You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


Assign IAM Shop Permission Levels to Computers




Version 21

Organizations can configure the requestable permissions for inventoried computers so that users can request those permissions when connecting via Privileged Session Management (PSM). These permissions, known in EmpowerID as "IAM Shop Permission Levels," are fundamental to a secure IT environment and serve a dual purpose: they grant distinct permissions during a computer session, and they reinforce the overall security posture by adhering to the principle of least privilege, because the permissions are removed from users immediately after their session ends. When configuring IAM Shop Permission Levels for computers, organizations pick specific groups that hold those permissions on the native system. If users belong to those groups, they get the specified access. Additionally, computers can be configured to allow Just-In-Time account provisioning in those groups. When this is the case, EmpowerID provisions an account that is linked to the person and adds it to the group; once the session ends, the account is removed from the group. This ensures a truly least-privileged, zero-trust environment. Coupled with eligibility, IAM Shop Permission Levels ensure that only users who need those permissions can access them. Depending on organizational policy, users without eligibility for those permission levels may still initiate sessions as non-privileged users.

To successfully assign IAM Shop Permission Levels, administrators must:

  1. Assign IAM Shop Permission Levels to computers.

  2. Map permission levels to corresponding groups on the actual computer that grant those native permissions.

For example, to allow users to connect as a local admin, map the permission level to a "local admin" group on the computer.

For effective assignment of IAM Shop Permission Levels, computers must be connected to EmpowerID as Local Windows Server account stores. This connection allows EmpowerID to inventory users and groups on the computer, essential for mapping permission levels to local groups on that machine. Note that permission levels are merely labels and require accurate mapping to grant permissions.

EmpowerID includes default IAM Shop Permission Levels for computers, such as "Local Admin" and "Domain Admin." However, you can create custom permission levels tailored to your organization's needs. For more information on customization, please see Create IAM Shop Permission Levels.

How to assign IAM Shop Permission Levels to Computers

  1. Navigate to the View One page for the computer to which you want to assign IAM Shop Permission Levels.

    The quickest way to do this is to use the Global Search located at the top of each page.

  2. Click the RBAC subtab on the View page for the computer, and expand IAM Shop Assignees for Requesting Access.

  3. Click the Add New (blue star) button.

  4. Under General, select the IAM Shop Permission Level you want to assign.

    Now that you have selected the permission level, the next step is to select the assignee that grants the permission level (that is, to map the permission level). In our example, we select an EmpowerID group that is mapped to a group on the native system. You can select any type of RBAC actor as the assignee type as long as that actor has a role that grants the access represented by the permission level.

  5. Under Assignee Granting the Permission Level, do the following:

    1. Select the assignee type from the Which Type of Assignee For This Policy dropdown.

    2. Select the appropriate assignee from the Select <Assignee> To Receive Policy dropdown.

  6. Click Save.


  7. Repeat to add other assignees as needed.

  8. Click Submit to complete the process.
