Access Levels are bundles of EmpowerID Operations and/or native system rights specific to resource types such as Exchange mailboxes or user accounts. Assign them to users to grant access to IT resources as specified by the Access Level.

Each resource type has its own set of Access Levels, defined with different combinations of EmpowerID Operations and rights (where applicable), to ensure that the level of access to the resources remains consistent for the type and the assignment. The actions an Access Level permits can range from viewing a resource in an EmpowerID user interface to provisioning and deprovisioning resources in native systems. The extent of the access is determined by the configuration of the Access Levels and the scope of the assignment.

EmpowerID provides a large library of Access Levels already configured for most common resource types and delegation scenarios. You can use these out of the box and create your own.

Create Access Levels

  1. On the navbar, expand Admin > RBAC Definitions and click RBAC Access Levels.

  2. On the Access Level page, click the Add button.

  3. Enter the following information on the Access Level Details form:

    • Name — Name of the Access Level

    • Display Name — Display name of the Access Level; this is the name that appears for the Access Level in the UI

    • Description — Description of the Access Level

    • Enforced — Select this option if you want EmpowerID to enforce native rights granted by the Access Level (for inventoried systems only)

    • Is Default Role — Select this option if the Access Level is the default for the resource type

    • Risk Score — Enter a numeric value from 1 to 100. This number is a user-defined value that can help you identify the potential security ramifications associated with the Access Level, based upon the volume and/or nature of operations and/or native system rights associated with it. The higher the number, the higher the risk.

    • Resource Type — Select the resource type for which you are creating the Access Level, such as Business Role Location or Exchange Mailbox.

    • Publish in IT Shop — Select this option to make the Access Level requestable in the IT Shop

    • Hide in UI — Select this option to prevent users from seeing the Access Level in EmpowerID

  4. Click Save.

Once an Access Level Definition is created, it needs EmpowerID Operations and/or native system rights before it can be used to delegate resources to users. This is demonstrated in the Adding Operations to Access Level Definitions and the Adding Rights to Access Level Definitions topics.

See Also

Add Operations to Access Level Definitions

Add Rights to Access Level Definitions

Clone Access Level Definitions

Default Access Level Definitions

Excluding Access Level Enforcement