Default Access Level Definitions

You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

EmpowerID ships with the following default Access Level Definitions for each Resource Type. Each Access Level Definition is defined by EmpowerID Operations and/or native system rights. Many of the operations, such as the RBAC operations generated for the Administrator and EmpowerID Administrator Access Level Definitions, are similar for each Resource Type.

RBAC operations allow the person assigned the operation to grant or remove a particular Access Level for the Resource Type to or from another EmpowerID Actor (Account, Group, Set Group, Person, and Business Role and Location) as long as the person with the operation has that operation allowed for the EmpowerID Actor in question as well. This is because the operation is a dual operation; it is being performed against two different types of resources.

For example, if "Vivian" is an Administrator for a Computer object, she has the AddPersonToUse operation allowed for that Computer object, meaning she can assign the Use Access Level for that computer to another EmpowerID Person. However, in order for Vivian to complete the assignment, she must also have the AddPersonToUse operation allowed for the EmpowerID Person receiving the assignment. If she only has the operation allowed for the computer, but not for the person, the assignment is routed for approval to someone with the operation allowed for both Resource Types. This is true for all such RBAC operation assignments.

In the RBAC operations listed below, <%Actor%> is a placeholder for each of the EmpowerID Actor types (Account, Group, Set Group, Person, and Business Role and Location) and <%ResourceRole%> is a placeholder for each Access Level specific to an Access Level Definition. When viewing these types of operations, substitute <%Actor%> with an EmpowerID Actor type and <%ResourceRole%> with the Access Level for the Resource Type.

For example, the Add<%Actor%>To<%ResourceRole%> operation can be parsed out as AddAccountToUse, AddGroupToUse, AddSetGroupToUse, AddPersonToUse, and AddOrgRoleOrgZoneToUse. The only exception to this rule concerns the Set Group, which is generally allowed only for the EmpowerID Administrator Access Level Definitions in the default setup.

Additionally, to avoid repetition, Access Level Definitions common to all Resource Types, such as the Use and Access Level Assigner Access Level Definitions, are listed under the Common Access Level Definitions heading below and are not repeated for each Resource Type. Where these differ, the definitions are listed under that Resource Type.

To view the Access Level Definitions with their respective Access Levels and operations, go to the Access Level Definitions node under RBAC Definitions in Configuration Manager.

 

Common Access Level Definitions

The Administrator and EmpowerID Administrator Access Level Definitions have many operations in common for each Resource Type. The main difference between the two is that the EmpowerID Administrator has all operations allowed for the Resource Type while the Administrator has most, but not all.

The number of Default Access Levels for each Resource Type varies from type to type. For example, the EmpowerID Access Request Catalog Item has four Access Levels while the SharePoint Document has 12.

Operation: enables any assigned actor to

Add<%Actor%>To<%ResourceRole%>: add the specific Access Level for the Resource Type resource object to the EmpowerID Actor type in question.

AddOperationToResourceTypeRole<%ResourceType%>: add operations to Access Levels for the Resource Type resource object.

AddTo<%ResourceRole%>: grant the specific Access Level for the Resource Type resource object to any EmpowerID Actor type.

AddTo<%ResourceRole%>InLocation: grant the specific Access Level to any EmpowerID Actor for Resource Type resource objects scoped by location.

AddTo<%ResourceRole%>InRelativeResource: grant the specific Access Level to any EmpowerID Actor for resources relative to that actor, such as all resource objects in or below their location.

AssignResourceOrgZone: assign Resource Type resource objects to a location.

CreateResourceTypeRole<%ResourceType%>: create a Resource Type Role for the Resource Type.

Delete: delete a resource from a Resource Type, such as a specific Business Role from the EmpowerID Business Role Resource Type.

DeleteResourceTypeRole<%ResourceType%>: delete a Resource Type Role for the Resource Type.

EditResourceTypeRole<%ResourceType%>: edit a Resource Type Role for the Resource Type.

Use: view the Resource Type resource object in EmpowerID.

ManageAnyResourceRole: assign or unassign any EmpowerID Access Levels. This operation is needed to grant or revoke direct assignments of Access Levels.

ManageAnyResourceRoleAssignmentByLocation: assign Access Levels by location for the Resource Type resource object. This operation is needed to grant or revoke by-location assignments of Access Levels, such as the Use Access Level, to another EmpowerID Actor type. The actor must have this operation allowed at the location for which the assignment is being made, or at one of its parent locations; otherwise the assignment routes for approval.

By-location operations such as this affect all objects in or below the location for which the operation is allowed.

For example, if you grant this operation to an actor for the Security Group Resource Type, that actor can grant any Access Level for all security groups in or below the location for which the operation is allowed. Suppose you have 12 groups in a location named "Switzerland" and 12 groups in a location named "United Kingdom," and you grant this operation to a user named "Bob" for groups in Switzerland but not for groups in the United Kingdom. Bob can then grant the Use Access Level (or the Editor Access Level, or any other Access Level that exists for groups) to any other EmpowerID Actor type at the Switzerland location or at any child location of Switzerland, such as Zurich. A by-location assignment at Switzerland grants the Access Level for all 12 groups in Switzerland simultaneously, including any groups in locations below Switzerland. Bob cannot grant Access Level assignments for groups in the United Kingdom because he does not have the operation allowed for the United Kingdom location; if he attempts such an assignment, it routes for approval.

RevokeResourceOrgZone: remove Resource Type resource objects from a location.

Remove<%Actor%>From<%ResourceRole%>: remove the specific Access Level for the Resource Type resource object from the EmpowerID Actor type in question.

RemoveFrom<%ResourceRole%>: remove the specific Access Level for the Resource Type resource object from any EmpowerID Actor type.

RemoveFrom<%ResourceRole%>InLocation: remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects scoped by location.

RemoveFrom<%ResourceRole%>InRelativeResource: remove the specific Access Level from any EmpowerID Actor type for Resource Type resource objects relative to that actor, such as all resource objects in or below their location.
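The two evaluation rules described in this section, the dual nature of Add<%Actor%>To<%ResourceRole%> operations (the Vivian example) and the inheritance of a by-location ManageAnyResourceRoleAssignmentByLocation grant down the location tree (the Bob example), are easy to get wrong when reviewing who can delegate what. The following Python is an added, illustrative model of those two rules written for this page; it is not EmpowerID's authorization engine, and the actors, computer name, group names and location tree it uses are constructed for the example. It expands the operation-name placeholders as the text describes, then decides whether a request is allowed or routes for approval.

```python
"""Toy model of two RBAC rules described above: an RBAC assignment operation
is "dual" (it must be allowed for the target resource and for the recipient
actor, otherwise the request routes for approval), and a by-location grant
covers every object at or below that location.

Illustrative example written for this page, not EmpowerID's own engine;
all names and data below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Tokens that replace <%Actor%> in an operation name, per the text above.
ACTOR_TOKENS = {
    "Account": "Account",
    "Group": "Group",
    "Set Group": "SetGroup",
    "Person": "Person",
    "Business Role and Location": "OrgRoleOrgZone",
}


def expand_operation(template: str, actor_type: str, access_level: str) -> str:
    """Add<%Actor%>To<%ResourceRole%> + Person + Use -> AddPersonToUse."""
    return (template.replace("<%Actor%>", ACTOR_TOKENS[actor_type])
                    .replace("<%ResourceRole%>", access_level))


@dataclass(frozen=True)
class Resource:
    name: str
    rtype: str      # Resource Type, e.g. "Computer", "Group", "Person"
    location: str   # location the object is assigned to


@dataclass
class Policy:
    # location -> parent location (None at the root)
    parents: Dict[str, Optional[str]]
    # (actor, operation) -> resource names for which the operation is allowed
    direct: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)
    # (actor, operation, resource type) -> locations at which it is allowed
    by_location: Dict[Tuple[str, str, str], Set[str]] = field(default_factory=dict)

    def grant_direct(self, actor: str, op: str, resource_name: str) -> None:
        self.direct.setdefault((actor, op), set()).add(resource_name)

    def grant_by_location(self, actor: str, op: str, rtype: str, location: str) -> None:
        self.by_location.setdefault((actor, op, rtype), set()).add(location)

    def ancestors(self, location: str):
        """Yield the location itself, then each parent up to the root."""
        current: Optional[str] = location
        while current is not None:
            yield current
            current = self.parents.get(current)

    def allowed_at_location(self, actor: str, op: str, rtype: str, location: str) -> bool:
        """A by-location grant at L covers L and every location below it."""
        granted = self.by_location.get((actor, op, rtype), set())
        return any(loc in granted for loc in self.ancestors(location))

    def allowed(self, actor: str, op: str, resource: Resource) -> bool:
        if resource.name in self.direct.get((actor, op), set()):
            return True
        return self.allowed_at_location(actor, op, resource.rtype, resource.location)


def decide_direct_assignment(policy: Policy, requester: str, access_level: str,
                             target: Resource, recipient: Resource) -> str:
    """Dual-operation check for Add<%Actor%>To<%ResourceRole%>: the requester
    needs the expanded operation for the target AND for the recipient."""
    op = expand_operation("Add<%Actor%>To<%ResourceRole%>", recipient.rtype, access_level)
    if policy.allowed(requester, op, target) and policy.allowed(requester, op, recipient):
        return "ALLOW"
    return "ROUTE_FOR_APPROVAL"


def decide_by_location_assignment(policy: Policy, requester: str, rtype: str, location: str) -> str:
    """ManageAnyResourceRoleAssignmentByLocation: allowed when the requester
    holds it for this resource type at the target location or a parent of it."""
    op = "ManageAnyResourceRoleAssignmentByLocation"
    if policy.allowed_at_location(requester, op, rtype, location):
        return "ALLOW"
    return "ROUTE_FOR_APPROVAL"


def build_example() -> Policy:
    """Constructed data mirroring the Vivian and Bob examples in the text."""
    policy = Policy(parents={"Root": None, "Switzerland": "Root", "Zurich": "Switzerland",
                             "United Kingdom": "Root", "London": "United Kingdom"})
    # Vivian is Administrator for one Computer, so AddPersonToUse is allowed for it
    policy.grant_direct("Vivian", "AddPersonToUse", "WS-0421")
    # Bob may manage Access Level assignments for Groups at Switzerland (and below)
    policy.grant_by_location("Bob", "ManageAnyResourceRoleAssignmentByLocation",
                             "Group", "Switzerland")
    return policy


if __name__ == "__main__":
    p = build_example()
    ws = Resource("WS-0421", "Computer", "Zurich")
    alice = Resource("Alice", "Person", "London")
    print(decide_direct_assignment(p, "Vivian", "Use", ws, alice))          # ROUTE_FOR_APPROVAL
    p.grant_direct("Vivian", "AddPersonToUse", "Alice")                    # now allowed for the Person too
    print(decide_direct_assignment(p, "Vivian", "Use", ws, alice))          # ALLOW
    print(decide_by_location_assignment(p, "Bob", "Group", "Zurich"))          # ALLOW
    print(decide_by_location_assignment(p, "Bob", "Group", "United Kingdom"))  # ROUTE_FOR_APPROVAL
```

The point to take from the model is that a grant is checked on both sides of an assignment (target object and recipient actor) and that a by-location grant is evaluated by walking up from the target location, so a grant at Switzerland silently covers every child location such as Zurich. When auditing delegated administration, review by-location grants at high-level locations first; they are the ones with the widest reach.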

 

Asset Catalog Item

In addition to the operations common to all Administrator and EmpowerID Administrator Access Level Definitions mentioned above, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the Asset Catalog Item Resource Type.

Operation: enables any assigned actor to

Request: request an Asset Catalog Item.

UnassignFromAdministrator: remove the Administrator Access Level for an Asset Catalog Item from any EmpowerID Actor type.

 

This Access Level Definition allows the actor assigned the Access Level to request Asset Catalog Items in EmpowerID and has the following operations set to allowed.

Operation: enables any assigned actor to

Use: view an Asset Catalog Item in EmpowerID.

Request: request an Asset Catalog Item.

 

Attestation Policy

In addition to the operations common to all EmpowerID Administrator Access Level Definitions mentioned above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID Attestation Policy Resource Type.

Operation: enables any assigned actor to

Provision: provision an Attestation Policy object.

Delete: delete an Attestation Policy object.

Edit: edit an Attestation Policy object.

Review: review an Attestation Policy.


This Access Level Definition gives the actor assigned the Access Level the ability to review attestation tasks and perform access certification and has the following operations set to allowed.

Operation: enables any assigned actor to

Use: view an Attestation Policy object in EmpowerID.

Review: review an Attestation Policy.

 

Business Role

In addition to most of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID Business Role Resource Type.

Operation: enables any assigned actor to

AssignGroupOrgRoleOrgZone: assign a group to a Business Role and Location.

AssignOrgRoleOrgZone: assign a person to a Business Role and Location.

AssignPersonOrgRoleOrgZone: assign a person to a Business Role and Location as a secondary Business Role and Location.

Insert: create a Business Role.

MoveBusinessRole: move the Business Role from one location to another.

RemoveGroupOrgRoleOrgZone: remove a group from a Business Role and Location.

RemovePersonOrgRoleOrgZone: unassign a person from a secondary Business Role and Location.

SetPersonPrimaryBusinessRoleandLocation: assign the primary Business Role and Location for a person.

Update: edit a Business Role.

 

Operation: enables any assigned actor to

AssignOrgRoleOrgZone: assign a person to a Business Role and Location.

AssignPersonOrgRoleOrgZone: assign a person to a Business Role and Location as a secondary Business Role and Location.

Use: view a Business Role.

RemovePersonOrgRoleOrgZone: unassign a person from a secondary Business Role and Location.

SetPersonPrimaryBusinessRoleandLocation: set the primary Business Role and Location for a person.

 

This Access Level Definition grants the actor assigned the Access Level the ability to edit Business Roles in EmpowerID and has the following operations set to allowed.

Operation: enables any assigned actor to

Edit: edit a Business Role.

Use: view a Business Role.

Update: update a Business Role.

 

Beyond the operations common to all Access Level Assigner Access Level Definitions, the Access Level Assigner for Business Roles has the following additional operations allowed.

Operation: enables any assigned actor to

AddOrgRoleOrgZoneToRelativeResourceRole: assign relative Access Levels to a Business Role and Location.

AddOrgRoleOrgZoneToResourceRole: assign Access Levels directly to a Business Role and Location.

AddOrgRoleOrgZoneToResourceRoleAssignmentByLocation: assign Access Levels by location to a Business Role and Location.

RemoveOrgRoleOrgZoneFromRelativeResourceRole: remove relative Access Levels from a Business Role and Location.

RemoveOrgRoleOrgZoneFromResourceRole: remove Access Levels directly from a Business Role and Location.

RemoveOrgRoleOrgZoneFromResourceRoleAssignmentByLocation: remove Access Levels scoped by location from a Business Role and Location.

 

Computer

In addition to most of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions for the Computer Resource Type both have the following EmpowerID Operations allowed.

Operation: enables any assigned actor to

DeleteComputer: delete a Computer object when running the DeleteComputer workflow.

DeleteDirectory: delete a directory when running the DeleteDirectory workflow.

DisableComputer: disable a Computer object when running the DisableComputer workflow.

EditComputerAdvancedSettings: edit the Advanced Tab fields on the Computer Resource Management Screen for a Computer object.

EditDescription: edit the Description field on the Computer Tab of the Computer Resource Management Screen for a Computer object.

EnableComputer: enable a Computer object.

EnableDisableComputerOperation: enable and/or disable a Computer object.

MoveComputer: move a Computer object from one location to another.

ProvisionComputer: provision a Computer object in EmpowerID.

 

In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the Computer Resource Type.

Operation: enables any assigned actor to

PowershellMoveComputer: move a Computer object using PowerShell commands.

RestartComputer: restart a Computer object.

RestartService: restart a service on an assigned Computer object.

StopApplicationPool: stop an application pool on an assigned Computer object.

StopProcess: stop a process on an assigned Computer object.

StopService: stop a service on an assigned Computer object.

 

The Co-Owner Access Level Definition has the following operations set to allowed for the Computer Resource Type.

Operation: enables any assigned actor to

Use: view the Computer object in EmpowerID.

ManageAnyResourceRole: assign or unassign any EmpowerID Access Levels for a Computer object. This operation is needed to grant or revoke direct assignments of Access Levels, such as the Use Access Level, for a particular Computer object to users.

 

 

This Access Level Definition allows the actor assigned the Access Level to create, enable, disable, move and delete assigned Computer objects in EmpowerID and has the following operations set to allowed.

Operation: enables any assigned actor to

Use: view a Computer object in EmpowerID.

DeleteComputer: delete a Computer object from EmpowerID.

EnableComputer: enable a Computer object in EmpowerID.

DisableComputer: disable a Computer object in EmpowerID.

ProvisionComputer: provision a Computer object in EmpowerID.

MoveComputer: move a Computer object from one location to another in EmpowerID.

EnableDisableComputerOperation: enable and/or disable a Computer object.

 

EmpowerID System

In addition to many of the operations common to all Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions both have the following operations allowed for the EmpowerID System Resource Type.

Operation: enables any assigned actor to

CreateAssetType: create an Asset Type when running the ProvisionCatalogRequest workflow.

EditCatalogRequest: edit a Catalog Request item when running the AssetCatalogItemEdit workflow.

ProvisionCatalogRequest: create a Catalog Request item when running the ProvisionCatalogRequest workflow.

RunPowerShellScript: run a PowerShell script against resources in EmpowerID.

 

In addition to the operations common to all EmpowerID Administrator Access Level Definitions and those shared with the Administrator Access Level Definition mentioned directly above, the EmpowerID Administrator Access Level Definition has the following operations allowed for the EmpowerID System Resource Type.

Operation: enables any assigned actor to

ProvisionSharePointSite: create a SharePoint Site.

 

This Access Level Definition grants the actor assigned the Access Level the ability to log in to and use EmpowerID and has the following operations set to allowed.

Operation: enables any assigned actor to

Use: view the resource in EmpowerID.

 

Exchange Mailbox

In addition to many of the operations common to most Administrator and EmpowerID Administrator Access Level Definitions, the Administrator and EmpowerID Administrator Access Level Definitions for the Exchange Mailbox both have the following operations allowed for the Exchange Mailbox Resource Type.

Operation: enables any assigned actor to

AddEmailAddress: add a new email address to an existing user mailbox.

DeleteEmailAddress: delete an email address from an existing user mailbox.

DisableActiveSync: deselect the ActiveSync Enabled option on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

DisableAuto-AcceptCalendar: deselect the Auto-Accept Calendar option on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

DisableMailbox: disable a mailbox by setting all quota values on the mailbox to 0.

DisableOWA: deselect the OWA Enabled option in the Mailbox Features section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

DisableRequireAuthenticatedSenders: deselect the Require authenticated senders option in the Send and Receive Limits section on the Mailbox Tab of the Exchange Mailbox Resource Management screen.

DisableUseDefaultQuota: deselect the Use Default Quota option on the Quota and Limits Tab of the Exchange Mailbox Resource Management screen.