Default Access Level Definitions


EmpowerID ships with the following default Access Level Definitions for each Resource Type. Each Access Level Definition is defined by EmpowerID Operations and/or native system rights. Many of the operations, such as the RBAC operations generated for the Administrator and EmpowerID Administrator Access Level Definitions, are similar for each Resource Type.

RBAC operations allow the person assigned the operation to grant or remove a particular Access Level for the Resource Type to or from another EmpowerID Actor (Account, Group, Set Group, Person, and Business Role and Location) as long as the person with the operation has that operation allowed for the EmpowerID Actor in question as well. This is because the operation is a dual operation; it is being performed against two different types of resources.

For example, if "Vivian" is an Administrator for a Computer object, she has the AddPersonToUse operation allowed for that Computer object, meaning she can assign the Use Access Level for that computer to another EmpowerID Person. However, in order for Vivian to complete the assignment, she must also have the AddPersonToUse operation allowed for the EmpowerID Person receiving the assignment. If she only has the operation allowed for the computer, but not for the person, the assignment is routed for approval to someone with the operation allowed for both Resource Types. This is true for all such RBAC operation assignments.

In the RBAC operations listed below, <%Actor%> is a placeholder for each of the EmpowerID Actor types (Account, Group, Set Group, Person, and Business Role and Location) and <%ResourceRole%> is a placeholder for each Access Level specific to an Access Level Definition. When viewing these types of operations, substitute <%Actor%> with an EmpowerID Actor type and <%ResourceRole%> with the Access Level for the Resource Type.

For example, the Add<%Actor%>To<%ResourceRole%> operation can be parsed out as AddAccountToUse, AddGroupToUse, AddSetGroupToUse, AddPersonToUse, and AddOrgRoleOrgZoneToUse. The only exception to this rule concerns the Set Group, which is generally allowed only for the EmpowerID Administrator Access Level Definitions in the default setup.

Additionally, to avoid repetition, Access Level Definitions common to all Resource Types, such as the Use and Access Level Assigner Access Level Definitions, are listed under the Common Access Level Definitions heading below and are not repeated for each Resource Type. Where these differ, the definitions are listed under that Resource Type.

To view the Access Level Definitions with their respective Access Levels and operations, go to the Access Level Definitions node under RBAC Definitions in Configuration Manager.

Common Access Level Definitions

The Administrator and EmpowerID Administrator Access Level Definitions have many operations in common for each Resource Type. The main difference between the two is that the EmpowerID Administrator has all operations allowed for the Resource Type while the Administrator has most, but not all.

The number of default Access Levels for each Resource Type varies from type to type. For example, the EmpowerID Access Request Catalog Item has four Access Levels while the SharePoint Document has 12. You can view these in Configuration Manager as shown by the image above.

Administrator and EmpowerID Administrator

Operation | Enables any assigned actor to
Add<%Actor%>To<%ResourceRole%> | add the specific Access Level for the Resource Type resource object to the EmpowerID Actor type in question.
AddOperationToResourceTypeRole<%ResourceType%> | add operations to Access Levels for the Resource Type resource object.
AddTo<%ResourceRole%> | grant the specific Access Level for the Resource Type resource object to any EmpowerID Actor type.
AddTo<%ResourceRole%>InLocation | grant the specific Access Level to any EmpowerID Actor for Resource Type resource objects scoped by location.
AddTo<%ResourceRole%>InRelativeResource | grant the specific Access Level to any EmpowerID Actor for resources relative to that actor, such as all resource objects in or below their location.
AssignResourceOrgZone | assign Resource Type resource objects to a location.
CreateResourceTypeRole<%ResourceType%> | create a Resource Type Role for the Resource Type.
Delete | delete a resource from a Resource Type, such as a specific Business Role from the EmpowerID Business Role Resource Type.
DeleteResourceTypeRole<%ResourceType%> | delete a Resource Type Role for the Resource Type.
EditResourceTypeRole<%ResourceType%> | edit a Resource Type Role for the Resource Type.
Use | view the Resource Type resource object in EmpowerID.
ManageAnyResourceRole | assign or unassign any EmpowerID Access Levels. This operation is needed to grant or revoke direct assignments of Access Levels.
ManageAnyResourceRoleAssignmentByLocation | assign Access Levels by location for the Resource Type resource object. This operation is needed to grant or revoke assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type for resource objects by location, meaning the actor needs to have this operation allowed at or below the location for which they are making a by-location Access Level assignment; otherwise the operation will route for approval.
    By-location operations such as this affect all objects in or below the location for which the operation is approved.
    For example, if you grant this operation to an actor for the Security Group Resource Type, that actor has the ability to grant any Access Level for all security groups in or below the location for which the operation is allowed. Thus, if you have 12 groups in a location named "Switzerland" and 12 groups in a location named "United Kingdom," and you grant this operation for groups in Switzerland, but not for groups in United Kingdom, to a user named "Bob," then Bob can in turn grant the Use Access Level (or the Editor Access Level or any other Access Level that may exist for groups) to any other EmpowerID Actor type at the Switzerland location or at any child location of Switzerland, such as Zurich. This type of by-location assignment at Switzerland would grant the Access Level for all 12 groups in Switzerland simultaneously, including any groups in locations below Switzerland. Bob, however, would not be able to grant any Access Level assignments for groups in the United Kingdom because he does not have the operation allowed for the United Kingdom location. If Bob attempts to make such an assignment, the operation will route for approval.
RevokeResourceOrgZone | remove Resource Type resource objects from a location.
Remove<%Actor%>From<%ResourceRole%> | remove the specific Access Level for the Resource Type resource object from the EmpowerID Actor type in question.
RemoveFrom<%ResourceRole%> | remove the specific Access Level for the Resource Type resource object from any EmpowerID Actor type.
RemoveFrom<%ResourceRole%>InLocation | remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects scoped by location.
RemoveFrom<%ResourceRole%>InRelativeResource | remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects relative to that actor, such as all resource objects in or below their location.
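The following Python is an added example, not EmpowerID code, that models the two assignment rules this page describes: the dual-operation check from the Vivian example (the requester needs the operation on the resource and on the actor receiving the Access Level) and the by-location scoping from the Bob example (an operation allowed at Switzerland covers groups in Zurich but not in the United Kingdom), together with the <%Actor%> placeholder expansion. The location tree, object names, class and function names are constructed assumptions.

```python
"""Model of the EmpowerID operation-assignment rules described on this page.
Added example, not EmpowerID code; all names below are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator, Optional

# Actor types and the tokens that replace <%Actor%> in operation names (taken from the page).
ACTOR_TOKENS = {
    "Account": "Account",
    "Group": "Group",
    "Set Group": "SetGroup",
    "Person": "Person",
    "Business Role and Location": "OrgRoleOrgZone",
}


def expand_operation(template: str, resource_role: str, include_set_group: bool = True) -> list[str]:
    """Expand a template such as Add<%Actor%>To<%ResourceRole%> into one operation per actor type.
    Set Group is optional because the page notes it is normally allowed only for the
    EmpowerID Administrator Access Level Definitions."""
    names = []
    for actor_type, token in ACTOR_TOKENS.items():
        if actor_type == "Set Group" and not include_set_group:
            continue
        names.append(template.replace("<%Actor%>", token).replace("<%ResourceRole%>", resource_role))
    return names


# Constructed location tree: child -> parent (None marks a top-level location).
LOCATION_PARENT: dict[str, Optional[str]] = {
    "Switzerland": None,
    "Zurich": "Switzerland",
    "United Kingdom": None,
    "London": "United Kingdom",
}


def ancestors_and_self(location: str) -> Iterator[str]:
    """Yield the location itself, then each parent up to the top of the tree."""
    current: Optional[str] = location
    while current is not None:
        yield current
        current = LOCATION_PARENT[current]


@dataclass
class Grants:
    """Operations allowed to a requester, either directly on one object or by location."""
    direct: set[tuple[str, str, str]] = field(default_factory=set)       # (requester, operation, object)
    by_location: set[tuple[str, str, str]] = field(default_factory=set)  # (requester, operation, location)

    def allowed(self, requester: str, operation: str, obj: str, obj_location: Optional[str] = None) -> bool:
        if (requester, operation, obj) in self.direct:
            return True
        # A by-location grant covers every object in or below the granted location.
        if obj_location is not None:
            return any((requester, operation, loc) in self.by_location for loc in ancestors_and_self(obj_location))
        return False


def decide_direct_assignment(grants: Grants, requester: str, operation: str, resource: str,
                             resource_location: Optional[str], target_actor: str,
                             target_location: Optional[str]) -> str:
    """Dual-operation rule: allowed only when the requester holds the operation on the resource
    AND on the actor that receives the Access Level; otherwise the request routes for approval."""
    on_resource = grants.allowed(requester, operation, resource, resource_location)
    on_target = grants.allowed(requester, operation, target_actor, target_location)
    return "allowed" if on_resource and on_target else "route for approval"


def decide_by_location_assignment(grants: Grants, requester: str, assignment_location: str) -> str:
    """By-location rule: the requester needs ManageAnyResourceRoleAssignmentByLocation allowed
    at the assignment location or at one of its parent locations."""
    op = "ManageAnyResourceRoleAssignmentByLocation"
    covered = any((requester, op, loc) in grants.by_location for loc in ancestors_and_self(assignment_location))
    return "allowed" if covered else "route for approval"


def demo() -> tuple[str, str, str, str]:
    """Walk through the page's two examples; object names are constructed."""
    grants = Grants()
    # Vivian administers a computer: AddPersonToUse is allowed on the computer only.
    grants.direct.add(("Vivian", "AddPersonToUse", "Computer:WS-0042"))
    first = decide_direct_assignment(grants, "Vivian", "AddPersonToUse", "Computer:WS-0042", None,
                                     "Person:Alice", None)
    # Once she also holds the operation on the receiving person, the assignment completes.
    grants.direct.add(("Vivian", "AddPersonToUse", "Person:Alice"))
    second = decide_direct_assignment(grants, "Vivian", "AddPersonToUse", "Computer:WS-0042", None,
                                      "Person:Alice", None)
    # Bob may assign by location in Switzerland (and below) but not in the United Kingdom.
    grants.by_location.add(("Bob", "ManageAnyResourceRoleAssignmentByLocation", "Switzerland"))
    zurich = decide_by_location_assignment(grants, "Bob", "Zurich")
    london = decide_by_location_assignment(grants, "Bob", "London")
    return first, second, zurich, london


if __name__ == "__main__":
    print(expand_operation("Add<%Actor%>To<%ResourceRole%>", "Use"))
    print(demo())
```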


Asset Catalog Item

Administrator and EmpowerID Administrator

In addition to the operations common to all Administrator and EmpowerID Administrator Access Level Definitions mentioned above, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Asset Request Item Resource Type.

Operation | Enables any assigned actor to
Request | request an Asset Catalog Item.
UnassignFromAdministrator | remove the Administrator Access Level for an Asset Catalog Item from any EmpowerID Actor type.

Requestor

This Access Level Definition allows the actor assigned the Access Level to request Asset Catalog Items in EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
Use | view an Access Request Catalog Item in EmpowerID.
Request | request an Access Request Catalog Item.



Attestation Policy

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions mentioned above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID Attestation Policy Resource Type.

Operation | Enables any assigned actor to
Provision | provision an Attestation Policy object.
Delete | delete an Attestation Policy object.
Edit | edit an Attestation Policy object.
Review | review an Attestation Policy.

Reviewer

This Access Level Definition gives the actor assigned the Access Level the ability to review attestation tasks and perform access certification and has the following operations set to allowed.

Operation | Enables any assigned actor to
Use | view an Attestation Policy object in EmpowerID.
Review | review an Attestation Policy.



Business Role

Administrator and EmpowerID Administrator

In addition to most of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Business Role Resource Type.

Operation | Enables any assigned actor to
AssignGroupOrgRoleOrgZone | assign a group to a Business Role and Location.
AssignOrgRoleOrgZone | assign a person to a Business Role and Location as a secondary Business Role and Location.
AssignPersonOrgRoleOrgZone | assign a person to a Business Role and Location.
Insert | create a Business Role.
MoveBusinessRole | move the Business Role from one location to another.
RemoveGroupOrgRoleOrgZone | remove a group from a Business Role and Location.
RemovePersonOrgRoleOrgZone | unassign a person from a secondary Business Role and Location.
SetPersonPrimaryBusinessRoleandLocation | assign the primary Business Role and Location for a person.
Update | edit a Business Role.

Assign and Unassign to Business Role

Operation | Enables any assigned actor to
AssignOrgRoleOrgZone | assign a person to a Business Role and Location.
AssignPersonOrgRoleOrgZone | assign a person to a Business Role and Location as a secondary Business Role and Location.
Use | view a Business Role.
RemovePersonOrgRoleOrgZone | unassign a person from a secondary Business Role and Location.
SetPersonPrimaryBusinessRoleandLocation | set the primary Business Role and Location for a person.

Editor

This Access Level Definition grants the actor assigned the Access Level the ability to edit Business Roles in EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
Edit | edit a Business Role.
Use | view a Business Role.
Update | update a Business Role.

Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.

Operation | Enables any assigned actor to
AddOrgRoleOrgZoneToRelativeResourceRole | assign relative Access Levels to a Business Role and Location.
AddOrgRoleOrgZoneToResourceRole | assign Access Levels directly to a Business Role and Location.
AddOrgRoleOrgZoneToResourceRoleAssignmentByLocation | assign Access Levels by location to a Business Role and Location.
RemoveOrgRoleOrgZoneFromRelativeResourceRole | remove relative Access Levels from a Business Role and Location.
RemoveOrgRoleOrgZoneFromResourceRole | remove Access Levels directly from a Business Role and Location.
RemoveOrgRoleOrgZoneFromResourceRoleAssignmentByLocation | remove Access Levels scoped by location from a Business Role and Location.


Computer

Administrator and EmpowerID Administrator

In addition to most of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions for the Computer Resource Type both have the following EmpowerID Operations allowed.

Operation | Enables any assigned actor to
DeleteComputer | delete a Computer object when running the DeleteComputer workflow.
DeleteDirectory | delete a directory when running the DeleteDirectory workflow.
DisableComputer | disable a Computer object when running the DisableComputer workflow.
EditComputerAdvancedSettings | edit the Advanced Tab fields on the Computer Resource Management Screen for a Computer object.
EditDescription | edit the Description field on the Computer Tab of the Computer Resource Management Screen for a Computer object.
EnableComputer | enable a Computer object.
EnableDisableComputerOperation | enable and/or disable a Computer object.
MoveComputer | move a Computer object from one location to another.
ProvisionComputer | provision a Computer object in EmpowerID.

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Computer Resource Type.

Operation | Enables any assigned actor to
PowershellMoveComputer | move a Computer object using PowerShell commands.
RestartComputer | restart a Computer object.
RestartService | restart a service on an assigned Computer object.
StopApplicationPool | stop an application pool on an assigned Computer object.
StopProcess | stop a process on an assigned Computer object.
StopService | stop a service on an assigned Computer object.

Co-Owner

The Co-Owner Access Level Definition has the following operations set to allowed for the Computer Resource Type.

Operation | Enables any assigned actor to
Use | view the Computer object in EmpowerID.
ManageAnyResourceRole | assign or unassign any EmpowerID Access Levels for a Computer object. This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular Computer object to users.

Create, Enable, Disable, Move and Delete

This Access Level Definition allows the actor assigned the Access Level to create, enable, disable, move and delete assigned Computer objects in EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
Use | view a Computer object in EmpowerID.
DeleteComputer | delete a Computer object from EmpowerID.
EnableComputer | enable a Computer object in EmpowerID.
DisableComputer | disable a Computer object in EmpowerID.
ProvisionComputer | provision a Computer object in EmpowerID.
MoveComputer | move a Computer object from one location to another in EmpowerID.
EnableDisableComputerOperation | enable and/or disable a Computer object.



EmpowerID System

Administrator and EmpowerID Administrator

In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Person Resource Type.

Operation | Enables any assigned actor to
CreateAssetType | create an Asset Type when running the ProvisionCatalogRequest workflow.
EditCatalogRequest | edit a Catalog Request item when running the AssetCatalogItemEdit workflow.
ProvisionCatalogRequest | create a Catalog Request item when running the ProvisionCatalogRequest workflow.
RunPowerShellScript | run a PowerShell script against resources in EmpowerID.

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID System Resource Type.

Operation | Enables any assigned actor to
ProvisionSharePointSite | create a SharePoint Site.

User

This Access Level Definition grants the actor assigned the Access Level the ability to log in and use EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
Use | view the resource in EmpowerID.

Exchange Mailbox

Administrator and EmpowerID Administrator

In addition to many of the operations common to most Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions for the Exchange Mailbox both have the following operations allowed for the Exchange Mailbox Resource Type.

Operation | Enables any assigned actor to
AddEmailAddress | add a new email address to an existing user mailbox.
DeleteEmailAddress | delete an email address from an existing user mailbox.
DisableActiveSync | deselect the ActiveSync Enabled option on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
DisableAuto-AcceptCalendar | deselect the Auto-Accept Calendar option on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
DisableMailbox | disable a mailbox by setting all quota values on the mailbox to 0.
DisableOWA | deselect the OWA Enabled option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
DisableRequireAuthenticatedSenders | deselect the Require authenticated senders option in the Send and Receive Limits section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
DisableUseDefaultQuota | deselect the Use Default Quota option on the Quota and Limits Tab of the Exchange Mailbox Resource Management screen.
EditMailboxAlias | edit the Alias option in the Overview section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
EditMailboxExtensionAttributes | edit the Extension Attributes on the Extension Tab of the Exchange Mailbox Resource Management screen.
EditMailboxNote | edit the Notes field in the Overview section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
EditRoomCapacity | edit the Capacity field in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
EditSendandReceiveLimits | edit the fields in the Send and Receive Limits section of the Quota and Limits Tab on the Exchange Mailbox Resource Management screen.
EditAcceptFrom | edit the "Allowed" list for who may send email to a specific mailbox.
EditEmailAddress | edit an email address when running the EditExchangeMailboxAddress workflow.
EditExchangeMailbox | perform a general edit of a mailbox.
EditMailboxForwarding | edit who receives a copy of mail sent to a mailbox.
EditMailboxQuota | edit the Quota fields in the Quota Settings section of the Quota and Limits Tab on the Exchange Mailbox Resource Management screen.
EditSMTPAddresses | edit the SMTP address for a mailbox.
EditRejectFrom | edit the "Allowed" list for who may not send email to a specific mailbox.
EnableRequireAuthenticatedSenders | select the Require authenticated senders option in the Send and Receive Limits section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
EnableActiveSync | select the ActiveSync Enabled option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
EnableAuto-AcceptCalendar | select the Auto-Accept Calendar option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
EnableMailbox | enable a mailbox.
EnableOWA | select the OWA Enabled option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
EnableUseDefaultQuota | select the Use Default Quota option in the Quota Limits section on the Quota and Limits Tab of the Exchange Mailbox Resource Management screen.
EnableAutoAccept | enable auto-accept for appointments on room or equipment mailboxes.
HideinGAL | select the Hidden In GAL option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
LinkAccountToMailbox | link a user account to a mailbox.
MoveMailbox | move a mailbox from one location to another.
ReActivateMailbox | activate a deactivated mailbox.
RemoteDeviceWipe | wipe data from an ActiveSync device (usually a phone) the next time the device tries to sync with the server.
RestoreDeletedMailbox | restore a mailbox that has been deleted in EmpowerID.
SetMasterAccount | set the master account for a linked mailbox to an account in a trusted domain in another forest.
ShowinGAL | deselect the Hidden In GAL option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
SuspendMailbox | set the quota values on a mailbox to 0.
ViewMailboxExtensionAttributes | view the Extension Attributes for a mailbox.
ViewMailboxFeatureAttributes | select the Hidden In GAL option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
ViewMailboxQuotaAttributes | view the Quota Attributes for a mailbox.
ViewMailboxSendandReceiveLimitsAttributes | view the Send and Receive Limits Attributes for a mailbox.
ViewDeviceStatus | view the status of an ActiveSync device.

Full Access in Outlook

This Access Level Definition grants native Full Access permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.

Reader in Outlook

This Access Level Definition grants Read permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.

Recipient Management

This Access Level Definition grants the actor assigned the Access Level the ability to manage mailboxes in EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
AddEmailAddress | add a new email address to an existing user mailbox.
DeleteEmailAddress | delete an email address from an existing user mailbox.
DisableActiveSync | deselect the ActiveSync Enabled option on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
DisableAuto-AcceptCalendar | deselect the Auto-Accept Calendar option on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
DisableMailbox | disable a mailbox by setting all quota values on the mailbox to 0.
DisableOWA | deselect the OWA Enabled option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
DisableRequireAuthentication | deselect the Require authenticated senders option in the Send and Receive Limits section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
DisableUseDefaultQuota | deselect the Use Default Quota option on the Quota and Limits Tab of the Exchange Mailbox Resource Management screen.
EditAcceptFrom | edit the "Allowed" list for who may send email to a specific mailbox.
EditMailboxAlias | edit the Alias option in the Overview section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
EditMailboxExtensionAttributes | edit the Extension Attributes on the Extension Tab of the Exchange Mailbox Resource Management screen.
EditMailboxNote | edit the Notes field in the Overview section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
EditRejectFrom | edit the "Allowed" list for who may not send email to a specific mailbox.
EditRoomCapacity | edit the Capacity field in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
EditSendandReceiveLimits | edit the fields in the Send and Receive Limits section of the Quota and Limits Tab on the Exchange Mailbox Resource Management screen.
EditEmailAddress | edit an email address when running the EditExchangeMailboxAddress workflow.
EditExchangeMailbox | perform a general edit of a mailbox.
EditMailboxForwarding | edit who receives a copy of mail sent to a mailbox.
EditMailboxQuota | edit the Quota fields in the Quota Settings section of the Quota and Limits Tab on the Exchange Mailbox Resource Management screen.
EditSMTPAddresses | edit the SMTP address for a mailbox.
EnableActiveSync | select the ActiveSync Enabled option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
EnableAuto-AcceptCalendar | select the Auto-Accept Calendar option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.
EnableMailbox | enable a mailbox.
EnableOWA | select the OWA Enabled option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
EnableUseDefaultQuota | select the Use Default Quota option in the Quota Limits section on the Quota and Limits Tab of the Exchange Mailbox Resource Management screen.
EnableAutoAccept | enable auto-accept for appointments on room or equipment mailboxes.
HideinGAL | select the Hidden In GAL option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
MoveMailbox | move a mailbox from one location to another.
ReActivateMailbox | activate a deactivated mailbox.
RemoveFromReader | remove the Reader Access Level from another EmpowerID Actor type.
RemoveFromRecipientManagement | remove the Recipient Management Access Level from another EmpowerID Actor.
RestoreDeletedMailbox | restore a mailbox that has been deleted in EmpowerID.
ShowinGAL | deselect the Hidden In GAL option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
ViewMailboxExtensionAttributes | view the Extension Attributes for a mailbox.
ViewMailboxFeatureAttributes | select the Hidden In GAL option in the Mailbox Features section of the Mailbox Tab on the Exchange Mailbox Resource Management screen.
ViewMailboxQuotaAttributes | view the Quota Attributes for a mailbox.
ViewMailboxSendandReceiveLimitsAttributes | view the Send and Receive Limits Attributes for a mailbox.

Send As in Outlook

This Access Level Definition grants native Send As permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.

Send On Behalf in Outlook

This Access Level Definition grants native Send On Behalf permissions (ACLs) for a mailbox in Exchange and contains no EmpowerID operations.


Group (Distribution, Security, Generic) Access Level Definitions


 Administrator and EmpowerID Administrator

In addition to many of the operations common to most Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the Group Resource Types.

OperationEnables any assigned actor to 
AddToManagementRole

add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. 


To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.

EditADGroupNameAttributesedit the Name, Display Name, and Logon Name fields in the Overview section of the General Tab on the Group Resource Management screen (Group Details form).
EditExchangeSettingsedit the fields in the Overview section of the General Tab on the Group Resource Management screen (Group Details form).
EditGroupAdvancedSettingsedit the fields in the Advanced Options section of the Advanced Tab on the Group Resource Management screen (Group Details form).
EditGroupDescriptionandNoteedit the Description and Note fields in the Overview section of the General Tab on the Group Resource Management screen (Group Details form).
EditGroupExtensionAttributesedit the Name, Display Name, and Logon Name fields in the Overview section of the General Tab on the Group Resource Management screen (Group Details form).
EditGroupTypeedit the Group Type drop-down in the Overview section of the General Tab on the Group Resource Management screen (Group Details form).
EditAcceptFromedit the "Allowed" list for who may send email to a specific group.
EditRejectFromedit the "Denied" list for who may not send email to a specific group.
EditSMTPAddressesedit the SMTP addresses for a group when running the EditSMTPAddresses workflow.
HideGroupinGALselect the Hidden In GAL option in the Exchange Options section of the Exchange Tab on the Group Resource Management screen (Group Details form).
MailDisableGroupdisable mail for a group by deselecting the Is Mail-Enabled option in the Exchange Options section of the Exchange Tab on the Group Resource Management screen (Group Details form).
MailEnableGroupassign an email address to a group by selecting the Is Mail-Enabled option in the Exchange Options section of the Exchange Tab on the Group Resource Management screen (Group Details form).
MoveComputermove a computer from one location to another.
MoveGroupmove a group from one location to another.
RemoveFromManagementRole

remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. 


To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.

ShowGroupinGALdesignate that a selected group be visible in the Global Address List when running the ShowDLInGAL workflow.


 Group Co-Owner

This Access Level grants the person assigned the Access Level owner status for a Group and has the following operations allowed.

OperationEnables any assigned actor to
AddToGroupMemberadd any EmpowerID Actor type to the Member Access Level for the group.
Useview a group.
ManageAnyResourceRole

assign or unassign any EmpowerID Access Levels for a group. 


This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular group to users.

ManageAnyResourceRoleAssignmentByLocation

assign Access Levels by location for the group. 


This operation is needed to grant or revoke assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type, for groups by location, meaning the actor needs to have this operation allowed at or below the location for which they are making a by location Access Level assignment; otherwise the operation will route for approval.

RemoveFromGroupMember | remove any EmpowerID Actor type from the Member Access Level for the group.

Membership Manager

This Access Level grants the person assigned the Access Level the ability to manage group membership and has the following operations allowed.

Operation | Enables any assigned actor to
AddAccountToGroup | add an account to a group.
Add<%Actor%>ToGroupMember | grant group membership to the EmpowerID Actor type (Person, Business Role and Location, or Group) in question.
AddToGroupMember | add People, Groups, or Business Roles to the Member Access Level.
Use | view a group.
ManageAnyResourceRole | assign or unassign any EmpowerID Access Levels for a group. This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular group to users.
ManageAnyResourceRoleAssignmentByLocation | assign or unassign any EmpowerID Access Levels for a group. This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular group to users.
Remove<%Actor%>FromGroupMember | remove People, Groups, or Business Roles from the Member Access Level.

Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Groups has the following additional operations allowed.

Operation | Enables any assigned actor to
AddGroupToRelativeResourceRole | assign relative Access Levels to a Distribution Group.
AddGroupToResourceRole | assign Access Levels directly to a Distribution Group.
AddGroupToResourceRoleAssignmentByLocation | assign Access Levels by location to a Distribution Group.
Use | view a Distribution Group.
ManageAnyResourceRole | assign or unassign any EmpowerID Access Levels for a group. This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular group to users.
ManageAnyResourceRoleAssignmentByLocation | assign Access Levels by location for the group. This operation is needed to grant or revoke assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type for groups by location, meaning the actor needs to have this operation allowed at or below the location for which they are making a by-location Access Level assignment; otherwise the operation will route for approval.
RemoveGroupFromRelativeResourceRole | remove relative Access Levels from a Distribution Group.
RemoveGroupFromResourceRole | remove Access Levels directly from a Distribution Group.
RemoveGroupFromResourceRoleAssignmentByLocation | remove Access Levels scoped by location from a Distribution Group.
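The two rules that recur in these tables, that an assignment operation must be allowed for both the resource and the EmpowerID Actor receiving the Access Level (otherwise it routes for approval), and that a by-location assignment only counts when the assigner's grant covers that location, are easiest to see as a single authorization decision. The following Python model is an added example, not EmpowerID code or its API: the location tree, the grant and actor names (Vivian, Bob, Carol, WS01, Sales, Auditors) are constructed, and it assumes the by-location rule means the location of the assignment must sit at or below the location where the assigner's grant applies.

```python
# Added example (not EmpowerID code): a model of the dual-operation RBAC check
# described on this page. All names, locations and grants below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed location tree, child -> parent. "Global" is the root.
LOCATION_PARENT: Dict[str, Optional[str]] = {
    "Global": None,
    "Europe": "Global",
    "Berlin": "Europe",
    "Americas": "Global",
}


def is_at_or_below(location: str, scope: str) -> bool:
    """True when `location` is `scope` itself or one of its descendants."""
    current: Optional[str] = location
    while current is not None:
        if current == scope:
            return True
        current = LOCATION_PARENT[current]
    return False


@dataclass
class Grant:
    """One allowed operation on one resource, optionally scoped to a location."""
    operation: str
    resource: str                # e.g. "Group:Sales" or "Person:Bob" (constructed)
    scope: Optional[str] = None  # set only for by-location grants


@dataclass
class Actor:
    name: str
    grants: List[Grant] = field(default_factory=list)

    def allowed(self, operation: str, resource: str, location: Optional[str]) -> bool:
        """Is `operation` allowed on `resource`? A scoped grant only counts when the
        assignment's location sits at or below the grant's scope (assumption)."""
        for g in self.grants:
            if g.operation != operation or g.resource != resource:
                continue
            if g.scope is None:
                return True
            if location is not None and is_at_or_below(location, g.scope):
                return True
        return False


def decide_assignment(assigner: Actor, operation: str, resource: str,
                      target_actor: str, location: Optional[str] = None) -> str:
    """Dual-operation rule from the page: the assigner needs `operation` allowed
    for the resource AND for the EmpowerID Actor receiving the Access Level.
    Anything less is not denied outright but routed for approval."""
    if (assigner.allowed(operation, resource, location)
            and assigner.allowed(operation, target_actor, location)):
        return "allowed"
    return "route_for_approval"


# Constructed sample actor, mirroring the "Vivian" example in the introduction.
VIVIAN = Actor("Vivian", [
    Grant("AddPersonToUse", "Computer:WS01"),
    Grant("AddPersonToUse", "Person:Bob"),
    # By-location grant: she may assign Access Levels on Group:Sales within Europe.
    Grant("AddGroupToResourceRoleAssignmentByLocation", "Group:Sales", scope="Europe"),
    Grant("AddGroupToResourceRoleAssignmentByLocation", "Group:Auditors"),
])


def demo() -> Dict[str, str]:
    """Run the four cases a practitioner would check; returns the decisions."""
    return {
        # Operation allowed on both the computer and the person: completes directly.
        "bob_direct": decide_assignment(VIVIAN, "AddPersonToUse", "Computer:WS01", "Person:Bob"),
        # Allowed on the computer only, not on the target person: goes to approval.
        "carol_direct": decide_assignment(VIVIAN, "AddPersonToUse", "Computer:WS01", "Person:Carol"),
        # Berlin lies below Europe, so the scoped grant applies.
        "sales_berlin": decide_assignment(
            VIVIAN, "AddGroupToResourceRoleAssignmentByLocation",
            "Group:Sales", "Group:Auditors", location="Berlin"),
        # Americas is outside Europe: the scoped grant does not apply.
        "sales_americas": decide_assignment(
            VIVIAN, "AddGroupToResourceRoleAssignmentByLocation",
            "Group:Sales", "Group:Auditors", location="Americas"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The point worth noticing is that a missing grant on either side produces "route_for_approval", not a hard deny: when auditing who can hand out an Access Level, the grants on the receiving Actor type matter as much as the grants on the resource.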


Location

Administrator and EmpowerID Administrator

In addition to most of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Location Resource Type.

Operation | Enables any assigned actor to
AddToManagementRole | add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.
AssignGroupOrgRoleOrgZone | assign a group to a Business Role and Location.
AssignOrgRoleOrgZone | assign a person to a Business Role and Location as a secondary Business Role and Location.
AssignPersonOrgRoleZone | assign a person to a Business Role and Location.
RemoveFromManagementRole | remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.
RemoveGroupOrgRoleOrgZone | remove a group from a Business Role and Location.
RemoveOrgRoleOrgZoneFromResourceRole | directly remove Access Levels from a Business Role and Location.
RemoveOrgRoleOrgZoneFromResourceRoleAssignmentByLocation | remove Access Levels scoped by location from a Business Role and Location.
RemovePersonOrgRoleOrgZone | unassign a person from a secondary Business Role and Location.
SetPersonPrimaryBusinessRoleandLocation | set the primary Business Role and Location for a person.
Update | edit a location.

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition listed directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID Location Resource Type.

Operation | Enables any assigned actor to
CreateOU | create an AD OU.
EditOU | edit an AD OU.
MoveBusinessLocation | move a business location to another location.
ProvisionPartner | create a partner location.

Assign and Unassign to Location

This Access Level Definition grants the actor assigned the Access Level the ability to assign or unassign People to and from locations in EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
AssignOrgRoleOrgZone | assign a person to a Business Role and Location as a secondary Business Role and Location.
AssignPersonOrgRoleOrgZone | assign a person to a Business Role and Location.
AssignResourceOrgZone | assign a resource to a location.
Use | view a location.
RemovePersonOrgRoleOrgZone | unassign a person from a Business Role and Location held as a secondary Business Role and Location.
RevokeResourceOrgZone | remove Resource Type resource objects from a location.
SetPersonPrimaryBusinessRoleandLocation | set the primary Business Role and Location for a person.

Editor

This Access Level Definition grants the actor assigned the Access Level the ability to edit locations in EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
Edit | edit a location.
EditOU | edit an AD OU.
Use | view a location.
Update | edit a location.

Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.

Operation | Enables any assigned actor to
AddOrgRoleOrgZoneToRelativeResourceRole | assign relative Access Levels to a Business Role and Location.
AddOrgRoleOrgZoneToResourceRole | assign Access Levels directly to a Business Role and Location.
AddOrgRoleOrgZoneToResourceRoleAssignmentByLocation | assign Access Levels by location to a Business Role and Location.
RemoveOrgRoleOrgZoneFromRelativeResourceRole | remove relative Access Levels from a Business Role and Location.
RemoveOrgRoleOrgZoneFromResourceRole | directly remove Access Levels from a Business Role and Location.
RemoveOrgRoleOrgZoneFromResourceRoleAssignmentByLocation | remove Access Levels scoped by location from a Business Role and Location.


Management Role and EmpowerID Management Role Definition

Administrator

This Access Level Definition gives the actor assigned the Access Level the ability to create, edit, and delete Management Roles, but does not grant them the ability to manage assignments to Management Roles or RBAC delegations. The Administrator Access Level Definition for the Management Role and Management Role Definition Resource Types has the following operations set to allowed.

Operation | Enables any assigned actor to
Delete | delete a Management Role or Management Role Definition.
Edit | edit a Management Role or Management Role Definition.
Use | view a Management Role or Management Role Definition.
Provision | create a Management Role or Management Role Definition.

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition listed directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Management Role and Management Role Definition Resource Types.

Operation | Enables any assigned actor to
AddToManagementRole | add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.
RemoveFromManagementRole | remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.
ManageManagementRoleAssignments | manage the Access Level Assignments of the Management Role.
ManageManagementRoleDefinitionAssignments (Management Role Definition only) | add or remove Access Level Assignments to and from the Management Role Definition.

Assignment Definition Editor

This Access Level Definition grants the actor assigned the Access Level the ability to manage the Access Levels of the Management Role and Management Role Definition and has the following operations set to allowed.

Operation | Enables any assigned actor to
Use | view a Management Role or Management Role Definition.
ManageManagementRoleAssignments (Management Role only) | manage the Access Level Assignments of the Management Role.

Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Management Roles and Management Role Definitions has the following additional operations allowed.

Operation | Enables any assigned actor to
ManageManagementRoleAssignments (Management Role only) | add or remove Access Level Assignments to and from the Management Role.
ManageManagementRoleDefinitionAssignments (Management Role Definition only) | add or remove Access Level Assignments to and from the Management Role Definition.


Person

Administrator and EmpowerID Administrator

In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Person Resource Type.

Operation | Enables any assigned actor to
AddToManagementRole | add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.
AllowLogin | select the Allow Login option on the Advanced Tab of the Resource Management Screen for a Person object.
AllowPasswordOperations | select the Allow Password Operations option on the Advanced Tab of the Resource Management Screen for a Person object.
AllowSyncAttributes | select the Allow Attribute Sync option on the Advanced Tab of the Resource Management Screen for a Person object.
AssignAccounttoSSOApplication | register an account for a given SSO application configured in EmpowerID to a Person. This operation must be allowed for both the SSO application and the Person in question to complete the task without requiring approval.
AssignOrgRoleOrgZone | assign a person to a Business Role and Location as a secondary Business Role and Location.
AssignPersonOrgRoleOrgZone | assign a person to a Business Role and Location.
ClaimAccount | claim an orphaned account.
ClaimSSOApplicationAccount | claim an account from an SSO application configured in EmpowerID, such as Google Apps. The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.
DenyLogin | deselect the Allow Login option on the Advanced Tab of the Resource Management Screen for a Person object.
DenyPasswordOperations | deselect the Allow Password Operations option on the Advanced Tab of the Resource Management Screen for a Person object.
DenySyncAttributes | deselect the Allow Attribute Sync option on the Advanced Tab of the Resource Management Screen for a Person object.
DisablePerson | disable a Person object.
EditPersonAboutAttribute | edit the About Person section on the Person Tab of the Resource Management Screen for a Person object.
EditPersonDemographics | update information on the Edit Person Demographics screen for a Person object.
EditPersonExtensionAttributes | edit the Extension Attributes section on the Extension Tab of the Resource Management Screen for a Person object.
EditPersonMustChangePasswordonNextLogin | select the Must Change Password option on the Person Edit form for the Person object.
EditPersonNameAttributes | edit the Name Information section on the Person Tab of the Resource Management Screen for a Person object.
EditPersonOrganizationAttributes | edit the Organization Information section on the Organization Tab of the Resource Management Screen for a Person object.
EditPersonMultiOperations | edit all attributes of a Person object.
EnablePerson | enable a Person object.
Enroll | enroll a Person object in the Password Reset Center.
JoinAccountToPerson | join an orphaned account to a Person object.
Login | log in to EmpowerID.
Read | view a Person object.
RemoveFromManagementRole | remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.
ResetPassword | reset a password for a Person object.
RestoreDeletedPerson | restore a deleted Person object.
SelfServiceChangePassword | change their own password.
SelfServiceResetPassword | reset their own password.
SetPasswordManagerPolicy | select the Password Manager Policy applied to a Person object from the Advanced Tab of the Resource Management Screen for Person objects.
SetPersonPrimaryBusinessRoleandLocation | set the Primary Business Role and Location for a Person object.
SetProfileManagerPolicy | select the Profile Manager Policy applied to a Person object from the Advanced Tab of the Resource Management Screen for Person objects.
Terminate | terminate a Person object.
UnassignAccountfromSSOApplication | remove from a Person an account for a given SSO application configured in EmpowerID. This operation must be allowed for both the SSO application and the Person in question to complete the task without requiring approval.
UnClaimSSOApplicationAccount | remove a selected SSO Application account from their Person object, removing their ability to SSO into that account from EmpowerID. The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.
Unenroll | unenroll a Person object from the Password Reset Center.
UnjoinAccountFromPerson | unjoin an account from a Person object.
UnlockFromResetCenter | unlock an account for a Person object that has been locked out of the Password Reset Center.
UnlockPerson | unlock a Person object.
UnlockPersonAccounts | unlock accounts for a Person object.
ViewStreetAddressAttribute | view the Address section on the Edit Person Demographics screen.
ViewAboutPersonAttributes | view the About Person section on the Person Tab of the Resource Management Screen for a Person object.
ViewAddressandPhoneNumbers | view the Address and Phone Numbers section on the Organization Tab of the Resource Management Screen for the Person object.
ViewAdvancedPersonAttributes | view the Advanced Tab of the Resource Management Screen for a Person object.
ViewExtensionAtttributes | view the Extension Tab of the Resource Management Screen for a Person object.
ViewNameInformation | view the Name Information section on the Person Tab of the Resource Management Screen for a Person object.
ViewOrganizationAttributes | view the Organization Information section on the Organization Tab of the Resource Management Screen for a Person object.

Assign and Unassign to Business Role and Location

This Access Level Definition grants the actor assigned the Access Level the ability to assign or unassign people to and from Business Roles and Locations in EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
AssignOrgRoleOrgZone | assign a Person object to a Business Role and Location.
AssignPersonOrgRoleOrgZone | assign a Person object to a Business Role and Location.
Use | view a Business Role.
RemovePersonOrgRoleOrgZone | unassign a Person object from a secondary Business Role and Location.
SetPersonPrimaryBusinessRoleandLocation | set the primary Business Role and Location for a Person object.

Editor

This Access Level Definition grants the actor assigned the Access Level the ability to edit Person objects in EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
Delete | delete Person objects.
EditPersonAboutAttribute | edit the About Person section on the Person Tab of the Resource Management Screen for a Person object.
EditPersonDemographics | update demographic information for a Person object on the Edit Person Demographics screen.
EditPersonNameAttributes | edit the Name Information section on the Person Tab of the Resource Management Screen for a Person object.
EditPersonOrganizationAttributes | edit the Organization Information section on the Organization Tab of the Resource Management Screen for a Person object.
Use | view a Person object.
Login | log in to EmpowerID.
ViewStreetAddressAttribute | view the Address section on the Edit Person Demographics screen.
ViewAboutPersonAttributes | view the About Person section on the Person Tab of the Resource Management Screen for the Person object.
ViewAddressandPhoneNumbers | view the Address and Phone Numbers section on the Organization Tab of the Resource Management Screen for the Person object.
ViewNameInformation | view the Name Information section on the Person Tab of the Resource Management Screen for the Person object.
ViewOrganizationAttributes | view the Organization Information section on the Organization Tab of the Resource Management Screen for the Person object.

EmpowerID User

This Access Level Definition grants the actor assigned the Access Level the ability to log in to EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
Login | log in to EmpowerID.

Helpdesk

This Access Level Definition grants the actor assigned the Access Level the ability to perform account management activities for Person objects in EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
DisablePerson | disable a Person object.
EditPersonAboutAttribute | edit the About Person section on the Person Tab of the Resource Management Screen for a Person object.
EditPersonDemographics | update information on the Edit Person Demographics screen for a Person object.
EditPersonExpiration | edit the expiration date for a Person object's access.
EditPersonExtensionAttributes | edit the Extension Attributes section on the Extension Tab of the Resource Management Screen for a Person object.
EditPersonMustChangePasswordonNextLogin | select the Must Change Password option on the Person Edit form for a Person object.
EditPersonNameAttributes | edit the Name Information section on the Person Tab of the Resource Management Screen for a Person object.
EditPersonOrganizationAttributes | edit the Organization Information section on the Organization Tab of the Resource Management Screen for a Person object.
EnablePerson | enable a Person object.
JoinAccountToPerson | join an orphaned account to a Person object.
Use | view a Person object.
Login | log in to EmpowerID.
ResetPassword | reset a password for a Person object.
Unenroll | unenroll a Person object from the Password Reset Center.
UnjoinAccountFromPerson | unjoin an account from a Person object.
UnlockFromResetCenter | unlock an account for a Person object that has been locked out of the Password Reset Center.
UnlockPerson | unlock a Person object.
UnlockPersonAccounts | unlock accounts for a Person object.
ViewStreetAddressAttribute | view the Address section on the Edit Person Demographics screen.
ViewAboutPersonAttributes | view the About Person section on the Person Tab of the Resource Management Screen for the Person object.
ViewAddressandPhoneNumbers | view the Address and Phone Numbers section on the Organization Tab of the Resource Management Screen for the Person object.
ViewAdvancedPersonAttributes | view the Advanced Tab of the Resource Management Screen for the Person object.
ViewExtensionAtttributes | view the Extension Tab of the Resource Management Screen for the Person object.
ViewNameInformation | view the Name Information section on the Person Tab of the Resource Management Screen for the Person object.
ViewOrganizationAttributes | view the Organization Information section on the Organization Tab of the Resource Management Screen for the Person object.

Password Reset and Unlock

This Access Level Definition grants the actor assigned the Access Level the ability to assist users by resetting passwords and unlocking accounts in EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
EnablePerson | enable a Person object.
Use | view a Person object.
Login | log in to EmpowerID.
ResetPassword | reset a password for a Person object.
UnlockFromResetCenter | unlock an account for a Person object that has been locked out of the Password Reset Center.
UnlockPerson | unlock a Person object.
UnlockPersonAccounts | unlock accounts for a Person object.

Provision/Deprovision and Business Role Change

This Access Level Definition grants the actor assigned the Access Level the ability to provision, terminate, and change Business Roles and Locations for Person objects in EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
AssignOrgRoleOrgZone | assign a person to a Business Role and Location as a secondary Business Role and Location.
AssignPersonOrgRoleOrgZone | assign a person to a Business Role and Location.
Create | create a Person object.
Delete | delete a Person object.
Use | view a Person object.
RemovePersonOrgRoleOrgZone | unassign a person from a Business Role and Location held as a secondary Business Role and Location.
RestoreDeletedPerson | restore a deleted Person object.
SetPersonPrimaryBusinessRoleandLocation | assign a primary Business Role and Location for a Person object.
Terminate | terminate a Person object.

Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.

Operation | Enables any assigned actor to
AddPersonToRelativeResourceRole | assign relative Access Levels to a Person object.
AddPersonToResourceRole | assign Access Levels directly to a Person object.
AddPersonToResourceRoleAssignmentByLocation | assign Access Levels scoped by location to a Person object.
RemovePersonFromRelativeResourceRole | remove relative Access Levels from a Person object.
RemovePersonFromResourceRole | remove Access Levels directly from a Person object.
RemovePersonFromResourceRoleAssignmentsByLocation | remove Access Levels scoped by location from a Person object.

Self-Service Password Reset User

This Access Level Definition grants users assigned the Access Level the ability to enroll in password self-service and to reset passwords and unlock accounts in EmpowerID, and has the following operations set to allowed.

Operation | Enables any assigned actor to
ClaimSSOApplicationAccount | claim an account from an SSO application configured in EmpowerID, such as Google Apps. The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.
EnablePerson | enable a Person object.
Use | view a Person object.
Login | log in to EmpowerID.
ResetPassword | reset a password for a Person object.
UnlockFromResetCenter | unlock an account for a Person object that has been locked out of the Password Reset Center.
UnlockPerson | unlock a Person object.
UnlockPersonAccounts | unlock accounts for a Person object.


SAML SSO Connection

EmpowerID Administrator

In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the SAML SSO Connection Resource Type.

Operation | Enables any assigned actor to
AddAttributeStatement | add an attribute statement to a SAML SSO Connection object.
AddEncryptingStatement | add an encrypting statement to a SAML SSO Connection object.
AddSigningCertificate | add a signing certificate to a SAML SSO Connection object.
Create | create a new SAML SSO Connection object.
CreateSAMLSingleSignOnAudienceAssociation | create a new Audience Association for a SAML SSO Connection object.
CreateSAMLSingleSignOnCertificatesAssociations | add a certificate to a SAML SSO Connection object.
CreateSAMLSingleSignOnSubjectConfirmationAssociation | add a Subject Confirmation to a SAML SSO Connection object.
CreateSSOConnection | create a new SAML SSO Connection object.
DeleteSAMLSSOConnection | delete a SAML SSO Connection object.
EditAssertionConsumerServiceURLforPartnership | edit the ACS URL for a SAML SSO Connection (SP) object.
EditAssertionEncryptionAlgorithm | edit the Assertion Encryption Method for a SAML SSO Connection object.
EditAttributeEncryptionAlgorithm | edit the Attribute Encryption Method for a SAML SSO Connection object.
EditAudienceRestrictions | edit the Audience Restriction properties for a SAML SSO Connection object.
EditConnectionAccountStore | edit the account store created for a SAML SSO Connection object.
EditConnectionAuthenticationRequest | edit the type of authentication request for a SAML SSO Connection object.
EditConnectionNameAttributes | edit the Name and Display Names for a SAML SSO Connection object.
EditIDPURL | edit the IDP URL for a SAML SSO Connection (IdP) object.
EditIssuerName | edit the Issuer field for a SAML SSO Connection object.
EditIssuerQualifierSettings | edit the Issuer Qualifier Settings for a SAML SSO Connection object.
EditLoginWFACSURL | edit the Login Workflow ACS URL field for a SAML SSO Connection object.
EditLogoImage | edit the Logo Image field for a SAML SSO Connection object.
EditNameIdentifierFormatType | edit the Name Identifier Format type for a SAML SSO Connection object.
EditNameIdentifierMethod | edit the Name Identifier Method for a SAML SSO Connection object.
EditRequestWorkflow | edit the Request Workflow associated with a SAML SSO Connection object, if any.
EditSAMLNameQualifierForPartnership | edit the Name Qualifier field for a SAML SSO Connection object.
EditSAMLSingleSignOnDomain | edit the domain used for a SAML SSO Connection object.
EditSAMLSPNameQualifierforPartnership | edit the SP Name Qualifier field for a SAML SSO Connection object.
EditSignatureAlgorithm | edit the Signature Algorithm used with a SAML SSO Connection object.
EditSingleLogoutSettings | edit the Single Logout settings for a SAML SSO Connection object.
EditTargetURL | edit the Target IDP/SP URL for a SAML SSO Connection object.
RemoveAttributeStatement | remove an Attribute Statement from a SAML SSO Connection object.
RemoveEncryptingCertificate | remove an Encrypting Certificate from a SAML SSO Connection object.
RemoveSigningCertificate | remove a Signing Certificate from a SAML SSO Connection object.


Separation of Duties

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Separation of Duties Resource Type.

Operation | Enables any assigned actor to
Delete | delete a specific Separation of Duties (SoD) policy.
Edit | edit a specific SoD policy.
EditTag | edit the tag associated with a specific SoD policy.
Provision | create a new SoD policy.
Review | review violations of a SoD policy.

Reviewer

This Access Level grants the actor assigned the Access Level the ability to review violations of Separation of Duties policies and has the following operations allowed.

Operation | Enables any assigned actor to
Use | see a specific Separation of Duties policy.
Review | review violations of a specific Separation of Duties policy.


Set Group

EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Set Group Resource Type.

Operation | Enables any assigned actor to
AddToManagementRole | add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.
RemoveFromManagementRole | remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.

Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.

Operation | Enables any assigned actor to
AddSetGroupToResourceRole | assign Access Levels directly to a Set Group.
AddSetGroupToResourceRoleAssignmentByLocation | assign Access Levels scoped by location to a Set Group.
RemoveSetGroupFromResourceRole | remove Access Levels directly from a Set Group.
RemovSetGroupFromResourceRoleAssignmentsByLocation | remove Access Levels scoped by location from a Set Group.


SSO Application

EmpowerID Administrator

In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the SAML SSO Connection Resource Type.

Operation | Enables any assigned actor to
AssignAccounttoSSOApplication | register an account for a given SSO application configured in EmpowerID to a Person. This operation must be allowed for both the SSO application and the Person in question to complete the task without requiring approval.
Create | create a new SSO Application object.
Edit | edit an SSO Application object.
Delete | delete an SSO Application object.
EditTag | edit the tag associated with an SSO Application object.
ClaimSSOApplicationAccount | claim an account from an SSO application configured in EmpowerID, such as Google Apps. The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.
UnassignAccountfromSSOApplication | remove from a Person an account for a given SSO application configured in EmpowerID. This operation must be allowed for both the SSO application and the Person in question to complete the task without requiring approval.

SSO Application User

This Access Level grants the actor assigned the Access Level the ability to claim an account for an SSO Application that has been configured in EmpowerID, such as Google Apps. This Access Level has the following operations allowed.

Operation | Enables any assigned actor to
Use | view any SSO Account objects for which the operation is assigned.
ClaimSSOApplicationAccount | claim an account from an SSO application configured in EmpowerID, such as Google Apps. The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.

SSO Application Definition

EmpowerID Administrator

In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the SAML SSO Connection Resource Type.

Operation | Enables any assigned actor to
Create | create a new SSO Application Definition object.
Edit | edit an SSO Application Definition object.
Delete | delete an SSO Application Definition object.
EditTag | edit the tag associated with an SSO Application Definition object.
ClaimSSOApplicationAccount | claim an account from an SSO application configured in EmpowerID, such as Google Apps. The actor must have this operation allowed for both the Person object and the SSO Application in question to complete the task without requiring approval.



SharePoint (Document, Folder, and List)

The Access Level Definitions for SharePoint Document, Folder, and List contain no EmpowerID Operations. They are used to grant native permissions for SharePoint objects managed by EmpowerID. Definitions include:

Approve
Contribute
Design
Full Control
Limited Access
Manage Hierarchy
Read Only
Restricted Read


User Account

Administrator and EmpowerID Administrator

In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the User Account Resource Type.

Operation | Enables any assigned actor to
AddToManagementRole | add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. This is a dual operation: to complete the assignment, the actor making it must also have the AddToManagementRole operation allowed for the Management Role in question.
AllowLogin | select the Allow Login option on the Advanced Tab of the Account Details Screen.
ChangePassword | change the password of a user account.
ClaimAccount | claim an orphaned account.
CreateUserHomeFolder | create a home folder.
DisableUser | disable a user account from the Password Options section of the Account Tab on the Account Details Screen.
EditTerminalServicesAccess | select or clear the Allow this user permissions to log on to Terminal Services option in the Profile section of the Remote Desktop Tab on the Account Details Screen.
EditTerminalServicesProfile | edit the Profile Path for an account from the Profile section of the Remote Desktop Tab on the Account Details Screen.
EditUserAccountHomeFolder | edit the Home Directory for an account from the Profile section of the Remote Desktop Tab on the Account Details Screen.
EditUserAccountProfile | edit the Profile settings for an account from the Profile Tab of the Account Details Screen.
EditUserAdvancedSettings | edit the Prevent Deletion in EmpowerID and Hide in EmpowerID settings for an account from the Advanced Tab of the Account Details Screen.
EditUserExpiration | set the expiration date for an account in Active Directory.
EditUserExtensionAttributes | edit the user extension attributes from the Extension Tab of the Account Details Screen.
EditUserNameAttributes | edit the user name attributes from the Account Name Information section of the Account Tab on the Account Details Screen.
EditUserOrganizationAttributes | edit the Organization Information section for an account from the Organization Tab of the Account Details Screen.
EditUserPasswordOptions | edit the Password Options settings for an account from the Account Tab of the Account Details Screen.
EditUserTerminalServicesEnvironment | edit the Terminal Services Environment settings for an account from the Environment section of the Remote Desktop Tab of the Account Details Screen.
EditUserTerminalServicesHomeDrive | edit the Terminal Services Home Drive setting for an account from the Profile section of the Remote Desktop Tab on the Account Details Screen.
EditUserTerminalServicesRemoteControl | edit the Terminal Services Remote Control settings for an account from the Remote Control section of the Remote Desktop Tab on the Account Details Screen.
EditUserTerminalServicesSession | edit the Terminal Services Session settings for an account from the Session and Timeout Settings section of the Remote Desktop Tab on the Account Details Screen.
EnableRequireSmartCardLogon | set the Require SmartCard Logon option for an account from the Password Options section of the Account Tab on the Account Details Screen.
EnableUser | enable a disabled account from the Password Options section of the Account Tab on the Account Details Screen.
JoinAccountToPerson | join an orphaned account to a Person object.
MailDisable | remove the Mail-enabled flag from an account.
MailDisableAccount | remove the Mail-enabled flag from an account.
MailEnable | set an account as mail-enabled, making it available in the Exchange GAL.
MailEnableAccount | set an account as mail-enabled, making it available in the Exchange GAL.
MoveAccount | move an account from one location to another.
RemoveFromManagementRole | remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. This is a dual operation: to complete the removal, the actor making it must also have the RemoveFromManagementRole operation allowed for the Management Role in question.
ResetPassword | reset a password for an account.
RestoreDeletedAccount | restore a deleted account.
RestoreDeletedMailbox | restore a mailbox that has been deleted from an account.
SetAccountManager | select the AD line manager for an account.
SetAllowDialIn | set the Allow Dialin option for an account from the Password Options section on the Account Tab of the Account Details Screen.
UnlockUser | unlock an account that is locked in Active Directory.
UnlockPersonAccounts | unlock the accounts belonging to a Person object.
ViewAccountNameInformationAttributes | view the Account Name Information section on the Account Tab of the Account Details Screen.
ViewAddressandPhoneNumberAttributes | view the Address and Phone Numbers section on the Organization Tab of the Account Details Screen.
ViewAdvancedAttributeInformation | view the Advanced Attribute Information section on the Advanced Tab of the Account Details Screen.
ViewExtensionAtttributes | view the Extension Attributes section on the Extension Tab of the Account Details Screen.
ViewOrganizationInformationAttributes | view the Organization Information section on the Organization Tab of the Account Details Screen.
ViewPasswordOptionAttributes | view the Password Options section on the Account Tab of the Account Details Screen.
ViewProfileOptionAttributes | view the Profile Options section on the Profile Tab of the Account Details Screen.
ViewRemoteDesktopAttributes | view the Remote Desktop Tab of the Account Details Screen.
ViewRemoteDesktopEnvironmentAttributes | view the Environment section on the Remote Desktop Tab of the Account Details Screen.
ViewRemoteDesktopProfileAttributes | view the Profile section on the Remote Desktop Tab of the Account Details Screen.
ViewRemoteDesktopRemoteControlAttributes | view the Remote Control section on the Remote Desktop Tab of the Account Details Screen.
ViewRemoteDesktopSessionandTimeOutSettings | view the Session and Timeout Settings section on the Remote Desktop Tab of the Account Details Screen.
EmpowerID Administrator

In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition listed directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the User Account Resource Type.

Operation | Enables any assigned actor to
UnjoinAccountFromPerson | unlink an account from an EmpowerID Person.
ViewEmployeeIDs | view the EmployeeID attribute for an EmpowerID Person's AD user account.
Co-Owner

This Access Level Definition grants owner status for an account and has the following operations set to allowed.

Operation | Enables any assigned actor to
Use | view an account.
ManageAnyResourceRole | assign or unassign any EmpowerID Access Level for an account, such as the Use Access Level for that account, to any other EmpowerID Actor type. This operation is needed to grant or revoke direct assignments of Access Levels for a particular resource object to users.
ManageAnyResourceRoleAssignmentByLocation | assign or unassign Access Levels for accounts by location. This operation is needed to grant or revoke by-location assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type. The actor must hold this operation for the location at which the by-location assignment is being made (a by-location grant applies at and below the location it is held at); otherwise the operation routes for approval.
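The dual-operation rule in the AddToManagementRole and RemoveFromManagementRole notes above, and the by-location rule in the ManageAnyResourceRoleAssignmentByLocation note, can be checked against a small model. The Python below is an added example written for this page, not EmpowerID code: the location tree, actors, resources and operation sets are constructed, the Management Role Access Level is assumed, and a by-location grant is treated as applying to every resource at or below the location where it is held.

```python
"""Model of two RBAC rules described on this page: a dual operation such as
AddToManagementRole is allowed only when the actor has it for every object
involved (otherwise the request routes for approval), and a by-location
Access Level grant applies to every resource at or below the location it is
held at. Added example for this page, not EmpowerID code; all data below
is constructed, and the Management Role Access Level is assumed."""
from dataclasses import dataclass
from typing import Optional

# Constructed location tree: child -> parent (None marks the root).
LOCATION_PARENT = {"Corp": None, "Corp/EMEA": "Corp",
                   "Corp/EMEA/Berlin": "Corp/EMEA", "Corp/APAC": "Corp"}

def covering_locations(location):
    """The location plus all of its ancestors: anywhere a by-location grant
    can be held and still apply to `location`."""
    chain = set()
    while location is not None:
        chain.add(location)
        location = LOCATION_PARENT[location]
    return chain

# Operations granted by an Access Level Definition, keyed "ResourceType:AccessLevel".
# The User Account rows follow this page's tables; the Management Role row is assumed.
ACCESS_LEVEL_OPERATIONS = {
    "User Account:Administrator": {"Use", "ResetPassword", "AddToManagementRole", "RemoveFromManagementRole"},
    "User Account:Co-Owner": {"Use", "ManageAnyResourceRole", "ManageAnyResourceRoleAssignmentByLocation"},
    "User Account:Password Manager": {"Use", "ResetPassword", "UnlockUser"},
    "Management Role:Administrator": {"AddToManagementRole", "RemoveFromManagementRole"},  # assumed
}

@dataclass(frozen=True)
class Resource:
    name: str
    resource_type: str
    location: str

@dataclass(frozen=True)
class Assignment:
    """An Access Level held by an actor, either for one object (`resource`)
    or for every object of that type at/below `location`."""
    actor: str
    access_level: str
    resource: Optional[str] = None
    location: Optional[str] = None

def resource_type_of(access_level):
    return access_level.split(":", 1)[0]

def operations_for(actor, resource, assignments):
    """Every operation `actor` has allowed on `resource` through its assignments."""
    ops = set()
    for a in assignments:
        if a.actor != actor or resource_type_of(a.access_level) != resource.resource_type:
            continue
        direct = a.resource == resource.name
        by_location = a.location is not None and a.location in covering_locations(resource.location)
        if direct or by_location:
            ops |= ACCESS_LEVEL_OPERATIONS[a.access_level]
    return ops

def decide(actor, operation, resources, assignments):
    """Dual-operation rule: 'allowed' only if `operation` is allowed for every
    object involved; otherwise 'route_for_approval' with the objects the actor
    lacks it for (an approver must hold it for all of them)."""
    missing = [r.name for r in resources if operation not in operations_for(actor, r, assignments)]
    return ("allowed" if not missing else "route_for_approval", missing)

def decide_by_location(actor, operation, resource_type, target_location, assignments):
    """By-location rule: the actor's own by-location grant of `operation` must be
    held at or above `target_location`; otherwise the assignment routes for approval."""
    for a in assignments:
        if (a.actor == actor and a.location is not None
                and resource_type_of(a.access_level) == resource_type
                and operation in ACCESS_LEVEL_OPERATIONS[a.access_level]
                and a.location in covering_locations(target_location)):
            return "allowed"
    return "route_for_approval"

# Constructed sample data: Vivian administers EMEA accounts and one Management Role.
ASSIGNMENTS = [
    Assignment("vivian", "User Account:Administrator", location="Corp/EMEA"),
    Assignment("vivian", "User Account:Co-Owner", location="Corp/EMEA"),
    Assignment("vivian", "Management Role:Administrator", resource="Helpdesk Managers"),
    Assignment("raj", "User Account:Password Manager", location="Corp"),
]
BOB = Resource("bob.smith", "User Account", "Corp/EMEA/Berlin")
AMY = Resource("amy.chen", "User Account", "Corp/APAC")
HELPDESK_ROLE = Resource("Helpdesk Managers", "Management Role", "Corp")

if __name__ == "__main__":
    print(decide("vivian", "AddToManagementRole", [BOB, HELPDESK_ROLE], ASSIGNMENTS))
    print(decide("vivian", "AddToManagementRole", [AMY, HELPDESK_ROLE], ASSIGNMENTS))
    print(decide_by_location("vivian", "ManageAnyResourceRoleAssignmentByLocation",
                             "User Account", "Corp", ASSIGNMENTS))
```

Vivian can add Bob (an EMEA account) to the Helpdesk Managers role on her own, because she holds AddToManagementRole for both objects; adding Amy (an APAC account) routes for approval, and the decision names the object she lacks the operation for, which is what an approver has to hold. Her by-location Co-Owner grant at Corp/EMEA lets her make by-location assignments for Berlin but not for the whole of Corp.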

Editor

This Access Level Definition grants the actor assigned the Access Level the ability to edit an account in EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
EditUserDemographics | update demographic information for the EmpowerID Person linked to an account.
EditUserNameAttributes | edit the user attributes in the Account Name Information section on the Account Tab of the Account Details Screen.
EditUserOrganizationAttributes | edit the user attributes in the Organization Information and Address and Phone Numbers sections on the Organization Tab of the Account Details Screen.
Use | view an account.
SetAccountManager | select the AD line manager for an account.
ViewAccountNameInformationAttributes | view the Account Name Information section on the Account Tab of the Account Details Screen.
ViewAddressandPhoneNumberAttributes | view the Address and Phone Numbers section on the Organization Tab of the Account Details Screen.
ViewAdvancedAttributeInformation | view the Advanced Attribute Information section on the Advanced Tab of the Account Details Screen.
ViewEmployeeIDs | view the EmployeeID attribute for an EmpowerID Person's AD user account.
ViewExtensionAtttributes | view the Extension Attributes section on the Extension Tab of the Account Details Screen.
ViewOrganizationInformationAttributes | view the Organization Information section on the Organization Tab of the Account Details Screen.
ViewPasswordOptionAttributes | view the Password Options section on the Account Tab of the Account Details Screen.
ViewProfileOptionAttributes | view the Profile Options section on the Profile Tab of the Account Details Screen.
ViewRemoteDesktopAttributes | view the Remote Desktop Tab of the Account Details Screen.
ViewRemoteDesktopEnvironmentAttributes | view the Environment section on the Remote Desktop Tab of the Account Details Screen.
ViewRemoteDesktopProfileAttributes | view the Profile section on the Remote Desktop Tab of the Account Details Screen.
ViewRemoteDesktopRemoteControlAttributes | view the Remote Control section on the Remote Desktop Tab of the Account Details Screen.
ViewRemoteDesktopSessionandTimeOutSettings | view the Session and Timeout Settings section on the Remote Desktop Tab of the Account Details Screen.
Helpdesk

This Access Level Definition grants the actor assigned the Access Level the ability to perform account management activities in EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
ChangePassword | change the password of a user account.
CreateUserHomeFolder | create a home folder.
DisableUser | disable a user account.
EditTerminalServicesAccess | edit Terminal Services access for an account.
EditTerminalServicesProfile | edit the Terminal Services profile for an account.
EditUserAccountHomeFolder | edit the Home Directory for an account from the Profile section of the Remote Desktop Tab on the Account Details Screen.
EditUserExpiration | set the expiration date for an account in Active Directory.
EditUserExtensionAttributes | edit the user extension attributes from the Extension Tab of the Account Details Screen.
EditUserNameAttributes | edit the user name attributes from the Account Name Information section of the Account Tab on the Account Details Screen.
EditUserOrganizationAttributes | edit the Organization Information section for an account from the Organization Tab of the Account Details Screen.
EditUserPasswordOptions | edit the Password Options settings for an account from the Account Tab of the Account Details Screen.
EditUserTerminalServicesEnvironment | edit the Terminal Services Environment settings for an account from the Environment section of the Remote Desktop Tab of the Account Details Screen.
EditUserTerminalServicesHomeDrive | edit the Terminal Services Home Drive setting for an account from the Profile section of the Remote Desktop Tab on the Account Details Screen.
EditUserTerminalServicesRemoteControl | edit the Terminal Services Remote Control settings for an account from the Remote Control section of the Remote Desktop Tab on the Account Details Screen.
EditUserTerminalServicesSession | edit the Terminal Services Session settings for an account from the Session and Timeout Settings section of the Remote Desktop Tab on the Account Details Screen.
Use | view an account.
MailDisable | remove the Mail-enabled flag from an account.
MailDisableAccount | remove the Mail-enabled flag from an account.
MailEnable | set an account as mail-enabled, making it available in the Exchange GAL.
MailEnableAccount | set an account as mail-enabled, making it available in the Exchange GAL.
MoveAccount | move an account from one location to another.
ResetPassword | reset a password for an account.
RestoreDeletedAccount | restore a deleted account.
RestoreDeletedMailbox | restore a mailbox that has been deleted from an account.
SetAccountManager | select the AD line manager for an account.
UnlockUser | unlock an account that is locked in Active Directory.
ViewAccountNameInformationAttributes | view the Account Name Information section on the Account Tab of the Account Details Screen.
ViewAddressandPhoneNumberAttributes | view the Address and Phone Numbers section on the Organization Tab of the Account Details Screen.
ViewAdvancedAttributeInformation | view the Advanced Attribute Information section on the Advanced Tab of the Account Details Screen.
ViewExtensionAtttributes | view the Extension Attributes section on the Extension Tab of the Account Details Screen.
ViewOrganizationInformationAttributes | view the Organization Information section on the Organization Tab of the Account Details Screen.
ViewPasswordOptionAttributes | view the Password Options section on the Account Tab of the Account Details Screen.
ViewProfileOptionAttributes | view the Profile Options section on the Profile Tab of the Account Details Screen.
ViewRemoteDesktopAttributes | view the Remote Desktop Tab of the Account Details Screen.
ViewRemoteDesktopEnvironmentAttributes | view the Environment section on the Remote Desktop Tab of the Account Details Screen.
ViewRemoteDesktopProfileAttributes | view the Profile section on the Remote Desktop Tab of the Account Details Screen.
ViewRemoteDesktopRemoteControlAttributes | view the Remote Control section on the Remote Desktop Tab of the Account Details Screen.
ViewRemoteDesktopSessionandTimeOutSettings | view the Session and Timeout Settings section on the Remote Desktop Tab of the Account Details Screen.
Password Manager

This Access Level Definition grants the actor assigned the Access Level the ability to assist users by resetting passwords and unlocking accounts in EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
ChangePassword | change the password for an account.
EditUserPasswordOptions | edit the Password Options section of the Account Tab of the Account Details Screen.
Use | view an account.
Login | log in to EmpowerID.
ResetPassword | reset a password for an account.
UnlockUser | unlock an account associated with an EmpowerID Person.
ViewAccountNameInformationAttributes | view the Account Name Information section on the Account Tab of the Account Details Screen.
ViewPasswordOptionAttributes | view the Password Options section on the Account Tab of the Account Details Screen.
Access Level Assigner

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for User Accounts has the following additional operations allowed.

Operation | Enables any assigned actor to
AddAccountToResourceRole | assign Access Levels directly to an account.
RemoveAccountFromResourceRole | remove Access Levels directly assigned to an account.


Windows Shared Folder

Administrator and EmpowerID Administrator

In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the Windows Shared Folder Resource Type.

Operation | Enables any assigned actor to
RegisterExistingShare | register a share in EmpowerID that exists on a computer managed by EmpowerID.

Co-Owner

This Access Level Definition grants owner status for a shared folder and has the following operations set to allowed.

Operation | Enables any assigned actor to
Use | view a shared folder.
ManageAnyResourceRole | assign or unassign Access Levels for a shared folder.
ManageAnyResourceRoleAssignmentByLocation | assign Access Levels for shared folders by location.

Deny All

This Access Level Definition contains no EmpowerID Operations. It is used to deny access to Shared Folders.

 Full Control

This Access Level Definition contains no EmpowerID Operations. It is used to grant the following NTFS File System rights for Shared Folders managed by EmpowerID.

  • AppendData
  • ChangePermissions
  • Delete
  • DeleteSubdirectoriesAndFiles
  • ExecuteFile
  • ReadAttributes
  • ReadData
  • ReadExtendedAttributes
  • ReadPermissions
  • Synchronize
  • TakeOwnership
  • WriteAttributes
  • WriteData
  • WriteExtendedAttributes
 Modify

This Access Level Definition contains no EmpowerID Operations. It is used to grant the following NTFS File System rights for Shared Folders managed by EmpowerID.

  • ReadAttributes
  • ReadData
  • ReadExtendedAttributes
  • ReadPermissions
  • WriteAttributes
  • WriteData
  • WriteExtendedAttributes
 Read Only

This Access Level Definition contains no EmpowerID Operations. It is used to grant the following NTFS File System rights for Shared Folders managed by EmpowerID.

  • ReadAttributes
  • ReadData
  • ReadExtendedAttributes
  • ReadPermissions
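
Before handing out the Full Control, Modify and Read Only definitions above, it is worth knowing what each one amounts to as an NTFS access mask. The Python below is an added example for this page, not EmpowerID code: it folds the right names listed above into masks using the documented bit values of the Windows/.NET System.Security.AccessControl.FileSystemRights enumeration, compares them with the standard Windows composites from that enumeration, and checks whether an ACE mask (for example the FileSystemRights of an access rule read back from the folder's ACL) covers a definition. The definition lists are copied from the page; the sample masks are constructed.

```python
"""Compose the NTFS rights listed for the Windows Shared Folder Access Level
Definitions into access masks and compare them with the standard Windows
FileSystemRights composites. Added example for this page, not EmpowerID code.
Bit values are the documented FileSystemRights constants; the three definition
lists are copied from the page."""

# Individual NTFS rights -> access-mask bits (System.Security.AccessControl.FileSystemRights).
FILE_SYSTEM_RIGHTS = {
    "ReadData": 0x1, "WriteData": 0x2, "AppendData": 0x4,
    "ReadExtendedAttributes": 0x8, "WriteExtendedAttributes": 0x10,
    "ExecuteFile": 0x20, "DeleteSubdirectoriesAndFiles": 0x40,
    "ReadAttributes": 0x80, "WriteAttributes": 0x100,
    "Delete": 0x10000, "ReadPermissions": 0x20000,
    "ChangePermissions": 0x40000, "TakeOwnership": 0x80000,
    "Synchronize": 0x100000,
}

# Standard composite values from the same enumeration.
WINDOWS_COMPOSITES = {
    "Read": 0x20089,
    "ReadAndExecute": 0x200A9,
    "Write": 0x116,
    "Modify": 0x301BF,
    "FullControl": 0x1F01FF,
}

# The Windows Shared Folder definitions exactly as listed on this page.
PAGE_DEFINITIONS = {
    "Full Control": ["AppendData", "ChangePermissions", "Delete", "DeleteSubdirectoriesAndFiles",
                     "ExecuteFile", "ReadAttributes", "ReadData", "ReadExtendedAttributes",
                     "ReadPermissions", "Synchronize", "TakeOwnership", "WriteAttributes",
                     "WriteData", "WriteExtendedAttributes"],
    "Modify": ["ReadAttributes", "ReadData", "ReadExtendedAttributes", "ReadPermissions",
               "WriteAttributes", "WriteData", "WriteExtendedAttributes"],
    "Read Only": ["ReadAttributes", "ReadData", "ReadExtendedAttributes", "ReadPermissions"],
}

def mask_of(right_names):
    """OR the named rights into one access mask."""
    mask = 0
    for name in right_names:
        mask |= FILE_SYSTEM_RIGHTS[name]
    return mask

def names_of(mask):
    """Decompose an access mask into the individual right names it contains."""
    return sorted(name for name, bit in FILE_SYSTEM_RIGHTS.items() if mask & bit)

def compare_with_windows(definition, composite):
    """Rights the page's definition lacks relative to the Windows composite,
    and rights it grants beyond it."""
    page_mask = mask_of(PAGE_DEFINITIONS[definition])
    std_mask = WINDOWS_COMPOSITES[composite]
    return {"missing": names_of(std_mask & ~page_mask),
            "extra": names_of(page_mask & ~std_mask)}

def ace_satisfies(ace_mask, definition):
    """True if an Allow ACE carrying `ace_mask` grants at least the definition."""
    needed = mask_of(PAGE_DEFINITIONS[definition])
    return ace_mask & needed == needed

if __name__ == "__main__":
    for name, rights in PAGE_DEFINITIONS.items():
        print(f"{name}: 0x{mask_of(rights):X}")
    print("Modify vs Windows Modify:", compare_with_windows("Modify", "Modify"))
```

The comparison shows that the Full Control and Read Only lists above are exactly the Windows FullControl and Read composites, while the Modify list omits AppendData, Delete and ExecuteFile relative to the Windows Modify composite. An actor holding this Modify Access Level can therefore overwrite existing files but not delete them or execute them through that grant alone, which is worth confirming on the share itself (in PowerShell, the FileSystemRights of each rule in `(Get-Acl $path).Access`) rather than assuming the Windows meaning of the name.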


Windows Shared Printer

EmpowerID Administrator

In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Windows Shared Printer Resource Type.

Operation | Enables any assigned actor to
RevokeResourceOrgZone | remove a printer from a location.
 Manage Documents

This Access Level Definition contains no EmpowerID Operations. It is used to grant the following native permissions for Shared Printers managed by EmpowerID.

  • Delete
 Manage Documents and Print

This Access Level Definition contains no EmpowerID Operations. It is used to grant the following native permissions for Shared Printers managed by EmpowerID.

  • ReadAttributes
  • ReadData
  • ReadExtendedAttributes
  • Synchronize
  • TakeOwnership
  • WriteAttributes
 Manage Documents and Printer

This Access Level Definition contains no EmpowerID Operations. It is used to grant the following native permissions for Shared Printers managed by EmpowerID.

  • ReadExtendedAttributes
  • ReadPermissions
  • TakeOwnership
 Manage Printers

This Access Level Definition contains no EmpowerID Operations. It is used to grant the following native permissions for Shared Printers managed by EmpowerID.

  • AppendData
  • ReadAttributes
  • ReadData
  • ReadExtendedAttributes
  • WriteAttributes
 Print

This Access Level Definition contains no EmpowerID Operations. It is used to grant the following native permissions for Shared Printers managed by EmpowerID.

  • WriteData


Workflow

Administrator and EmpowerID Administrator

In addition to many of the operations common to most Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Workflow Resource Type.

Operation | Enables any assigned actor to
EditRequestWorkflow | edit a workflow when running the Right-Click Edit workflow.
Initiate | initiate a workflow.

Initiator

This Access Level Definition grants the actor assigned the Access Level the ability to see and initiate workflows in EmpowerID and has the following operations set to allowed.

Operation | Enables any assigned actor to
Initiate | initiate a workflow.
Use | view the workflow in EmpowerID.


WS-Federation SSO Connection

EmpowerID Administrator

In addition to many of the operations common to all EmpowerID Administrator Access Level Definitions, the EmpowerID Administrator Access Level Definition has the following operations allowed for the WS-Federation SSO Connection Resource Type.

Operation | Enables any assigned actor to
CreateSSOConnection | create a new WS-Federation SSO Connection object.
CreateWSFederationSingleSignOnConnectionOperation | create a new operation for a WS-Federation Single Sign On Connection object.
DeleteWSFederationSingleSignOnConnection | delete a WS-Federation SSO Connection object.
DeleteWSFederationSingleSignOnConnectionOperation | delete an operation from a WS-Federation Single Sign On Connection object.
EditAccountStore | edit the account store that is associated with a WS-Federation SSO Connection object.
EditAssertionConsumerServiceURLforPartnership | edit the ACS URL for a WS-Federation SSO Connection (SP) object.
EditCertificatesforPartnership | edit the certificates for a WS-Federation SSO Connection object.
EditDescription | edit the Description field for a WS-Federation SSO Connection object.
EditEncryptionCertificate | edit the encryption certificate used for a WS-Federation SSO Connection object.
EditEncryptionEnabled | select or clear encryption for a WS-Federation SSO Connection object.
EditHomeRealm | edit the Home Realm for a WS-Federation SSO Connection object.
EditLogoImage | edit the Logo Image field for a WS-Federation SSO Connection object.
EditMaptoAccountClaimType | edit the Map to Account Claim Type field for a WS-Federation SSO Connection object.
EditNameQualifierforPartnership | edit the Name Qualifier field for a WS-Federation SSO Connection object.
EditOrganization | edit the Organization for a WS-Federation SSO Connection object.
EditSigningCertificate | edit the Signing Certificate used with a WS-Federation SSO Connection object.
EditURLforPartnership | edit the URL for a WS-Federation SSO Connection object.


