IT Shop Management Roles

The mechanism by which EmpowerID secures a workflow and the operations within that workflow is known as “Rights-Based Approval Routing” or RBAR. With RBAR, EmpowerID checks in real time whether the current person in a workflow process has the delegations needed to perform the operations associated with that process. If the person has the delegations, the process continues; if not, the process either exits or routes for approval to someone with the delegations needed to approve the operation.

In EmpowerID, these delegations are controlled through the assignment of Access Levels. Before people can access a workflow or perform an operation within that workflow, they must have an Access Level assignment that allows them to do so. These assignments can be made directly to users or, more commonly, through membership in a Management Role that is configured with the Access Level.
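The RBAR decision described above can be modelled in a few lines. This is an added illustration, not EmpowerID code or its API: the data model, the `rbar` function, the `ACT-Example-Group-Admin` role, the `AddPersonToGroup` operation and the choice of when to exit rather than route are all assumptions; only the `UI-IT-Shop-MS-Full-Access` role and the two workflow names come from this page.

```python
from dataclasses import dataclass, field

# Grants are (resource type, resource name, Access Level) triples.
# Role and workflow names come from this page; the ACT role, the operation
# "AddPersonToGroup" and its "Executor" level are hypothetical.
ROLE_GRANTS = {
    "UI-IT-Shop-MS-Full-Access": {
        ("workflow", "UpdatePersonDirectAssignment", "Initiator"),
        ("workflow", "UpdatePersonBusinessRoles", "Initiator"),
    },
    "ACT-Example-Group-Admin": {
        ("operation", "AddPersonToGroup", "Executor"),
    },
}

@dataclass
class Person:
    name: str
    roles: set = field(default_factory=set)    # Management Role memberships
    direct: set = field(default_factory=set)   # direct Access Level assignments

    def grants(self):
        """Effective delegations: direct assignments plus role-derived ones."""
        effective = set(self.direct)
        for role in self.roles:
            effective |= ROLE_GRANTS.get(role, set())
        return effective

def rbar(person, workflow, operation, directory):
    """Return (decision, approvers), evaluated at call time."""
    held = person.grants()
    if ("workflow", workflow, "Initiator") not in held:
        return ("exit", [])                     # may not start the workflow
    needed = ("operation", operation, "Executor")
    if needed in held:
        return ("continue", [])
    approvers = sorted(p.name for p in directory
                       if p is not person and needed in p.grants())
    return ("route", approvers) if approvers else ("exit", [])

# Constructed sample people.
ALICE = Person("alice", roles={"UI-IT-Shop-MS-Full-Access"})
BOB = Person("bob", roles={"UI-IT-Shop-MS-Full-Access", "ACT-Example-Group-Admin"})
CAROL = Person("carol")
DIRECTORY = [ALICE, BOB, CAROL]

if __name__ == "__main__":
    for p in DIRECTORY:
        print(p.name, rbar(p, "UpdatePersonDirectAssignment", "AddPersonToGroup", DIRECTORY))
```

Because the check runs on every call, a change in role membership or direct assignment alters the outcome of the next operation without restarting the workflow.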

Management Roles are prefixed by their function in EmpowerID and include the following:

  • UI – Management Roles prefixed with UI grant users access to specific UI elements in the EmpowerID Web interface.

  • VIS – Management Roles prefixed with VIS grant users the ability to see specific object types in EmpowerID.

  • ACT – Management Roles prefixed with ACT grant users the ability to manage specific objects in EmpowerID. 

To access the Authorization Service Portal, users need to have the Management Roles shown in the table below.

Roles needed to Access the IT Shop

To access the IT Shop, users need to have one of the Management Role assignments below (based on the needed scope):

Management Role

Access Granted by Management Role

UI-IT-Shop-MS-Full-Access

Inherits the Access Levels below from the parent Management Role Definition:

Workflow Access

Initiator Access Level for following workflows:

  • UpdatePersonDirectAssignment

  • UpdatePersonBusinessRoles

Control (User Interface) Access

Viewer Access Level for the following controls:

  • Application Process Control

  • Business Roles TCode Control

  • Business Roles Owners Attribute Control

  • Business Roles Advanced Search Control

  • Business Roles Role Approvers Attribute Control

  • Application Roles Resource System Attribute Control

  • Business Roles Name Attribute Control

  • Target System Control

  • Application Roles TCode Control

  • Application Roles Advanced Search Control

  • Shop for Target Person Control

  • Business Functions Control

  • Business Roles Parent Business Roles Attribute Control

  • Application Roles Owners Attribute Control

  • Application Roles High Level Classification Attribute Control

  • Business Domains Control

  • Business Roles High Level Classification Attribute Control

  • Application Roles Name Attribute Name

Application Access

Viewer Access Level for the following applications:

  • IT Shop Microservice App

  • EmpowerID Web

Web Service Access

Executor Access Level for the following Web services:

  • All ITShop WebServices

  • AllRbacObjects

  • CartSubmissionAPI.SubmitCart

Pages and Reports Access

Viewer Access Level for the following pages and reports:

  • Groups Page (IT Shop)

  • Business Roles Page (IT Shop)

VIS-IT-SHOP-MS-API

Grants visibility to the base Web services required by all users of the IT Shop microservice.

Web Service Access

Executor Access Level for the following Web services:

  • BusinessFunctionsAPI

  • BusinessFunctionsAPI.GetChildrenByOrgZoneType

  • BusinessFunctionsAPI.GetOrgZonesByOrgZoneTypeTypes

  • BusinessLocationsAPI.GetOrgZoneTypes

  • BusinessLocationsAPI.Search

  • BusinessRolesAPI

  • BusinessRolesAPI.CheckAssignmentStatus

  • BusinessRolesAPI.GetApplicationRoleTemplates

  • BusinessRolesAPI.GetAssignedAppRolesByPersonGUID

  • BusinessRolesAPI.GetAssignedBusinessRolesByPersonGUID

  • BusinessRolesAPI.GetOrgRole

  • BusinessRolesAPI.GetOrgRoles

  • BusinessRolesAPI.GetSingleOrgRole

  • CartSubmissionAPI

  • CartSubmissionAPI.SubmitCart

  • CheckForSODAPI

  • CheckForSODAPI.GetAssigneesForOrgRoleType

  • GlobalSettingsAPI

  • GlobalSettingsAPI.GetConfigSetting

  • GroupsAPI

  • GroupsAPI.CheckAssignmentStatus

  • GroupsAPI.GetAssignedAppRolesByPersonGUID

  • GroupsAPI.GetAssignedMembershipByOrgRolesOrgZoneID

  • GroupsAPI.GetGroups

  • GroupsAPI.GetSingleOrgRole

  • GroupsAPI.GetTargetSystemsFilterdata

  • LocalizationAPI

  • LocalizationAPI.CountryHelpText

  • LocalizationAPI.GetByResourceSet

  • ProtectedAppResourceAPI

  • ProtectedAppResourceAPI.AlllowedSsoApplications

  • ProtectedAppResourceAPI.GetChildrenByProtectedApplication