Skip to end of banner
Go to start of banner

IAM Shop Permissions Levels and Computers

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Current »

In EmpowerID, IAM Shop Permission Levels define permissions for specific resources within native systems, such as shared folders, mailboxes, and computers. These levels can be configured to align with organizational requirements, ensuring that access to resources is controlled according to user roles and responsibilities. For example, a shared folder may have a "Read-Only" permission level for general users, while a computer might have a "Local Admin" access level designated for IT staff.

Application in Computer Administration

Within computer administration, IAM Shop Permission Levels are important for facilitating Privileged Session Management (PSM). These permission levels enable administrators to define and control access rights during PSM sessions, allowing users to request specific permissions directly from the IAM Shop.

Role of IAM Shop Permission Levels in PSM

IAM Shop Permission Levels assist in managing access during PSM sessions by:

  • Granting Specific Permissions: Users can be given administrator-level access to perform designated tasks during a computer session.

  • Enforcing Security Principles: Permissions are revoked immediately after the session concludes, adhering to the principle of least privilege and reducing security risks by preventing prolonged unauthorized access.

To implement these levels, organizations select specific groups within the native system that have the required permissions and map the IAM Shop Permission Levels to those groups. Users who are members of these groups receive the specified access during their sessions. For instance, if a group has read and write permissions on a database, a member initiating a PSM session will automatically receive these permissions.

Integration of Just-In-Time (JIT) Access

EmpowerID supports Just-In-Time (JIT) account provisioning on computers for specific groups. This feature generates a user account at the start of a PSM session, assigns it to the appropriate group, and removes it when the session ends. The account, uniquely identified (e.g., jposada_566054625600), may be retained for future use or deleted based on JIT access settings. This method ensures that access is granted only as needed and withdrawn immediately afterward.


Eligibility in Access Provisioning

EmpowerID ensures that only eligible users can access specific Permission Levels, following defined access controls. For example, a database administrator might be eligible for higher-level permissions appropriate to their role, while a customer service representative would not. Depending on organizational policies, users not eligible for certain Permission Levels can still initiate sessions but only as non-privileged users, enhancing system security.

Create IAM Shop Permission Levels

Assign IAM Shop Permission Levels to Computers

Configure Computers for Just-In-Time Access

Enable Computers for Privileged Session Management

Access Request Policies and Privileged Session Management

Assign PSM-Enabled Computers to Access Request Policies

  • No labels