You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Assigning IAM Shop Permission Levels

EmpowerID's IAM Shop Permission Levels provide a way to manage and control access to resources such as applications, shared folders, Exchange mailboxes, and computers within your organization. These permission levels represent native permissions that users can select when requesting access to resources through the IAM Shop.

Examples of such Permission Levels include "Local Admin" for computers, "read-only" for shared folders, and "send-as" for Exchange mailboxes. When a user requests access to a resource configured with IAM Shop Permission Levels, EmpowerID adds the user to the corresponding group on the native system that grants the requested permissions. For this process to work, administrators must assign the desired IAM Shop Permission Levels to the resource in EmpowerID and map those permission levels to the groups that grant those permissions on the system itself. IAM Shop Permission Levels are merely labels: they grant no permissions unless they are mapped correctly.

This article walks you through assigning and mapping IAM Shop Permission Levels to resources in EmpowerID, using a computer as the example resource.

EmpowerID includes several default IAM Shop Permission Levels for applicable resources, such as "Local Admin" and "Domain Admin" for computers. To tailor permission levels to your specific needs, you can also create your own custom IAM Shop Permission Levels. For details, see Creating IAM Shop Permission Levels.

How to assign IAM Shop Permission Levels

  1. Navigate to the View page for the shared folder, application, computer, or mailbox to which you want to assign IAM Shop Permission Levels. In this example, we are navigating to the View page for a computer.
    The quickest way to do this is to use the Global Search located at the top of each page.

  2. On the View page for the computer, click the RBAC subtab and expand IAM Shop Assignees for Requesting Access.

  3. Click the Add New button.

     

  4. Under General, select the IAM Shop Permission Level you want to assign.

     

    Now that you have selected the permission level, the next step is to map it by selecting the assignee that grants the permission level. In our example, we select an EmpowerID group that is mapped to a group on the native system. You can select any type of RBAC actor as the assignee type, as long as that actor has a role that grants the access represented by the permission level.

  5. Under Assignee Granting the Permission Level, do the following:

    1. Select the assignee type from the Which Type of Assignee For This Policy dropdown.

    2. Select the appropriate assignee from the Select <Assignee> To Receive Policy dropdown.

       

  6. Click Save.

     

  7. Repeat to add other assignees as needed.

  8. Click Submit to complete the process.