IAM Shop Permission Levels are EmpowerID constructs that represent permissions in native systems for specific resources, such as applications, shared folders, mailboxes, and computers that organizations can configure to grant specific permissions against those resources, such as “read-only” for a shared folder or “local admin” for a computer. When users request access from the IAM Shop to a resource configured with IAM Shop Permission Levels, they will have the option to choose a permission level, as shown in the following image.
In the above image, the user sees two permission levels for a computer, “Local Admin” and “Domain Admin.” Each of these is mapped to a specific group on the native system that grants those permissions in the native system. For example, if a user selects the IAM Shop Permission Level named “Local Admin,” upon approval, EmpowerID fulfills the request by adding the user to the group granting local admin rights on the computer.
EmpowerID includes IAM Shop Permission Levels for shared folders, computers, and mailboxes that can be used to represent native permissions out of the box. However, you can create your own, naming them whatever makes sense for your environment. Once added to a resource, these custom permission levels will then appear to users shopping for those resources in the IAM Shop. For example, if you create an IAM Shop Permission Level for Computer X named “Power User,” users will see “Power User” as a permission option for Computer X. The key to using IAM Shop Permission Levels is to ensure they are mapped to the right objects in the native system that grant those permissions represent in the native system. Without mapping, IAM Shop Permission Levels are simply labeled options.