Access Levels are bundles of EmpowerID Operations and/or native system rights specific to resource types such as Exchange mailboxes or user accounts. Assign them to users to grant access to IT resources as specified by the Access Level.
Each resource type has its own set of Access Levels, each defined with a different combination of EmpowerID Operations and rights (where applicable), so that the level of access to resources remains consistent for the type and the assignment. The actions an Access Level permits can range from viewing a resource in an EmpowerID user interface to provisioning and deprovisioning resources in native systems. The extent of the access is determined by the configuration of the Access Level and the scope of the assignment.
EmpowerID provides a large library of Access Levels already configured for most common resource types and delegation scenarios. You can use these out of the box, and you can also create your own.
Create Access Levels
On the navbar, expand Admin > RBAC Definitions and click RBAC Access Levels.
On the Access Level page, click the Add button.
Enter the following information on the Access Level Details form:
Name — Name of the Access Level
Display Name — Display name of the Access Level; this is the name that appears for the Access Level in the UI
Description — Description of the Access Level
Enforced — Select this option if you want EmpowerID to enforce native rights granted by the Access Level (for inventoried systems only)
Is Default Role — Select this option if the Access Level is the default for the resource type
Risk Score — Enter a numeric value from 1 to 100. This number is a user-defined value that can help you identify the potential security ramifications associated with the Access Level, based upon the volume and/or nature of operations and/or native system rights associated with it. The higher the number, the higher the risk.
Resource Type — Select the resource type for which you are creating the Access Level, such as Business Role Location or Exchange Mailbox.
Publish in IT Shop — Select this option to make the Access Level requestable in the IT Shop
Hide in UI — Select this option to prevent users from seeing the Access Level in EmpowerID
Click Save.
Once an Access Level Definition is created, EmpowerID Operations and/or native system rights must be added to it before it can be used to delegate resources to users. The Adding Operations to Access Level Definitions and the Adding Rights to Access Level Definitions topics demonstrate how to do this.
See Also
Add Operations to Access Level Definitions
Add Rights to Access Level Definitions
Clone Access Level Definitions
Default Access Level Definitions
Excluding Access Level Enforcement