EmpowerID ships with the following default Access Level Definitions for each Resource Type. Each Access Level Definition is defined by EmpowerID Operations and/or native system rights. Many of the operations, such as the RBAC operations generated for the Administrator and EmpowerID Administrator Access Level Definitions, are similar for each Resource Type.
RBAC operations allow the person assigned the operation to grant or remove a particular Access Level for the Resource Type to or from another EmpowerID Actor (Account, Group, Set Group, Person, and Business Role and Location) as long as the person with the operation has that operation allowed for the EmpowerID Actor in question as well. This is because the operation is a dual operation; it is being performed against two different types of resources.
For example, if "Vivian" is an Administrator for a Computer object, she has the AddPersonToUse operation allowed for that Computer object, meaning she can assign the Use Access Level for that computer to another EmpowerID Person. However, in order for Vivian to complete the assignment, she must also have the AddPersonToUse operation allowed for the EmpowerID Person receiving the assignment. If she only has the operation allowed for the computer, but not for the person, the assignment is routed for approval to someone with the operation allowed for both Resource Types. This is true for all such RBAC operation assignments.
In the RBAC operations listed below, <%Actor%> is a placeholder for each of the EmpowerID Actor types (Account, Group, Set Group, Person, and Business Role and Location) and <%ResourceRole%> is a placeholder for each Access Level specific to an Access Level Definition. When reading these operations, substitute <%Actor%> with an EmpowerID Actor type and <%ResourceRole%> with the Access Level for the Resource Type.
For example, the Add<%Actor%>To<%ResourceRole%> operation can be parsed out as AddAccountToUse, AddGroupToUse, AddSetGroupToUse, AddPersonToUse, and AddOrgRoleOrgZoneToUse. The only exception to this rule concerns the Set Group, which is generally allowed only for the EmpowerID Administrator Access Level Definitions in the default setup.
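The placeholder expansion and the dual-operation rule described above can be modelled in a few lines. The following Python is an added illustration, not EmpowerID product code: it expands a <%Actor%>/<%ResourceRole%> template into concrete operation names, then evaluates an assignment request the way the Vivian example describes (allowed on the target resource but not on the receiving Person means the request is routed for approval to someone who holds the operation on both). The function names, the in-memory policy store, the resource names and the "denied" outcome for a requester who lacks the operation on the target resource altogether are assumptions.

```python
"""Added example, not EmpowerID product code: expands the placeholder
operation templates used on this page and applies the dual-operation rule
for an RBAC assignment request. Function names, the in-memory policy store,
the resource names and the "denied" outcome are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from itertools import product

# The EmpowerID Actor types, spelled as they appear inside operation names
# (Business Role and Location appears as OrgRoleOrgZone).
ACTOR_TYPES = ("Account", "Group", "SetGroup", "Person", "OrgRoleOrgZone")


def expand_operation(template, actors=ACTOR_TYPES, resource_roles=("Use",)):
    """Replace <%Actor%> and <%ResourceRole%> with every combination of values."""
    return [
        template.replace("<%Actor%>", actor).replace("<%ResourceRole%>", role)
        for actor, role in product(actors, resource_roles)
    ]


class Decision(Enum):
    ALLOWED = "allowed"
    ROUTE_FOR_APPROVAL = "route for approval"
    DENIED = "denied"  # assumption: requester lacks the operation on the target itself


@dataclass(frozen=True)
class Resource:
    kind: str  # Resource Type, e.g. "Computer" or "Person"
    name: str


@dataclass
class PolicyStore:
    """Assumed in-memory store: (requester, operation) -> resources it is allowed on."""
    allowed: dict = field(default_factory=dict)

    def allow(self, requester, operation, resource):
        self.allowed.setdefault((requester, operation), set()).add(resource)

    def is_allowed(self, requester, operation, resource):
        return resource in self.allowed.get((requester, operation), set())

    def approvers(self, operation, target, recipient):
        """Requesters who hold the operation for both resources and so can approve."""
        return sorted(
            req for (req, op), resources in self.allowed.items()
            if op == operation and target in resources and recipient in resources
        )


def evaluate_assignment(store, requester, resource_role, target, recipient):
    """Dual-operation rule: Add<Actor>To<ResourceRole> must be allowed for the
    requester on the target resource AND on the Actor receiving the Access Level."""
    operation = f"Add{recipient.kind}To{resource_role}"
    if not store.is_allowed(requester, operation, target):
        return Decision.DENIED, operation
    if not store.is_allowed(requester, operation, recipient):
        return Decision.ROUTE_FOR_APPROVAL, operation
    return Decision.ALLOWED, operation


def vivian_example():
    """Replays the page's scenario with constructed resource names."""
    store = PolicyStore()
    lab_pc = Resource("Computer", "LAB-PC-01")  # constructed name
    bob = Resource("Person", "Bob")  # constructed name
    # Vivian is an Administrator for the computer, so AddPersonToUse is allowed on it.
    store.allow("Vivian", "AddPersonToUse", lab_pc)
    # A constructed approver who holds the operation on both Resource Types.
    store.allow("Helpdesk", "AddPersonToUse", lab_pc)
    store.allow("Helpdesk", "AddPersonToUse", bob)

    first, op = evaluate_assignment(store, "Vivian", "Use", lab_pc, bob)
    approvers = store.approvers(op, lab_pc, bob)
    # Once Vivian also holds the operation on Bob, the assignment completes directly.
    store.allow("Vivian", "AddPersonToUse", bob)
    second, _ = evaluate_assignment(store, "Vivian", "Use", lab_pc, bob)
    return first, approvers, second


if __name__ == "__main__":
    print(expand_operation("Add<%Actor%>To<%ResourceRole%>"))
    print(vivian_example())
```

The operation name is derived from the recipient's Resource Type, which is why granting to a Person and granting to a Group are separate operations that can be allowed independently; the approver lookup is what makes the "routed for approval" outcome actionable rather than a silent failure.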
Additionally, to avoid repetition, Access Level Definitions common to all Resource Types, such as the Use and Access Level Assigner Access Level Definitions, are listed under the Common Access Level Definitions heading below and are not repeated for each Resource Type. Where these differ, the definitions are listed under that Resource Type.
To view the Access Level Definitions with their respective Access Levels and operations, go to the Access Level Definitions node under RBAC Definitions in Configuration Manager.
Common Access Level Definitions
The Administrator and EmpowerID Administrator Access Level Definitions have many operations in common for each Resource Type. The main difference between the two is that the EmpowerID Administrator has all operations allowed for the Resource Type while the Administrator has most, but not all.
The number of Default Access Levels for each Resource Type varies from type to type. For example, the EmpowerID Access Request Catalog Item has four Access Levels while the SharePoint Document has 12.
Operation | Enables any assigned actor to
Add<%Actor%>To<%ResourceRole%> | add the specific Access Level for the Resource Type resource object to the EmpowerID Actor type in question.
AddOperationToResourceTypeRole<%ResourceType%> | add operations to Access Levels for the Resource Type resource object.
AddTo<%ResourceRole%> | grant the specific Access Level for the Resource Type resource object to any EmpowerID Actor type.
AddTo<%ResourceRole%>InLocation | grant the specific Access Level to any EmpowerID Actor for Resource Type resource objects scoped by location.
AddTo<%ResourceRole%>InRelativeResource | grant the specific Access Level to any EmpowerID Actor for resources relative to that actor, such as all resource objects in or below their location.
AssignResourceOrgZone | assign Resource Type resource objects to a location.
CreateResourceTypeRole<%ResourceType%> | create a Resource Type Role for the Resource Type.
Delete | delete a resource from a Resource Type, such as a specific Business Role from the EmpowerID Business Role Resource Type.
DeleteResourceTypeRole<%ResourceType%> | delete a Resource Type Role for the Resource Type.
EditResourceTypeRole<%ResourceType%> | edit a Resource Type Role for the Resource Type.
Use | view the Resource Type resource object in EmpowerID.
ManageAnyResourceRole | assign or unassign any EmpowerID Access Level. This operation is needed to grant or revoke direct assignments of Access Levels.
ManageAnyResourceRoleAssignmentByLocation | assign Access Levels by location for the Resource Type resource object.
RevokeResourceOrgZone | remove Resource Type resource objects from a location.
Remove<%Actor%>From<%ResourceRole%> | remove the specific Access Level for the Resource Type resource object from the EmpowerID Actor type in question.
Remove<%Actor%>From<%ResourceRole%> | remove the specific Access Level for the Resource Type resource object from any EmpowerID Actor type.
RemoveFrom<%ResourceRole%>InLocation | remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects scoped by location.
RemoveFrom<%ResourceRole%>InRelativeResource | remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects relative to that actor, such as all resource objects in or below their location.
Asset Catalog Item
In addition to the operations common to all Administrator and EmpowerID Administrator Access Level Definitions mentioned above, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Asset Request Item Resource Type.
Operation | Enables any assigned actor to
Request | request an Asset Catalog Item.
UnassignFromAdministrator | remove the Administrator Access Level for an Asset Catalog Item from any EmpowerID Actor type.
This Access Level Definition allows the actor assigned the Access Level to request Asset Catalog Items in EmpowerID and has the following operations set to allowed.
Operation | Enables any assigned actor to
Use | view an Access Request Catalog Item in EmpowerID.
Request | request an Access Request Catalog Item.
Attestation Policy
In addition to the operations common to all EmpowerID Administrator Access Level Definitions mentioned above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID Attestation Policy Resource Type.
Operation | Enables any assigned actor to
Provision | provision an Attestation Policy object.
Delete | delete an Attestation Policy object.
Edit | edit an Attestation Policy object.
Review | review an Attestation Policy.
This Access Level Definition gives the actor assigned the Access Level the ability to review attestation tasks and perform access certification and has the following operations set to allowed.
Operation | Enables any assigned actor to
Use | view an Attestation Policy object in EmpowerID.
Review | review an Attestation Policy.
Business Role
Computer
EmpowerID System
Exchange Mailbox
Group (Distribution, Security, Generic) Access Level Definitions
Location
Management Role and EmpowerID Management Role Definition
Person
SAML SSO Connection
Separation of Duties
Set Group
SSO Application
SSO Application Definition
SharePoint (Document, Folder, and List)
The Access Level Definitions for SharePoint Document, Folder and List contain no EmpowerID Operations. They are used to grant native permissions for SharePoint objects managed by EmpowerID. Definitions include: