Versions Compared


Assigning Access Levels to Management Roles

EmpowerID Access Levels, also known as Resource Roles, are collections of "operational capabilities" and/or "native system rights" specific to a particular resource type, such as an account, group or mailbox. When you assign an Access Level to a Management Role, you give anyone assigned membership in the Management Role the ability to perform those operations or tasks against a selected resource.

Info

Generally speaking, the default Management Roles shipped by EmpowerID contain all the Access Levels sufficient for those roles. Therefore, it is recommended that you only assign Access Levels to the Management Roles you create or clone.


To assign Access Levels to Management Roles

  1. In the
Navigation Sidebar of the EmpowerID Web interface, expand Role Management and click Manage Delegations.
  • On the Actor Delegations tab, drop down the Assignee Type and select Management Role.
  • Enter the name of the Management Role to delegate access to in the Enter a Management Role Name to Search field and click the tile for the role.

    Image Removed
    Drop down the Assignment Type and select By Location. Selecting By Location gives the Management Role
    1. navigation sidebar, navigate to the Management Roles page by expanding Role Management and clicking Management Roles.
    2. Search for the Management Role to which you want to assign one or more Access Levels.
    3. From the search results, click the Display Name link for the role.

      Image Added

      This opens the Management Role Details (View One) page for the role. This page allows you to view and edit information and configuration settings for the Management Role, as well as perform specific actions against the role.

      Image Added

    4. Click the Advanced tab and then click the Access Granted sub-tab.

      Image Added

    5. Click the Access Granted to Management Role Members accordion to expand it.

      Image Added

    6. In the Access Granted to Management Role Members accordion, do the following:
      1. Assign direct to resource or other method? — Select how you want the Access Level to be assigned. 
        • Direct — Select this option if you want to assign to Management Role members direct access to a single resource. An example would be granting the Initiator Access Level to the Create Person workflow. 
        • By Location — Select this option if you want to assign to Management Role members access to all resources of a
    resource
        • specific type in a specific location and
    all
        • its child locations
    .In the Assignments grid, click the Add Assignments (+) button.
    Image Removed
  • In the Grant Access dialog that appears, select the resource type for which to give the Management Role an access level. This example selects the Computer resource type.
  • Under For Resource in or Below, click the Select a Location link, and in the Location Selector that appears, search for and select the location in which you want the Access Level to have effect.
    Image Removed
  • Click Save to close the Location Selector.
  • Drop down the Access Level and select the one to assign to the Management Role. This example uses the Administrator Access Level. This gives anyone who is assigned to the Management Role all of the EmpowerID Operations and native system rights delegated to the Management Role.
  • Optionally, select Time Constraint to add a time constraint to the Access Level assignment. When this option is selected, click in the Valid From and Valid To fields and pick Calendar values to set date and time ranges.
    Image Removed
    Click Save to add the assignment to the shopping cart.
    Image Removed
    Repeat for each Access Level to assign to the Management Role Definition, and when you have finished adding Access Level assignments, click the Shopping Cart icon, type a reason for the assignments in the cart dialog and click Submit
    Image Removed
        • (if any). An example would be granting the Access Manager Access Level for all Computers in the Default Organization and below.
        • Relative — Select this option if you want to assign to Management Role members access to all resources of a specific type relative to their location within the organization. An example would be granting the Access Manager Access Level for all Computers in a member's locations and below
        • Belonging to which group? — Select this option if you want to assign to Management Role members a specific type of access to all user accounts or people belonging to a particular group. An example would be granting the ACT-Account-Membership-Management Access Level for all user accounts belonging to the Contractor's group.
        • Belonging to which Management Role? — Select this option if you want to assign to Management Role members a specific type of access to all people belonging to a particular Management Role. An example would be granting the ACT-Person-Profile-Edit Access Level for all people belonging to the  VIS-Person-MyOrg Management Role.
        • Belonging to which Query-Based Collection? — Select this option if you want to assign to Management Role members a specific type of access to all objects belonging to a particular Query-Based Collection. An example would be granting the ACT-Account-Object-Administration Access Level for all user accounts belonging to the AD Accounts Never Logged In Query-Based Collection.
      1. Click the Add New button in the grid.

        Image Added

      2. Resource Type Search for and select the specific type of resource against which you are granting the Access Level. 
      3. Search for and select the specific resource against which you are granting the Access Level Depending on the access assignment method chosen above and the resource type selected, the field will differ accordingly. For example, if you selected By Location as the access assignment method, you are presented with a Select a Location link, as shown below. Clicking the link opens the Location selection tree.   

        Image Added

      4. Access Level — Search for and select the Access Level you want to assign to the role.
      5. Click Save.

        Image Added

      6. Repeat for any other Access Levels you want to assign to the role.
    1. After you have completed adding Access Levels, click the Shopping Cart at the top of the page.
    2. Enter a reason for the Access Level assignment and then click Submit.

      Image Added
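
Review bot: the revised sub-steps for the Access Granted to Management Role Members accordion (Add New, Resource Type, resource, Access Level, Save) no longer mention the optional Time Constraint with Valid From and Valid To that the removed steps described. If the new grid still supports time-bound assignments, keep that step, since those fields bound how long a grant such as Administrator by location stays in effect; if it does not, say so. In the same list, the resource-selection step has no field label and runs two sentences together after "Access Level", "Resource Type" is missing the dash the other fields use, and the numbering restarts at 1 twice (at "Click the Add New button" and at "click the Shopping Cart").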