Administrator and EmpowerID Administrator

Operation	Enables any assigned actor to
Add<%Actor%>To<%ResourceRole%>	add the specific Access Level for the Resource Type resource object to the EmpowerID Actor type in question.
AddOperationToResourceTypeRole<%ResourceType%>	add operations to Access Levels for the Resource Type resource object.
AddTo<%ResourceRole%>	grant the specific Access Level for the Resource Type resource object to any EmpowerID Actor type.
AddTo<%ResourceRole%>InLocation	grant the specific Access Level to any EmpowerID Actor for Resource Type resource objects scoped by location.
AddTo<%ResourceRole%>InRelativeResource	grant the specific Access Level to any EmpowerID Actor for resources relative to that actor, such as all resource objects in or below their location.
AssignResourceOrgZone	assign Resource Type resource objects to a location.
CreateResourceTypeRole<%ResourceType%>	create a Resource Type Role for the Resource Type.
Delete	delete a resource from a Resource Type, such as a specific Business Role from the EmpowerID Business Role Resource Type.
DeleteResourceTypeRole<%ResourceType%>	delete a Resource Type Role for the Resource Type.
EditResourceTypeRole<%ResourceType%>	edit a Resource Type Role for the Resource Type.
Use	view the Resource Type resource object in EmpowerID.
ManageAnyResourceRole	assign or unassign any EmpowerID Access Levels for a group. This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular group to users.
ManageAnyResourceRoleAssignmentByLocation	assign Access Levels by location for the Resource Type resource object. This operation is needed to grant or revoke assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type, for resource objects by location, meaning the actor needs to have this operation allowed at or below the location for which they are making a by location Access Level assignment; otherwise the operation will route for approval. By-location operations such as this affect all objects in or below the location for which the operation is approved. For example, if you grant this operation to an actor for the Security Group Resource Type, that actor has the ability to grant any Access Level for all security groups in or below the location for which the operation is allowed. Thus, if you have 12 groups in a location named "Switzerland" and 12 groups in a location named United Kingdom, and you grant this operation for groups in Switzerland, but not for groups in United Kingdom, to a user named "Bob," then Bob can in turn grant the Use Access Level (or the Editor Access Level or any other Access Level that may exist for groups) to any other EmpowerID Actor type at the Switzerland location or at any child locations of the Switzerland location, such as Zurich. This type of by location assignment at Switzerland would grant the Access Level for all 12 groups in Switzerland simultaneously, including any groups in locations below Switzerland. Bob, however, would not be able to grant any Access Level assignments for groups in the United Kingdom because he does not have the operation allowed for the United Kingdom location. If Bob attempts to make such an assignment, the operation will route for approval.
RevokeResourceOrgZone	remove Resource Type resource objects from a location.
Remove<%Actor%>From<%ResourceRole%>	remove the specific Access Level for the Resource Type resource object from the EmpowerID Actor type in question.
Remove<%Actor%>From<%ResourceRole%>	remove the specific Access Level for the Resource Type resource object from any EmpowerID Actor type.
RemoveFrom<%ResourceRole%>InLocation	remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects scoped by location.
RemoveFrom<%ResourceRole%>InRelativeResource	remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects relative to that actor, such as all resource objects in or below their location

User

This Access Level Definition allows the actor assigned the Access Level to see resource objects in EmpowerID and has the following operations set to allowed for all Resource Types.

Operation	Enables any assigned actor to
Use	view a Resource Type resource object in EmpowerID.

Access Level Assigner

This Access Level Definition allows the actor assigned the Access Level to assign or unassign any Access Levels for Resource Types in EmpowerID and has the following operations set to allowed for most Resource Types.

Operation	Enables any assigned actor to
Use	view a Resource Type resource object in EmpowerID.
ManageAnyResourceRole	assign or unassign any EmpowerID Access Levels for the Resource Type resource object, such as the Use Access Level for a specific computer object, to any other EmpowerID Actor type. This operation is needed to grant or revoke direct assignments of Access Levels for a particular resource object to users.
ManageAnyResourceRoleAssignmentByLocation	assign Access Levels by location for the Resource Type resource object. This operation is needed to grant or revoke assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type, for resource objects by location, meaning the actor needs to have this operation allowed at or below the location for which they are making a by location Access Level assignment; otherwise the operation will route for approval. By-location operations such as this affect all objects in or below the location for which the operation is approved. For example, if you grant this operation to an actor for the Security Group Resource Type, that actor has the ability to grant any Access Level for all security groups in or below the location for which the operation is allowed. Thus, if you have 12 groups in a location named "Switzerland" and 12 groups in a location named United Kingdom, and you grant this operation for groups in Switzerland, but not for groups in United Kingdom, to a user named "Bob," then Bob can in turn grant the Use Access Level (or the Editor Access Level or any other Access Level that may exist for groups) to any other EmpowerID Actor type at the Switzerland location or at any child locations of the Switzerland location, such as Zurich. This type of by location assignment at Switzerland would grant the Access Level for all 12 groups in Switzerland simultaneously, including any groups in locations below Switzerland. Bob, however, would not be able to grant any Access Level assignments for groups in the United Kingdom because he does not have the operation allowed for the United Kingdom location. If Bob attempts to make such an assignment, the operation will route for approval.

Management Role Assigner

The Management Role Assigner Access Level Definition gives the actor assigned the Access Level the ability to add or remove other EmpowerID Actors to and from a Management Role and has the following operations allowed for applicable Resource Types (EmpowerID Business Role, EmpowerID Location, EmpowerID Management Role, EmpowerID Management Role Definition, EmpowerID Person, and Group).

Operation	Enables any assigned actor to
AddToManagementRole	add another EmpowerID Actor type to a Management Role as an actor, giving them the ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the AddToManagementRole operation allowed for the Management Role in question.
Use	view a location.
RemoveFromManagementRole	remove another EmpowerID Actor type from a Management Role as an actor, removing their ability to add Access Levels to the Management Role. To complete this assignment, the actor making the assignment must also have the RemoveFromManagementRole operation allowed for the Management Role in question.

Browser not supported