Default Access Level Definitions

EmpowerID ships with the following default Access Level Definitions for each Resource Type. Each Access Level Definition is defined by EmpowerID Operations and/or native system rights. Many of the operations, such as the RBAC operations generated for the Administrator and EmpowerID Administrator Access Level Definitions, are similar for each Resource Type.

RBAC operations allow the person assigned the operation to grant or remove a particular Access Level for the Resource Type to or from another EmpowerID Actor (Account, Group, Set Group, Person, and Business Role and Location) as long as the person with the operation has that operation allowed for the EmpowerID Actor in question as well. This is because the operation is a dual operation; it is being performed against two different types of resources.

For example, if "Vivian" is an Administrator for a Computer object, she has the AddPersonToUse operation allowed for that Computer object, meaning she can assign the Use Access Level for that computer to another EmpowerID Person. However, in order for Vivian to complete the assignment, she must also have the AddPersonToUse operation allowed for the EmpowerID Person receiving the assignment. If she only has the operation allowed for the computer, but not for the person, the assignment is routed for approval to someone with the operation allowed for both Resource Types. This is true for all such RBAC operation assignments.

In the RBAC operations listed below, <%Actor%> is a placeholder for each of the EmpowerID Actor types (Account, Group, Set Group, Person, and Business Role and Location) and <%ResourceRole%> is a placeholder for each Access Level specific to a Access Level Definition. When viewing these types of operations, substitute <%Actor%> with an EmpowerID Actor type and <%ResourceRole%> with the Access Level for the Resource Type.

For example, the Add<%Actor%>To<%ResourceRole%> operation can be parsed out as AddAccountToUse, AddGroupToUse, AddSetGroupToUse, AddPersonToUse, and AddOrgRoleOrgZoneToUse. The only exception to this rule concerns the Set Group, which is generally allowed only for the EmpowerID Administrator Access Level Definitions in the default setup.

Additionally, to avoid repetition, Access Level Definitions common to all Resource Types, such as the Use and Access Level Assigner Access Level Definitions, are listed under the Common Access Level Definitions heading below and are not repeated for each Resource Type. Where these differ, the definitions are listed under that Resource Type.

To view the Access Level Definitions with their respective Access Levels and operations, go to the Access Level Definitions node under RBAC Definitions in Configuration Manager.

Common Access Level Definitions

These Access Level Definitions have many operations in common for each Resource Type. The main difference between the two is that the EmpowerID Administrator has all operations allowed for the Resource Type while the Administrator has most, but not all.

The number of Default Access Levels for each Resource Type varies from type to type. For example, the EmpowerID Access Request Catalog Item has four Access Levels while the SharePoint Document has 12. You can view these in Configuration Manager as shown by the image above.

Asset Catalog Item

Attestation Policy

Business Role


EmpowerID System

Exchange Mailbox

Group (Distribution, Security, Generic) Access Level Definitions


Management Role and EmpowerID Management Role Definition


SAML SSO Connection

Separation of Duties

Set Group

SSO Application

SSO Application Definition

SharePoint (Document, Folder, and List)

User Account

Windows Shared Folder

Windows Shared Printer


WS-Federation SSO Connection