Versions Compared


EmpowerID's Organizations have the ability to tailor requestable permissions for inventoried computers, allowing users to request these permissions when connecting through Privileged Session Management (PSM).

IAM Shop Permission Levels provide a way to manage and control access to resources such as applications, shared folders, and computers within your organization. These permission levels represent native permissions that users can select when requesting access to resources through the IAM Shop.

Examples of such Permission Levels for computers could include "Local Admin", "Power User", or "Backup Operator". When a user requests access to a computer and selects an IAM Shop Permission Level, EmpowerID adds the user to the corresponding group on the computer with those permissions. For this process to work, administrators must assign the desired IAM Shop Permission Levels to a computer and map those permission levels to the appropriate groups granting those permissions on the computer itself. It is important to note that IAM Shop Permission Levels are merely labels: a level that is not mapped to a native group grants no permissions at all.

In this article, we will walk you through the process of assigning and mapping IAM Shop Permission Levels to computers in EmpowerID.

Info

EmpowerID includes “Local Admin” and “Domain Admin” as default IAM Shop Permission Levels for computers. However, to tailor permission levels to your specific needs, you have the option to create and label custom IAM Shop Permission Levels. If you're interested in this customization, please see Creating IAM Shop Permission Levels.

How to assign IAM Shop Permission Levels to Computers

Navigate to the View One page for the computer to which you want to assign IAM Shop Permission Levels.

...

On the navbar, expand the Identity Management section and select Computers.

...

...

On the View One page for the computer, click the RBAC subtab and expand IAM Shop Assignees for Requesting Access.

...

Click the Add New button.

...

Under General, select the IAM Shop Permission Level you want to assign.

...

Referred to as "IAM Shop Permission Levels" in EmpowerID, these permissions play a vital role in enhancing IT security. They serve a dual purpose: they grant specific permissions during a computer session, and they enforce the principle of least privilege by automatically revoking those permissions once the session concludes.

When setting up IAM Shop Permission Levels for computers, organizations select specific groups with these permissions within the native system. Members of these groups, or those eligible for membership, can request the permission level when connecting via PSM. Moreover, systems can be configured to support Just-In-Time account provisioning for these groups. In such cases, EmpowerID creates an account linked to the individual and adds it to the group for the duration of the session. Upon the session's end, the account is removed from the group, ensuring a least-privilege, zero-trust security model.
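As an added illustration (not EmpowerID's own code), the following Python sketch models the behaviour described above: a permission level is only a label until it is mapped to a native group, eligibility enforcement filters what a user can request, and the group membership (or JIT account) lasts only for the session and is revoked even if the session fails. All names here (Computer, psm_session, the group and user names) are constructed for the example.

```python
from contextlib import contextmanager
from dataclasses import dataclass, field

# Constructed model of the mechanism described in the text. It is not
# EmpowerID code; it exists only to make the session lifecycle concrete.

@dataclass
class Computer:
    name: str
    groups: dict = field(default_factory=dict)     # group name -> set of members
    level_map: dict = field(default_factory=dict)  # level label -> native group
    eligible: dict = field(default_factory=dict)   # group name -> users eligible

def requestable_levels(computer, user, enforce_eligibility=True):
    """Permission levels the user would see when requesting access."""
    levels = []
    for level, group in computer.level_map.items():
        # With eligibility enforced, only users eligible for the mapped
        # group are offered the level (cf. "Enforce Assignee Eligibility").
        if enforce_eligibility and user not in computer.eligible.get(group, set()):
            continue
        levels.append(level)
    return sorted(levels)

@contextmanager
def psm_session(computer, user, level, jit=False):
    """Grant the group mapped to `level` for the session; revoke on exit."""
    group = computer.level_map.get(level)
    if group is None:
        # Unmapped label: nothing is granted, nothing to revoke.
        yield None
        return
    account = f"{user}-jit" if jit else user   # JIT provisioning creates a linked account
    computer.groups.setdefault(group, set()).add(account)
    try:
        yield account
    finally:
        # Revocation runs even if the session body raised an error.
        computer.groups[group].discard(account)

def members(computer, group):
    return sorted(computer.groups.get(group, set()))

if __name__ == "__main__":
    srv = Computer("srv01", level_map={"Local Admin": "Administrators"},
                   eligible={"Administrators": {"alice"}})
    with psm_session(srv, "alice", "Local Admin", jit=True) as acct:
        print("during session:", acct, members(srv, "Administrators"))
    print("after session:", members(srv, "Administrators"))
```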

Steps to Assign IAM Shop Permission Levels

To effectively assign IAM Shop Permission Levels, administrators must do the following:

  1. Ensure the target computer is connected to EmpowerID as a Local Windows Server Account Store: This connection is crucial as it enables EmpowerID to inventory the computer's users and groups, which is essential for accurately mapping permission levels to local groups. For the details, please see Connecting to Local Windows Servers as Account Stores.

  2. Assign IAM Shop Permission Levels to Computers: This involves selecting the appropriate permission levels that correspond to the needs and security policies of the organization.

  3. Map IAM Shop Permission Levels to Native Groups: Link the permission levels to the corresponding groups on the computer that grant those native permissions. For instance, to allow users to connect as a local admin, map the “Local Admin” permission level to a "local admin" group on the computer.

Info

EmpowerID includes default IAM Shop Permission Levels for computers, such as "Local Admin" and "Domain Admin." However, you can create custom permission levels tailored to your organization's needs. For more information on customization, please see Create IAM Shop Permission Levels.

Procedure

  1. Access the Computer's View (Configuration) Page:

    • Use the Global Search to locate the computer you wish to configure.

    • Navigate to the RBAC subtab on the computer's View page.

    • Expand the IAM Shop Assignees for Requesting Access accordion.

    • Click the Add New button.


  2. Configure the IAM Shop Permission Level:

    • Under General, select the desired IAM Shop Permission Level.


    • Under Assignee Granting the Permission Level, do the following:

      • Select whether to Enforce Assignee Eligibility in IAM Shop. This setting instructs the system to check whether users meet the necessary eligibility requirements before they can view and select the IAM Shop Permission Level. If users do not meet these criteria, the permission level will not be available when requesting access. For example, if the assignee granting the permission is a group, only users eligible for membership in that group will see the permission level as an available option.

      • Select the assignee type from the Which Type of Assignee For This Policy dropdown.

      • Select the appropriate assignee from the Select <Assignee> To Receive Policy dropdown.


      • Click Save.


  3. Finalize the Configuration:

    • Repeat to add other assignees as needed.

    • Click Submit to complete the process.

...

Expected Results

EmpowerID creates the IAM Shop Assignment for the IAM Shop permission level. You can view and manage these assignments in the IAM Shop Assignees for Requesting Access accordion.

...