a person from a secondary Business Role and Location.

SetPersonPrimaryBusinessRoleandLocation

set the primary Business Role and Location for a person.

Update

edit a location.

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID Location Resource Type.

Operation

Enables any assigned actor to

CreateOU

create an AD OU.

EditOU

edit an AD OU.

MoveBusinessLocation

move a business location to another location.

ProvisionPartner

create a partner location.

Assign and Unassign to Location

This Access Level Definition grants the actor assigned the Access Level the ability to assign or unassign People to and from locations in EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to

AssignOrgRoleOrgZone

assign a person to a Business Role and Location as a secondary Business Role and Location.

AssignPersonOrgRoleOrgZone

assign a person to a Business Role and Location.

AssignResourceOrgZone

assign a resource to a location.

Use

view a location.

RemovePersonOrgRoleOrgZone

unassign a person from a Business Role and Location as a secondary Business Role and Location.

RevokeResourceOrgZone

remove Resource Type resource objects from a location.

SetPersonPrimaryBusinessRoleandLocation

set the primary Business Role and Location for a person.

Editor

This Access Level Definition grants the actor assigned the Access Level the ability to edit locations in EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to

Edit

edit a location.

EditOU

edit an AD OU.

Use

view a location.

Update

edit a location.

Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.

Operation

Enables any assigned actor to

AddOrgRoleOrgZoneToRelativeResourceRole

assign relative Access Levels to a Business Role and Location.

AddOrgRoleOrgZoneToResourceRole

assign Access Levels directly to a Business Role and Location.

AddOrgRoleOrgZoneToResourceRoleAssignmentByLocation

assign Access Levels by location to a Business Role and Location.

RemoveOrgRoleOrgZoneFromRelativeResourceRole

remove relative Access Levels from a Business Role and Location.

RemoveOrgRoleOrgZoneFromResourceRole

directly remove Access Levels from a Business Role and Location.

RemoveOrgRoleOrgZoneFromResourceRoleAssignmentByLocation

remove Access Levels from a Business Role and Location scoped by location.

Management Role and EmpowerID Management Role Definition

Administrator

This Access Level Definition gives the actor assigned the Access Level the ability to create, edit, and delete Management Roles, but does not grant them the ability to manage assignments to Management Roles or RBAC delegations. The Administrator Access Level Definition for the Management Role and Management Role Definition Resource Types has the following operations set to allowed.

Operation

Enables any assigned actor to

Delete

delete a Management Role or Management Role Definition.

Edit

edit a Management Role or Management Role Definition.

Use

view a Management Role or Management Role Definition.

Provision

create a Management Role or Management Role Definition.

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Management Role and Management Role Definition Resource Types.

Operation

Enables any assigned actor to

AddToManagementRole

add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.

RemoveFromManagementRole

remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.

ManageManagementRoleAssignments

manage the Access Level Assignments of the Management Role.

ManageManagementRoleDefinitionAssignments (Management Role Definition Only)

add or remove Access Level Assignments to and from the Management Role Definition.

Assignment Definition Editor

This Access Level Definition grants the actor assigned the Access Level the ability to manage the Access Levels of the Management Role and Management Role Definition and has the following operations set to allowed.

Operation

Enables any assigned actor to

Use

view a Management Role or Management Role Definition.

ManageManagementRoleAssignments (Management Role Only)

manage the Access Level Assignments of the Management Role.

Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Management Roles and Management Role Definitions has the following additional operations allowed.

Operation

Enables any assigned actor to

ManageManagementRoleAssignments (Management Role Only)

add or remove Access Level Assignments to and from the Management Role.

ManageManagementRoleDefinitionAssignments (Management Role Definitions Only)

add or remove Access Level Assignments to and from the Management Role Definition.

Person

Administrator and EmpowerID Administrator

In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Person Resource Type.

Operation

Enables any assigned actor to

AddToManagementRole

add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.

AllowLogin

select the Allow Login option on the Advanced Tab of the Resource Management Screen for a Person object.

AllowPasswordOperations

select the Allow Password Operations option on the Advanced Tab of the Resource Management Screen for a Person object.

AllowSyncAttributes

select the Allow Attribute Sync option on the Advanced Tab of the Resource Management Screen for a Person object.

AssignAccounttoSSOApplication

register an account for a given SSO application configured in EmpowerID to a Person. 

Info

This operation must be allowed for both the SSO application and the Person in question to complete the task without requiring approval.

AssignOrgRoleOrgZone

assign a person to a Business Role and Location as a secondary Business Role and Location.

AssignPersonOrgRoleOrgZone

assign a person to a Business Role and Location.

ClaimAccount

claim an orphaned account.

ClaimSSOApplicationAccount

claim an account from an SSO application configured in EmpowerID, such as Google Apps.

Info

The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.

DenyLogin

deselect the Allow Login option on the Advanced Tab of the Resource Management Screen for a Person object.

DenyPasswordOperations

deselect the Allow Password Operations option on the Advanced Tab of the Resource Management Screen for a Person object.

DenySyncAttributes

deselect the Allow Attribute Sync option on the Advanced Tab of the Resource Management Screen for a Person object.

DisablePerson

disable a Person object.

EditPersonAboutAttribute

edit the About Person section on the Person Tab of the Resource Management Screen for a Person object.

EditPersonDemographics

update information on the Edit Person Demographics screen for a Person object.

EditPersonExtensionAttributes

edit the Extension Attributes section on the Extension Tab of the Resource Management Screen for a Person object.

EditPersonMustChangePasswordonNextLogin

select the Must Change Password option on the Person Edit form for the Person object.

EditPersonNameAttributes

edit the Name Information section on the Person Tab of the Resource Management Screen for a Person object.

EditPersonOrganizationAttributes

edit the Organization Information section on the Organization Tab of the Resource Management Screen for a Person object.

EditPersonMultiOperations

edit all attributes of a Person object.

EnablePerson

enable a Person object.

Enroll

enroll a Person object in the Password Reset Center.

JoinAccountToPerson

join an orphaned account to a Person object.

Login

log in to EmpowerID.

Read

view a Person object.

RemoveFromManagementRole

remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.

ResetPassword

reset a password for a Person object.

RestoreDeletedPerson

restore a deleted Person object.

SelfServiceChangePassword

change their password.

SelfServiceResetPassword

reset their password.

SetPasswordManagerPolicy

select the Password Manager Policy applied to a Person object from the Advanced Tab of the Resource Management Screen for Person objects.

SetPersonPrimaryBusinessRoleandLocation

set the Primary Business Role and Location for a Person object.

SetProfileManagerPolicy

select the Profile Manager Policy applied to a Person object from the Advanced Tab of the Resource Management Screen for Person objects.

Terminate

terminate a Person object.

UnassignAccountfromSSOApplication

remove from a Person an account for a given SSO application configured in EmpowerID. 

Info

This operation must be allowed for both the SSO application and the Person in question to complete the task without requiring approval.

UnClaimSSOApplicationAccount

remove a selected SSO Application account from their Person object, removing their ability to SSO into that account from EmpowerID. 

Info

The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.

Unenroll

unenroll a Person object from the Password Reset Center.

UnjoinAccountFromPerson

unjoin an account from a Person object.

UnlockFromResetCenter

unlock an account for a Person object that has been locked out of the Password Reset Center.

UnlockPerson

unlock a Person object.

UnlockPersonAccounts

unlock accounts for a Person object.

ViewStreetAddressAttribute

view the Address section on the Edit Person Demographics screen.

ViewAboutPersonAttributes

view the About Person section on the Person Tab of the Resource Management Screen for a Person object.

ViewAddressandPhoneNumbers

view the Address and Phone Numbers section on the Organization Tab of the Resource Management Screen for the Person object.

ViewAdvancedPersonAttributes

view the Advanced Tab of the Resource Management Screen for a Person object.

ViewExtensionAtttributes

view the Extension Tab of the Resource Management Screen for a Person object.

ViewNameInformation

view the Name Information section on the Person Tab of the Resource Management Screen for a Person object.

ViewOrganizationAttributes

view the Organization Information section on the Organization Tab of the Resource Management Screen for a Person object.

Assign and Unassign to Business Role and Location

This Access Level Definition grants the actor assigned the Access Level the ability to assign or unassign people to and from Business Role and Locations in EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to

AssignOrgRoleOrgZone

assign a Person object to a Business Role and Location.

AssignPersonOrgRoleOrgZone

assign a Person object to a Business Role and Location.

Use

view a Business Role.

RemovePersonOrgRoleOrgZone

unassign a Person object from a secondary Business Role and Location.

SetPersonPrimaryBusinessRoleandLocation

set the primary Business Role and Location for a Person object.

Editor

This Access Level Definition grants the actor assigned the Access Level the ability to edit Person objects in EmpowerID and has the following operations set to allowed:

Operation

Enables any assigned actor to

Delete

delete Person objects.

EditPersonAboutAttribute

edit the About Person section on the Person Tab of the Resource Management Screen for a Person object.

EditPersonDemographics

update demographic information for a Person object on the Edit Person Demographics screen.

EditPersonNameAttributes

edit the Name Information section on the Person Tab of the Resource Management Screen for a Person object.

EditPersonOrganizationAttributes

edit the Organization Information section on the Organization Tab of the Resource Management Screen for a Person object.

Use

view a Person object.

Login

log in to EmpowerID.

ViewStreetAddressAttribute

view the Address section on the Edit Person Demographics screen.

ViewAboutPersonAttributes

view the About Person section on the Person Tab of the Resource Management Screen for the Person object.

ViewAddressandPhoneNumbers

view the Address and Phone Numbers section on the Organization Tab of the Resource Management Screen for the Person object.

ViewNameInformation

view the Name Information section on the Person Tab of the Resource Management Screen for the Person object.

ViewOrganizationAttributes

view the Organization Information section on the Organization Tab of the Resource Management Screen for the Person object.

EmpowerID User

This Access Level Definition grants the actor assigned the Access Level the ability to log in to EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to

Login

log in to EmpowerID.

Helpdesk

This Access Level Definition grants the actor assigned the Access Level the ability to perform account management activities for Person objects in EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to

DisablePerson

disable a Person object.

EditPersonAboutAttribute

edit the About Person section on the Person Tab of the Resource Management Screen for a Person object.

EditPersonDemographics

update information on the Edit Person Demographics screen for a Person object.

EditPersonExpiration

edit the expiration date for a Person object's access.

EditPersonExtensionAttributes

edit the Extension Attributes section on the Extension Tab of the Resource Management Screen for a Person object.

EditPersonMustChangePasswordonNextLogin

select the Must Change Password option on the Person Edit form for a Person object.

EditPersonNameAttributes

edit the Name Information section on the Person Tab of the Resource Management Screen for a Person object.

EditPersonOrganizationAttributes

edit the Organization Information section on the Organization tab of the Resource Management Screen for a Person object.

EnablePerson

enable a Person object.

JoinAccountToPerson

join an orphaned account to a Person object.

Use

view a Person object.

Login

log in to EmpowerID.

ResetPassword

reset a password for a Person object.

Unenroll

unenroll a Person object from the Password Reset Center.

UnjoinAccountFromPerson

unjoin an account from a Person object.

UnlockFromResetCenter

unlock an account for a Person object that has been locked out of the Password Reset Center.

UnlockPerson

unlock a Person object.

UnlockPersonAccounts

unlock accounts for a Person object.

ViewStreetAddressAttribute

view the Address section on the Edit Person Demographics screen.

ViewAboutPersonAttributes

view the About Person section on the Person Tab of the Resource Management Screen for the Person object.

ViewAddressandPhoneNumbers

view the Address and Phone Numbers section on the Organization Tab of the Resource Management Screen for the Person object.

ViewAdvancedPersonAttributes

view the Advanced Tab of the Resource Management Screen for the Person object.

ViewExtensionAtttributes

view the Extension Tab of the Resource Management Screen for the Person object.

ViewNameInformation

view the Name Information section on the Person Tab of the Resource Management Screen for the Person object.

ViewOrganizationAttributes

view the Organization Information section on the Organization Tab of the Resource Management Screen for the Person object.

Password Reset and Unlock

This Access Level Definition grants the actor assigned the Access Level the ability to assist users by resetting passwords and unlocking accounts in EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to

EnablePerson

enable a Person object.

Use

view a Person object.

Login

log in to EmpowerID.

ResetPassword

reset a password for a Person object.

UnlockFromResetCenter

unlock an account for a Person object that has been locked out of the Password Reset Center.

UnlockPerson

unlock a Person object.

UnlockPersonAccounts

unlock accounts for a Person object.

Provision/Deprovision and Business Role Change

This Access Level Definition grants the actor assigned the Access Level the ability to provision, terminate, and change Business Role and Locations for Person objects in EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to

AssignOrgRoleOrgZone

assign a person to a Business Role and Location as a secondary Business Role and Location.

AssignPersonOrgRoleOrgZone

assign a person to a Business Role and Location.

Create

create a Person object.

Delete

delete a Person object.

Use

view a Person object.

RemovePersonOrgRoleOrgZone

unassign a person from a Business Role and Location as a secondary Business Role and Location.

RestoreDeletedPerson

restore a deleted Person object.

SetPersonPrimaryBusinessRoleandLocation

assign a primary Business Role and Location for a Person object.

Terminate

terminate a Person object.

Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed:

Operation

Enables any assigned actor to

AddPersonToRelativeResourceRole

assign relative Access Levels to a Person object.

AddPersonToResourceRole

assign Access Levels directly to a Person object.

AddPersonToResourceRoleAssignmentByLocation

assign Access Levels scoped by location to a Person object.

RemovePersonFromRelativeResourceRole

remove relative Access Levels from a Person object.

RemovePersonFromResourceRole

remove resources directly from a Person object.

RemovePersonFromResourceRoleAssignmentsByLocation

remove Access Levels scoped by location from a Person object.

Self-Service Password Reset User

This Access Level Definition grants users assigned the Access Level the ability to enroll for password self-service and to reset passwords and unlock accounts for their users in EmpowerID, and has the following operations set to allowed.

Operation

Enables any assigned actor to

ClaimSSOApplicationAccount

claim an account from an SSO application configured in EmpowerID, such as Google Apps.

Info

The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.

EnablePerson

enable a Person object.

Use

view a Person object.

Login

log in to EmpowerID.

ResetPassword

reset a password for a Person object.

UnlockFromResetCenter

unlock an account for a Person object that has been locked out of the Password Reset Center.

UnlockPerson

unlock a Person object.

UnlockPersonAccounts

unlock accounts for a Person object.

SAML SSO Connection

EmpowerID Administrator

In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the SAML SSO Connection Resource Type.

Operation

Enables any assigned actor to

AddAttributeStatement

add an attribute statement to a SAML SSO Connection object.

AddEncryptingStatement

add an encrypting statement to a SAML SSO Connection object.

AddSigningCertificate

add a signing certificate to a SAML SSO Connection object.

Create

create a new SAML SSO Connection object.

CreateSAMLSingleSignOnAudienceAssociation

create a new Audience Association for a SAML SSO Connection object.

CreateSAMLSingleSignOnCertificatesAssociations

add a certificate to a SAML SSO Connection object.

CreateSAMLSingleSignOnSubjectConfirmationAssociation

add a Subject Confirmation to a SAML SSO Connection object.

CreateSSOConnection

create a new SAML SSO Connection object.

DeleteSAMLSSOConnection

delete a SAML SSO Connection object.

EditAssertionConsumerServiceURLforPartnership

edit the ACS URL for a SAML SSO Connection (SP) object.

EditAssertionEncryptionAlgorithm

edit the Assertion Encryption Method for a SAML SSO Connection object.

EditAttributeEncryptionAlgorithm

edit the Attribute Encryption Method for a SAML SSO Connection object.

EditAudienceRestrictions

edit the Audience Restriction properties for a SAML SSO Connection object.

EditConnectionAccountStore

edit the account store created for a SAML SSO Connection object.

EditConnectionAuthenticationRequest

edit the type of authentication request for a SAML SSO Connection object.

EditConnectionNameAttributes

edit the Name and Display Names for a SAML SSO Connection object.

EditIDPURL

edit the IDP URL for a SAML SSO Connection (IdP) object.

EditIssuerName

edit the Issuer field for a SAML SSO Connection object.

EditIssuerQualifierSettings

edit the Issuer Qualifier Settings for a SAML SSO Connection object.

EditLoginWFACSURL

edit the Login Workflow ACS URL field for a SAML SSO Connection object.

EditLogoImage

edit the Logo Image field for a SAML SSO Connection object.

EditNameIdentifierFormatType

edit the Name Identifier Format type for a SAML SSO Connection object.

EditNameIdentifierMethod

edit the Name Identifier Method for a SAML SSO Connection object.

EditRequestWorkflow

edit the Request Workflow associated with a SAML SSO Connection object, if any.

EditSAMLNameQualifierForPartnership

edit the Name Qualifier field for a SAML SSO Connection object.

EditSAMLSingleSignOnDomain

edit the domain used for a SAML SSO Connection object.

EditSAMLSPNameQualifierforPartnership

edit the SP Name Qualifier field for a SAML SSO Connection object.

EditSignatureAlgorithm

edit the Signature Algorithm used with a SAML SSO Connection object.

EditSingleLogoutSettings

edit the Single Logout settings for a SAML SSO Connection object.

EditTargetURL

edit the Target IDP/SP URL for a SAML SSO Connection object.

RemoveAttributeStatement

remove an Attribute Statement from a SAML SSO Connection object.

RemoveEncryptingCertificate

remove an Encrypting Certificate from a SAML SSO Connection object.

RemoveSigningCertificate

remove a Signing Certificate from a SAML SSO Connection object.

Separation of Duties

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Separation of Duties Resource Type.

Operation

Enables any assigned actor to

Delete

delete a specific Separation of Duties (SoD) policy.

Edit

edit a specific SoD policy.

EditTag

edit the tag associated with a specific SoD policy.

Provision

create a new SoD policy.

Review

review violations to a SoD policy.

Reviewer

This Access Level grants the actor assigned the Access Level the ability to review violations to Separation of Duties policies and has the following operations allowed:

Operation

Enables any assigned actor to

Use

see a specific Separation of Duties policy.

Review

review violations to a specific Separation of Duties policy.

Set Group

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Set Group Resource Type.

Operation

Enables any assigned actor to

AddToManagementRole

add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.

RemoveFromManagementRole

remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.

Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.

Operation

Enables any assigned actor to

AddSetGroupToResourceRole

assign Access Levels directly to a Set Group.

AddSetGroupToResourceRoleAssignmentByLocation

assign Access Levels scoped by location to a Set Group.

RemoveSetGroupFromResourceRole

remove Access Levels directly from a Set Group.

RemovSetGroupFromResourceRoleAssignmentsByLocation

remove Access Levels scoped by location from a Set Group.

SSO Application

EmpowerID Administrator

In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the SAML SSO Connection Resource Type.

Operations

Enables any assigned actor to

AssignAccounttoSSOApplication

register an account for a given SSO application configured in EmpowerID to a Person. 

Info

This operation must be allowed for both the SSO application and the Person in question to complete the task without requiring approval.

Create

create a new SSO Application object.

Edit

edit an SSO Application object.

Delete

delete an SSO Application object.

EditTag

edit the tag associated with an SSO Application object.

ClaimSSOApplicationAccount

claim an account from an SSO application configured in EmpowerID, such as Google Apps.

Info

The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.

UnassignAccountfromSSOApplication

remove from a Person an account for a given SSO application configured in EmpowerID. 

Info

This operation must be allowed for both the SSO application and the Person in question to complete the task without requiring approval.

SSO Application User

This Access Level grants the actor assigned the Access Level the ability to claim an account for an SSO Application that has been configured in EmpowerID, such as Google Apps. This Access Level has the following operations allowed.

Operations

Enables any assigned actor to

Use

view any SSO Account objects for which the operation is assigned.

ClaimSSOApplicationAccount

claim an account from an SSO application configured in EmpowerID, such as Google Apps.

Info

The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.
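The Info notes above state that ClaimSSOApplicationAccount and the related SSO account operations must be allowed on both the Person and the SSO Application to complete without approval. The following added example (not EmpowerID code or its API; the actor names, the per-resource assignment model, and the function names are assumptions made for illustration) resolves each side from the operation tables on this page and reports which side is missing.

```python
from dataclasses import dataclass

# Operation sets copied from the Access Level Definition tables on this page.
ACCESS_LEVEL_DEFINITIONS = {
    ("Person", "Self-Service Password Reset User"): {
        "ClaimSSOApplicationAccount", "EnablePerson", "Use", "Login",
        "ResetPassword", "UnlockFromResetCenter", "UnlockPerson",
        "UnlockPersonAccounts",
    },
    ("Person", "Password Reset and Unlock"): {
        "EnablePerson", "Use", "Login", "ResetPassword",
        "UnlockFromResetCenter", "UnlockPerson", "UnlockPersonAccounts",
    },
    ("SSO Application", "SSO Application User"): {
        "Use", "ClaimSSOApplicationAccount",
    },
}

# Operations whose Info notes require the operation on two resource types.
DUAL_OPERATIONS = {
    "AssignAccounttoSSOApplication": ("Person", "SSO Application"),
    "ClaimSSOApplicationAccount": ("Person", "SSO Application"),
    "UnassignAccountfromSSOApplication": ("Person", "SSO Application"),
    "UnClaimSSOApplicationAccount": ("Person", "SSO Application"),
}


@dataclass(frozen=True)
class Assignment:
    """Assumed model: an Access Level granted to an actor for one resource."""
    actor: str
    resource_type: str
    resource: str
    access_level: str


@dataclass(frozen=True)
class Decision:
    outcome: str       # "execute" or "route_for_approval"
    missing_on: tuple  # resource types where the operation is not allowed


def effective_operations(assignments, actor, resource_type, resource):
    """Union of operations the actor holds on one specific resource."""
    ops = set()
    for a in assignments:
        if (a.actor, a.resource_type, a.resource) == (actor, resource_type, resource):
            ops |= ACCESS_LEVEL_DEFINITIONS.get((a.resource_type, a.access_level), set())
    return ops


def evaluate(assignments, actor, operation, targets):
    """Check a dual operation against both target resources.

    targets maps each resource type to the resource acted on, for example
    {"Person": "vivian", "SSO Application": "Google Apps"}.
    """
    if operation not in DUAL_OPERATIONS:
        raise ValueError(f"{operation} is not modelled as a dual operation")
    missing = tuple(
        rtype for rtype in DUAL_OPERATIONS[operation]
        if operation not in effective_operations(assignments, actor, rtype, targets[rtype])
    )
    return Decision("execute" if not missing else "route_for_approval", missing)


# Constructed sample data: three actors, each claiming an account for themselves.
SAMPLE_ASSIGNMENTS = [
    Assignment("vivian", "Person", "vivian", "Self-Service Password Reset User"),
    Assignment("vivian", "SSO Application", "Google Apps", "SSO Application User"),
    # Password Reset and Unlock does not include ClaimSSOApplicationAccount.
    Assignment("omar", "Person", "omar", "Password Reset and Unlock"),
    Assignment("omar", "SSO Application", "Google Apps", "SSO Application User"),
    # No Access Level on the SSO Application at all.
    Assignment("lena", "Person", "lena", "Self-Service Password Reset User"),
]

if __name__ == "__main__":
    for actor in ("vivian", "omar", "lena"):
        targets = {"Person": actor, "SSO Application": "Google Apps"}
        print(actor, evaluate(SAMPLE_ASSIGNMENTS, actor, "ClaimSSOApplicationAccount", targets))
```

Running the same check over exported assignments shows which delegations will silently generate approval requests, and which side needs an additional Access Level to avoid them.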

SSO Application Definition

EmpowerID Administrator

In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the SAML SSO Connection Resource Type.

Operation

Enables any assigned actor to

Create

create a new SSO Application Definition object.

Edit

edit an SSO Application Definition object.

Delete

delete an SSO Application Definition object.

EditTag

edit the tag associated with an SSO Application Definition object.

ClaimSSOApplicationAccount

claim an account from an SSO application configured in EmpowerID, such as Google Apps.

Info

The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.

SharePoint (Document, Folder, and List)

The Access Level Definitions for SharePoint Document, Folder and List contain no EmpowerID Operations. They are used to grant native permissions for SharePoint objects managed by EmpowerID. Definitions include:

  • Approve

  • Contribute

  • Design

  • Full Control

  • Limited Access

  • Manage Hierarchy

  • Read Only

  • Restricted Read

User Account

Administrator and EmpowerID Administrator

In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the User Account Resource Type.

Operation

Enables any assigned actor to

AddToManagementRole

add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.

AllowLogin

select the Allow Login option on the Advanced Tab of the Account Details Screen.

ChangePassword

change the password of a user account.

ClaimAccount

claim an orphaned account.

CreateUserHomeFolder

create a home folder.

DisableUser

disable a user account from the Password Options section of the Account Tab on the Account Details Screen.

EditTerminalServicesAccess

select or clear the Allow this user permissions to log on to Terminal Services option in the Account Details screen on the Remote Desktop tab's Profile section.

EditTerminalServicesProfile

edit the Profile Path for an account from the Profile Section of the Remote Desktop Tab on the Account Details Screen.

EditUserAccountHomeFolder

edit the Home Directory for an account from the Profile Section of the Remote Desktop Tab on the Account Details Screen.

EditUserAccountProfile

edit the Profile settings for an account from the Profile Tab of the Account Details Screen.

EditUserAdvancedSettings

edit the settings applied to the Prevent Deletion in EmpowerID and Hide in EmpowerID settings for accounts from the Advanced Tab of the Account Details Screen.

EditUserExpiration

set the expiration date for an account in Active Directory.

EditUserExtensionAttributes

edit the user extension attributes from the Extension Tab of the Account Details Screen.

EditUserNameAttributes

edit the user name attributes from the Account Name Information section of the Account Tab on the Account Details Screen.

EditUserOrganizationAttributes

edit the Organization Information section for an account from the Organization Tab of the Account Details Screen.

EditUserPasswordOptions

edit the Password Options settings for an account from the Account Tab of the Account Details Screen.

EditUserTerminalServicesEnvironment

edit the Terminal Services Environment settings for an account from the Environment section of the Remote Desktop Tab of the Account Details Screen.

EditUserTerminalServicesHomeDrive

edit the Terminal Services Home Drive setting for an account from the Profile section of the Remote Desktop Tab on the Account Details Screen.

EditUserTerminalServicesRemoteControl

edit the Terminal Services Remote Control settings for an account from the Remote Control section of the Remote Desktop Tab on the Account Details Screen.

EditUserTerminalServicesSession

edit the Terminal Services Session settings for an account from the Session and Timeout Settings section of the Remote Desktop Tab on the Account Details Screen.

EnableRequireSmartCardLogon

set the Require SmartCard Logon option for an account from the Password Options section of the Account Tab on the Account Details Screen.

EnableUser

enable a disabled account from the Password Options section of the Account Tab on the Account Details Screen.

JoinAccountToPerson

join an orphaned account to a Person object.

MailDisable

remove the Mail-enabled flag from an account.

MailDisableAccount

remove the Mail-enabled flag from an account.

MailEnable

set an account as mail-enabled, making it available in the Exchange GAL.

MailEnableAccount

set an account as mail-enabled, making it available in the Exchange GAL.

MoveAccount

move an account from one location to another.

RemoveFromManagementRole

remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. 

Info

To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.

ResetPassword

reset a password for an account.

RestoreDeletedAccount

restore a deleted account.

RestoreDeletedMailbox

restore a mailbox that has been deleted from an account.

SetAccountManager

select the AD line manager for an account.

SetAllowDialIn

set the Allow Dialin option for an account from the Password Options section on the Account Tab of the Account Details Screen.

UnlockUser

unlock an account that is locked in Active Directory.

UnlockPersonAccounts

unlock accounts for a Person object.

ViewAccountNameInformationAttributes

view the Account Name Information section on the Account Tab of the Account Details Screen.

ViewAddressandPhoneNumberAttributes

view the Address and Phone Numbers section on the Organization Tab of the Account Details Screen.

ViewAdvancedAttributeInformation

view the Advanced Attribute Information section on the Advanced Tab of the Account Details Screen.

ViewExtensionAtttributes

view the Extension Attributes section on the Extension Tab of the Account Details Screen.

ViewOrganizationInformationAttributes

view the Organization Information section on the Organization Tab of the Account Details Screen.

ViewPasswordOptionAttributes

view the Password Options section on the Account Tab of the Account Details Screen.

ViewProfileOptionAttributes

view the Profile Options section on the Profile Tab of the Account Details Screen.

ViewRemoteDesktopAttributes

view the Remote Desktop Tab of the Account Details Screen.

ViewRemoteDesktopEnvironmentAttributes

view the Environment section on the Remote Desktop Tab of the Account Details Screen.

ViewRemoteDesktopProfileAttributes

view the Profile section on the Remote Desktop Tab of the Account Details Screen.

ViewRemoteDesktopRemoteControlAttributes

view the Environment section on the Remote Desktop Tab of the Account Details Screen.

ViewRemoteDesktopSessionandTimeOutSettings

view the Session and Timeout Settings section on the Remote Desktop Tab of the Account Details Screen.

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the User Account Resource Types.

Operation

Enables any assigned actor to

UnjoinAccountFromPerson

unlink an account from an EmpowerID Person.

ViewEmployeeIDs

view the EmployeeID attribute for an EmpowerID Person's AD user account.

Co-Owner

This Access Level Definition grants owner status for an account and has the following operations set to allowed.

Operation

Enables any assigned actor to

Use

view an account.

ManageAnyResourceRole

assign or unassign any EmpowerID Access Levels for an account, such as the Use Access Level for a specific computer object, to any other EmpowerID Actor type. 

Info

This operation is needed to grant or revoke direct assignments of Access Levels for a particular resource object to users.

ManageAnyResourceRoleAssignmentByLocation

assign Access Levels by location for an account. 

Info

This operation is needed to grant or revoke assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type, for resource objects by location, meaning the actor needs to have this operation allowed at or below the location for which they are making a by location Access Level assignment; otherwise the operation will route for approval.

Editor

This Access Level Definition grants the actor assigned the Access Level the ability to edit an account in EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to

EditUserDemographics

update demographic information for the EmpowerID Person linked to an account.

EditUserNameAttributes

edit the user attributes on the Account Name Information section on the Account Tab of the Account Details Screen.

EditUserOrganizationAttributes

edit the user attributes on the Organization Information and Address and Phone Numbers section on the Organization Tab of the Account Details Screen.

Use

view an account.

SetAccountManager

select the AD line manager for an account.

ViewAccountNameInformationAttributes

view the Account Name Information section on the Account Tab of the Account Details Screen.

ViewAddressandPhoneNumberAttributes

view the Advanced Attribute Information section on the Advanced Tab of the Account Details Screen.

ViewAdvancedAttributeInformation

view the Advanced Attribute Information section on the Advanced Tab of the Account Details Screen.

ViewEmployeeIDs

view the EmployeeID attribute for an EmpowerID Person's AD user account.

ViewExtensionAtttributes

view the Extension Attributes section on the Extension Tab of the Account Details Screen.

ViewOrganizationInformationAttributes

view the Organization Information section on the Organization Tab of the Account Details Screen.

ViewPasswordOptionAttributes

view the Password Options section on the Account Tab of the Account Details Screen.

ViewProfileOptionAttributes

view the Profile Options section on the Profile Tab of the Account Details Screen.

ViewRemoteDesktopAttributes

view the Remote Desktop Tab of the Account Details Screen.

ViewRemoteDesktopEnvironmentAttributes

view the Environment section on the Remote Desktop Tab of the Account Details Screen.

ViewRemoteDesktopProfileAttributes

view the Profile section on the Remote Desktop Tab of the Account Details Screen.

ViewRemoteDesktopRemoteControlAttributes

view the Environment section on the Remote Desktop Tab of the Account Details Screen.

ViewRemoteDesktopSessionandTimeOutSettings

view the Session and Timeout Settings section on the Remote Desktop Tab of the Account Details Screen.

Helpdesk

This Access Level Definition grants the actor assigned the Access Level the ability to perform account management activities in EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to

ChangePassword

change the password of a user account.

CreateUserHomeFolder

create a home folder.

DisableUser

disable a Person object.

EditTerminalServicesAccess

edit the access for Terminal Services for an account.

EditTerminalServicesProfile

edit the Terminal Services profile for an account.

EditUserAccountHomeFolder

edit the Home Directory for an account from the Profile Section of the Remote Desktop Tab on the Account Details Screen.

EditUserExpiration

set the expiration date for an account in Active Directory.

EditUserExtensionAttributes

edit the Extension Attributes section on the Extension Tab of the Resource Management Screen for a Person object.

EditUserNameAttributes

edit the Name Information section on the Person Tab of the Resource Management Screen for a Person object.

EditUserOrganizationAttributes

edit the Organization Information section on the Organization Tab of the Account Details Screen.

EditUserPasswordOptions

edit the Password Options settings for an account from the Account Tab of the Account Details Screen.

EditUserTerminalServicesEnvironment

edit the Terminal Services Environment settings for an account from the Environment section of the Remote Desktop Tab of the Account Details Screen.

EditUserTerminalServicesHomeDrive

edit the Terminal Services Home Drive setting for an account from the Profiles section of the Remote Desktop Tab on the Account Details Screen.

EditUserTerminalServicesRemoteControl

edit the Terminal Services Remote Control settings for an account from the Remote Control section of the Remote Desktop Tab on the Account Details Screen.

EditUserTerminalServicesSession

edit the Terminal Services Session settings for an account from the Session and Timeout Settings section of the Remote Desktop Tab on the Account Details Screen.

Use

view a Person object.

MailDisable

remove the Mail-enabled flag from an account.

MailDisableAccount

remove the Mail-enabled flag from an account.

MailEnable

set an account as mail-enabled, making it available in the Exchange GAL.

MailEnableAccount

set an account as mail-enabled, making it available in the Exchange GAL.

MoveAccount

move an account from one location to another.

ResetPassword

reset a password for an account.

RestoreDeletedAccount

restore a deleted account.

RestoreDeletedMailbox

restore a mailbox that has been deleted from an account.

SetAccountManager

select the AD line manager for an account.

UnlockUser

unlock an account that is locked in Active Directory.

ViewAccountNameInformationAttributes

view the Account Name Information section on the Account Tab of the Account Details Screen.

ViewAddressandPhoneNumberAttributes

view the Advanced Attribute Information section on the Advanced Tab of the Account Details Screen.

ViewAdvancedAttributeInformation

view the Advanced Attribute Information section on the Advanced Tab of the Account Details Screen.

ViewExtensionAtttributes

view the Extension Attributes section on the Extension Tab of the Account Details Screen.

ViewOrganizationInformationAttributes

view the Organization Information section on the Organization Tab of the Account Details Screen.

ViewPasswordOptionAttributes

view the Password Options section on the Account Tab of the Account Details Screen.

ViewProfileOptionAttributes

view the Profile Options section on the Profile Tab of the Account Details Screen.

ViewRemoteDesktopAttributes

view the Remote Desktop Tab of the Account Details Screen.

ViewRemoteDesktopEnvironmentAttributes

view the Environment section on the Remote Desktop Tab of the Account Details Screen.

ViewRemoteDesktopProfileAttributes

view the Profile section on the Remote Desktop Tab of the Account Details Screen.

ViewRemoteDesktopRemoteControlAttributes

view the Environment section on the Remote Desktop Tab of the Account Details Screen.

ViewRemoteDesktopSessionandTimeOutSettings

view the Session and Timeout Settings section on the Remote Desktop Tab of the Account Details Screen.

Password Manager

This Access Level Definition grants the actor assigned the Access Level the ability to assist users by resetting passwords and unlocking accounts in EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to

ChangePassword

change the password for an account.

EditUserPasswordOptions

edit the Password Options section of the Account Tab of the Account Details Screen.

Use

view a Person object.

Login

log in to EmpowerID.

ResetPassword

reset a password for an account.

UnlockUser

unlock an account associated with an EmpowerID Person.

ViewAccountNameInformationAttributes

view the Account Name Information section on the Account Tab of the Account Details Screen.

ViewPasswordOptionAttributes

view the Password Options section on the Account Tab of the Account Details Screen.

Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.

Operation

Enables any assigned actor to

AddAccountToResourceRole

assign Access Levels directly to an account.

RemoveAccountFromResourceRole

remove resources directly from an account.

Windows Shared Folder

Administrator and EmpowerID Administrator

In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the Windows Shared Folder Resource Type.

Operation

Enables any assigned actor to

RegisterExistingShare

register a share in EmpowerID that exists on a computer managed by EmpowerID.

Co-Owner

This Access Level Definition grants owner status for a shared folder and has the following operations set to allowed.

Operation

Enables any assigned actor to

Use

view an account.

ManageAnyResourceRole

assign or unassign Access Levels for an account.

ManageAnyResourceRoleAssignmentByLocation

assign Access Levels by location for an account.

Deny All

This Access Level Definition contains no EmpowerID Operations. It is used to deny access to Shared Folders.

Full Control

This Access Level Definition contains no EmpowerID Operations. It is used to grant the following NTFS File System rights for Shared Folders managed by EmpowerID.

  • AppendData

  • ChangePermissions

  • Delete

  • DeleteSubdirectoriesAndFiles

  • ExecuteFile

  • ReadAttributes

  • ReadData

  • ReadExtendedAttributes

  • ReadPermissions

  • Synchronize

  • TakeOwnership

  • WriteAttributes

  • WriteData

  • WriteExtendedAttributes

Modify

This Access Level Definition contains no EmpowerID Operations. It is used to grant the following NTFS File System rights for Shared Folders managed by EmpowerID.

  • ReadAttributes

  • ReadData

  • ReadExtendedAttributes

  • ReadPermissions

  • WriteAttributes

  • WriteData

  • WriteExtendedAttributes

Read Only

This Access Level Definition contains no EmpowerID Operations. It is used to grant the following NTFS File System rights for Shared Folders managed by EmpowerID.

  • ReadAttributes

  • ReadData

  • ReadExtendedAttributes

  • ReadPermissions

Windows Shared Printer

EmpowerID Administrator

In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Windows Shared Folder Resource Type.

Operation

Enables any assigned actor to

RevokeResourceOrgZone

remove a printer from a location.

Manage Documents

This Access Level Definition contains no EmpowerID Operations. It is used to grant the following native permissions for Shared Printers managed by EmpowerID.

  • Delete

Manage Documents and Print

This Access Level Definition contains no EmpowerID Operations. It is used to grant the following native permissions for Shared Printers managed by EmpowerID.

  • ReadAttributes

  • ReadData

  • ReadExtendedAttributes

  • Synchronize

  • TakeOwnership

  • WriteAttributes

Manage Documents and Printer

This Access Level Definition contains no EmpowerID Operations. It is used to grant the following native permissions for Shared Printers managed by EmpowerID.

  • ReadExtendedAttributes

  • ReadPermissions

  • TakeOwnership

Manage Printers

This Access Level Definition contains no EmpowerID Operations. It is used to grant the following native permissions for Shared Printers managed by EmpowerID.

  • AppendData

  • ReadAttributes

  • ReadData

  • ReadExtendedAttributes

  • WriteAttributes

Print

This Access Level Definition contains no EmpowerID Operations. It is used to grant the following native permissions for Shared Printers managed by EmpowerID.

  • WriteData

Workflow

Administrator and EmpowerID Administrator

In addition to many of the operations common to most Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Workflow Resource Type.

Operation

Enables any assigned actor to

EditRequestWorkflow

edit a workflow when running the Right-Click Edit workflow.

Initiate

initiate a workflow.

Initiator

This Access Level Definition grants the actor assigned the Access Level the ability to see and initiate workflows in EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to

Initiate

initiate a workflow.

Use

view the resource in EmpowerID.

WS-Federation SSO Connection

EmpowerID Administrator

In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the SAML SSO Connection Resource Type.

Operation

Enables any assigned actor to

CreateSSOConnection

create a new WS-Federation SSO Connection object.

CreateWSFederationSingleSignOnConnectionOperation

create a new operation for a WS-Federation Single Sign On Connection object.

DeleteWSFederationSingleSignOnConnection

delete a WS-Federation SSO Connection object.

DeleteWSFederationSingleSignOnConnectionOperation

delete an operation from a WS-Federation Single Sign On Connection object.

EditAccountStore

edit the account store that is associated with a WS-Federation SSO Connection object.

EditAssertionConsumerServiceURLforPartnership

edit the ACS URL for a WS-Federation SSO Connection (SP) object.

EditCertificatesforPartnership

edit the certificates for a WS-Federation SSO Connection object.

EditDescription

edit the Description field for a WS-Federation SSO Connection object.

EditEncryptionCertificate

edit the encryption certificate used for a WS-Federation SSO Connection object.

EditEncryptionEnabled

select or clear encryption for a WS-Federation SSO Connection object.

EditHomeRealm

edit the certificates for a WS-Federation SSO Connection object.

EditLogoImage

edit the Logo Image field for a WS-Federation SSO Connection object.

EditMaptoAccountClaimType

edit the Map to Account Claim Type field for a WS-Federation SSO Connection object.

EditNameQualifierforPartnership

edit the Name Qualifier field for a WS-Federation SSO Connection object.

EditOrganization

edit the Organization for a WS-Federation SSO Connection object.

EditSigningCertificate

edit the Signing Certificate used with a WS-Federation SSO Connection object.

EditURLforPartnership

edit the URL for a WS-Federation SSO Connection object.
