You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Partner Access Assignment Details

EmpowerID employs a structured approach to access management through the use of Management Roles, which are essential in restricting and delegating access to various resources and functionalities. These roles are categorized based on their function within EmpowerID and are prefixed accordingly to signify their specific utility. This framework is particularly effective for delegating access to partners, ensuring they have the necessary permissions to manage their operations within the system while maintaining overall security and integrity.

Types of Management Roles:

  1. UI (User Interface) Management Roles:

    • Purpose: These roles are specifically designed to grant access to particular UI elements within the EmpowerID Web interface.

    • Functionality: Users assigned UI-prefixed roles can interact with specific parts of the interface, which may include administrative panels, reporting dashboards, or user management screens, depending on the role's specifications.

  2. VIS (Visibility) Management Roles:

    • Purpose: VIS-prefixed roles enable users to view specific objects within EmpowerID.

    • Functionality: This access is crucial for monitoring, oversight, and management purposes. Users can see certain data or system components, aiding in informed decision-making and operational control.

  3. ACT (Action) Management Roles:

    • Purpose: ACT-prefixed roles empower users to manage specific objects within EmpowerID.

    • Functionality: These roles involve a higher level of access, allowing users to perform actions like modifying, adding, or removing certain objects or settings in the system.

  4. Role Bundles (RB) Management Roles

    • Definition: RB Management Roles are composite roles that include a collection of various Management Roles.

    • Utility: These role bundles simplify the process of delegating access by grouping related roles into a single assignment.

    • Access Provision: Users assigned an RB Management Role inherit the access rights of all the individual roles included in that bundle, making it an efficient method to grant comprehensive permissions tailored to specific user needs or partner requirements.

 

To make delegating access to partners easy, EmpowerID includes the following two Role Bundle Management Roles.

Partner Admin Role Bundle

Management Role

Role Type

Description

Management Role

Role Type

Description

UI-Person-Object-Administration

Feature Set (Ui)

Provides access to Person Object UI and workflows. The role specifically grants access to the following user interface controls, pages and reports, and workflows:

UI-Person-Password-Helpdesk

Feature Set (UI)

Grants access to perform assisted password resets and unlocks. The role specifically grants access to the following user interface controls, pages and reports, and workflows:

VIS-OrgRoleOrgZone-ALL

Visibility (VIS)

Grants access to see all Business Role and Location combinations. The role specifically grants access to the following user interface controls and web services:

ACT-Location-Object-Administration-MyLocationsBelow

Activity (ACT)

Provides access to create, edit, and delete all locations in the person’s locations and below.

ACT-Person-Object-Administration-MyOrg

Activity (ACT)

Provides access to create, edit, and delete Person objects in the person’s organization.

ACT-Person-Password-Helpdesk-MyOrg

Activity (ACT)

Provides access to assist people in the person's organization by resetting passwords and unlocking accounts.

Partner User

Role Bundle

See the Partner User Role Bundle table below for details about the access granted by the role.

Partner User Role Bundle

Management Role

Role Type

Description

Management Role

Role Type

Description

 

UI-IT-Shop-MS-Management-Role

Feature Set (Ui)

Grants access to shop for EmpowerID Management Roles in the IT Shop microservice app. The role specifically grants access to the following user interface controls, pages and reports, web services, and workflows:

VIS-Management-Role-MyOrg

Visibility (VIS)

Grants access to see management roles in the person’s organizations. The role specifically grants access to invoke the following web services:

VIS-Person-MyOrg

Visibility (VIS)

Grants access to see people in the person’s organizations. The role specifically grants access to the following user interface controls and web services:

VIS-Management-Role-All

Visibility (VIS)

Grants access to see all Management Roles. The role specifically grants access to invoke the following web services:

VIS-Groups-Security-MyOrg

Visibility (VIS)

Grants access to see all security groups in the person’s organizations. The role specifically grants access to the following user interface controls and web services:

VIS-Groups-Distribution-MyOrg

Visibility (VIS)

Grants access to see all distribution groups in the person’s organizations. The role specifically grants access to the following user interface controls and web services:

VIS-Groups-Generic-MyOrg

Visibility (VIS)

Grants access to see all generic groups in the person’s organizations. The role specifically grants access to the following user interface controls and web services:

VIS-BusinessRole-Partner

Visibility (VIS)

Grants access to see all partner Business Roles. The role specifically grants access to the following user interface controls and web services:

ACT-Person-Profile-Self-Service

Activity (ACT)

Grants users access to operations needed to edit their profiles.

ACT-Person-MFA-Self-Service

Activity (ACT)

Grants users access to operations needed to edit their MFA options.

Password-Self-Service

Role Bundle

Grants users access to perform password self-service. This role bundle grants access to the following additional Management Roles:

IAM Shop, My Tasks, and My Identity Self-Service Basic Access

Role Bundle

Grants access for the UI to use the IAM Shop, My Tasks, My Identity microservices but does not grant visibility to objects or the UI- roles for each resource type. This may be added separately as needed.

This role bundle grants access to the following additional Management Roles: