PAM Management Roles

EmpowerID restricts access to PAM and PSM through the use of Management Roles. To work with PAM and PSM, users must be assigned to the appropriate roles. Management Roles are prefixed by their function in EmpowerID and include the following:

  • UI — Management Roles prefixed with UI grant users access to specific UI elements in the EmpowerID Web interface. An example of this type of role for PAM is UI-Computer-PAM-User-Full-Access. This role grants access to the user interfaces and workflows for requesting PSM access to computers.

  • VIS — Management Roles prefixed with VIS grant users the ability to see specific objects in EmpowerID. An example of this type of role for PAM is VIS-Computer-MyLocations. This role grants access to see computers that belong to same location as the person with the role.

  • ACT — Management Roles prefixed wtih ACT grant users the ability to manage specific objects in EmpowerID. An  example of this type of role for PAM is ACT-Computer-Shared-Credential-Assigner-MyLocations. This role grants users with the role the ability to assign and unassign shared credentials to computers in the person's locations.

Roles needed to use vaulted credentials

To use vaulted credentials, users need to have a combination of the following Management Role assignments (based on the needed scope):

Management Role

Access Granted by Management Role

Management Role

Access Granted by Management Role

UI-Shared-Credential-PAM-User-Self-Service

Grants access to the user interfaces and workflows to request and use vaulted credentials.

UI-Computer-Shared-Credential-PAM-User-Self-Service

Grants access to the user interfaces and workflows to request and use vaulted credentials and PSM access to computers.

VIS-Computer-MyLocations

Grants visibility for computers in a person's locations. This role would be assigned if the person should have visibility for computers in their locations only.

VIS-Computer-MyOrg

Grants visibility for computers in a person's organizations. This role would be assigned if the person should have visibility for all computers in their organizations.

VIS-Computer-All

Grants visibility for all inventoried computers. This role would be assigned if the person should have visibility for all computers.

VIS-Shared-Credential-MyLocations

Grants visibility for vaulted credentials in a person's locations. This role would be assigned if the person should have visibility for vaulted credentials in their locations only.

VIS-Shared-Credential-MyOrg

Grants visibility for vaulted credentials in a person's organizations. This role would be assigned if the person should have visibility for all vaulted credentials in their organizations.

VIS-Shared-Credential-All

Grants visibility for all vaulted credentials.

ACT-Shared-Credential-Use-All

Grants people with the role the ability to check out all shared credentials without requiring approval.

ACT-Shared-Credential-Use-MyLocations

Grants people with the role the ability to check out shared credentials in their locations without requiring approval.

ACT-Shared-Credential-Use-MyOrg

Grants people with the role the ability to check out shared credentials in their organization without requiring approval.

ACT-Computer-Shared-Credential-Login-All

Grants people with the role the ability to use a shared credential to initiate a Privileged Session to any computer without requiring approval. 

ACT-Computer-Shared-Credential-Login-LocalAdmin

Grants people with the role the ability to use a shared credential to initiate a Privileged Session to any computer where the person is a member of the local admins group without requiring approval.

ACT-Computer-Shared-Credential-Login-MyLocations

Grants people with the role the ability to use a shared credential to initiate a Privileged Session to any computer in person's locations without requiring approval.

ACT-Computer-Shared-Credential-Login-MyOrg

Grants people with the role the ability to use a shared credential to initiate a Privileged Session to any computer in person's organization without requiring approval.

Roles needed to manage vaulted credentials for computers

To manage vaulted credentials for computers, users need to have a combination of the following Management Role assignments (based on the needed scope):

Management Role

Access Granted by Management Role

Management Role

Access Granted by Management Role

UI-Computer-Shared-Credential-PAM-User-Full-Access

Grants access to the user interfaces and workflows for managing shared credentials and their relationship to computer objects.

UI-Computer-PAM-User-Full-Access

Grants access to the user interfaces and workflows for managing computer objects for PSM.

VIS-Computer-MyLocations

Grants visibility for computers in a person's locations. This role would be assigned if the person should have visibility for computers in their locations only.

VIS-Computer-MyOrg

Grants visibility for computers in a person's organizations. This role would be assigned if the person should have visibility for all computers in their organizations.

VIS-Computer-All

Grants visibility for all inventoried computers. This role would be assigned if the Person should have visibility for all computers.

VIS-Shared-Credential-MyLocations

Grants visibility for vaulted credentials in a person's locations. This role would be assigned if the person should have visibility for vaulted credentials in their locations only.

VIS-Shared-Credential-MyOrg

Grants visibility for vaulted credentials in a person's organizations. This role would be assigned if the person should have visibility for all vaulted credentials in their organizations.

