EmpowerID ships with the following default Access Level Definitions for each Resource Type. Each Access Level Definition is defined by EmpowerID Operations and/or native system rights. Many of the operations, such as the RBAC operations generated for the Administrator and EmpowerID Administrator Access Level Definitions, are similar for each Resource Type.

...

Info

The number of Default Access Levels for each Resource Type varies from type to type. For example, the EmpowerID Access Request Catalog Item has four Access Levels while the SharePoint Document has 12. You can view these in Configuration Manager as shown by the image above.

Administrator and EmpowerID Administrator

Operation

Enables any assigned actor to

Add<%Actor%>To<%ResourceRole%>

add the specific Access Level for the Resource Type resource object to the EmpowerID Actor type in question.

AddOperationToResourceTypeRole<%ResourceType%>

add operations to Access Levels for the Resource Type resource object.

AddTo<%ResourceRole%>

grant the specific Access Level for the Resource Type resource object to any EmpowerID Actor type.

AddTo<%ResourceRole%>InLocation

grant the specific Access Level to any EmpowerID Actor for Resource Type resource objects scoped by location.

AddTo<%ResourceRole%>InRelativeResource

grant the specific Access Level to any EmpowerID Actor for resources relative to that actor, such as all resource objects in or below their location.

AssignResourceOrgZone

assign Resource Type resource objects to a location.

CreateResourceTypeRole<%ResourceType%>

create a Resource Type Role for the Resource Type.

Delete

delete a resource from a Resource Type, such as a specific Business Role from the EmpowerID Business Role Resource Type.

DeleteResourceTypeRole<%ResourceType%>

delete a Resource Type Role for the Resource Type.

EditResourceTypeRole<%ResourceType%>

edit a Resource Type Role for the Resource Type.

Use

view the Resource Type resource object in EmpowerID.

ManageAnyResourceRole

assign or unassign any EmpowerID Access Levels for the Resource Type resource object.

Info

This operation is needed to grant or revoke direct assignments of Access Levels.

ManageAnyResourceRoleAssignmentByLocation

assign Access Levels by location for the Resource Type resource object.

Info

This operation is needed to grant or revoke assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type for resource objects by location. The location for which the actor makes the by-location Access Level assignment must be at, or below, a location at which the actor has this operation allowed; otherwise the operation routes for approval.

By-location operations such as this affect all objects in or below the location for which the operation is approved.

For example, if you grant this operation to an actor for the Security Group Resource Type, that actor can grant any Access Level for all security groups in or below the location for which the operation is allowed. Thus, if you have 12 groups in a location named "Switzerland" and 12 groups in a location named "United Kingdom", and you grant this operation for groups in Switzerland, but not for groups in United Kingdom, to a user named "Bob", then Bob can in turn grant the Use Access Level (or the Editor Access Level or any other Access Level that exists for groups) to any other EmpowerID Actor type at the Switzerland location or at any child location of Switzerland, such as Zurich. A by-location assignment at Switzerland grants the Access Level for all 12 groups in Switzerland simultaneously, including any groups in locations below Switzerland. Bob, however, cannot grant any Access Level assignments for groups in the United Kingdom because he does not have the operation allowed for the United Kingdom location. If Bob attempts such an assignment, the operation routes for approval.
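The by-location scoping described above, modelled as an added example. This is not EmpowerID code: the location tree, the group names, and the Grant and Resource types are constructed here for illustration, and the decision logic is a simplified reading of the rule in the text (allowed at or above the target location, otherwise routed for approval).

```python
from dataclasses import dataclass

# Constructed location tree (child -> parent); names are illustrative only.
LOCATION_PARENT = {
    "Global": None,
    "Switzerland": "Global",
    "Zurich": "Switzerland",
    "Geneva": "Switzerland",
    "United Kingdom": "Global",
    "London": "United Kingdom",
}


def ancestors_or_self(location):
    """Return the chain from `location` up to the root, e.g. Zurich -> Switzerland -> Global."""
    chain = []
    while location is not None:
        chain.append(location)
        location = LOCATION_PARENT[location]
    return chain


def in_or_below(location, scope):
    """True when `location` is `scope` itself or one of its descendants."""
    return scope in ancestors_or_self(location)


@dataclass(frozen=True)
class Grant:
    """An operation allowed to an actor for a Resource Type, scoped by location (assumed model)."""
    actor: str
    operation: str
    resource_type: str
    location: str


@dataclass(frozen=True)
class Resource:
    name: str
    resource_type: str
    location: str


def decide(grants, actor, operation, resource_type, target_location):
    """Decision for a by-location request.

    Allowed only if the actor holds `operation` for `resource_type` at
    `target_location` or at one of its ancestors. Anything else is not
    refused outright but routed for approval, as the page describes.
    """
    for g in grants:
        if (g.actor == actor and g.operation == operation
                and g.resource_type == resource_type
                and in_or_below(target_location, g.location)):
            return "allowed"
    return "route for approval"


def affected_resources(resources, resource_type, location):
    """Names of the objects a by-location assignment at `location` covers."""
    return sorted(r.name for r in resources
                  if r.resource_type == resource_type
                  and in_or_below(r.location, location))


def scenario():
    """Bob holds ManageAnyResourceRoleAssignmentByLocation for groups in Switzerland only."""
    op = "ManageAnyResourceRoleAssignmentByLocation"
    grants = [Grant("Bob", op, "Group", "Switzerland")]
    groups = [  # constructed sample groups
        Resource("CH-Finance", "Group", "Switzerland"),
        Resource("ZRH-Admins", "Group", "Zurich"),
        Resource("GVA-Sales", "Group", "Geneva"),
        Resource("UK-Finance", "Group", "United Kingdom"),
        Resource("LON-Admins", "Group", "London"),
    ]
    decisions = {loc: decide(grants, "Bob", op, "Group", loc)
                 for loc in ("Switzerland", "Zurich", "Global", "United Kingdom")}
    covered = affected_resources(groups, "Group", "Switzerland")
    # A group provisioned later below Switzerland falls under the same assignment.
    groups.append(Resource("ZRH-Devs", "Group", "Zurich"))
    covered_later = affected_resources(groups, "Group", "Switzerland")
    return {"decisions": decisions, "covered": covered, "covered_later": covered_later}


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

Two points the model makes visible: a request at Global, the parent of Bob's scope, routes for approval even though Switzerland is below it, because the check runs from the target location upwards, not downwards; and a by-location assignment is evaluated against the location, so a group created in Zurich after the assignment is covered without any further action.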

RevokeResourceOrgZone

remove Resource Type resource objects from a location.

Remove<%Actor%>From<%ResourceRole%>

remove the specific Access Level for the Resource Type resource object from the EmpowerID Actor type in question.

RemoveFrom<%ResourceRole%>

remove the specific Access Level for the Resource Type resource object from any EmpowerID Actor type.

RemoveFrom<%ResourceRole%>InLocation

remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects scoped by location.

RemoveFrom<%ResourceRole%>InRelativeResource

remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects relative to that actor, such as all resource objects in or below their location.

...

Administrator and EmpowerID Administrator

In addition to the operations common to all Administrator and EmpowerID Administrator Access Level Definitions mentioned above, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Asset Request Item Resource Type.

Operation

Enables any assigned actor to 

Request

request an Asset Catalog Item.

UnassignFromAdministrator

remove the Administrator Access Level for an Asset Catalog Item from any EmpowerID Actor type.

Requestor

This Access Level Definition allows the actor assigned the Access Level to request Asset Catalog Items in EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to 

Use

view an Access Request Catalog Item in EmpowerID.

Request

request an Access Request Catalog Item.

...

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions mentioned above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID Attestation Policy Resource Type.

Operation

Enables any assigned actor to 

Provision

provision an Attestation Policy object.

Delete

delete an Attestation Policy object.

Edit

edit an Attestation Policy object.

Review

review an Attestation Policy.

...

Assign and Unassign to Business Role

Operation

Enables any assigned actor to 

AssignOrgRoleOrgZone

assign a person to a Business Role and Location.

AssignPersonOrgRoleOrgZone

assign a person to a Business Role and Location as a secondary Business Role and Location.

Use

view a Business Role.

RemovePersonOrgRoleOrgZone

unassign a person from a secondary Business Role and Location.

SetPersonPrimaryBusinessRoleandLocation

set the primary Business Role and Location for a person.

Editor

This Access Level Definition grants the actor assigned the Access Level the ability to edit Business Roles in EmpowerID and has the following operations set to allowed.

Operation

Enables any assigned actor to 

Edit

edit a Business Role.

Use

view a Business Role.

Update

update a Business Role.

Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.

Operation

Enables any assigned actor to 

AddOrgRoleOrgZoneToRelativeResourceRole

assign relative Access Levels to a Business Role and Location.

AddOrgRoleOrgZoneToResourceRole

assign Access Levels directly to a Business Role and Location.

AddOrgRoleOrgZoneToResourceRoleAssignmentByLocation

assign Access Levels by location to a Business Role and Location.

RemoveOrgRoleOrgZoneFromRelativeResourceRole

remove relative Access Levels from a Business Role and Location.

RemoveOrgRoleOrgZoneFromResourceRole

remove Access Levels directly from a Business Role and Location.

RemoveOrgRoleOrgZoneFromResourceRoleAssignmentByLocation

remove Access Levels scoped by location from a Business Role and Location.

...

Administrator and EmpowerID Administrator

In addition to most of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions for the Computer Resource Type both have the following EmpowerID Operations allowed.

Operation

Enables any assigned actor to 

DeleteComputer

delete a Computer object when running the DeleteComputer workflow.

DeleteDirectory

delete a directory when running the DeleteDirectory workflow.

DisableComputer

disable a Computer object when running the DisableComputer workflow.

EditComputerAdvancedSettings

edit the Advanced Tab fields on the Computer Resource Management Screen for a Computer object.

EditDescription

edit the Description field on the Computer Tab of the Computer Resource Management Screen for a Computer object.

EnableComputer

enable a Computer object.

EnableDisableComputerOperation

enable and/or disable a Computer object.

MoveComputer

move a Computer object from one location to another.

ProvisionComputer

provision a Computer object in EmpowerID.

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Computer Resource Type.

Operation

Enables any assigned actor to 

PowershellMoveComputer

move a Computer object using PowerShell commands.

RestartComputer

restart a Computer object.

RestartService

restart a service on an assigned Computer object.

StopApplicationPool

stop an application pool on an assigned Computer object.

StopProcess

stop a process on an assigned Computer object.

StopService

stop a service on an assigned Computer object.

Co-Owner

The Co-Owner Access Level Definition has the following operations set to allowed for the Computer Resource Type.

EmpowerID Operation

Enables any assigned actor to 

Use

view the Computer object in EmpowerID.

ManageAnyResourceRole

assign or unassign any EmpowerID Access Levels for a Computer object. 

Info

This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular Computer object to users.

...

Send As in Outlook

This Access Level Definition grants native Send As permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.

Send On Behalf in Outlook

This Access Level Definition grants native Send On Behalf permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.

Group (Distribution, Security, Generic) Access Level Definitions

...

Membership Manager

This Access Level grants the person assigned the Access Level the ability to manage group membership and has the following operations allowed.

Operation

Enables any assigned actor to

AddAccountToGroup

add an account to a group.

Add<%Actor%>ToGroupMember

grant group membership to the EmpowerID Actor type (Person, Business Role and Location, or Group) in question.

AddToGroupMember

add People, Groups, or Business Role to the Member Access Level.

Use

view a group.

ManageAnyResourceRole

assign or unassign any EmpowerID Access Levels for a group. 

Info

This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular group to users.

ManageAnyResourceRoleAssignmentByLocation

assign or unassign any EmpowerID Access Levels by location for groups.

Info

This operation is needed to grant or revoke assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type for all groups in or below a location. The actor must have this operation allowed at or above the location for which they are making the assignment; otherwise the operation routes for approval.

Remove<%Actor%>FromGroupMember

remove People, Groups, or Business Roles from the Member Access Level.

...

Management Role and EmpowerID Management Role Definition

Administrator

This Access Level Definition gives the actor assigned the Access Level the ability to create, edit, and delete Management Roles, but does not grant them the ability to manage assignments to Management Roles or RBAC delegations. The Administrator Access Level Definition for the Management Role and Management Role Definition Resource Types has the following operations set to allowed.

Operation

Enables any assigned actor to

Delete

delete a Management Role or Management Role Definition.

Edit

edit a Management Role or Management Role Definition.

Use

view a Management Role or Management Role Definition.

Provision

create a Management Role or Management Role Definition.

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Management Role and Management Role Definition Resource Types.

Operation

Enables any assigned actor to

AddToManagementRole

add another EmpowerID Actor type to a Management Role as an actor, granting that actor the Access Levels assigned to the Management Role.

Info

To complete this assignment without approval, the actor making the assignment must also have the AddToManagementRole operation allowed for the actor (for example, the Person) being added.

RemoveFromManagementRole

remove another EmpowerID Actor type from a Management Role as an actor, revoking the Access Levels that actor received through the Management Role.

Info

To complete this removal without approval, the actor making the change must also have the RemoveFromManagementRole operation allowed for the actor being removed.

ManageManagementRoleAssignments

manage the Access Level Assignments of the Management Role.

ManageManagementRoleDefinitionAssignments (Management Role Definition Only)

add or remove Access Level Assignments to and from the Management Role Definition.

Assignment Definition Editor

This Access Level Definition grants the actor assigned the Access Level the ability to manage the Access Levels of the Management Role and Management Role Definition and has the following operations set to allowed.

Operation

Enables any assigned actor to

Use

view a Management Role or Management Role Definition.

ManageManagementRoleAssignments (Management Role Only)

manage the Access Level Assignments of the Management Role.

Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Management Roles and Management Role Definitions has the following additional operations allowed.

Operation

Enables any assigned actor to

ManageManagementRoleAssignments (Management Role Only)

add or remove Access Level Assignments to and from the Management Role.

ManageManagementRoleDefinitionAssignments (Management Role Definitions Only)

add or remove Access Level Assignments to and from the Management Role Definition.

Person

Administrator and EmpowerID Administrator

In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Person Resource Type.

Operation

Enables any assigned actor to

AddToManagementRole

add another EmpowerID Actor type to a Management Role as an actor, granting that actor the Access Levels assigned to the Management Role.

Info

To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.

AllowLogin

select the Allow Login option on the Advanced Tab of the Resource Management Screen for a Person object.

AllowPasswordOperations

select the Allow Password Operations option on the Advanced Tab of the Resource Management Screen for a Person object.

AllowSyncAttributes

select the Allow Attribute Sync option on the Advanced Tab of the Resource Management Screen for a Person object.

AssignAccounttoSSOApplication

register an account for a given SSO application configured in EmpowerID to a Person. 

Info

This operation must be allowed for both the SSO application and the Person in question to complete the task without requiring approval.

AssignOrgRoleOrgZone

assign a person to a Business Role and Location.

AssignPersonOrgRoleOrgZone

assign a person to a Business Role and Location as a secondary Business Role and Location.

ClaimAccount

claim an orphaned account.

ClaimSSOApplicationAccount

claim an account from an SSO application configured in EmpowerID, such as Google Apps.

Info

The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.

DenyLogin

deselect the Allow Login option on the Advanced Tab of the Resource Management Screen for a Person object.

DenyPasswordOperations

deselect the Allow Password Operations option on the Advanced Tab of the Resource Management Screen for a Person object.

DenySyncAttributes

deselect the Allow Attribute Sync option on the Advanced Tab of the Resource Management Screen for a Person object.

DisablePerson

disable a Person object.

EditPersonAboutAttribute

edit the About Person section on the Person Tab of the Resource Management Screen for a Person object.

EditPersonDemographics

update information on the Edit Person Demographics screen for a Person object.

EditPersonExtensionAttributes

edit the Extension Attributes section on the Extension Tab of the Resource Management Screen for a Person object.

EditPersonMustChangePasswordonNextLogin

select the Must Change Password option on the Person Edit form for the Person object.

EditPersonNameAttributes

edit the Name Information section on the Person Tab of the Resource Management Screen for a Person object.

EditPersonOrganizationAttributes

edit the Organization Information section on the Organization Tab of the Resource Management Screen for a Person object.

EditPersonMultiOperations

edit all attributes of a Person object.

EnablePerson

enable a Person object.

Enroll

enroll a Person object in the Password Reset Center.

JoinAccountToPerson

join an orphaned account to a Person object.

Login

login to EmpowerID.

Read

view a Person object.

RemoveFromManagementRole

remove another EmpowerID Actor type from a Management Role as an actor, revoking the Access Levels that actor received through the Management Role.

Info

To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.

ResetPassword

reset a password for a Person object.

RestoreDeletedPerson

restore a deleted Person object.

SelfServiceChangePassword

change their password.

SelfServiceResetPassword

reset their password.

SetPasswordManagerPolicy

select the Password Manager Policy applied to a Person object from the Advanced Tab of the Resource Management Screen for Person objects.

SetPersonPrimaryBusinessRoleandLocation

set the Primary Business Role and Location for a Person object.

SetProfileManagerPolicy

select the Profile Manager Policy applied to a Person object from the Advanced Tab of the Resource Management Screen for Person objects.

Terminate

terminate a Person object.

UnassignAccountfromSSOApplication

remove from a Person an account for a given SSO application configured in EmpowerID. 

Info

This operation must be allowed for both the SSO application and the Person in question to complete the task without requiring approval.

UnClaimSSOApplicationAccount

remove a selected SSO Application account from their Person object, removing their ability to SSO into that account from EmpowerID. 

Info

The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.

Unenroll

unenroll a Person object from the Password Reset Center.

UnjoinAccountFromPerson

unjoin an account from a Person object.

UnlockFromResetCenter

unlock an account for a Person object that has been locked out of the Password Reset Center.

UnlockPerson

unlock a Person object.

UnlockPersonAccounts

unlock accounts for a Person object.

ViewStreetAddressAttribute

view the Address section on the Edit Person Demographics screen.

ViewAboutPersonAttributes

view the About Person section on the Person Tab of the Resource Management Screen for a Person object.

ViewAddressandPhoneNumbers

view the Address and Phone Numbers section on the Organization Tab of the Resource Management Screen for the Person object.

ViewAdvancedPersonAttributes

view the Advanced Tab of the Resource Management Screen for a Person object.

ViewExtensionAtttributes

view the Extension Tab of the Resource Management Screen for a Person object.

ViewNameInformation

view the Name Information section on the Person Tab of the Resource Management Screen for a Person object.

ViewOrganizationAttributes

view the Organization Information section on the Organization Tab of the Resource Management Screen for a Person object.

...

  • Approve

  • Contribute

  • Design

  • Full Control

  • Limited Access

  • Manage Hierarchy

  • Read Only

  • Restricted Read

User Account

Administrator and EmpowerID Administrator

In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the User Account Resource Type.

Operation

Enables any assigned actor to

AddToManagementRole

add another EmpowerID Actor type to a Management Role as an actor, granting that actor the Access Levels assigned to the Management Role.

Info

To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.

AllowLogin

select the Allow Login option on the Advanced Tab of the Account Details Screen.

ChangePassword

change the password of a user account.

ClaimAccount

claim an orphaned account.

CreateUserHomeFolder

create a home folder.

DisableUser

disable a user account from the Password Options section of the Account Tab on the Account Details Screen.

EditTerminalServicesAccess

select or clear the "Allow this user permissions to log on to Terminal Services" option in the Profile section of the Remote Desktop Tab on the Account Details Screen.

EditTerminalServicesProfile

edit the Profile Path for an account from the Profile Section of the Remote Desktop Tab on the Account Details Screen.

EditUserAccountHomeFolder

edit the Home Directory for an account from the Profile Section of the Remote Desktop Tab on the Account Details Screen.

EditUserAccountProfile

edit the Profile settings for an account from the Profile Tab of the Account Details Screen.

EditUserAdvancedSettings

edit the settings applied to the Prevent Deletion in EmpowerID and Hide in EmpowerID settings for accounts from the Advanced Tab of the Account Details Screen.

EditUserExpiration

set the expiration date for an account in Active Directory.

EditUserExtensionAttributes

edit the user extension attributes from the Extension Tab of the Account Details Screen.

EditUserNameAttributes

edit the user name attributes from the Account Name Information section of the Account Tab on the Account Details Screen.

EditUserOrganizationAttributes

edit the Organization Information section for an account from the Organization Tab of the Account Details Screen.

EditUserPasswordOptions

edit the Password Options settings for an account from the Account Tab of the Account Details Screen.

EditUserTerminalServicesEnvironment

edit the Terminal Services Environment settings for an account from the Environment section of the Remote Desktop Tab of the Account Details Screen.

EditUserTerminalServicesHomeDrive

edit the Terminal Services Home Drive setting for an account from the Profile section of the Remote Desktop Tab on the Account Details Screen.

EditUserTerminalServicesRemoteControl

edit the Terminal Services Remote Control settings for an account from Remote Control section of the Remote Desktop Tab on the Account Details Screen.

EditUserTerminalServicesSession

edit the Terminal Services Session settings for an account from Session and Timeout Settings section of the Remote Desktop Tab on the Account Details Screen.

EnableRequireSmartCardLogon

set the Require SmartCard Logon option for an account from the Password Options section of the Account Tab on the Account Details Screen.

EnableUser

enable a disabled account from the Password Options section of the Account Tab on the Account Details Screen.

JoinAccountToPerson

join an orphaned account to a Person object.

MailDisable

remove the Mail-enabled flag from an account.

MailDisableAccount

remove the Mail-enabled flag from an account.

MailEnable

set an account as mail-enabled, making it available in the Exchange GAL.

MailEnableAccount

set an account as mail-enabled, making it available in the Exchange GAL.

MoveAccount

move an account from one location to another.

RemoveFromManagementRole

remove another EmpowerID Actor type from a Management Role as an actor, revoking the Access Levels that actor received through the Management Role.

Info

To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.

ResetPassword

reset a password for an account.

RestoreDeletedAccount

restore a deleted account.

RestoreDeletedMailbox

restore a mailbox that has been deleted from an account.

SetAccountManager

select the AD line manager for an account.

SetAllowDialIn

set the Allow Dialin option for an account from the Password Options section on the Account Tab of the Account Details Screen.

UnlockUser

unlock an account that is locked in Active Directory.

UnlockPersonAccounts

unlock accounts for a Person object.

ViewAccountNameInformationAttributes

view the Account Name Information section on the Account Tab of the Account Details Screen.

ViewAddressandPhoneNumberAttributes

view the Address and Phone Numbers section on the Organization Tab of the Account Details Screen.

ViewAdvancedAttributeInformation

view the Advanced Attribute Information section on the Advanced Tab of the Account Details Screen.

ViewExtensionAtttributes

view the Extension Attributes section on the Extension Tab of the Account Details Screen.

ViewOrganizationInformationAttributes

view the Organization Information section on the Organization Tab of the Account Details Screen.

ViewPasswordOptionAttributes

view the Password Options section on the Account Tab of the Account Details Screen.

ViewProfileOptionAttributes

view the Profile Options section on the Profile Tab of the Account Details Screen.

ViewRemoteDesktopAttributes

view the Remote Desktop Tab of the Account Details Screen.

ViewRemoteDesktopEnvironmentAttributes

view the Environment section on the Remote Desktop Tab of the Account Details Screen.

ViewRemoteDesktopProfileAttributes

view the Profile section on the Remote Desktop Tab of the Account Details Screen.

ViewRemoteDesktopRemoteControlAttributes

view the Remote Control section on the Remote Desktop Tab of the Account Details Screen.

ViewRemoteDesktopSessionandTimeOutSettings

view the Session and Timeout Settings section on the Remote Desktop Tab of the Account Details Screen.

...

Co-Owner

This Access Level Definition grants owner status for a shared folder and has the following operations set to allowed.

Operation

Enables any assigned actor to

Use

view a shared folder.

ManageAnyResourceRole

assign or unassign Access Levels for a shared folder.

ManageAnyResourceRoleAssignmentByLocation

assign or unassign Access Levels by location for shared folders.

Deny All

This Access Level Definition contains no EmpowerID Operations. It is used to deny access to Shared Folders.

Full Control

This Access Level Definition contains no EmpowerID Operations. It is used to grant the following NTFS File System rights for Shared Folders managed by EmpowerID.

  • AppendData

  • ChangePermissions

  • Delete

  • DeleteSubdirectoriesAndFiles

  • ExecuteFile

  • ReadAttributes

  • ReadData

  • ReadExtendedAttributes

  • ReadPermissions

  • Synchronize

  • TakeOwnership

  • WriteAttributes

  • WriteData

  • WriteExtendedAttributes

...