VIS-Shared-Credential-All

Grants visibility for all vaulted credentials.

ACT-Shared-Credential-Create-All

Grants people with the role the ability to create shared credentials anywhere.

ACT-Shared-Credential-Create-MyLocations

Grants people with the role the ability to create shared credentials in their locations.

ACT-Shared-Credential-Create-MyOrg

Grants people with the role the ability to create shared credentials in their organization.

ACT-Shared-Credential-Object-Administration-All

Grants people with the role the ability to create, edit, and delete shared credentials anywhere.

ACT-Shared-Credential-Object-Administration-MyLocations

Grants people with the role the ability to create, edit, and delete shared credentials in their locations.

ACT-Shared-Credential-Object-Administration-MyOrg

Grants people with the role the ability to create, edit, and delete shared credentials in their organization.

ACT-Computer-Shared-Credential-Approver-All

Grants people with the role the ability to approve PSM login request for any computer.

ACT-Computer-Shared-Credential-Approver-LocalAdmin

Grants people with the role the ability to approve PSM login requests for any computer where the person is a member of the local admins group.

ACT-Computer-Shared-Credential-Approver-MyLocations

Grants people with the role the ability to approve PSM login requests for any computer in their locations.

ACT-Computer-Shared-Credential-Approver-MyOrg

Grants people with the role the ability to approve PSM login requests for any computer in person's organization

ACT-Computer-Shared-Credential-Approver-Responsible

Grants people with the role the ability to approve PSM login requests for any computer where the person is assigned as the responsible person.

Roles needed to manage non-computer vaulted credentials

To manage non-computer vaulted credentials for computers, users need to have a combination of the following Management Role assignments (based on the needed scope):

Management Role

Purpose of Management Role

Management Role

Purpose of Management Role

UI-Shared-Credential-Object-Administration

Grants access to the user interfaces and workflows for managing shared credentials.

VIS-Shared-Credential-MyLocations

Grants visibility for vaulted credentials in a person's locations. This role would be assigned if the person should have visibility for vaulted credentials in their locations only.

VIS-Shared-Credential-MyOrg

Grants visibility for vaulted credentials in a person's organizations. This role would be assigned if the person should have visibility for all vaulted credentials in their organizations.

VIS-Shared-Credential-All

Grants visibility for all vaulted credentials.

VIS-Location-All-Business-Locations

Grants visibility for all locations under All Business Locations.

VIS-Location-MyLocationsAndAbove

Grants visibility for the Person's locations and above.

VIS-Location-MyLocationsAndBelow

Grants visibility for the Person's locations and below.

VIS-Location-All

Grants visibility for all locations in the location trees related to managing shared credentials.

ACT-Shared-Credential-Create-All

Grants people with the role the ability to create a shared credential anywhere.

ACT-Shared-Credential-Create-MyLocations

Grants people with the role the ability to create a shared credential in their locations.

ACT-Shared-Credential-Create-MyOrg

Grants people with the role the ability to create a shared credential in their organization.

ACT-Shared-Credential-Object-Administration-All

Grants people with the role the ability to create, edit, and delete shared credentials anywhere.

ACT-Shared-Credential-Object-Administration-MyLocations

Grants people with the role the ability to create, edit, and delete shared credentials in their locations.

ACT-Shared-Credential-Object-Administration-MyOrg

Grants people with the role the ability to create, edit, and delete shared credentials in their organization.

ACT-Shared-Credential-Approver-All

Grants people with the role the ability to approve checkout request for all credentials.

ACT-Shared-Credential-Approver-MyLocations

Grants people with the role the ability to  approve checkout request for credentials in person's locations.

ACT-Shared-Credential-Approver-MyOrg

Grants people with the role the ability to approve checkout requests for any computer in their locations.

ACT-Shared-Credential-Object-Administration-All

Grants people with the role the ability to to create, edit, and delete all shared credentials.

ACT-Shared-Credential-Object-Administration-MyOrg

Grants people with the role the ability to create, edit, and delete shared credentials in person's organization.

ACT-Shared-Credential-Object-Administration-MyLocations

Grants people with the role the ability to create, edit, and delete shared credentials in person's locations.

Roles needed to manage Privileged Access Policies

To manage Privileged Access policies, users need to have the following Management Role assignment:

Management Role

Purpose of Management Role

Management Role

Purpose of Management Role

UI-Admin-Privileged-Access

Grants access to user interfaces and workflows for managing Privileged Access Settings and Policies.

IN THIS ARTICLE